Cisco ASA Site-to-Site IKEv1 IPsec VPN


(Mohammad Hasanuz Zaman) #41

Hello Rene,

What do the following two commands mean for IKE phase-1 and IKE Phase-2 :

IKE phase-1:

ASA1(config-ikev1-policy)# lifetime 4800

IKE Phase-2:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

I think IKE phase-1 will be deleted after 4800(If no traffic on tunnel) and IKE phase-2 will be delete after 3000(If no traffic on tunnel ).If continue traffic flows on the tunnel then what will happen, IKE phase-1 & IKE phase-2 will be re-negotiate after expiration or not??Please explain.

Many Thanks

br//
zaman


(Mohammad Hasanuz Zaman) #42

Thanks Rene.So the default mode Main and Tunnel . If we want to change it to Aggressive & transport mode then have to configure like way, right ??

br/
zaman


(Rene Molenaar) #43

Hi Zaman,

These lifetimes specify when we regenerate the keying material, they don’t specify the “idle” timeout. That’s done with another command:

ASA1# show run all | incl vpn-idle
 vpn-idle-timeout 30

By default, after 30 minutes of inactivity we tear down the SA.

The default mode is indeed “main mode” and “tunnel mode”. You can change this with the commands I supplied in the previous post.

Rene


(Mohammad Hasanuz Zaman) #44

Hi Rene,

Thanks for your reply. I have one more question that at VPN GW which one execute first - Encryption then Encapsulating or vice -versa .Thanks a lot

br//
zaman


(Rene Molenaar) #45

Hi Zaman,

For a detailed answer, take a look at this Cisco example:

Cisco ASA Packet order of operation

What I prefer to do, is to use packet tracer on the ASA:

ASA1# packet-tracer input INSIDE tcp 192.168.1.1 54411 34.5.3.1 80

If you use this then it will show you exactly what steps it takes and in what order.

Rene


(Mohammad Hasanuz Zaman) #46

Hi Rene,

What if , if we dont use the command “ASA1(config)# crypto isakmp identity address”

br//
zaman


(Rene Molenaar) #47

Hi Zaman,

Somehow, your ASAs have to be able to identify each other so that you use the correct tunnel-group. This command makes sure that the IP address is used for identification.

Rene


(sims) #48

Hi,

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Lets say already there is a cryptomap called MY_CRYPTO_MAP and we want to create a site to site vpn to another site .
Is it ok If I create MY_CRYPTO_MAP_2 same as MY_CRYPTO_MAP

ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP_2 interface OUTSIDE

Thanks


(Ryan M) #49

In the examples, shouldn’t there be a no-nat?

Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.

nat (inside,outside) source static local-network local-network destination static
 remote-network remote-network no-proxy-arp route

(Rene Molenaar) #50

@Sims You can only apply one crypto-map to your interface. You should create one crypto-map with different statement numbers for each peer. Something like this:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set security-association lifetime seconds 3600

@Ryan if you use NAT then yes, you will need to exempt your site-to-site or remote VPN traffic or it will be translated. Here’s an example:

nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL

Basically it means that whenever traffic from the INSIDE destined to VPN_POOL goes from INSIDE > OUTSIDE that it will be translated to its own address. In other words, no NAT.

Rene


(Shraddha P) #51

We have firewall 5505 where I have created site to site VPN. First time I have created crypto policy with group 2 and then changed to below.

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv’d: Group 5 Cfg’d: Group 2Group
192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)

Phase 1 (Main mode)
Lifetime: 86400s (1 day)
Encryption: AES256
Hash: SHA1 Key-Ex:
Group5
Phase 2
Lifetime: 3600s (1 hour)
Encryption: AES256
Hash: SHA1
PFS: Group5
Below is my firewall config.

crypto ikev1 policy 170
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

I can ping to remote end peer as well from firewall and from host. It seems like cypto first checks for group2 and then it goes to group 5. I can ping to 192.168.1.1 successfully from firewall and server. What is this error message and how can I get it off?

Thank you Shraddha


(Rene Molenaar) #52

Hi Shraddha,

The device on the other end starts the proposal with group 5 while on your end, it’s configured for group 2. The most simple solution is probably to change your local policy…change it to group 5 and get rid of group 2.

DH group 2 is also a bit on the weak side:

Rene


(Shawn O) #53

Hi Rene,

Good explanation. I was wondering what the configuration of the crypto maps would be if you were using dynamic crypto maps instead of static. I imagine the ACL would not be needed. Do you have a code snippet for this example of what the dynamic crypto map configuration would look like?

Thanks
S


(Maher H) #54

Hi Shawn,

In the next lessons you have explanation of
Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer
Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers

As you will see, in both cases you need to configure an access-list in each of the 2 ASA’s to define which traffic will be encrypted.

Regards,


(Md Iqbal H) #55

Hi Rene,

I tried to setup similar tunnel config in my VIRL LAB. However couldn’t able to bring my tunnel up. I am attaching my virl LAB. Would appreciate if you can check what am missing in my setup.

Regards,
Iqbal


(Md Iqbal H) #56

Here is the attahced VIRL


(Md Iqbal H) #57

Topology


(Networklessons Admin) split this topic #58

19 posts were merged into an existing topic: Cisco ASA Site-to-Site IKEv1 IPsec VPN


(Md Iqbal H) #59

Strange my attachment is not uploaded.


(Enthusiast) #60

Hi Rene,

I modified the network in your example with a few more nodes on each site. The network diagram is attached.

The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.

Can you please help me find out the issue?