Cisco ASA Site-to-Site IKEv2 IPSEC VPN

Hi Rene,

I’ve been unable to establish a crypto isakmp SA following this guide. Should this work in GNS3, or are there known issues?

Hi Richard,

It might be related to GNS3, it’s difficult to tell. If possible I would test it on real hardware first (or try Cisco VIRL).

Rene

Please can you do a small lab on IKEv2 ASA-ASA static-dynamic IP?

Thanks

Hi Anuoluwapo,

You should be able to make it work by combining the ASA IKEv1 Dynamic Peer tutorial and this ASA IKEv2 tutorial.

Rene

Hello Rene,

We have a couple of IKEv1 L2L VPN tunnels with our vendors. We want to migrate one of the IKEv1 L2L VPN tunnels to an IKEv2 VPN. I know there is a command to do a swift migration, “migrate l2l”, but I believe it will migrate all of my IKEv1 L2L VPN tunnels. Is there a way that I can just migrate that particular IKEv1 L2L VPN to IKEv2? Or do I have to do a configuration for it from scratch? I will really appreciate your help.

Thanks
Umer

Hello Umer

To answer your question, it really depends on what you want to do. I am assuming first of all that you are using ASA 8.X (although I believe with relative certainty that the following is supported for 9.X as well). Also, I am assuming that these tunnels are to different vendors. This is important because according to Cisco “Multiple peers used for redundancy is not supported with IKEv2 on the ASA.” Only IKEv1 supports this. So if these tunnels are redundant tunnels to the same vendor, don’t migrate to IKEv2.

Now, when you use the migration command you are correct that all IKEv1 tunnels are migrated to IKEv2. However, the current IKEv1 configurations are not removed. IKEv1 and IKEv2 both run in parallel on the same crypto map and IKEv1 acts as a backup for IKEv2.

So, assuming you issue the migrate command and you migrate everything, the IKEv2 tunnel will be created and will function as you desire (if the other end is configured correctly as well), but the tunnel you want to remain on IKEv1 will remain as such since it will fall back to IKEv1 if IKEv2 cannot be established.

You can then tweak your configuration and remove any IKEv2 configuration from that particular tunnel.

Cisco has very good and detailed documentation for this procedure and you can find it here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

I hope this has been helpful!

Laz
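As an added example (not part of Laz’s answer or Cisco’s documentation), the following Python script audits what the thread describes: after “migrate l2l” every crypto map entry carries both an IKEv1 transform-set and an IKEv2 proposal, so IKEv1 remains as a fallback on every tunnel. The script reads a running-config, reports per crypto map entry which IKE versions it can actually negotiate (taking the tunnel-group authentication lines into account), and generates the “no” commands to strip IKEv2 from the one entry you want to keep on IKEv1. The sample config, the map and proposal names and the peer addresses are constructed for the example, and the exact syntax of the generated “no” commands is assumed, so check it against your ASA version before pasting.

```python
"""Audit ASA crypto-map entries for IKEv1 / IKEv2 after `migrate l2l`.

Added example, not from the original page. Parses a running-config and
reports which IKE versions each L2L entry can negotiate, plus the `no`
commands to put a chosen entry back on IKEv1 only (syntax assumed).
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: two L2L tunnels after `migrate l2l`. Names and peers
# are made up; 203.0.113.0/24 is documentation address space.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set TS_AES esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP_AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map OUTSIDE_MAP 10 match address VENDOR_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal PROP_AES
crypto map OUTSIDE_MAP 20 match address VENDOR_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS_AES
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal PROP_AES
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

@dataclass
class MapEntry:
    name: str
    seq: int
    peer: str | None = None
    ikev1_ts: str | None = None      # IKEv1 transform-set on the map entry
    ikev2_prop: str | None = None    # IKEv2 ipsec-proposal on the map entry
    tg_ikev1: bool = False           # tunnel-group has an IKEv1 PSK
    tg_ikev2: bool = False           # tunnel-group has IKEv2 PSKs

    def versions(self) -> str:
        """What the entry can negotiate: map entry AND tunnel-group must agree."""
        v1 = self.ikev1_ts is not None and self.tg_ikev1
        v2 = self.ikev2_prop is not None and self.tg_ikev2
        if v1 and v2:
            return "ikev2 with ikev1 fallback"
        return "ikev2 only" if v2 else "ikev1 only" if v1 else "incomplete"

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) set (peer|ikev1 transform-set|ikev2 ipsec-proposal) (\S+)")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes")

def parse_config(text: str) -> list[MapEntry]:
    entries: dict[tuple[str, int], MapEntry] = {}
    tg_auth: dict[str, set[str]] = {}   # peer address -> {"ikev1", "ikev2"}
    current_tg = None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            e = entries.setdefault((m[1], int(m[2])), MapEntry(m[1], int(m[2])))
            if m[3] == "peer":
                e.peer = m[4]
            elif m[3].startswith("ikev1"):
                e.ikev1_ts = m[4]
            else:
                e.ikev2_prop = m[4]
            continue
        m = TG_RE.match(line)
        if m:
            current_tg = m[1]
            tg_auth.setdefault(current_tg, set())
        elif line.startswith(" ") and current_tg:   # inside ipsec-attributes sub-mode
            s = line.strip()
            if s.startswith("ikev1 pre-shared-key"):
                tg_auth[current_tg].add("ikev1")
            elif s.startswith("ikev2 ") and "pre-shared-key" in s:
                tg_auth[current_tg].add("ikev2")
        elif not line.startswith(" "):
            current_tg = None                        # left the sub-mode
    for e in entries.values():
        auth = tg_auth.get(e.peer or "", set())
        e.tg_ikev1, e.tg_ikev2 = "ikev1" in auth, "ikev2" in auth
    return sorted(entries.values(), key=lambda e: (e.name, e.seq))

def strip_ikev2(entry: MapEntry) -> list[str]:
    """Commands to leave one entry on IKEv1 only (ASA syntax assumed)."""
    cmds = []
    if entry.ikev2_prop:
        cmds.append(f"no crypto map {entry.name} {entry.seq} set ikev2 ipsec-proposal {entry.ikev2_prop}")
    if entry.tg_ikev2 and entry.peer:
        cmds += [f"tunnel-group {entry.peer} ipsec-attributes",
                 " no ikev2 remote-authentication pre-shared-key",
                 " no ikev2 local-authentication pre-shared-key"]
    return cmds

if __name__ == "__main__":
    entries = parse_config(SAMPLE_CONFIG)
    for e in entries:
        print(f"{e.name} {e.seq} peer={e.peer}: {e.versions()}")
    print("\n".join(strip_ikev2(entries[1])))   # keep VENDOR_B (seq 20) on IKEv1
```

Run it against the output of “show running-config” instead of the sample to see which tunnels would still fall back to IKEv1; an entry that reports “ikev2 with ikev1 fallback” is exactly the parallel state the answer above describes.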

This lesson has been so valuable to me. I’ve only been in networking for a year with just my CCNA, so I’ve come into contact with devices that I did not learn about while studying. This job has been my rock, and today I was asked to learn how to configure an IPSEC VPN between the ASA at my site and the ASA at a new site we just put up.

I just want to thank you so much for offering a clear and concise tutorial. I often get overwhelmed by wordy explanations of things and your website has literally solved my problems with getting “lost in the sauce”. I am studying for CCNP now using both your site, INE, and the official cert guide.

Thank you so much!

Hello Letia

It’s great to hear that you are enjoying and finding value in this site. This is what we aim to do. I wish you success in your CCNP studies and exams!

Laz

Are there any troubleshooting commands that can assist you? I.e. if you type the password incorrectly…

Hi Robert,

When troubleshooting, I usually start with some debugs:

* debug crypto ikev2
* debug crypto ipsec

Those will usually tell you when something (like authentication) fails.

Rene

Hi Rene,
Can you please show me some packet captures of IKEv2 and explain in detail like the way you have done in IKEv1.

Thanks.

Hi Sushanth,

I do have a capture file:

https://www.cloudshark.org/captures/767a93d720ad

I might add some more detail to this lesson in the future about IKEv2.

Rene

Hello,

Any suggestions on configuring a site to site VPN to be a full tunnel? I was under the impression that default configured site to site tunnels were full but it looks like that is incorrect. They are actually split tunnels by default.

What I am trying to accomplish…
I would like to route all traffic from remote site A via a site to site vpn back to HQ. That traffic would then be routed through HQ out to the Internet.

Remote site (1.1.1.0/24) is connected to the outside interface of the ASA at HQ 2.2.2.25. As I mentioned before, I would like to route all traffic back through HQ.

Hello Antonio

In order to disable the split tunnel functionality, you will have to configure the ACL that indicates the interesting traffic to view “any” destination as interesting instead of just the networks at your remote site. You can find out more about that at this Cisco Documentation.

Keep in mind that depending on your configuration, you may also need to issue the split-tunnel-policy tunnelall command in the group policy as well. Take a look at the above documentation which should give you a good start on the endeavour.

I hope this has been helpful!

Laz

Lazaros,

Thank you for the help. With the new ACL, I was able to confirm that the user was able to access all internal LAN functions. However, they are not able to reach internet pages. The current setup is that all machines are manually configured to point to a proxy at the HQ location. What we are looking to do is remove the need for each machine to have to be manually configured.

When I applied the new ACL filter, I tested with an end user and confirmed that all outside traffic was being blocked by an ACL. I created a test ACL for the end user on the firewall. They were granted access out to the net; however, they are now receiving the public IP address of the ISP.

My questions are:

  1. What is required for them to point to the default proxy?
  2. Am I missing any other settings?

Hi Antonio,

Let me jump in on this question. I don’t have a complete walkthrough, but I do have a config for an HQ and BRANCH ASA that probably achieves what you are looking for:

hostname HQ
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.1 255.255.255.0 
!
same-security-traffic permit intra-interface
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2 
!
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
!
object network LAN1
 nat (INSIDE,OUTSIDE) dynamic interface
object network LAN2
 nat (OUTSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.3 1
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.2 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha      
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.2 type ipsec-l2l
tunnel-group 192.168.123.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
: end
hostname BRANCH1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.2 255.255.255.0 
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 any4 
!
nat (INSIDE,OUTSIDE) source static LAN2 LAN2 destination static LAN1 LAN1
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.1 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

What this does:

  • Traffic from devices behind HQ to the Internet is NATted to the IP address on the outside interface.
  • IKEv2 site-to-site IPSec VPN between HQ and BRANCH1. HQ uses the VPN to reach 192.168.2.0/24 behind BRANCH1, while BRANCH1 sends all traffic through the VPN to HQ.
  • Traffic between the subnets behind HQ and BRANCH1 through the VPN is not translated with NAT.
  • Traffic from behind BRANCH1 through the VPN to HQ, towards the Internet is translated with NAT using the outside interface of HQ.

Some key things in this config that you need:

  • same-security-traffic permit intra-interface: you need this command to tell HQ to translate traffic that arrives on the outside interface and exits the outside interface (VPN traffic from BRANCH1).
  • nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2: this is a “no nat” rule to tell HQ not to translate traffic between the private subnets.

About your default proxy, where do you configure this? Are these windows hosts? This isn’t something you configure on your ASAs.

Hope this helps! If you have questions about this setup, let me know.

Rene

Appreciate the response! Currently the end users are using Windows machines that are manually pointing back to the proxy here at HQ. Under the LAN settings (in what looks to be Internet Explorer) they have selected “Automatically detect settings”. When that setting is checked, they are unable to reach the net at all. If I do an ip any/any on the firewall, the end user is able to reach the net and they get a public IP address when they type in “what’s my IP”.

I am still at a loss here. Looking back, I don’t believe I added the new ACL to the HQ firewall.

I’m working in my lab on some site-to-site VPN stuff and was wondering if someone could help me. Understand something…

My Setup is asa5505 <-> rtr2801 <-> rtr2911 <-> asa5505

I’m trying to verify that my IKEs are regenerating every 15 minutes. Below are some CLI outputs. Does this tell me that the life of the IKEs is 900 seconds and that after the slash is the time left? And is Tunnel-id the new tunnel with the new IKEs?

ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69714249           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/810 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
193031137           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/5 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
288927687           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/816 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
362523125           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/26 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#

Hello Aaron

Yes you are correct, this output tells us the following:

Life/Active Time is the total and active times of the IKEv2 tunnel
Tunnel-id is the unique identifier of the IKEv2 tunnel

You can find out more about this output at this command reference.

I hope this has been helpful!

Laz
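As an added example (not part of Aaron’s post or Laz’s answer), here is a Python script that parses the IKEv2 block of “show crypto isakmp sa” and compares two snapshots to confirm a rekey: a new Tunnel-id together with an Active time that dropped back towards zero means the IKE SA was re-established within its 900-second lifetime. The number after the slash is the time the SA has been active, so the time left is Life minus Active. The script also reports the child SA SPIs separately, because in IKEv2 rekeying the IKE SA does not rekey the IPsec (child) SAs; the two snapshots are the first two outputs from the post above, embedded as sample input, and the DH-group threshold used for the weak-parameter flag is a practitioner choice, not something from the page.

```python
"""Detect IKEv2 SA rekeys from successive `show crypto isakmp sa` outputs.

Added example, not from the original page. Parses the ASA's IKEv2 SA
summary and compares two snapshots of the same peer pair.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: first snapshot from Aaron's post above, verbatim.
SNAPSHOT_1 = """\
There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69714249           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/810 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
"""
# Second snapshot from the post: new Tunnel-id, Active time reset, same SPIs.
SNAPSHOT_2 = SNAPSHOT_1.replace(" 69714249", "193031137").replace("900/810", "900/5")

@dataclass
class IkeSa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    role: str
    encr: str
    keysize: int
    hash_alg: str
    dh_group: int
    life: int        # configured IKE SA lifetime in seconds
    active: int      # seconds this SA has been up (elapsed, not remaining)
    esp_spi_in: str
    esp_spi_out: str

SA_RE = re.compile(r"^\s*(?P<tid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<status>\S+)\s+(?P<role>\S+)\s*$")
PARAM_RE = re.compile(r"Encr: (?P<encr>[^,]+), keysize: (?P<ks>\d+), Hash: (?P<hash>[^,]+), DH Grp:(?P<dh>\d+)")
LIFE_RE = re.compile(r"Life/Active Time: (?P<life>\d+)/(?P<active>\d+) sec")
SPI_RE = re.compile(r"ESP spi in/out: (?P<spi_in>0x[0-9a-fA-F]+)/(?P<spi_out>0x[0-9a-fA-F]+)")

def parse_sas(text: str) -> list[IkeSa]:
    """Return one IkeSa per Tunnel-id row, with the indented detail lines folded in."""
    sas: list[dict] = []
    cur = None
    for line in text.splitlines():
        if (m := SA_RE.match(line)):
            cur = {"tunnel_id": int(m["tid"]), "local": m["local"], "remote": m["remote"],
                   "status": m["status"], "role": m["role"]}
            sas.append(cur)
        elif cur is None:
            continue
        elif (m := PARAM_RE.search(line)):
            cur.update(encr=m["encr"], keysize=int(m["ks"]), hash_alg=m["hash"], dh_group=int(m["dh"]))
        elif (m := LIFE_RE.search(line)):
            cur.update(life=int(m["life"]), active=int(m["active"]))
        elif (m := SPI_RE.search(line)):
            cur.update(esp_spi_in=m["spi_in"], esp_spi_out=m["spi_out"])
    return [IkeSa(**d) for d in sas]

WEAK_DH_BELOW = 14   # practitioner threshold: MODP groups below 2048-bit are flagged

def rekey_report(before: IkeSa, after: IkeSa) -> dict:
    """Compare two snapshots of the same local/remote pair."""
    if (before.local, before.remote) != (after.local, after.remote):
        raise ValueError("snapshots are for different peers")
    ike_rekeyed = after.tunnel_id != before.tunnel_id and after.active < before.active
    child_rekeyed = (before.esp_spi_in, before.esp_spi_out) != (after.esp_spi_in, after.esp_spi_out)
    return {
        "ike_rekeyed": ike_rekeyed,
        "child_rekeyed": child_rekeyed,
        "lifetime": after.life,
        "seconds_left": after.life - after.active,
        "dh_group_weak": after.dh_group < WEAK_DH_BELOW,
    }

if __name__ == "__main__":
    before, after = parse_sas(SNAPSHOT_1)[0], parse_sas(SNAPSHOT_2)[0]
    for k, v in rekey_report(before, after).items():
        print(f"{k}: {v}")
```

Feed it two captures taken a few minutes apart (for example from a cron job that logs the command output) and it tells you whether the IKE SA rolled over, how long the current one has left, and whether the child SA kept its SPIs, which is what the identical “ESP spi in/out” values across all four outputs in the post show.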