Cisco ASA Site-to-Site IKEv2 IPSEC VPN

Are there any troubleshooting commands that can assist you? I.e. you type the password incorrectly…

Hi Robert,

When troubleshooting, I usually start with some debugs:

* debug crypto ikev2
* debug crypto ipsec

Those will usually tell you when something (like authentication) fails.

Rene

Hi Rene,
Can you please show me some packet captures of IKEv2 and explain in detail like the way you have done in IKEv1.

Thanks.

Hi Sushanth,

I do have a capture file:

https://www.cloudshark.org/captures/767a93d720ad

I might add some more detail to this lesson in the future about IKEv2.

Rene

Hello,

Any suggestions on configuring a site-to-site VPN to be a full tunnel? I was under the impression that default configured site-to-site tunnels were full, but it looks like that is incorrect. They are actually split tunnels by default.

What I am trying to accomplish…
I would like to route all traffic from remote site A via a site-to-site VPN back to HQ. That traffic would then be routed through HQ out to the Internet.

Remote site (1.1.1.0/24) is connected to the outside interface of the ASA at HQ 2.2.2.25. As I mentioned before, I would like to route all traffic back through HQ.

Hello Antonio

In order to disable the split tunnel functionality, you will have to configure the ACL that indicates the interesting traffic to view “any” destination as interesting instead of just the networks at your remote site. You can find out more about that at this Cisco Documentation.

Keep in mind that depending on your configuration, you may also need to issue the split-tunnel-policy tunnelall command in the group policy as well. Take a look at the above documentation which should give you a good start on the endeavour.

I hope this has been helpful!

Laz

Lazaros,

Thank you for the help. With the new ACL, I was able to confirm that the user was able to access all internal LAN functions. However, they are not able to reach internet pages. The current setup is that all machines are manually configured to point to a proxy at the HQ location. What we are looking to do is remove the need for each machine to have to be manually configured.

When I applied the new ACL filter, I tested with the end user and confirmed that all outside traffic was being blocked by an ACL. I created a test ACL for the end user on the firewall. They were granted access out to the net; however, they are now receiving the public IP address of the ISP.

My questions are:

  1. What is required for them to point to the default proxy?
  2. Am I missing any other settings?

Hi Antonio,

Let me jump in on this question. I don’t have a complete walkthrough, but I do have a config for an HQ and BRANCH ASA that probably achieves what you are looking for:

hostname HQ
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.1 255.255.255.0 
!
same-security-traffic permit intra-interface
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2 
!
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
!
object network LAN1
 nat (INSIDE,OUTSIDE) dynamic interface
object network LAN2
 nat (OUTSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.3 1
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.2 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha      
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.2 type ipsec-l2l
tunnel-group 192.168.123.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
: end
hostname BRANCH1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.2 255.255.255.0 
!
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 any4 
!
nat (INSIDE,OUTSIDE) source static LAN2 LAN2 destination static LAN1 LAN1
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.1 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

What this does:

  • Traffic from devices behind HQ to the Internet is NATed to the IP address on the outside interface.
  • IKEv2 site-to-site IPSec VPN between HQ and BRANCH1. HQ uses the VPN to reach 192.168.2.0/24 behind BRANCH1, while BRANCH1 sends all traffic through the VPN to HQ.
  • Traffic between the subnets behind HQ and BRANCH1 through the VPN is not translated with NAT.
  • Traffic from behind BRANCH1 through the VPN to HQ, towards the Internet is translated with NAT using the outside interface of HQ.

Some key things in this config that you need:

  • same-security-traffic permit intra-interface: you need this command to tell HQ to translate traffic that arrives on the outside interface and exits the outside interface (VPN traffic from BRANCH1).
  • nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2: this is a “no nat” rule to tell HQ not to translate traffic between the private subnets.

About your default proxy, where do you configure this? Are these Windows hosts? This isn’t something you configure on your ASAs.

Hope this helps! If you have questions about this setup, let me know :)

Rene
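As an added example (not part of Rene’s post and not a Cisco tool), the Python script below lints the HQ configuration quoted above for the pieces that post says a full-tunnel hub needs: `same-security-traffic permit intra-interface`, a crypto ACL whose local side is `any`, the identity twice-NAT rule that exempts LAN-to-LAN traffic, and the hairpin `nat (OUTSIDE,OUTSIDE) dynamic interface` rule. It also warns on the cryptographic settings in the posted IKEv2 policy and IPsec proposal: `group 2` is 1024-bit MODP Diffie-Hellman, and `integrity sha`, `prf sha` and `protocol esp integrity sha-1` are all SHA-1 (the `Hash: SHA96` that `show crypto ikev2 sa` prints). The weak/strong thresholds are this example’s choice, not something from the thread. The configuration text is copied inline from the post as constructed sample input.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the HQ configuration posted above.
HQ_CONFIG = """\
hostname HQ
same-security-traffic permit intra-interface
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
object network LAN1
 nat (INSIDE,OUTSIDE) dynamic interface
object network LAN2
 nat (OUTSIDE,OUTSIDE) dynamic interface
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
"""

ANY = {"any", "any4", "any6"}
# Thresholds are this example's choice: MODP groups 1/2/5 and SHA-1/MD5 are
# below what current guidance recommends for new IKEv2 deployments.
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5", "sha", "sha-1"}      # "sha" in an ikev2 policy is SHA-1 (SHA96)
WEAK_CIPHERS = {"des", "3des", "null"}


def _endpoint(tokens, i):
    """Consume one ACL endpoint at tokens[i]; return (text, index after it)."""
    if tokens[i] in ANY:
        return tokens[i], i + 1
    # "host A.B.C.D", "object NAME", "object-group NAME" or "A.B.C.D M.M.M.M"
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_acl(config, name):
    """Return [(src, dst), ...] for the permit entries of an extended ACL."""
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["access-list", name, "extended", "permit"]:
            src, i = _endpoint(t, 5)          # t[4] is the protocol ("ip")
            dst, _ = _endpoint(t, i)
            pairs.append((src, dst))
    return pairs


def crypto_map_acls(config):
    """Crypto-map entry -> ACL name, from 'crypto map NAME SEQ match address ACL'."""
    return {f"{m[1]} {m[2]}": m[3]
            for m in re.finditer(r"^crypto map (\S+) (\d+) match address (\S+)", config, re.M)}


@dataclass
class HubFindings:
    intra_interface: bool          # same-security-traffic permit intra-interface present
    full_tunnel_acls: dict         # crypto ACL name -> local (source) side is "any"
    nat_exempt: bool               # identity twice-NAT between the two LANs present
    hairpin_nat: bool              # nat (X,X) dynamic ... so VPN traffic can go back out
    weak_crypto: list = field(default_factory=list)


def lint_hub(config):
    """Check a hub ASA config for the full-tunnel pieces and for weak crypto choices."""
    intra = re.search(r"^same-security-traffic permit intra-interface$", config, re.M) is not None
    # On the hub the ACL *source* is the local side; "any" there pulls the
    # Internet-bound return traffic for the branch into the tunnel.
    acls = {acl: any(src in ANY for src, _ in parse_acl(config, acl))
            for acl in crypto_map_acls(config).values()}
    nat_exempt = re.search(
        r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", config, re.M) is not None
    hairpin = re.search(r"^[ \t]*nat \((\S+),\1\) dynamic", config, re.M) is not None

    weak = []
    for m in re.finditer(r"^[ \t]*(encryption|integrity|prf|group) (\S+)", config, re.M):
        kind, val = m[1], m[2].lower()
        if ((kind == "group" and val in WEAK_DH_GROUPS)
                or (kind in ("integrity", "prf") and val in WEAK_HASHES)
                or (kind == "encryption" and val in WEAK_CIPHERS)):
            weak.append(f"ikev2 policy: {kind} {val}")
    for m in re.finditer(r"^[ \t]*protocol esp (encryption|integrity) (\S+)", config, re.M):
        kind, val = m[1], m[2].lower()
        if (kind == "integrity" and val in WEAK_HASHES) or (kind == "encryption" and val in WEAK_CIPHERS):
            weak.append(f"ipsec-proposal: {kind} {val}")
    return HubFindings(intra, acls, nat_exempt, hairpin, weak)


if __name__ == "__main__":
    print(lint_hub(HQ_CONFIG))
```

Run it against a `show running-config` dump to get the same findings for a real hub; on the branch side the ACL test is mirrored (the destination, not the source, should be `any`), which `parse_acl` also handles since it returns both endpoints.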

Appreciate the response! Currently the end users are using Windows machines that are manually pointing back to the proxy here at HQ. Under the LAN settings (in what looks to be Internet Explorer) they have selected automatically detect settings. When that setting is checked, they are unable to reach the net at all. If I do an ip any/any on the firewall, the end user is able to reach the net and they get a public IP address when they type in what’s my IP.

I am still at a loss here. Looking back, I don’t believe I added the new ACL to the HQ firewall.

I’m working in my lab on some site-to-site VPN stuff and was wondering if someone could help me understand something…

My Setup is asa5505 <-> rtr2801 <-> rtr2911 <-> asa5505

I’m trying to verify that my IKEs are regenerating every 15 minutes… Below are some CLI outputs… Does this tell me that the life of the IKEs is 900 seconds and after the slash is time left… And Tunnel-id is the new tunnel with the new IKEs?

ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69714249           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/810 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
193031137           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/5 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
288927687           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/816 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
362523125           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/26 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#

Hello Aaron

Yes you are correct, this output tells us the following:

Life/Active Time is the total and active times of the IKEv2 tunnel
Tunnel-id is the unique identifier of the IKEv2 tunnel

You can find out more about this output at this command reference.

I hope this has been helpful!

Laz
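As an added example that is not part of the thread, the script below parses two of the `show crypto isakmp sa` snapshots posted above (copied inline as constructed sample input) and reports whether the IKEv2 SA rekeyed between them. Two details are worth knowing when reading that output. First, the value after the slash in `Life/Active Time` is the time the current IKE SA has been up, counting upward (810, then 5 after the new Tunnel-id appears, then 816), so the remaining lifetime is life minus active. Second, the ESP SPIs are identical in all four snapshots, which is expected: when an IKEv2 IKE SA is rekeyed, the existing Child SAs are inherited by the new IKE SA (RFC 7296, section 2.8), and the Child SA only rekeys on its own IPsec SA lifetime. The script keeps those two signals apart.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the first 'show crypto isakmp sa' output posted above.
SNAPSHOT_1 = """\
There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69714249           1.1.1.2/500           1.1.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 900/810 sec
Child sa: local selector  172.16.1.0/0 - 172.16.1.255/65535
          remote selector 192.168.1.0/0 - 192.168.1.255/65535
          ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
"""
# The second posted output differs only in Tunnel-id and active time.
SNAPSHOT_2 = SNAPSHOT_1.replace(" 69714249 ", "193031137 ").replace("900/810", "900/5")

ROW_RE = re.compile(
    r"^[ \t]*(?P<tid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<status>\S+)\s+(?P<role>\S+)[ \t]*$",
    re.M)
PROPS_RE = re.compile(r"Hash: (?P<hash>[^,]+), DH Grp:(?P<dh>\d+)")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+) sec")
SPI_RE = re.compile(r"ESP spi in/out:\s*0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)")


@dataclass(frozen=True)
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    role: str
    hash_alg: str
    dh_group: int
    life: int            # negotiated IKE SA lifetime in seconds
    active: int          # seconds this IKE SA has existed; counts up, restarts on rekey
    esp_spi_in: int
    esp_spi_out: int

    @property
    def remaining(self):
        """Seconds until this IKE SA reaches its lifetime."""
        return self.life - self.active


def parse_show_ikev2_sa(text):
    """Return one Ikev2Sa per Tunnel-id row of 'show crypto isakmp sa' / 'show crypto ikev2 sa'."""
    rows = list(ROW_RE.finditer(text))
    sas = []
    for n, m in enumerate(rows):
        end = rows[n + 1].start() if n + 1 < len(rows) else len(text)
        block = text[m.end():end]           # detail lines that belong to this row
        props, life, spi = PROPS_RE.search(block), LIFE_RE.search(block), SPI_RE.search(block)
        sas.append(Ikev2Sa(
            int(m["tid"]), m["local"], m["remote"], m["status"], m["role"],
            props["hash"], int(props["dh"]), int(life[1]), int(life[2]),
            int(spi[1], 16), int(spi[2], 16)))
    return sas


def rekey_report(before, after):
    """Compare the same peer's SA in two snapshots and say what actually rekeyed."""
    return {
        "ike_sa_rekeyed": after.tunnel_id != before.tunnel_id,   # new IKE SA => new Tunnel-id
        "active_time_reset": after.active < before.active,
        "child_sa_rekeyed": (after.esp_spi_in, after.esp_spi_out)
                            != (before.esp_spi_in, before.esp_spi_out),
        "lifetime_seconds": after.life,
        "remaining_before": before.remaining,
        "remaining_after": after.remaining,
    }


if __name__ == "__main__":
    before, = parse_show_ikev2_sa(SNAPSHOT_1)
    after, = parse_show_ikev2_sa(SNAPSHOT_2)
    print(rekey_report(before, after))
```

For a live check, capture the command output twice (more than the IKE lifetime apart) and feed both captures to `parse_show_ikev2_sa`; a changed Tunnel-id with unchanged ESP SPIs means only the IKE SA rekeyed, while new SPIs mean the Child SA rekeyed as well.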

yes - thank you very much…


Can anyone expand on the Remote Access VPN which includes tunneling of all traffic including internet traffic from the central site.

Hello Adrian

Take a look at the following post which should address your question.

I hope this has been helpful!

Laz

Site-to-site with 2 ASAs, having the remote site access the central site and the Internet from the central site. The remote site has a dynamic WAN IP, the central site a static IP.
Would like to use IKEv2.

Hi Adrian

Take a look at the post above.

Laz

Is there any consideration for Antonio’s topology, which has routers in between the two ASAs?
I am going LAN-HQ<>ASA-HQ<>Internet<>ASA-BR<>LAN-BR ?
Static IP at HQ and Dynamic IP at BR.

Hello Adrian

If I understand your question correctly, you are asking if there are any considerations for topologies that may have routers in between the two ASAs for site-to-site VPNs…

Well, it doesn’t really matter what exists between them as long as the two ASAs can find each other via correct routing. In your case, if you have a dynamic IP at the branch office, then you can see the solution described in this lesson.

I hope this has been helpful!

Laz

Hello,

If we have both IKEv1 and IKEv2 L2L tunnels in parallel with the same peer and the same SAs, what kind of issues could that cause, if any?