ASA 5512x and VPN ...cant get phase 1

davedoggydogg
Level 1

I've been trying for 2 days to get this VPN device to connect to a Juniper. I don't think ASDM is going to cut it; I am trying to use CLI commands. The setup is fairly simple, but Cisco changes too many commands and syntaxes... I am not pulling my hair out. My problem lies with the encryption and firewalling.

 

I don't know whether to use SHA1 or SHA-1 or SHA.

I also don't know whether to use AES256 or AES-256.

I also don't know whether to include ikev1.

 

CLI example:

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

or

 crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

 

I am using an

ASA 5512-X, ASA Version 9.1(2), with ASDM 7.1... At this point I prefer to use CLI commands as they seem more precise.

 

This is the VPN info I am trying to match:

Peer public IP: 222.222.222.222
Network: 192.1.1.0/23

My public IP: 111.111.111.111
Internal network: 10.10.10.0/24
ASA device IP: 10.10.10.50

VPN details
Main Mode
No Aggressive Mode
No PFS (perfect forward secrecy)

IKEv1 (Phase 1)

Pre-Shared Key: secrtetkey
Diffie-Hellman Group: Group 2
Encryption Alg: AES 256
Hash: SHA-1
Lifetime: 66600

IPsec/Phase 2:
Perfect Forward Secrecy: NONE
Encryption Alg: AES-256
Auth Alg: SHA-1
Lifetime: 2500


CLI config for this???
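
A complete IKEv1 site-to-site configuration for ASA 9.1 that matches the parameters listed above, added here as a worked example (it is not the original poster's config). The peer address, subnets, pre-shared key, algorithms and lifetimes are the ones given in the post; the object, access-list, transform-set, crypto map and policy names are assumptions. It also answers the naming question: on ASA 9.1 the IKEv1 policy hash keyword is `sha`, the ESP authentication transform is `esp-sha-hmac`, and the `ikev1` keyword is required in the transform-set and crypto map commands.

```cisco
! Phase 1 (IKEv1 / ISAKMP): main mode is the default; aggressive mode is not
! used for L2L tunnels with a static peer, so nothing needs disabling here.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 66600

! Phase 2 (IPsec) transform: AES-256 with SHA-1 HMAC
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Local and remote networks (10.10.10.0/24 and 192.1.1.0/23 from the post);
! object names are assumed
object network VPNLOCALSUBNET
 subnet 10.10.10.0 255.255.255.0
object network VPNREMOTESUBNET
 subnet 192.1.1.0 255.255.254.0

! Interesting traffic: what gets encrypted into the tunnel
access-list VPN_TO_JUNIPER extended permit ip object VPNLOCALSUBNET object VPNREMOTESUBNET

! NAT exemption (identity twice NAT). One rule is enough: manual NAT is
! bidirectional, so a mirrored (outside,inside) rule is not required.
nat (inside,outside) source static VPNLOCALSUBNET VPNLOCALSUBNET destination static VPNREMOTESUBNET VPNREMOTESUBNET no-proxy-arp route-lookup

! Crypto map entry: peer 222.222.222.222, Phase 2 lifetime 2500 s, no PFS
! (simply omit "set pfs"; the peer side has PFS disabled)
crypto map MAP-OUTSIDE 20 match address VPN_TO_JUNIPER
crypto map MAP-OUTSIDE 20 set peer 222.222.222.222
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime seconds 2500
crypto map MAP-OUTSIDE interface outside

! Pre-shared key for this peer (value from the post)
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
 ikev1 pre-shared-key secrtetkey
```

To check the result, send traffic from 10.10.10.0/24 toward 192.1.1.0/23 and run `show crypto ikev1 sa` (the peer should show `MM_ACTIVE`) and `show crypto ipsec sa peer 222.222.222.222` (encaps/decaps counters should increase). If Phase 1 still fails, `debug crypto ikev1 127` shows which proposal attribute the Juniper rejects; a mismatch in lifetime, DH group or hash is the usual cause.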


 

3 Replies

davedoggydogg
Level 1

Figured out how the SHA is written... examples:

crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime seconds 3600
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000

 

 

And to get it going, I had to add a few more lines for the firewall portion:

 

object network VPNLOCALSUBNET
 subnet 10.10.10.0 255.255.255.0

object network VPNREMOTESUBNET
 subnet 192.1.1.0 255.255.254.0

nat (inside,outside) source static VPNLOCALSUBNET VPNLOCALSUBNET destination static VPNREMOTESUBNET VPNREMOTESUBNET


nat (outside,inside) source static VPNREMOTESUBNET VPNREMOTESUBNET destination static VPNLOCALSUBNET VPNLOCALSUBNET

 

Up and going!!!

johnlloyd_13
Level 9

Hi,

You may want to go for IKEv2, which is the new flavor for site-to-site VPN.

Here are the CLI lines you'll need.

Just replace the options/IPs for your network.

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 86400


crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
 protocol esp encryption aes-256
 protocol esp integrity sha-1

access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0


crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside

crypto ikev2 enable outside

 

See helpful link:

http://ccnpsecuritywannabe.blogspot.com/2014/08/ikev2-ipsec-site-to-site-vpns.html
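
The IKEv2 lines above never configure peer authentication, so IKE_AUTH would fail; the tunnel-group that supplies the pre-shared keys is added here as an example, not as part of the reply's own config. The peer 200.1.1.2 is the one used above; the two key placeholders are assumptions to be replaced with the real values agreed with the remote side.

```cisco
! IKEv2 authenticates each direction separately: the key the peer must present
! and the key this ASA presents. Both placeholders are assumed values.
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <peer-key>
 ikev2 local-authentication pre-shared-key <local-key>
```

The NAT exemption for the two /16 networks in VPN_ACL is still needed exactly as for IKEv1. `show crypto ikev2 sa` then lists the SA once the first interesting packet triggers negotiation.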

Thanks, but the other side is set in stone as far as using v1; I guess they don't want to redo their config, so I'm just using what they are using.
