12-04-2014 08:32 AM - edited 03-11-2019 10:11 PM
I've been trying for 2 days to get this VPN device to connect to a Juniper. I don't think ASDM is going to cut it, so I am trying to use CLI commands. The setup is fairly simple, but Cisco changes too many commands and syntaxes... I am not pulling my hair out. My problem lies with the encryption and firewalling.
I don't know whether to use SHA1 or SHA-1 or SHA.
I also don't know whether to use AES256 or AES-256.
I also don't know whether to include the ikev1.
CLI example:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
or
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
I am using an ASA 5512-X, ASA Version 9.1(2) with ASDM 7.1 .... At this point I prefer to use CLI commands as they seem more precise.
This is the VPN info I am trying to match:
Peer public ip : 222.222.222.222
Network: 192.1.1.0/23
My public ip: 111.111.111.111
internal network: 10.10.10.0/24
ASA Device IP: 10.10.10.50
VPN details
Main Mode
No Aggressive Mode
No PFS (perfect forward secrecy)
IKEv1 (Phase1)
Pre Shared Key : secrtetkey
Diffie-Hellman Group : Group 2
Encryp Alg : AES 256
Hash: Sha-1
Lifetime: 66600
IPSEC/Phase2:
Perfect Forward Secrecy: NONE
Encryp Alg : AES-256
Auth Alg : Sha-1
Lifetime: 2500
CLI config for this???
12-04-2014 11:54 AM
Figured out how the SHA is written... examples:
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime seconds 3600
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
And to get it going, I had to add a few more lines for the firewall portion:
object network VPNLOCALSUBNET
object network VPNREMOTESUBNET
nat (inside,outside) source static VPNLOCALSUBNET VPNLOCALSUBNET destination static VPNREMOTESUBNET VPNREMOTESUBNET
nat (outside,inside) source static VPNREMOTESUBNET VPNREMOTESUBNET destination static VPNLOCALSUBNET VPNLOCALSUBNET
up and going!!!
12-04-2014 07:40 PM
Hi,
You may want to go for IKEv2, which is the new flavor for site-to-site VPN.
Here are the CLI lines you'll need.
Just replace the options/IPs for your network.
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal S2S_VPN_IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-1
access-list VPN_ACL extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
crypto map S2S_VPN_MAP 1 match address VPN_ACL
crypto map S2S_VPN_MAP 1 set peer 200.1.1.2
crypto map S2S_VPN_MAP 1 set ikev2 ipsec-proposal S2S_VPN_IKEv2
crypto map S2S_VPN_MAP interface outside
crypto ikev2 enable outside
See this helpful link:
http://ccnpsecuritywannabe.blogspot.com/2014/08/ikev2-ipsec-site-to-site-vpns.html
12-05-2014 07:32 AM
Thanks, but the other side is set in stone as far as using v1; I guess they don't want to redo their config, so I'm just using what they are using.