I have an on-prem Cisco ASA and 2x Cisco CSRs in AWS. I'm trying to set up a VPN tunnel between those devices.
Some requirements:
- IP addresses between the tunnel endpoints must be assigned via DHCP (i.e. I don't want to specify the IP addresses... they should be picked up automatically)
- Phase 1:
  - AES-256-CBC
  - SHA-384
  - Pre-shared key
  - Group 24
  - Lifetime 14400 seconds
- Phase 2:
  - ESP
  - Mode: tunnel
  - IPsec encryption: AES-256-CBC
  - Authentication: SHA-384
  - PFS: yes
  - NAT-T: enabled
  - Group 24
  - Lifetime 3600 seconds
I am able to create the tunnel on the CSR via the CLI, but on the ASA (using ASDM) I can't get it to work. It would be great if you guys could help with the ASA commands (not ASDM). Just keep in mind that there are existing VPN connections on the ASA, so the configs you send must not overwrite those VPN connections, as this is a production ASA.
CSR commands:
crypto ikev2 proposal VPN_TEST_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha384
 group 5
!
crypto ikev2 policy VPN_TEST_IKEV2_POLICY
 match fvrf any
 proposal VPN_TEST_IKEV2_PROPOSAL
!
crypto ikev2 keyring VPN_TEST_KEY
 peer TEST_DC
  address 200.200.200.1
  pre-shared-key MySecretKey
!
crypto ikev2 profile VPN_TEST_IKEV2_PROFILE
 match address local interface GigabitEthernet1
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_TEST_KEY
 lifetime 36000
 dpd 60 5 periodic
!
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set VPN_TEST_TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VPN_TEST_VTI
 set security-association lifetime seconds 3600
 set transform-set VPN_TEST_TS
 set pfs group24
 set ikev2-profile VPN_TEST_IKEV2_PROFILE
!
interface Tunnel6
 ip address 169.254.0.57 255.255.255.252   <-- I do not know how to specify dynamic IP here
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1   <-- "outside" ethernet
 tunnel mode ipsec ipv4
 tunnel destination 200.200.200.1
 tunnel protection ipsec profile VPN_TEST_VTI
!
ip route 192.168.100.0 255.255.255.0 Tunnel6   <-- remote network
end
That VPN config works between two Cisco CSRs, but it doesn't work between one CSR and one ASA.
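An ASA-side IKEv2 VTI configuration matching the Phase 1 / Phase 2 requirements listed in the post, as an added example that is not part of the original post. It assumes the ASA's WAN interface is named "outside", a release with IKEv2 VTI support, a static /30 mirroring the CSR's Tunnel6 (169.254.0.58 on the ASA), and placeholders CSR_PUBLIC_IP, AWS_VPC_PREFIX and AWS_VPC_MASK for values the post does not give; object names and the Tunnel1 number are likewise assumptions. Note that the CSR config as posted proposes group 5 for IKEv2 and esp-sha-hmac (SHA-1) for ESP, while the requirements say group 24 and SHA-384; the example follows the requirements, so the CSR proposal and transform-set need to be aligned to them or the two sides will not agree on a proposal.

```cisco
! Added example (not from the post). Unique names and a new tunnel-group so
! existing L2L tunnels on the production ASA are left untouched. Pick an IKEv2
! policy priority not already in use (check: show running-config crypto ikev2).
crypto ikev2 policy 50
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 14400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal VPN_TEST_IKEV2_PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-384
!
crypto ipsec profile VPN_TEST_VTI
 set ikev2 ipsec-proposal VPN_TEST_IKEV2_PROP
 set pfs group24
 set security-association lifetime seconds 3600
!
! Key the tunnel-group on the CSR's public (Elastic) IP: the CSR sits behind
! AWS 1:1 NAT, so IKE arrives NAT-traversed from that address. Keepalive
! values mirror the CSR's "dpd 60 5 periodic".
tunnel-group CSR_PUBLIC_IP type ipsec-l2l
tunnel-group CSR_PUBLIC_IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key MySecretKey
 ikev2 local-authentication pre-shared-key MySecretKey
 isakmp keepalive threshold 60 retry 5
!
interface Tunnel1
 nameif VPN_TEST
 ip address 169.254.0.58 255.255.255.252
 tunnel source interface outside
 tunnel destination CSR_PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TEST_VTI
!
! Route the AWS-side prefix over the VTI; next hop is the CSR's Tunnel6 address.
route VPN_TEST AWS_VPC_PREFIX AWS_VPC_MASK 169.254.0.57
```

Existing NAT rules may still need an exemption for traffic between the on-prem networks and the AWS prefix, and the 169.254.0.56/30 pair must not collide with link-local addressing already in use on either side.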