S2S VPN Between Cisco CSR 1000V and Cisco ASA

mthomaz
Level 1

I have an on-prem Cisco ASA and 2x Cisco VSRs in AWS. I'm trying to set up a VPN tunnel between those devices.

Some requirements:

  • IP addresses between tunnels must be via DHCP (i.e. I don't want to specify the IP addresses... it should pick up automatically)
  • Phase 1:
    • AES-256-CBC
    • SHA-384
    • Pre-share
    • Group 24
    • Lifetime 14400 seconds
  • Phase 2:
    • ESP
    • Mode Tunnel
    • Ipsec encryption AES-256-CBC
    • Authentication sha-384
    • PFS yes
    • NAT-T enable
    • group 24
    • 3600 seconds

I am able to create the tunnel on the CSR via CLI, but on the ASA I'm trying and it doesn't work (using ASDM). It would be great if you guys could help with the ASA commands (not ASDM). Just have in mind that there are existing VPN connections on the ASA, so the configs you send must not overwrite those VPN connections, as this is a production ASA.

CSR commands:

! Phase 1 (IKEv2). DH group changed from "group 5" to "group 24" and the
! SA lifetime from 36000 to 14400 to match the Phase 1 requirements listed above.
crypto ikev2 proposal VPN_TEST_IKEV2_PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha384
 group 24
!
crypto ikev2 policy VPN_TEST_IKEV2_POLICY
 match fvrf any
 proposal VPN_TEST_IKEV2_PROPOSAL
!
crypto ikev2 keyring VPN_TEST_KEY
 peer TEST_DC
  address 200.200.200.1
  pre-shared-key MySecretKey
!
crypto ikev2 profile VPN_TEST_IKEV2_PROFILE
 match address local interface GigabitEthernet1
 match identity remote any
 authentication local pre-share
 authentication remote pre-share
 keyring local VPN_TEST_KEY
 lifetime 14400
 dpd 60 5 periodic
!
! Phase 2 (IPsec). ESP integrity changed from esp-sha-hmac (SHA-1) to
! esp-sha384-hmac to match the "Authentication sha-384" requirement above.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set VPN_TEST_TS esp-aes 256 esp-sha384-hmac
 mode tunnel
!
crypto ipsec profile VPN_TEST_VTI
 set security-association lifetime seconds 3600
 set transform-set VPN_TEST_TS
 set pfs group24
 set ikev2-profile VPN_TEST_IKEV2_PROFILE
!
! Route-based VTI towards the ASA
interface Tunnel6
 ip address 169.254.0.57 255.255.255.252 <-- I do not know how to specify dynamic IP here
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1 <-- "outside" ethernet
 tunnel mode ipsec ipv4
 tunnel destination 200.200.200.1
 tunnel protection ipsec profile VPN_TEST_VTI
!
ip route 192.168.100.0 255.255.255.0 Tunnel6 <-- remote network
end

That VPN config works between 2x Cisco CSRs, but it doesn't work between 1x CSR and 1x ASA.
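The following ASA-side configuration is an added example, not part of the original post and not from Cisco or the poster. It is the route-based (VTI) counterpart of the CSR configuration above, built to the same Phase 1 / Phase 2 parameters, and it only adds new objects so that existing tunnels on the ASA are left untouched. Assumptions: the ASA runs 9.8 or later (VTI with IKEv2), its Internet-facing interface is named "outside" and holds 200.200.200.1, IKEv2 policy priority 200 and tunnel number 6 are unused, `<CSR_PUBLIC_IP>` is a placeholder for the CSR's public address, and 10.0.0.0/16 is a placeholder for the AWS-side network.

```text
! --- Check first, so nothing here collides with the production config ---
! show version                         -> needs 9.8 or later for IKEv2 VTI
! show run crypto ikev2                -> confirm policy priority 200 is free
! show run tunnel-group                -> no existing group for <CSR_PUBLIC_IP>
! show run interface | include Tunnel  -> confirm Tunnel6 is free

! Phase 1: IKEv2 policy matching the CSR proposal (AES-256-CBC, SHA-384, group 24, 14400 s)
crypto ikev2 policy 200
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 14400
!
! Re-issuing these is harmless if they are already present
crypto ikev2 enable outside
crypto isakmp nat-traversal 20
!
! Phase 2: ESP AES-256-CBC / SHA-384, PFS group 24, 3600 s (matches VPN_TEST_TS on the CSR)
crypto ipsec ikev2 ipsec-proposal VPN_TEST_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-384
!
crypto ipsec profile VPN_TEST_PROFILE
 set ikev2 ipsec-proposal VPN_TEST_PROPOSAL
 set pfs group24
 set security-association lifetime seconds 3600
!
! Peer and pre-shared key; <CSR_PUBLIC_IP> is a placeholder for the CSR's public address
tunnel-group <CSR_PUBLIC_IP> type ipsec-l2l
tunnel-group <CSR_PUBLIC_IP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key MySecretKey
 ikev2 local-authentication pre-shared-key MySecretKey
!
! VTI: the other end of the 169.254.0.56/30 link the CSR's Tunnel6 uses
interface Tunnel6
 nameif VPN_TEST
 ip address 169.254.0.58 255.255.255.252
 tunnel source interface outside
 tunnel destination <CSR_PUBLIC_IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_TEST_PROFILE
!
! Static route for the AWS-side network (10.0.0.0/16 is a placeholder) via the CSR's tunnel address
route VPN_TEST 10.0.0.0 255.255.0.0 169.254.0.57
```

A crypto-map (policy-based) configuration on the ASA is not a drop-in peer for a CSR VTI: the CSR side proposes 0.0.0.0/0 traffic selectors, so a crypto map whose ACL lists specific subnets will not agree on Phase 2 even when Phase 1 completes. Using a VTI on both ends avoids that mismatch. To see which phase fails after applying the configuration, use `show crypto ikev2 sa` and `show crypto ipsec sa` on the ASA, and `show crypto ikev2 sa detailed` on the CSR; a Phase 1 failure usually points at the policy parameters or the pre-shared key, a Phase 2 failure at the proposal, PFS group or traffic selectors.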
