Michael Muenz

Symptom

You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.

Problem

FlexVPN/DMVPN would solve this, but central IOS routers are expensive and offer only a limited HA solution. You would also need an HSEC license to go beyond 85 Mbit and 225 tunnels. And firewall management via the CLI is a mess.

If the branches have dynamic IPs (e.g. 4G uplinks) and you don't want to deploy certificates, you have to use PSKs. The downside is that, with dynamic peer addresses, the ASA can only match unknown peers to DefaultL2LGroup, so every site would have to share the same PSK. To avoid this, we create one IKEv2 tunnel group per site and set the IKE identity (key-id) on each client to the name of its tunnel group, so the ASA selects that tunnel group and its own PSK.

Proposal

The ASA (especially the 5515-X) is quite affordable and handles many tunnels with high throughput. It also offers very good HA with Active/Standby failover, including stateful IPsec failover. On the downside, it doesn't support FlexVPN, so the configuration on the routers is quite large.

On the client side we use 880 series branch routers, which support all the needed features.

Solution

On the ASA we configure the following (only the crypto parts):

Specify the subnets:

access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET

Set up a new proposal:

crypto ipsec ikev2 ipsec-proposal AES256-SHA1-256
protocol esp encryption aes-256
protocol esp integrity sha-256 sha-1

Tunnel group (its name must match the key-id the client sends as its IKE identity):

tunnel-group dynamicvpn1 type ipsec-l2l
tunnel-group dynamicvpn1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Crypto map:

crypto dynamic-map dynamicvpn1 1 match address outside_cryptomap
crypto dynamic-map dynamicvpn1 1 set pfs group5
crypto dynamic-map dynamicvpn1 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn1 1 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic dynamicvpn1

Enable it:

crypto map outside_map interface outside
crypto ikev2 enable outside
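As an added example (not from the original post, and not a feature of the ASA), a small Python audit over an ASA running-config that checks for the two PSK weaknesses the per-tunnel-group design above is meant to avoid: a PSK left on DefaultL2LGroup, and the same remote PSK reused across named tunnel groups. The sample config and key values are constructed; reading the keys in clear text requires "more system:running-config", since "show running-config" masks them as *****.

```python
import re
from collections import defaultdict
# Constructed sample in the form 'more system:running-config' prints it
# (PSKs in clear text rather than *****); not from the original post.
SAMPLE_CONFIG = """
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key sharedkey123
 ikev2 local-authentication pre-shared-key sharedkey123
tunnel-group dynamicvpn1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key site1-remote-key
 ikev2 local-authentication pre-shared-key site1-local-key
tunnel-group dynamicvpn2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key site1-remote-key
 ikev2 local-authentication pre-shared-key site2-local-key
"""
GROUP_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes")
PSK_RE = re.compile(r"^\s+ikev2 (remote|local)-authentication pre-shared-key (\S+)")

def parse_ikev2_psks(config):
    """Map each tunnel-group to its IKEv2 PSKs: {group: {'remote': k, 'local': k}}."""
    psks = defaultdict(dict)
    group = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group = m.group(1)  # entering an ipsec-attributes block
        elif line and not line.startswith(" "):
            group = None  # any other top-level command ends the block
        elif group:
            m = PSK_RE.match(line)
            if m:
                psks[group][m.group(1)] = m.group(2)
    return dict(psks)

def audit(config):
    """Flag the two weaknesses the per-tunnel-group design is meant to avoid."""
    findings = []
    psks = parse_ikev2_psks(config)
    # A PSK on DefaultL2LGroup is the shared key every unmatched dynamic peer may use.
    if "DefaultL2LGroup" in psks:
        findings.append("DefaultL2LGroup carries an IKEv2 PSK shared by all unmatched peers")
    # The same remote PSK on several named groups defeats the per-site split.
    by_key = defaultdict(list)
    for group, keys in psks.items():
        if "remote" in keys:
            by_key[keys["remote"]].append(group)
    for groups in by_key.values():
        if len(groups) > 1:
            findings.append("remote PSK reused by tunnel-groups: " + ", ".join(sorted(groups)))
    return findings
```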

On the client side we configure the following (again only the crypto parts):

Proposals:

crypto ikev2 proposal proposal1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256 sha1
group 14 5

crypto ikev2 policy policy1
proposal proposal1

Key:

crypto ikev2 keyring kyr1
peer peer1
address ASA-IP
pre-shared-key local ******
pre-shared-key remote ******

Profile:

crypto ikev2 profile profile1
match identity remote address ASA-IP 255.255.255.255
identity local key-id dynamicvpn1
authentication local pre-share
authentication remote pre-share
keyring local kyr1

Transform set (Phase 2 proposal; note that esp-aes/esp-sha-hmac is AES-128 with SHA-1, which matches the default AES proposal listed in the ASA dynamic map rather than AES256-SHA1-256):

crypto ipsec transform-set trans esp-aes esp-sha-hmac
mode tunnel

Crypto map:

crypto map cmap 1 ipsec-isakmp
set peer ASA-IP
set transform-set trans
set ikev2-profile profile1
match address vpnlist

ACL:

ip access-list extended vpnlist
permit ip OUT-NET 0.0.0.255 REMOTE-NET 0.0.0.255

Bind it to the outside interface:

interface Gi0
crypto map cmap

Now you can check the connection with:

ping remote-ip source Vlan1

P.S.: Don't be too harsh if you find any errors; this is my first post to give something back to the community :)

P.P.S.: This also works with a Juniper SSG5 as client!
