cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

IKEv2: Central hub ASA with multiple IOS spokes/clients (dynamic IP)

2478
Views
0
Helpful
10
Comments
Contributor

Symptom

You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.

Problem

FlexVPN/DMVPN would solve this but central IOS routers cost plenty of money and offer only a limited HA solution. You would need a HSEC license if you want to go for over 85Mbit and 225 tunnels. Also firewall management via CLI is a mess.

If you have dynamic IPs (e.g. with 4G) and don't want to go for certificates, you have to use PSK. The downside is that every PSK has to be the same via DefaultL2LGroup. To avoid this, we create IKEv2 tunnel groups and set the isakmp ID on the clients to the name of the tunnel group.

Proposal

The ASA (esp. 5515-X) is quite affordable, handling multiple tunnels with high throughput. Also it offers really good HA with Active/Standby failover including stateful IPSEC failover. On the downside it doesn't support FlexVPN, so the config part on the routers is quite big. 

On the client side we use 880 Branch Routers which support all needed features. 

Solution

On the ASA we configure the following (only crypto parts)

Specify the subnets:

access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET

Set up a new proposal:

crypto ipsec ikev2 ipsec-proposal AES256-SHA1-256
protocol esp encryption aes-256
protocol esp integrity sha-256 sha-1

Tunnelgroup:

tunnel-group dynamicvpn1 type ipsec-l2l
tunnel-group dynamicvpn1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

Crypto map:

crypto dynamic-map dynamicvpn1 1 match address outside_cryptomap
crypto dynamic-map dynamicvpn1 1 set pfs group5
crypto dynamic-map dynamicvpn1 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn1 1 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic dynamicvpn1

Enable it:

crypto map outside_map interface outside
crypto ikev2 enable outside

On the client side (also only crypto parts)

Proposals:

crypto ikev2 proposal proposal1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256 sha1
group 14 5

crypto ikev2 policy policy1
proposal proposal1

Key:

crypto ikev2 keyring kyr1
peer peer1
address ASA-IP
pre-shared-key local ******
pre-shared-key remote ******

Profile:

crypto ikev2 profile profile1
match identity remote address ASA-IP 255.255.255.255
identity local key-id dynamicvpn1
authentication local pre-share
authentication remote pre-share
keyring local kyr1

Transform set (Phase2 Proposal):

crypto ipsec transform-set trans esp-aes esp-sha-hmac
mode tunnel

Crypto map:

 crypto map cmap 1 ipsec-isakmp
set peer ASA-IP
set transform-set trans
set ikev2-profile profile1
match address vpnlist

ACL:

ip access-list extended vpnlist
permit ip OUT-NET 0.0.0.255 REMOTE-NET 0.0.0.255

Bind it to the outside interface

interface Gi0
crypto map cmap

Now you can check the connection with

ping remote-ip source Vlan1

References

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

http://priority-zero.blogspot.de/2013/10/cisco-asa-to-juniper-ssg-ikev2-ipsec.html

http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html

https://myitmicroblog.svbtle.com/ikev2-vpn-s2s-ios-and-asa

P.S.: Don't be to harsh if you find any errors, this is my first post to give something back to the community :)

P.P.S.: This also work with a Juniper SSG5 as client!

10 Comments
Frequent Contributor

If I have multiple sites  do I have to do something like:

tunnel-group dynamicvpn2 type ipsec-l2l
tunnel-group dynamicvpn2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group dynamicvpn3 type ipsec-l2l
tunnel-group dynamicvpn3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

crypto dynamic-map dynamicvpn2 1 match address outside_cryptomap2
crypto dynamic-map dynamicvpn2 1 set pfs group5
crypto dynamic-map dynamicvpn2 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn2 1 set reverse-route

crypto dynamic-map dynamicvpn3 1 match address outside_cryptomap3
crypto dynamic-map dynamicvpn3 1 set pfs group5
crypto dynamic-map dynamicvpn3 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn3 1 set reverse-route
crypto map outside_map 2 ipsec-isakmp dynamic dynamicvpn2
Crypto map outside_map 3 ipsec-isakmp dynamic dynamicvpn3
 
Contributor
crypto dynamic-map dynamicvpn2 2 match address outside_cryptomap2
crypto dynamic-map dynamicvpn2 2 set pfs group5
crypto dynamic-map dynamicvpn2 2 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn2 2 set reverse-route
crypto dynamic-map dynamicvpn3 3 match address outside_cryptomap3
crypto dynamic-map dynamicvpn3 3 set pfs group5
crypto dynamic-map dynamicvpn3 3 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn3 3 set reverse-route
crypto map outside_map 2 ipsec-isakmp dynamic dynamicvpn2
Crypto map outside_map 3 ipsec-isakmp dynamic dynamicvpn3

It should look like this.

Contributor

Triple WAN failover:

https://supportforums.cisco.com/blog/13030756/ikev2-triple-wan-failover-between-ios-spoke-and-asa-hub

Thanks for posting this Michael, very nice! 

I have a similar situation (c881 routers) and was looking to migrate them off the defaultl2l policy.  I'll definitely try this sometime this week.  Have you tried this on IOS 9.8 with a VTI or heard of anyone using that IOS in production yet?

Thanks,

Andrew

Contributor

No, didn't try it yet since I don't need the features it offers to me. 

If you do, please come back with a short review!

Beginner

How monitoring this spokes if they have dynamic IP???

Contributor

You can ping the LAN IPs of the spokes to monitor them.

I do this via smokeping to also visualize latency.

Beginner

Hi - I have a question.  HUB ASA is configured using dynamic crypto-map, why do you need to match the "interesting traffic access list"using below two lines?  Assuming split-tunnel-acl or vpn filter is not required on spoke site.

crypto dynamic-map dynamicvpn2 2 match address outside_cryptomap2

crypto dynamic-map dynamicvpn2 2 match address outside_cryptomap3

 

If matching interesting traffic is not needed, then we should able to "re-use" the same crypto dynamic-map for all spoke sites, assuming, all spoke sites are using the same pfs and ikev2 ipsec-proposal settings as shown below.  Am I right?

 

crypto dynamic-map dynamicvpn 1 set pfs group5
crypto dynamic-map dynamicvpn 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn 1 set reverse-route  

 

 

Thanks

Contributor

When you use for every client/branch a separate group you can set different keys and different restrictions (like ACLs). Surely you can use only one without identification, but then every client must use the same PSK, then this scenario can easiy be done with standard IKEv1.

Beginner

Thanks for your response Michael.  I appreciated.

 

I understand the benefit of using separate group and different settings to provide a more granular level but in my case, I don't need that.  Currently,  I am using same crypto dynamic-map for all spoke sites in IKEv1, I would like to migrate them to IKEv2 and just want to clarify it will behavior the same with no conflict in IKEv2 without using the proxy acl in hub site.