Symptom
You need an affordable solution to connect multiple locations with dynamic IPs to a central VPN server.
Problem
FlexVPN/DMVPN would solve this, but central IOS routers cost plenty of money and offer only a limited HA solution. You would need an HSEC license if you want to go over 85 Mbit/s of crypto throughput and 225 tunnels. Also, firewall management via CLI is a mess.
If you have dynamic IPs (e.g. with 4G) and don't want to go for certificates, you have to use PSK. The downside is that the ASA puts a peer whose IP it does not know in advance into the DefaultL2LGroup, so every site would have to use the same PSK. To avoid this, we create one IKEv2 tunnel group per site and set the IKEv2 identity (key-id) on the clients to the name of the tunnel group; the ASA selects the tunnel group, and with it the PSK, from the identity the client presents in IKE_AUTH.
Proposal
The ASA (esp. the 5515-X) is quite affordable and handles many tunnels with high throughput. It also offers really good HA with Active/Standby failover, including stateful IPsec failover. On the downside it doesn't support FlexVPN, so the config part on the routers is quite big.
On the client side we use 880 series branch routers, which support all needed features.
Solution
On the ASA we configure the following (only the crypto parts; the IKEv2 policy, crypto ikev2 policy, is not shown here and must overlap with the router proposal below in encryption, integrity, PRF and DH group)
Specify the subnets (OUR-NET is the network behind the ASA, CLIENT-NET the one behind the branch router; the router's crypto ACL is the mirror image of this):
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
Set up a new proposal:
crypto ipsec ikev2 ipsec-proposal AES256-SHA1-256
protocol esp encryption aes-256
protocol esp integrity sha-256 sha-1
Tunnel group (its name is the IKEv2 key-id the router presents; the keys are asymmetric, the ASA's remote key is the router's local key and vice versa):
tunnel-group dynamicvpn1 type ipsec-l2l
tunnel-group dynamicvpn1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Crypto map (set pfs requires the router to offer the same DH group on CREATE_CHILD_SA rekeys, so add a matching set pfs to the router crypto map; group 5 is 1536-bit MODP and weak by today's standards, prefer group 14 on both sides where the release allows it; the trailing AES256 AES192 AES entries are the ASA's default proposals with SHA-1/MD5 integrity):
crypto dynamic-map dynamicvpn1 1 match address outside_cryptomap
crypto dynamic-map dynamicvpn1 1 set pfs group5
crypto dynamic-map dynamicvpn1 1 set ikev2 ipsec-proposal AES256-SHA1-256 AES256 AES192 AES
crypto dynamic-map dynamicvpn1 1 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic dynamicvpn1
Enable it:
crypto map outside_map interface outside
crypto ikev2 enable outside
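The post shows only one tunnel group and leaves out the ASA's IKEv2 policy, which is exactly what the router proposal has to match. The following is an added example, not config from the original post: it completes the ASA side with that policy and adds a second site to show how the key-id selects the PSK. The policy number, the second tunnel-group name dynamicvpn2, the object CLIENT2-NET, the key placeholders, the dynamic-map name dynamicvpn and the use of DH group 14 (which assumes a 9.x release that offers it; the router proposal also lists group 5 as fallback) are all assumptions.

```cisco
! IKEv2 policy (phase 1). Must overlap with the router's "crypto ikev2 proposal":
! aes-256 / sha256 / group 14 all appear there, and IOS uses the integrity
! algorithms as PRF when no prf is configured, so prf sha256 matches as well.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
! One ACE per site. All dynamic peers share the single dynamic-map entry; the ASA
! matches the traffic selectors each peer proposes against this ACL.
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT-NET
access-list outside_cryptomap extended permit ip object OUR-NET object CLIENT2-NET
!
! One tunnel group per site. The group name is the IKEv2 key-id the router sends
! ("identity local key-id dynamicvpn1"); a peer presenting an unknown key-id lands
! in DefaultL2LGroup instead, so leave that group without a PSK.
! "remote-authentication" is the router's "pre-shared-key local" and vice versa.
tunnel-group dynamicvpn1 type ipsec-l2l
tunnel-group dynamicvpn1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key SITE1-ROUTER-KEY
 ikev2 local-authentication pre-shared-key SITE1-ASA-KEY
!
tunnel-group dynamicvpn2 type ipsec-l2l
tunnel-group dynamicvpn2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key SITE2-ROUTER-KEY
 ikev2 local-authentication pre-shared-key SITE2-ASA-KEY
!
! Phase 2: only the named proposal, no default AES/SHA-1 fallbacks, so a router
! whose transform set offers just AES-128/SHA-1 fails loudly instead of
! negotiating down. PFS group 14 needs "set pfs group14" on the router map too.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto dynamic-map dynamicvpn 1 match address outside_cryptomap
crypto dynamic-map dynamicvpn 1 set pfs group14
crypto dynamic-map dynamicvpn 1 set ikev2 ipsec-proposal AES256-SHA256
crypto dynamic-map dynamicvpn 1 set reverse-route
! The dynamic entry gets the highest sequence number so any static peers
! added later are matched first.
crypto map outside_map 65535 ipsec-isakmp dynamic dynamicvpn
crypto map outside_map interface outside
crypto ikev2 enable outside
```

Every additional site is then just another tunnel group plus another ACE; the router at that site only changes its key-id and its two keys.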
On the client side (also only crypto parts)
Proposals (group 14 is listed first and preferred, group 5 is only a fallback for ASA code that does not offer 14):
crypto ikev2 proposal proposal1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256 sha1
group 14 5
crypto ikev2 policy policy1
proposal proposal1
Key (the local key here must equal the ASA's ikev2 remote-authentication key, the remote key the ASA's ikev2 local-authentication key):
crypto ikev2 keyring kyr1
peer peer1
address ASA-IP
pre-shared-key local ******
pre-shared-key remote ******
Profile (the key-id is what selects the tunnel group on the ASA; the ASA is identified by its address):
crypto ikev2 profile profile1
match identity remote address ASA-IP 255.255.255.255
identity local key-id dynamicvpn1
authentication local pre-share
authentication remote pre-share
keyring local kyr1
Transform set (Phase 2 proposal). Note that esp-aes alone means AES-128 and esp-sha-hmac is SHA-1, so this matches the ASA's default AES proposal rather than AES256-SHA1-256; use esp-aes 256 with esp-sha256-hmac if AES-256/SHA-256 is what you want:
crypto ipsec transform-set trans esp-aes esp-sha-hmac
mode tunnel
Crypto map:
crypto map cmap 1 ipsec-isakmp
set peer ASA-IP
set transform-set trans
set ikev2-profile profile1
match address vpnlist
ACL (the mirror image of the ASA's outside_cryptomap: the branch network first, the central network second):
ip access-list extended vpnlist
permit ip CLIENT-NET 0.0.0.255 OUR-NET 0.0.0.255
Bind it to the outside interface
interface Gi0
crypto map cmap
Now you can check the connection with a ping sourced from the inside interface, so that the traffic matches the crypto ACL (a ping from the WAN address would not bring the tunnel up):
ping remote-ip source Vlan1
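A ping only shows that something came up. As an added example that is not part of the original post, the block below first tightens the two router settings that otherwise let the negotiation fall back to AES-128/SHA-1 without PFS (the transform set and a set pfs in the crypto map; these are assumed changes to the page's config, and group 14 assumes the ASA offers it), and then lists the show and debug commands on both sides that confirm which algorithms, tunnel group and routes were actually negotiated. CLIENT-IP stands for the branch router's current public address. Output is not reproduced because it varies by release; debugs are verbose and should be switched off again on a busy box.

```cisco
! --- Branch router (IOS), configure terminal ---
! esp-aes alone is AES-128; ask for AES-256/SHA-256 so the ASA's named proposal
! matches, and request PFS so CREATE_CHILD_SA rekeys do a fresh DH exchange.
crypto ipsec transform-set trans esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map cmap 1 ipsec-isakmp
 set pfs group14
!
! --- Branch router (IOS), exec ---
! IKE SA with local/remote identities (the local one must show the key-id),
! negotiated algorithms and lifetime; Status must be READY.
show crypto ikev2 sa detailed
! One session per peer with its child SAs and the traffic selectors underneath.
show crypto ikev2 session detailed
! #pkts encaps and #pkts decaps must both increase while the ping runs; only
! encaps rising means the ASA is dropping or not encrypting the return traffic.
show crypto ipsec sa peer ASA-IP
! Authentication failures here mean a PSK mismatch or a key-id the ASA does not know.
debug crypto ikev2
debug crypto ikev2 error
!
! --- ASA, exec ---
! IKE SA per peer with DH group and role (the ASA is always the responder here).
show crypto ikev2 sa detail
! Per-peer IPsec SAs with the selected proposal and counters.
show crypto ipsec sa peer CLIENT-IP
! All active site-to-site peers with protocol and ciphers.
show vpn-sessiondb l2l
! Reverse-route injection must have installed a route to the branch network.
show route | include CLIENT-NET
! A failed IKE_AUTH here means a wrong PSK, or a key-id that matched no tunnel
! group so the peer fell into DefaultL2LGroup.
debug crypto ikev2 protocol 127
undebug all
```

The ordering matters when you troubleshoot: if the IKE SA is READY but the IPsec SA never appears, the mismatch is in the transform set or PFS group; if the IKE SA never reaches READY, it is the IKEv2 policy, the key-id or the PSK pair.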
References
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
http://priority-zero.blogspot.de/2013/10/cisco-asa-to-juniper-ssg-ikev2-ipsec.html
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html
https://myitmicroblog.svbtle.com/ikev2-vpn-s2s-ios-and-asa
P.S.: Don't be too harsh if you find any errors, this is my first post to give something back to the community :)
P.P.S.: This also works with a Juniper SSG5 as client!