The goal is to put all the pieces of IPsec VPN creation together in a platform-independent manner and show how to configure each piece on IOS and ASA.

 

We will use this Topology:

 

10.1.1.0/24------- (in)ASA(out) ----------------Gig0/0 Router------20.1.1.0/24
                                             10.2.2.1              10.2.2.2    
                                                     >>>IPSec<<<

 

VPN Anatomy:


IKEv1

  •     Phase 1 - Encrypts Phase 2 negotiations

         > Protocol Suite - Policy Set
         > Phase-1 Authentication Material
         > Phase-1 Keepalives

  •     Phase 2 - Encrypts Data

         > Protocol Suite - Transform Set
         > Interesting traffic - Pair of Subnets
         > PFS - Perfect Forward secrecy
         > Lifetime Settings


Phase 1


A single bidirectional SA is created between the VPN peers; it serves as the control channel for:


>  Phase-1 keepalives
>  DH-Key Calculation
>  Phase-2 SA creation and rekey

 

Phase-1 Protocol Suite


Protocol Suite contains 5 fields:

 

  •     Authentication Method
  •     Encryption Algorithm
  •     Hashing Algorithm
  •     Diffie-Hellman Group
  •     Lifetime in Seconds

 


ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1200

IOS:
crypto isakmp policy 10
encr 3des
!hash sha   <<< Not visible since it is default
authentication pre-share
group 2
lifetime 1200


Defaults:


ASA:
#show run crypto isakmp
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

IOS:
#show crypto isakmp policy
Protection suite of priority 20
    encryption algorithm:    DES - Data Encryption Standard (56 bit keys).
    hash algorithm:        Secure Hash Standard
    authentication method:    Rivest-Shamir-Adleman Signature
    Diffie-Hellman group:    #1 (768 bit)
    lifetime:        86400 seconds, no volume limit
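The policy blocks above are compared field by field when the peers negotiate Phase 1. The following is an added example written for this page (not Cisco code and not a quote of device behaviour): it parses 'crypto isakmp policy' blocks in either the ASA or the IOS form, fills unset fields with the IOS defaults shown above, models the match (encryption, hash, authentication and DH group must agree; the shorter lifetime wins, which is an assumption stated in the code), and flags legacy algorithm choices a reviewer would want to see. The LEGACY list and the mismatched sample policy are constructed here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS fills in any field left out of a 'crypto isakmp policy' with these
# values (they match the 'show crypto isakmp policy' output quoted above).
IOS_DEFAULTS: Dict[str, str] = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# Reviewer's list (constructed here, not stated on the page): DES/3DES, MD5
# and the 768-bit / 1024-bit DH groups are legacy choices for a new VPN.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


@dataclass
class Policy:
    priority: int
    fields: Dict[str, str]

    def weak_fields(self) -> List[str]:
        """Names of the fields whose configured value is on the LEGACY list."""
        return [f for f, bad in LEGACY.items() if self.fields[f] in bad]


def parse_isakmp_policies(config: str) -> List[Policy]:
    """Parse 'crypto isakmp policy N' blocks from ASA or IOS config text,
    applying IOS_DEFAULTS to any field a block does not set."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for raw in config.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop '!' comments and blank lines
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = Policy(int(m.group(1)), dict(IOS_DEFAULTS))
            policies.append(current)
            continue
        if current is None:
            continue
        key, _, value = line.partition(" ")
        key = {"encr": "encryption"}.get(key, key)  # IOS abbreviates in running-config
        if key in current.fields:
            current.fields[key] = value.strip()
    return sorted(policies, key=lambda p: p.priority)


def negotiate(local: List[Policy], remote: List[Policy]) -> Optional[Dict[str, object]]:
    """Modelled IKEv1 matching: walk local policies from the lowest priority
    number and return the first one a remote policy matches on encryption,
    hash, authentication and DH group. Lifetime need not match; the shorter
    of the two is used (assumption of this model)."""
    keys = ("encryption", "hash", "authentication", "group")
    for lp in local:
        for rp in remote:
            if all(lp.fields[k] == rp.fields[k] for k in keys):
                agreed: Dict[str, object] = {k: lp.fields[k] for k in keys}
                agreed["lifetime"] = min(int(lp.fields["lifetime"]), int(rp.fields["lifetime"]))
                agreed["local_priority"] = lp.priority
                agreed["remote_priority"] = rp.priority
                return agreed
    return None


# Constructed samples: the ASA and IOS policies from the section above, plus
# an IOS policy that changes only the DH group so that nothing matches it.
ASA_POLICY = """
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1200
"""

IOS_POLICY = """
crypto isakmp policy 10
encr 3des
!hash sha   <<< Not visible since it is default
authentication pre-share
group 2
lifetime 1200
"""

IOS_MISMATCH = """
crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 86400
"""

if __name__ == "__main__":
    asa, ios = parse_isakmp_policies(ASA_POLICY), parse_isakmp_policies(IOS_POLICY)
    print("agreed:", negotiate(asa, ios))
    print("legacy fields in ASA policy 10:", asa[0].weak_fields())
    print("with mismatched DH group:", negotiate(asa, parse_isakmp_policies(IOS_MISMATCH)))
```

Running it against the two snippets above shows the policies agreeing on 3DES/SHA/pre-share/group 2 with a 1200-second lifetime, and the same two fields (encryption and group) flagged as legacy on both sides; changing only the DH group on one peer produces no match, which is the most common reason a Phase 1 SA never comes up.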


Phase-1 Authentication Material


Types of Peer Authentication Supported:


IOS:

 

  pre-share -  Pre-Shared Key
  rsa-encr   -  Rivest-Shamir-Adleman Encryption aka RSA Keys
  rsa-sig     -  Rivest-Shamir-Adleman Signature aka Digital Certificate


ASA:

 

  crack    -   set auth crack aka Challenge/Response for Authenticated Cryptographic Keys (Seldom Used)
  pre-share -   set auth pre-share
  rsa-sig    - set auth rsa-sig aka Digital Certificate

 

IOS:
Two Ways:
crypto isakmp key 0 cisco123 address 10.2.2.1

or

crypto keyring k1
  pre-shared-key address 10.2.2.1 key cisco123

PS: Keyring is used only when ISAKMP profiles are used.

ASA:
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
pre-shared-key cisco123

 

Phase 1 Keepalive


IOS:
> Disabled by default.
> Two modes of operation:
    - On-Demand - Default way of operation, when enabled
    - Periodic


ASA:


> Enabled by default.
> Works only in On-Demand mode.


IOS:
On demand:
  crypto isakmp keepalive 10 2

Periodic:
  crypto isakmp keepalive 10 2 periodic

ASA:
tunnel-group 10.42.1.1 ipsec-attributes
isakmp keepalive threshold 10 retry 2

To disable keepalive:
tunnel-group 10.42.1.1 ipsec-attributes
isakmp keepalive disable


Phase-2


Two unidirectional Security Associations are created for each pair of security identities, which encrypt or decrypt traffic.


Phase-2 transform set


> Encryption and Hashing algorithm used for traffic encryption and integrity check
> Mode of operation - Tunnel Mode (Default in both IOS and ASA) or transport Mode


IOS:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel

! 'mode tunnel' is default and need not be keyed in

 

ASA:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

To change to transport mode:
crypto ipsec transform-set ESP-3DES-SHA mode transport


Phase-2 Interesting traffic definition


This is a selection ACL: a set of ACEs defining the Local Encryption Domain (the local proxy identity) and the Remote Encryption Domain (the remote proxy identity).


ASA:
access-list crypto10 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0

IOS:
ip access-list extended crypto10
  permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255


Binding Phase-2 Together


ASA:
crypto map crymap 10 match address crypto10
crypto map crymap 10 set peer 10.2.2.2
crypto map crymap 10 set transform-set ESP-3DES-SHA

crypto map crymap interface out

IOS:
crypto map crymap 10 ipsec-isakmp
set peer 10.2.2.1
set transform-set ESP-3DES-SHA
match address crypto10

interface Gig0/0
  crypto map crymap


Phase-2 Perfect Forward Secrecy (PFS) [Optional]


This is an optional setting. Instead of making use of DH Keys Calculated during Phase-1, PFS forces DH-Key calculation during Phase-2 Setup as well as Phase-2 Rekey.


ASA:
crypto map crymap 10 set pfs group2

!ASA: Default pfs, when enabled, is group2. So the cli will not show it unless 'show run all' is executed.

 

IOS:

crypto map crymap 10 ipsec-isakmp
set pfs group2

 

Phase-2 Lifetime Setting

 

This is the SA rekey lifetime setting. Both ASA and IOS have system-wide default values for it, but it can be changed per VPN peer in the crypto map entry.

 

Defaults

ASA:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

 

IOS:
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600

 

Changing Phase-2 lifetime:

ASA:
crypto map crymap 10 set security-association lifetime seconds 7200
crypto map crymap 10 set security-association lifetime kilobytes 2147483647

 

IOS:
crypto map crymap 10 ipsec-isakmp
set security-association lifetime seconds 7200
set security-association lifetime kilobytes 2147483647

 

 

NAT Exemption

If either of the two devices is performing NAT, the traffic matched by the crypto ACL must be exempted from NAT.

 


ASA:

8.2 and Prior Versions:

On the interface behind which the interesting LAN for the VPN (the local proxy identity) sits, configure either a NAT exemption statement (preferred) or an identity NAT statement (less preferred, but it works just fine):

NAT exemption:

access-list nonat-inside permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside

Identity NAT:

access-list crypto10-id-nat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list crypto10-id-nat

8.3 and Later Versions:

To make sure the NAT exemption always takes precedence, put the statement shown below at the top of the NAT table (notice the '1' just before the 'source static' keywords):

object network obj-10.1.1.0-24
   subnet 10.1.1.0 255.255.255.0

object network obj-20.1.1.0-24
   subnet 20.1.1.0 255.255.255.0

nat (inside,outside) 1 source static obj-10.1.1.0-24  obj-10.1.1.0-24 destination static obj-20.1.1.0-24 obj-20.1.1.0-24 route-lookup

Note: 'route-lookup' is optional; it addresses a change in the route-lookup sequence between 8.4.1 and prior versions and 8.4.2 and later.

 

IOS:

The most common NAT implementation will have:
LAN Interface:
   ip nat inside

interface Gig0/0:
    ip nat outside

ip nat inside source list 1 interface Gig0/0 overload

Note: If route-map is used in place of (access-)list, modify the ACL that the route-map is based upon.

The NAT exemption approach is:

1. Write an extended ACL first

Example:
Existing ACL (Leave it in the config for now):
ip access-list standard 1
     permit 20.1.1.0 0.0.0.255

Complementing Extended ACL would be:
ip access-list extended 101
    permit ip 20.1.1.0 0.0.0.255 any

2. Incorporate the NAT exemption logic in the extended ACL, i.e. deny the VPN flow so that it is not NATed (access-list 101 is a selection ACL, so a 'deny' means 'do not translate'):

ip access-list extended 101
    1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

now 'show access-list 101':
#show access-list 101
Extended IP access list 101
    1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    10 permit ip 20.1.1.0 0.0.0.255 any

The key is to make sure that the deny statement goes to the top.

3. Use the extended ACL in the NAT statement first:

ip nat inside source list 101 interface Gig0/0 overload

4. Now remove the old NAT Statement:

no ip nat inside source list 1 interface Gig0/0 overload
>>> This will prompt you to confirm whether you want to remove the dynamic NAT entries created by this NAT statement. Answer 'yes'.

5. With that you may remove the old standard ACL, if it is not being used anywhere else in the config:

no ip access-list standard 1
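Two checks a practitioner would want to script for the interesting-traffic section and for the NAT exemption procedure above: that the ASA and router crypto ACLs are exact mirror images of each other (otherwise the Phase 2 proxy identities do not agree), and that the NAT selection ACL's first match for a LAN-to-LAN packet is the 'deny', so the VPN flow is never translated. The code below is an added example written for this page, not Cisco's or the author's; it uses Python's ipaddress module, which understands both the ASA netmask form and the IOS wildcard form. The sample ACL lines are taken from the sections above; the test flows (20.1.1.5 to 10.1.1.7 and 20.1.1.5 to 198.51.100.9) and the deliberately mis-ordered NAT ACL are constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Ace:
    seq: Optional[int]
    action: str                    # 'permit' or 'deny'
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ipaddress accepts a netmask (ASA: 255.255.255.0) or a wildcard mask
    # (IOS: 0.0.0.255) after the slash; a truncated mask raises ValueError.
    # strict=False mirrors the device: host bits set in the address are ignored.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse one 'permit ip' / 'deny ip' ACE in ASA or IOS form: optional
    'access-list NAME' prefix, optional IOS sequence number, 'any' allowed."""
    toks = line.split()
    if toks[:1] == ["access-list"]:
        toks = toks[2:]
    seq = None
    if toks and toks[0].isdigit():
        seq, toks = int(toks[0]), toks[1:]
    if len(toks) < 2 or toks[0] not in ("permit", "deny") or toks[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, rest, nets = toks[0], toks[2:], []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            rest = rest[1:]
        elif len(rest) >= 2:
            nets.append(_net(rest[0], rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"address without mask in {line!r}")
    if len(nets) != 2:
        raise ValueError(f"expected source and destination in {line!r}")
    return Ace(seq, action, nets[0], nets[1])


def mirrors(local: List[Ace], remote: List[Ace]) -> bool:
    """Phase 2 proxy identities must be exact mirror images: every local
    permit (src, dst) must appear on the peer as (dst, src), and vice versa."""
    here = {(a.src, a.dst) for a in local if a.action == "permit"}
    there = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return here == there


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Ace]:
    """Evaluate an ACL top-down in the order given (IOS displays ACEs in
    sequence order); no match means the implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace
    return None


def will_be_natted(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """A NAT selection ACL translates a flow only when its first match is a permit."""
    m = first_match(nat_acl, src, dst)
    return m is not None and m.action == "permit"


# Samples from the sections above: ASA crypto ACL and the router's mirror of it.
ASA_CRYPTO = ["access-list crypto10 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0"]
IOS_CRYPTO = ["permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255"]

# Router NAT ACL 101 as 'show access-list 101' displays it, and (constructed)
# the same two entries with the deny placed last, the ordering mistake the text warns about.
NAT_ACL_OK = ["1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255",
              "10 permit ip 20.1.1.0 0.0.0.255 any"]
NAT_ACL_BAD = list(reversed(NAT_ACL_OK))


def check_crypto_mirror() -> bool:
    return mirrors([parse_ace(l) for l in ASA_CRYPTO], [parse_ace(l) for l in IOS_CRYPTO])


def vpn_flow_natted(acl_lines: List[str]) -> bool:
    # Constructed LAN-to-LAN packet from the router side: 20.1.1.5 -> 10.1.1.7
    return will_be_natted([parse_ace(l) for l in acl_lines], "20.1.1.5", "10.1.1.7")


if __name__ == "__main__":
    print("crypto ACLs mirror each other:", check_crypto_mirror())
    print("VPN flow NATed, deny first:", vpn_flow_natted(NAT_ACL_OK))
    print("VPN flow NATed, deny last:", vpn_flow_natted(NAT_ACL_BAD))
    print("Internet flow NATed:", will_be_natted([parse_ace(l) for l in NAT_ACL_OK], "20.1.1.5", "198.51.100.9"))
```

With the entries in the order the text prescribes, the LAN-to-LAN flow hits the 'deny' first and is left untranslated while an Internet-bound flow still falls through to the 'permit' and is NATed; with the deny placed last, the VPN flow is translated before it ever reaches the crypto map, which is the symptom (Phase 2 never matching) that this step prevents. A mask that is missing its last octet is rejected by the parser rather than silently accepted.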

 

 

VPN Status and Statistics:

Now the first packet matching the interesting traffic that passes through the device will bring the tunnel up (one bidirectional Phase-1 SA and two unidirectional Phase-2 SAs).

 

Show commands:

ASA:
Check Config:
show run crypto
show run crypto isakmp
show run crypto ipsec
show run crypto map

Check Tunnel Status:
show crypto isakmp sa
show crypto ipsec sa

 

IOS:
Check Config:
show run | sec crypto
show crypto isakmp policy
show crypto map

Check Tunnel Status:
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
Comments
Tormod Macleod
Level 1

I found this really useful.

 

Thanks Praveena
 

zhengjinkai1985
Level 1
Very good summary! Thanks for your efforts. Typo:
crypto ipsec transform-set ESP-3DES-SHA more transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport