06-27-2012 07:34 AM - edited 08-29-2017 12:24 AM
Goal is to put all the pieces of VPN creation together in platform independent manner and show how to configure each piece in IOS and ASA.
We will use this Topology:
10.1.1.0/24------- (in)ASA(out) ----------------Gig0/0 Router------20.1.1.0/24
                        10.2.2.1               10.2.2.2
(ASA outside interface: 10.2.2.1; Router Gig0/0: 10.2.2.2)
>>>IPSec<<<
> Protocol Suite - Policy Set
> Phase-1 Authentication Material
> Phase-1 Keepalives
> Protocol Suite - Transform Set
> Interesting traffic - Pair of Subnets
> PFS - Perfect Forward Secrecy
> Lifetime Settings
>>>Phase-1 SA<<<
A single bi-directional ISAKMP SA is created between the VPN peers and serves as the control channel for:
> Phase-1 keepalives
> DH-Key Calculation
> Phase-2 SA creation and rekey
>>>Protocol Suite - Policy Set<<<
The Protocol Suite (ISAKMP policy) contains 5 fields: authentication method, encryption algorithm, hash algorithm, DH group and lifetime:
ASA:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1200
IOS:
crypto isakmp policy 10
encr 3des
!hash sha <<< not shown in the running config because it is the default
authentication pre-share
group 2
lifetime 1200
Defaults:
ASA:
#show run crypto isakmp
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
IOS:
#show crypto isakmp policy
Protection suite of priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
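Because IOS hides fields that sit at their default value, comparing the two running configs by eye is error-prone. The following added example (not part of the original post) fills in the IOS defaults shown by 'show crypto isakmp policy' above and reports which of the must-match fields differ between an ASA and an IOS policy stanza; the sample stanzas are constructed from the configs on this page.

```python
# IOS defaults, taken from the 'show crypto isakmp policy' output above: a field
# at its default value is not printed in the IOS running config at all.
IOS_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha",
                "group": "1", "lifetime": "86400"}
# The four fields that must agree between the peers (lifetime is negotiated).
MUST_MATCH = ("authentication", "encryption", "hash", "group")

# Constructed samples: the policy 10 stanzas from this page.
ASA_POLICY = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1200"""
IOS_POLICY = """crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 1200"""

def parse_policy(text, platform):
    """Parse one 'crypto isakmp policy' stanza into its five fields.
    For IOS, start from the defaults so that omitted lines are filled in;
    the ASA prints all five fields explicitly (see 'show run crypto isakmp')."""
    fields = dict(IOS_DEFAULTS) if platform == "ios" else {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("crypto isakmp policy"):
            continue
        key, _, value = line.partition(" ")
        if key == "encr":            # IOS abbreviates 'encryption' in the config
            key = "encryption"
        fields[key] = value.strip()
    return fields

def policy_mismatches(asa, ios):
    """Return {field: (asa value, ios value)} for every must-match field that differs."""
    return {k: (asa.get(k), ios.get(k)) for k in MUST_MATCH if asa.get(k) != ios.get(k)}
```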
>>>Phase-1 Authentication Material<<<
Types of Peer Authentication Supported:
IOS:
pre-share - Pre-Shared Key
rsa-encr - Rivest-Shamir-Adleman Encryption aka RSA Keys
rsa-sig - Rivest-Shamir-Adleman Signature aka Digital Certificate
ASA:
crack - set auth crack aka Challenge/Response for Authenticated Cryptographic Keys (Seldom Used)
pre-share - set auth pre-share
rsa-sig - set auth rsa-sig aka Digital Certificate
Configuring the pre-shared key:
IOS:
Two Ways:
crypto isakmp key 0 cisco123 address 10.2.2.1
or
crypto keyring k1
pre-shared-key address 10.2.2.1 key cisco123
PS: The keyring form is used only when ISAKMP profiles are used.
ASA:
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
pre-shared-key cisco123
>>>Phase-1 Keepalives<<<
IOS:
> Disabled by default.
> Two modes of operation:
- On-Demand - default mode of operation, when enabled
- Periodic
ASA:
> Enabled by default.
> Works only in On-Demand mode.
IOS:
On demand:
crypto isakmp keepalive 10 2
Periodic:
crypto isakmp keepalive 10 2 periodic
ASA:
tunnel-group 10.42.1.1 ipsec-attributes
isakmp keepalive threshold 10 retry 2
To disable keepalive:
tunnel-group 10.42.1.1 ipsec-attributes
isakmp keepalive disable
>>>Protocol Suite - Transform Set<<<
Two unidirectional Phase-2 (IPsec) Security Associations are created for each pair of proxy identities; these are the SAs that actually encrypt and decrypt the traffic. The transform set defines:
> Encryption and Hashing algorithm used for traffic encryption and integrity check
> Mode of operation - Tunnel Mode (Default in both IOS and ASA) or transport Mode
IOS:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
! 'mode tunnel' is default and need not be keyed in
ASA:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
To change to transport mode:
crypto ipsec transform-set ESP-3DES-SHA mode transport
>>>Interesting traffic - Pair of Subnets<<<
This is a selection ACL (the crypto ACL), containing a set of ACEs that define the Local Encryption Domain (aka Local Proxy Identity) and the Remote Encryption Domain (Remote Proxy Identity). Note that the IOS ACL is the mirror image of the ASA ACL: each side lists its own subnet as source and the peer's subnet as destination, and IOS uses wildcard masks where the ASA uses netmasks.
ASA:
access-list crypto10 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
IOS:
ip access-list extended crypto10
permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
Crypto map, binding the peer, the transform set and the crypto ACL together and applied to the outside interface:
ASA:
crypto map crymap 10 match address crypto10
crypto map crymap 10 set peer 10.2.2.2
crypto map crymap 10 set transform-set ESP-3DES-SHA
crypto map crymap interface out
IOS:
crypto map crymap 10 ipsec-isakmp
set peer 10.2.2.1
set transform-set ESP-3DES-SHA
match address crypto10
interface Gig0/0
crypto map crymap
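A mismatch between the two proxy identities is one of the most common reasons a Phase-2 SA fails to come up. This added example (not part of the original post) converts the ASA crypto ACE into its IOS mirror, converting netmasks to wildcard masks and swapping source and destination, and checks that two given ACEs really are mirror images; the sample ACEs are constructed from the topology above.

```python
import ipaddress
import re

# Constructed samples: the crypto ACLs from the topology above (one ACE each).
ASA_ACE = "access-list crypto10 permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0"
IOS_ACE = "permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255"

ASA_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
IOS_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def invert_mask(mask):
    """Netmask <-> wildcard: 255.255.255.0 <-> 0.0.0.255 (bitwise inverse)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def parse_asa_ace(line):
    """ASA ACEs use netmasks. Returns (acl name, local proxy, remote proxy)."""
    m = ASA_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not an ASA 'permit ip' ACE: {line!r}")
    name, src, smask, dst, dmask = m.groups()
    # strict=True (default): a host bit set under the mask is a typo worth catching.
    return name, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def parse_ios_ace(line):
    """IOS ACEs use wildcard masks. Returns (local proxy, remote proxy)."""
    m = IOS_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not an IOS 'permit ip' ACE: {line!r}")
    src, swc, dst, dwc = m.groups()
    return (ipaddress.ip_network(f"{src}/{invert_mask(swc)}"),
            ipaddress.ip_network(f"{dst}/{invert_mask(dwc)}"))

def mirror_for_ios(asa_line):
    """Generate the IOS ACE that mirrors an ASA crypto ACE: source and destination
    swapped, netmasks converted to wildcard masks."""
    _, local, remote = parse_asa_ace(asa_line)
    return (f"permit ip {remote.network_address} {invert_mask(str(remote.netmask))} "
            f"{local.network_address} {invert_mask(str(local.netmask))}")

def proxy_ids_mirror(asa_line, ios_line):
    """True when each side's local proxy identity is exactly the other side's remote one."""
    _, a_local, a_remote = parse_asa_ace(asa_line)
    i_local, i_remote = parse_ios_ace(ios_line)
    return a_local == i_remote and a_remote == i_local
```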
>>>PFS - Perfect Forward Secrecy<<<
This is an optional setting. Instead of reusing the DH keys calculated during Phase-1, PFS forces a fresh DH key calculation during Phase-2 setup as well as at every Phase-2 rekey.
ASA:
crypto map crymap 10 set pfs group2
!ASA: the default PFS group, when PFS is enabled, is group2, so the CLI will not show it unless 'show run all' is executed.
IOS:
crypto map crymap 10 ipsec-isakmp
set pfs group2
>>>Lifetime Settings<<<
This is the Phase-2 SA rekey lifetime setting. Both ASA and IOS have system-wide default values for it; however, it can be changed per VPN peer (per crypto map entry).
Defaults
ASA:
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
IOS:
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
Changing Phase-2 lifetime:
ASA:
crypto map crymap 10 set security-association lifetime seconds 7200
crypto map crymap 10 set security-association lifetime kilobytes 2147483647
IOS:
crypto map crymap 10 ipsec-isakmp
set security-association lifetime seconds 7200
set security-association lifetime kilobytes 2147483647
>>>NAT Exemption<<<
If either of these two devices is performing NAT, then the traffic matched by the crypto ACL needs to be exempted from NAT.
ASA:
8.2 and Prior Versions:
On the interface behind which the interesting LAN for the VPN (the local proxy identity) sits, configure either a NAT exemption statement (preferred) or an identity NAT statement (less preferred, but works just fine):
NAT exemption:
access-list nonat-inside permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat-inside
Identity NAT:
access-list crypto10-id-nat permit ip 10.1.1.0 255.255.255.0 20.1.1.0 255.255.255.0
static (inside,outside) 10.1.1.0 access-list crypto10-id-nat
8.3 and Later Versions:
To make sure that the NAT exemption always takes precedence, it is suggested that you put the statement shown below at the top of the NAT table (notice the '1' just before the 'source static' keywords):
object network obj-10.1.1.0-24
subnet 10.1.1.0 255.255.255.0
object network obj-20.1.1.0-24
subnet 20.1.1.0 255.255.255.0
nat (inside,outside) 1 source static obj-10.1.1.0-24 obj-10.1.1.0-24 destination static obj-20.1.1.0-24 obj-20.1.1.0-24 route-lookup
Note: route-lookup is optional; it addresses a behaviour change in the route-lookup sequence between 8.4.1 and prior and 8.4.2 and later.
IOS:
The most common NAT implementation will have:
LAN Interface:
ip nat inside
interface Gig0/0:
ip nat outside
ip nat inside source list 1 interface Gig0/0 overload
Note: If a route-map is used in place of the (access-)list, modify the ACL that the route-map is based upon.
The NAT exemption approach would be:
1. Write an extended ACL first.
Example:
Existing ACL (Leave it in the config for now):
ip access-list standard 1
permit 20.1.1.0 0.0.0.255
Complementing Extended ACL would be:
ip access-list extended 101
permit ip 20.1.1.0 0.0.0.255 any
2. Incorporate the NAT-exemption logic in the extended ACL, i.e. deny the VPN flow from getting NAT'ed, since access-list 101 is a selection ACL:
ip access-list extended 101
1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
now 'show access-list 101':
#show access-list 101
Extended IP access list 101
1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
10 permit ip 20.1.1.0 0.0.0.255 any
The key is to make sure that the deny statement goes to the top.
3. Use the extended ACL in the NAT statement first:
ip nat inside source list 101 interface Gig0/0 overload
4. Now remove the old NAT statement:
no ip nat inside source list 1 interface Gig0/0 overload
>>> This will warn you with a question asking whether you would like to remove the dynamic NAT entries created by this NAT statement. Answer 'yes'.
5. With that you may remove the old standard ACL, if it is not being used anywhere else in the config:
no ip access-list standard 1
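Since the NAT ACL is evaluated first-match, a deny placed after the 'permit ... any' entry would never be hit and the VPN flow would be NAT'ed. This added example (not part of the original post) parses 'show access-list' output as printed in step 2, resolves the first matching ACE for a given flow, and checks that the whole VPN flow is denied (i.e. exempted from NAT) before any permit can catch it; the sample output is constructed from the steps above.

```python
import ipaddress

# Constructed sample: the 'show access-list 101' output from step 2 above.
SHOW_ACL_101 = """Extended IP access list 101
    1 deny ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
    10 permit ip 20.1.1.0 0.0.0.255 any"""

def _net(tokens, i):
    """Parse one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)   # wildcard -> netmask
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def parse_show_acl(text):
    """Return [(seq, action, src_net, dst_net), ...] in sequence order,
    skipping the 'Extended IP access list' header line."""
    aces = []
    for line in text.splitlines()[1:]:
        t = line.split()
        if len(t) < 4 or t[2] != "ip":     # only 'permit|deny ip' entries handled here
            continue
        src, i = _net(t, 3)
        dst, _ = _net(t, i)
        aces.append((int(t[0]), t[1], src, dst))
    return sorted(aces)

def first_match(aces, src_ip, dst_ip):
    """First-match semantics: (seq, action) of the first ACE hit, None = implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src, dst in aces:
        if s in src and d in dst:
            return seq, action
    return None

def vpn_flow_exempt(aces, local_net, remote_net):
    """True if the whole local->remote VPN flow is denied (not NAT'ed): the first
    ACE that overlaps the flow must be a deny that covers it entirely."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    for _, action, src, dst in aces:
        if src.overlaps(local) and dst.overlaps(remote):
            return action == "deny" and local.subnet_of(src) and remote.subnet_of(dst)
    return True   # nothing matched: implicit deny, so the flow is never NAT'ed
```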
>>>Verification<<<
Now the first packet matching the interesting traffic that passes through the device will bring the tunnel up (one bidirectional Phase-1 SA and two unidirectional Phase-2 SAs).
ASA:
Check Config:
show run crypto
show run crypto isakmp
show run crypto ipsec
show run crypto map
Check Tunnel Status:
show crypto isakmp sa
show crypto ipsec sa
IOS:
Check Config:
show run | sec crypto
show crypto isakmp policy
show crypto map
Check Tunnel Status:
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail
I found this really useful.
Thanks Praveena