Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
588
Views
5
Helpful
1
Replies

Assistance on VPN site to site connection

jay1991
Level 1
Level 1

‎05-22-2018 07:49 AM - edited ‎03-12-2019 05:18 AM

We have received form from third party, they want us to configure VPN connection with their system

Their VPN details:

1. Technical Information

Name / FQDN VPN Concentrator

IP Address (GW) *.*.*.*

VPN Device Description Cisco ASA 5555

VPN Device Version Version 9.2(4)

Encryption Domain (e.g. *.*.*.*/24 ) *.*.*.*/*.*.*.*

2. Tunnel Properties

PHASE 1

Authentication Method Pre-Shared Key

Encryption Scheme IKE

Diffie-Hellman Group Group 2

Encryption Algorithm ESP-AES-256

Hashing Algorithm SHA-1

Main or Aggressive Mode Main Mode

Lifetime (for renegotiation) 86400 seconds

PHASE 2

Encapsulation (ESP or AH) ESP

Encryption Algorithm AES-256

Authentication Algorithm SHA-1

Perfect Forward Secrecy NO PFS
Lifetime (for renegotiation) 3600 seconds
Lifesize in KB (for renegotiation) Not used
Key Exchange For Subnets? Yes

 

We have deployed CSR 1000V on aws, with assistance of Yang youtube video tutorials, third party are asking for encryption domain, which confuse me. I am a programmer with background in networking I did it in university, Can somebody assist me on how to archive this connection, I will add more details if needed. If you have more resources help me please.

 

 

 

Labels:
0 Helpful
1 Reply 1

Rob Ingram
VIP
VIP

‎05-22-2018 08:10 AM

Hi,

When they say "encryption domain" they are probably asking what source ip addresses are you sending traffic from and where to.

 

I assume you've configured a crypto map on your CSR1000v? In which case you would define an ACL. In this example 10.1.0.0 and 10.1.1.0 is your networks and 192.168.0.0 is the third party network.

 

ip access-list extended ENCRYPTION_DOMAIN
 permit ip 10.1.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255

 

You'd then reference that ACL called ENCRYPTION_DOMAIN in the crypto map you've probably already created.


crypto map VPN 10 ipsec-isakmp
 match address ENCRYPTION_DOMAIN

 

Post your full config if you need further assistance.

HTH

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents