cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7275
Views
10
Helpful
4
Replies

VPN Phase 1 and 2 Configuration

DSUK
Level 1
Level 1

Hi,

 

Hi,

 

We are a small development company that outsources our infrastructure support and recently had a Policy-based IKev1 VPN site to site connection setup to one of our software partners which has had some problems. Our software partner has asked for screen shots of the phase 1 and phase 2 configuration, but the support company that did the VPN setup is no longer contactable.

 

We were sent a Pre-Shared Key and the following parameters for both Phase 1 and Phase 2 below:

 

Phase 1/Main Mode:

!        IKE_ENCRYPTION_1      = aes-256

!        IKE_INTEGRITY_1          = sha256

!        IKE_DHGROUP_1          = 2

!        IKE_SALIFETIME_1         = 28800

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Phase 2/Quick Mode:

!        IPsec_ENCRYPTION_1       = aes-256

!        IPsec_INTEGRITY_1           = sha-256

!        IPsec_PFSGROUP_1           = None

!        IPsec_SALIFETIME              = 3600

!        IPsec_KB_SALIFETIME       = 102400000

 

We have admin access to the Cisco ASA 5512 ver 9.6 via ASDM ver 7.9 but have no idea where to go look for the information requested so it can be verified and screen shots taken. 

 

Any help would be appreciated.

 

Many thanks.

2 Accepted Solutions

Accepted Solutions

Hi,
If you login to the CLI of the ASA and run the command "show run crypto" this will list all the crypto configuration on the ASA. You will be looking for an ikev1 policy e.g "crypto ikev1 policy 10" and the ipsec transform-set e.g "crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac" and the "crypto map" configuration.

HTH

View solution in original post

What kind of probelms are you experiencing with the VPN?

This configuration is IKEv2 for the ASA.  An integrity of sha256 is only available in IKEv2 on ASA.  You can use the following show commands to view your configuration, I have provided a sample configuration and show commands for the different sections. Depending on how large your configuration is you might need to filter the output using a | include <value> or | begin <value> at the end of each command. (the x.x.x.x in the configuration is the public IP of the remote VPN site)

 

show run object id LOCAL-NET

show run object id REMOTE-NET

show run crypto

show run NAT

show run group-policy

show run tunnel-group

 

object network LOCAL-NET

 subnet 172.1.1.0 255.255.255.0

object network REMOTE-NET

 subnet 192.168.1.0 255.255.255.0

 

access-list crypto-ACL extended permit ip object-group LOCAL-NET object-group REMOTE-NET

 

nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET route-lookup

 

crypto ipsec ikev2 ipsec-proposal IKEv2-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 5 match address crypto-ACL
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set ikev2 ipsec-proposal IKEv2-PROPOSAL
crypto map outside_map 5 set security-association lifetime kilobytes 102400000
crypto map outside_map interface outside

crypto ikev2 enable outside

 

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 prf sha256
 lifetime seconds 28800

group-policy l2l_IKEv2_GrpPolicy internal
group-policy l2l_IKEv2_GrpPolicy attributes
 vpn-tunnel-protocol ikev2

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy l2l_IKEv2_GrpPolicy
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key VerySecretPassword
 ikev2 local-authentication pre-shared-key VerySecretPassword

 

If you need a more indepth look into what is happening when trying to bring up the VPN you can run a debug.  This is not system intensive so you should be good to do this during working hours.

debug crypto condition peer x.x.x.x

debug crypto ikev2 platform 127

debug crypto ikev2 protocol 127

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 Replies 4

Hi,
If you login to the CLI of the ASA and run the command "show run crypto" this will list all the crypto configuration on the ASA. You will be looking for an ikev1 policy e.g "crypto ikev1 policy 10" and the ipsec transform-set e.g "crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac" and the "crypto map" configuration.

HTH

Many thanks

What kind of probelms are you experiencing with the VPN?

This configuration is IKEv2 for the ASA.  An integrity of sha256 is only available in IKEv2 on ASA.  You can use the following show commands to view your configuration, I have provided a sample configuration and show commands for the different sections. Depending on how large your configuration is you might need to filter the output using a | include <value> or | begin <value> at the end of each command. (the x.x.x.x in the configuration is the public IP of the remote VPN site)

 

show run object id LOCAL-NET

show run object id REMOTE-NET

show run crypto

show run NAT

show run group-policy

show run tunnel-group

 

object network LOCAL-NET

 subnet 172.1.1.0 255.255.255.0

object network REMOTE-NET

 subnet 192.168.1.0 255.255.255.0

 

access-list crypto-ACL extended permit ip object-group LOCAL-NET object-group REMOTE-NET

 

nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET route-lookup

 

crypto ipsec ikev2 ipsec-proposal IKEv2-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 5 match address crypto-ACL
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set ikev2 ipsec-proposal IKEv2-PROPOSAL
crypto map outside_map 5 set security-association lifetime kilobytes 102400000
crypto map outside_map interface outside

crypto ikev2 enable outside

 

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 prf sha256
 lifetime seconds 28800

group-policy l2l_IKEv2_GrpPolicy internal
group-policy l2l_IKEv2_GrpPolicy attributes
 vpn-tunnel-protocol ikev2

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy l2l_IKEv2_GrpPolicy
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key VerySecretPassword
 ikev2 local-authentication pre-shared-key VerySecretPassword

 

If you need a more indepth look into what is happening when trying to bring up the VPN you can run a debug.  This is not system intensive so you should be good to do this during working hours.

debug crypto condition peer x.x.x.x

debug crypto ikev2 platform 127

debug crypto ikev2 protocol 127

--
Please remember to select a correct answer and rate helpful posts

Many thanks Marius.

It seems as though the VPN was setup correctly. Issue the connection of 2 SQL DBs on either side of the VPN.