1. Overview
In the previous article we had implemented a IPSec VPN site-to-site between head office and branch office. Normally as the business grow, there are more branch offices to be created. So, we need to configure another IPSec VPN site-to-site between head office and the new created branch office.
In this article will show how to add more peer to exiting IPSec site-to-site tunnel in head office with the configuration of IPSec site-to-site on branch office on Cisco ASA 9.x.
2. Prerequisites
In this document, it is assumed that:
a. You already have Cisco ASAv on GNS3 VM up and running. In case that you don’t, please follow this link. Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.
c. You are already have IPSec VPN site-to-site tunnel currently up and running. If you don’t, you may would like to read the previous article about Configuring Site-to-Site IPSec VPN Between Cisco ASA Firewalls IOS Version 9.x
3. Network Diagram and IP Configuration
The following is the network diagram after adding one new branch office more.
Cisco ASA firewall appliance that locates in new branch office name is “BOFW02”. The following is the IP configuration for each relevant device.
On PC3
PC3> ip 192.168.10.10/24 192.168.10.1
On BOFW02
#int g0/0 nameif inside no sh security-level 100 ip add 192.168.10.1 255.255.255.0 #int g0/1 nameif outside no sh security-level 0 ip add 117.168.98.2 255.255.255.252
On Internet router
#int f1/0 ip add 117.168.98.1 255.255.255.252
4. IPSec VPN Site-to-Site Form
The following is the information that IPSec VPN site-to-site between head office and new branch office will be used to in the configuration.
| Firewall Type | Head Office | New Branch Office |
| Manufacturer | Cisco | Cisco |
| Model | ASA 5555-X | ASA 5525-X |
| Version | 9.4 | 9.4 |
| Configuration | Head Office | New Branch Office | ||
| Phase 1 | ||||
| IKE Encryption Algorithm | 3DES | 3DES | ||
| IKE Hash Algorithm | SHA-1 | SHA-1 | ||
| IKE Security Lifetime | 14400 | 14400 | ||
| Diffie-Hellman Group | 2 | 2 | ||
| Pre-shared key | vpn@Ho2Bo2 | vpn@Ho2Bo2 | ||
| Phase 2 | ||||
| IPSEC security protocol | ESP | ESP | ||
| IPSEC Encryption Algorithm | 3DES | 3DES | ||
| IPSEC Hash Algorithm | MD5 | MD5 | ||
| IPSEC Security Lifetime (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other:………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | ||
| Perfect Forward Secrecy(PFS) (Optional) | PFS □ No | Group □ 2(default) □ 5 □ 7 | PFS □ No | Group □ 2 (default) □ 5 □ 7 |
| IP Addressing | Head Office | New Branch Office |
| Peer IP address | 203.200.200.2 | 117.168.98.2 |
| Local IP address | 10.10.10.10/32 | 192.168.10.10/32 |
5. Configuration
5.1 Configure Default Route
Configure default router on BOFW02 as the following.
#route outside 0 0 117.168.98.1
Now BOFW02 should be able to ping to public IP address of HOFW01 locates in head office.
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command on HOFW01, head office firewall.
#crypto ikev1 policy 2 authentication pre-share encryption 3des hash sha group 2 lifetime 14400
The the following command on BOFW02, new branch office firewall.
#crypto ikev1 policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 14400
5.3 Create IPSec Transform Set
Next we need to create a transform set to establishes the encryption and authentication for IPSec tunnel. Apply the follow configuration on HOFW01 to create a transform set name “HO-TRSET01-3DES-MD5”.
#crypto ipsec ikev1 transform-set HO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
Apply the follow configuration on BOFW01 to create a transform set name “BO-TRSET01-3DES-MD5”.
#crypto ipsec ikev1 transform-set BO2-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
5.4 Create ACL For VPN Tunnel
Create the following ACL to much traffic between head office and new branch office.
On HOFW01
#object-group network BO2-Server network-object host 192.168.10.10 #access-list ACL-HO2BO2 extended permit ip object-group HO-Server object-group BO2-Server
On BOFW02
#object-group network HO-Server network-object host 10.10.10.10 #object-group network BO2-Server network-object host 192.168.10.10 #access-list ACL-BO22HO extended permit ip object-group BO2-Server object-group HO-Server
5.5 Create VPN Tunnel Group
Now create a tunnel group for IPSec VPN site-to-site connection. Pre-shred key authentication is to be configured here.
Apply the following tunnel group configuration on HOFW01.
#tunnel-group 117.168.98.2 type ipsec-l2l #tunnel-group 117.168.98.2 ipsec-attributes ikev1 pre-shared-key vpn@Ho2Bo2
Apply the following tunnel group configuration on BOFW02.
#tunnel-group 203.200.200.2 type ipsec-l2l #tunnel-group 203.200.200.2 ipsec-attributes ikev1 pre-shared-key vpn@Ho2Bo2
5.6 Configure and Apply Crypto Map
The final step is to configure the crypto map to combine IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface “outside” of each Cisco ASA firewall.
As on HOFW01 already had an IPSec VPN tunnel in place and already applied to “outside” interface, now we just need to add more peer by increasing the sequence number as the following.
#crypto map HO-VPN 2 match address ACL-HO2BO2 #crypto map HO-VPN 2 set peer 117.168.98.2 #crypto map HO-VPN 2 set ikev1 transform-set HO-TRSET01-3DES-MD5
The following are the commands to be executed on BOFW02.
#crypto map BO2-VPN 1 match address ACL-BO22HO #crypto map BO2-VPN 1 set peer 203.200.200.2 #crypto map BO2-VPN 1 set ikev1 transform-set BO2-TRSET01-3DES-MD5 #crypto map BO2-VPN interface outside #crypto ikev1 enable outside
5.7 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in head office to PC3 in new branch office.
As we are successful to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on HOFW01.
#sh vpn-sessiondb detail l2l filter ipaddress 117.168.98.2
And with the following command on BOFW02.
#sh vpn-sessiondb detail l2l filter ipaddress 203.200.200.2
6. Conclusion
Now you should know about how to and add more peer to existing IPSec VPN site-to-site tunnel on Cisco ASA firewall appliance with IOS version 9.x. It is recommended that you practice it on GNS3 MV to improve your confidence. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
