techspacekh October 1, 2017

1. Overview

In the previous article you have seen how to configure site-to-site IPSec VPN IKEv2 between two Cisco ASA firewalls running IOS version 9.x. Sometime you may need to run IKEv1 and IKEv2 at the same time for some reasons and it is absolutely possible to do so on Cisco ASA firewall.

In this article will show how to configure site-to-site IPSec VPN using IKEv1 and IKEv2 at the same time on a single Cisco ASA firewalls IOS version 9.x.

2. Prerequisites

To start this configuration, it is supposes that:

a. You already have Cisco ASAv on GNS3 VM up and running. In case that you don’t, please follow this link. Configuring Cisco ASAv QCOW2 with GNS3 VM

b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.

c. You already have site-to-site IPSec VPN using IKEv2 up and running. If you don’t, please follow this link first. Configuring Site-to-Site IPSec IKEv2 VPN Between Cisco ASA Firewalls IOS Version 9.x

3. Lab Scenario Set up

To demonstrate combining IKEv1 and IKEv2 IPSec VPN site-to-site on a single Cisco ASA firewall with IOS version 9.x, we will set up a GNS3 lab as the following diagram.

There are three Cisco ASA firewall appliances. FW-VPN01 locates in head office, FW-VPN02 locates in branch office 01, and FW-VPN03 locates in branch office 02. There is one router act as internet. IKEv2 is already implemented between FW-VPN01 and FW-VPN02. In this article we will focus only configuring IKEv1 IPSec VPN on FW-VPN01 which is already configured with IKEv2 and FW-VPN03. The following is the IP configuration of each device.

On PC3

PC1> ip 30.30.30.10/24 30.30.30.1

On FW-VPN03

#int g0/0
   no sh
   ip add 30.30.30.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 201.201.201.1 255.255.255.252
   security-level 0
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On Internet router

#in f1/0
   no sh
   ip add 201.201.201.2 255.255.255.252

4. IPSec VPN Site-to-Site Form

The following is the information that IPSec IKEv1 VPN site-to-site will be used to in the configuration.

VPN Setting
3.1 Network settings
			Head Office	Branch Office
Tunnel Peer IP	Primary		100.100.100.1	201.201.201.2
	Secondary		N/A	N/A
Device Manufacturer			Cisco	Cisco
Device Model			ASA 5525-X	ASA 5525-X
Device Software Version			9.8	9.8
3.2 IKE settings
IKE Version			1
Encryption algorithm			AES-256
Integrity algorithm			SHA
PRF algorithm			N/A
Authentication method			PSK (Will share privately)
DH group			Group 2 (1024)
IKE lifetime			28800 sec
3.3 IPSEC settings
PFS			Yes (group 2)
Encryption algorithm			AES-256
Integrity algorithm			SHA
SA Lifetime			3600 sec
2.4 Encryption domain
Head Office			Branch Office
Local IP Address		Port	Local IP Addresses		Port
10.10.10.0/24		any	30.30.30.0/24		any

5. Configuration

5.1 Configure Default Route

Apply the the following default router configuration on FW-VPN03.

#route outside 0.0.0.0 0.0.0.0 201.201.201.2

Now both FW-VPN01 and FW-VPN03 should be able to ping their public IP each other.

FW-VPN01# ping 201.201.201.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

FW-VPN03# ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

5.2 Set Up ISAKMP Policy

Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command on both FW-VPN01 and FW-VPN03.

#crypto ikev1 policy 11
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 2880

5.3 Create IPSec Transform Set

Next we need to create a transform set to establishes the encryption and authentication for IPSec IKEv2 tunnel. Apply the follow configuration on FW-VPN01 to create a transform set name “HQ-TRSET02-AES256-SHA”.

#crypto ipsec ikev1 transform-set HQ-TRSET02-AES256-SHA esp-aes-256 esp-sha-hmac

Apply the follow configuration on FW-VPN03 to create a transform set name “BR-TRSET01-AES256-SHA”.

#crypto ipsec ikev1 transform-set BR02-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac

5.4 Create ACL For VPN Tunnel

It is time to create an ACL now to match the traffic for IPSec VPN tunnel.

Based on the form above, the following is the ACL to be created on FW-VPN01.

#object-group network BR02-Network
   network-object 30.30.30.0 255.255.255.0
#access-list ACL-HQ2BR02 extended permit ip object-group HQ-Network object-group BR02-Network

The following is the ACL to be created on FW-VPN03.

#object-group network HQ-Network 
   network-object 10.10.10.0 255.255.255.0 
#object-group network BR02-Network 
   network-object 30.30.30.0 255.255.255.0 
#access-list ACL-BR022HQ extended permit ip object-group BR02-Network object-group HQ-Network

5.5 Create VPN Tunnel Group

Now create a tunnel group for IPSec IKEv1 VPN site-to-site connection.
Apply the following tunnel group configuration on FW-VPN01.

#tunnel-group 201.201.201.1 type ipsec-l2l
#tunnel-group 201.201.201.1 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo02

Apply the following tunnel group configuration on FW-VPN03.

#tunnel-group 100.100.100.1 type ipsec-l2l
#tunnel-group 100.100.100.1 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo02

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto map to combine IPsec IKEv1 transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface “outside” of each Cisco ASA firewall.

The following are the commands to be executed on FW-VPN01.

#crypto map HQ-VPN 2 match address ACL-HQ2BR02
#crypto map HQ-VPN 2 set peer 201.201.201.1
#crypto map HQ-VPN 2 set ikev1 transform-set HQ-TRSET02-AES256-SHA
#crypto map HQ-VPN 2 set pfs group2
#crypto map HQ-VPN 2 set security-association lifetime seconds 3600
#crypto ikev1 enable outside

The following are the commands to be executed on FW-VPN02.

#crypto map BR02-VPN 1 match address ACL-BR022HQ
#crypto map BR02-VPN 1 set peer 100.100.100.1
#crypto map BR02-VPN 1 set ikev1 transform-set BR02-TRSET01-AES256-SHA 
#crypto map BR02-VPN 1 set pfs group2
#crypto map BR02-VPN 1 set security-association lifetime seconds 3600
#crypto map BR02-VPN interface outside 
#crypto ikev1 enable outside

5.7 Test and Verify the Configuration

To bring up the IPSec IKEv1 VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in head office to PC3 in branch office.

PC1> ping 30.30.30.10
84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=22.258 ms
84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=21.300 ms
84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=18.744 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=20.940 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=19.979 ms

As we are successful to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on FW-VPN01.

#sh vpn-sessiondb detail l2l filter ipaddress 201.201.201.1

Session Type: LAN-to-LAN Detailed

Connection : 201.201.201.1
Index : 1 IP Addr : 201.201.201.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 756 Bytes Rx : 672
Login Time : 17:11:14 UTC Sun Oct 1 2017
Duration : 0h:00m:29s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 Rekey Int (T): 2880 Seconds Rekey Left(T): 2851 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 10.10.10.0/255.255.255.0/0/0
 Remote Addr : 30.30.30.0/255.255.255.0/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel PFS Group : 2
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3571 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
 Bytes Tx : 756 Bytes Rx : 672
 Pkts Tx : 9 Pkts Rx : 8

And with the following command on FW-VPN03.

# sh vpn-sessiondb detail l2l filter ipaddress 100.100.100.1

Session Type: LAN-to-LAN Detailed

Connection : 100.100.100.1
Index : 1 IP Addr : 100.100.100.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 672 Bytes Rx : 756
Login Time : 17:11:13 UTC Sun Oct 1 2017
Duration : 0h:01m:27s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 Rekey Int (T): 2880 Seconds Rekey Left(T): 2793 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 30.30.30.0/255.255.255.0/0/0
 Remote Addr : 10.10.10.0/255.255.255.0/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel PFS Group : 2
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3513 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
 Bytes Tx : 672 Bytes Rx : 756
 Pkts Tx : 8 Pkts Rx : 9

6. Conclusion

Now you should be able to configure IPSec IKEv2 and IKEV1 to work at the same time for VPN site-to-site on a single Cisco ASA firewall appliance with IOS version 9.x. It is recommended that you try it by your own self using GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.

Comments

comments

Configuring Site-to-Site IPSec IKEv2 and IKEv1 VPN On a Single Cisco ASA Firewalls Running IOS Version 9.x