1. Overview
In the previous article you saw how to configure a site-to-site IPSec IKEv2 VPN between two Cisco ASA firewalls running IOS version 9.x. Sometimes you may need to run IKEv1 and IKEv2 at the same time, and this is entirely possible on a Cisco ASA firewall.
This article shows how to configure site-to-site IPSec VPNs using IKEv1 and IKEv2 at the same time on a single Cisco ASA firewall running IOS version 9.x.
2. Prerequisites
To start this configuration, it is assumed that:
a. You already have Cisco ASAv on GNS3 VM up and running. If you don’t, please follow this link first: Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.
c. You already have a site-to-site IPSec VPN using IKEv2 up and running. If you don’t, please follow this link first: Configuring Site-to-Site IPSec IKEv2 VPN Between Cisco ASA Firewalls IOS Version 9.x
3. Lab Scenario Set up
To demonstrate IKEv1 and IKEv2 site-to-site IPSec VPNs coexisting on a single Cisco ASA firewall with IOS version 9.x, we will set up a GNS3 lab as shown in the following diagram.
There are three Cisco ASA firewall appliances. FW-VPN01 is located in the head office, FW-VPN02 in branch office 01, and FW-VPN03 in branch office 02. One router acts as the Internet. IKEv2 is already implemented between FW-VPN01 and FW-VPN02. In this article we focus only on configuring the IKEv1 IPSec VPN between FW-VPN01 (which is already configured with IKEv2) and FW-VPN03. The following is the IP configuration of each device.
On PC3
PC1> ip 30.30.30.10/24 30.30.30.1
On FW-VPN03
#int g0/0
 no sh
 ip add 30.30.30.1 255.255.255.0
 security-level 100
 nameif inside
#int g0/1
 no sh
 ip add 201.201.201.1 255.255.255.252
 security-level 0
 nameif outside
#policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
On Internet router
#in f1/0
 no sh
 ip add 201.201.201.2 255.255.255.252
4. IPSec VPN Site-to-Site Form
The following is the information that will be used in the IPSec IKEv1 site-to-site VPN configuration.
VPN Setting

4.1 Network settings
| Setting | Head Office | Branch Office |
| Tunnel Peer IP (Primary) | 100.100.100.1 | 201.201.201.2 |
| Tunnel Peer IP (Secondary) | N/A | N/A |
| Device Manufacturer | Cisco | Cisco |
| Device Model | ASA 5525-X | ASA 5525-X |
| Device Software Version | 9.8 | 9.8 |

4.2 IKE settings
| IKE Version | 1 |
| Encryption algorithm | AES-256 |
| Integrity algorithm | SHA |
| PRF algorithm | N/A |
| Authentication method | PSK (Will share privately) |
| DH group | Group 2 (1024) |
| IKE lifetime | 28800 sec |

4.3 IPSEC settings
| PFS | Yes (group 2) |
| Encryption algorithm | AES-256 |
| Integrity algorithm | SHA |
| SA Lifetime | 3600 sec |

4.4 Encryption domain
| Head Office Local IP Address | Port | Branch Office Local IP Address | Port |
| 10.10.10.0/24 | any | 30.30.30.0/24 | any |
5. Configuration
5.1 Configure Default Route
Apply the following default route configuration on FW-VPN03.
#route outside 0.0.0.0 0.0.0.0 201.201.201.2
Now FW-VPN01 and FW-VPN03 should be able to ping each other's public IP.
FW-VPN01# ping 201.201.201.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

FW-VPN03# ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate a Security Association (SA) with the peer. This establishes the encrypted communication channel between the two VPN endpoints. Apply the following commands on both FW-VPN01 and FW-VPN03.
#crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 2880
5.3 Create IPSec Transform Set
Next we need to create a transform set to establish the encryption and authentication for the IPSec IKEv1 tunnel. Apply the following configuration on FW-VPN01 to create a transform set named “HQ-TRSET02-AES256-SHA”.
#crypto ipsec ikev1 transform-set HQ-TRSET02-AES256-SHA esp-aes-256 esp-sha-hmac
Apply the following configuration on FW-VPN03 to create a transform set named “BR02-TRSET01-AES256-SHA”.
#crypto ipsec ikev1 transform-set BR02-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac
5.4 Create ACL For VPN Tunnel
It is time to create an ACL to match the traffic for the IPSec VPN tunnel.
Based on the form above, the following is the ACL to be created on FW-VPN01.
#object-group network BR02-Network
 network-object 30.30.30.0 255.255.255.0
#access-list ACL-HQ2BR02 extended permit ip object-group HQ-Network object-group BR02-Network
The following is the ACL to be created on FW-VPN03.
#object-group network HQ-Network
 network-object 10.10.10.0 255.255.255.0
#object-group network BR02-Network
 network-object 30.30.30.0 255.255.255.0
#access-list ACL-BR022HQ extended permit ip object-group BR02-Network object-group HQ-Network
5.5 Create VPN Tunnel Group
Now create a tunnel group for the IPSec IKEv1 site-to-site VPN connection.
Apply the following tunnel group configuration on FW-VPN01.
#tunnel-group 201.201.201.1 type ipsec-l2l
#tunnel-group 201.201.201.1 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo02
Apply the following tunnel group configuration on FW-VPN03.
#tunnel-group 100.100.100.1 type ipsec-l2l
#tunnel-group 100.100.100.1 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo02
5.6 Configure and Apply Crypto Map
The final step is to configure the crypto map that combines the IPsec IKEv1 transform set, access list, and tunnel group configured in the previous steps for this specific VPN peer, and to apply it to the “outside” interface of each Cisco ASA firewall.
The following are the commands to be executed on FW-VPN01.
#crypto map HQ-VPN 2 match address ACL-HQ2BR02
#crypto map HQ-VPN 2 set peer 201.201.201.1
#crypto map HQ-VPN 2 set ikev1 transform-set HQ-TRSET02-AES256-SHA
#crypto map HQ-VPN 2 set pfs group2
#crypto map HQ-VPN 2 set security-association lifetime seconds 3600
#crypto ikev1 enable outside
The following are the commands to be executed on FW-VPN03.
#crypto map BR02-VPN 1 match address ACL-BR022HQ
#crypto map BR02-VPN 1 set peer 100.100.100.1
#crypto map BR02-VPN 1 set ikev1 transform-set BR02-TRSET01-AES256-SHA
#crypto map BR02-VPN 1 set pfs group2
#crypto map BR02-VPN 1 set security-association lifetime seconds 3600
#crypto map BR02-VPN interface outside
#crypto ikev1 enable outside
5.7 Test and Verify the Configuration
To bring up the IPSec IKEv1 site-to-site VPN tunnel, we need to ping the IP address of a host in the remote site. Let's test by pinging from PC1 in the head office to PC3 in branch office 02.
PC1> ping 30.30.30.10
84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=22.258 ms
84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=21.300 ms
84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=18.744 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=20.940 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=19.979 ms
Since the ping to the host on the remote site succeeds, the IPSec VPN tunnel should be up and running. We can verify it with the following command on FW-VPN01.
#sh vpn-sessiondb detail l2l filter ipaddress 201.201.201.1

Session Type: LAN-to-LAN Detailed

Connection   : 201.201.201.1
Index        : 1                      IP Addr      : 201.201.201.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 756                    Bytes Rx     : 672
Login Time   : 17:11:14 UTC Sun Oct 1 2017
Duration     : 0h:00m:29s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 2880 Seconds           Rekey Left(T): 2851 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 10.10.10.0/255.255.255.0/0/0
  Remote Addr  : 30.30.30.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3571 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 756                    Bytes Rx     : 672
  Pkts Tx      : 9                      Pkts Rx      : 8
And with the following command on FW-VPN03.
# sh vpn-sessiondb detail l2l filter ipaddress 100.100.100.1

Session Type: LAN-to-LAN Detailed

Connection   : 100.100.100.1
Index        : 1                      IP Addr      : 100.100.100.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 672                    Bytes Rx     : 756
Login Time   : 17:11:13 UTC Sun Oct 1 2017
Duration     : 0h:01m:27s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 2880 Seconds           Rekey Left(T): 2793 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 30.30.30.0/255.255.255.0/0/0
  Remote Addr  : 10.10.10.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3513 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Bytes Tx     : 672                    Bytes Rx     : 756
  Pkts Tx      : 8                      Pkts Rx      : 9
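Reading the negotiated parameters out of `show vpn-sessiondb detail l2l` by eye is error-prone once several tunnels share one firewall. The following Python script is an added example and is not part of the article or Cisco's tooling: it parses the IKEv1 and IPsec sections of that output and compares each negotiated value with the VPN form in section 4. The sample output is the FW-VPN01 output above, re-laid out in the two-column form the ASA prints; the `EXPECTED` policy dictionary is transcribed from the form, and the function names and field labels it relies on are my own assumptions. Run as-is it reports exactly one mismatch: the form lists an IKE lifetime of 28800 seconds, while the policy was entered with `lifetime 2880`, which the `Rekey Int (T)` field confirms.

```python
import ipaddress
import re

# Constructed sample: the FW-VPN01 "show vpn-sessiondb detail l2l" output
# from the article, laid out in the two-column form the ASA prints.
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN Detailed

Connection   : 201.201.201.1
Index        : 1                      IP Addr      : 201.201.201.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Login Time   : 17:11:14 UTC Sun Oct 1 2017

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 2880 Seconds           Rekey Left(T): 2851 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 10.10.10.0/255.255.255.0/0/0
  Remote Addr  : 30.30.30.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3571 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
"""

# Policy transcribed from the VPN form in section 4 (assumed expected values).
EXPECTED = {
    "IKEv1": {"Encryption": "AES256", "Hashing": "SHA1", "D/H Group": "2",
              "Auth Mode": "preSharedKeys", "Rekey Int (T)": "28800 Seconds"},
    "IPsec": {"Encryption": "AES256", "Hashing": "SHA1", "PFS Group": "2",
              "Encapsulation": "Tunnel", "Rekey Int (T)": "3600 Seconds"},
}
# Encryption domain as seen from FW-VPN01: (local, remote).
EXPECTED_DOMAIN = ("10.10.10.0/24", "30.30.30.0/24")

# A section header is a line holding only "IKEv1:", "IKEv2:" or "IPsec:".
HEADER = re.compile(r"^\s*(IKEv1|IKEv2|IPsec):\s*$", re.M)
# One "Label : value" pair; a value ends at 2+ spaces (next column) or end of line.
FIELD = re.compile(r"([A-Za-z][A-Za-z/ ()]*?)\s*:\s*(.*?)(?=\s{2,}\S|\s*$)")


def parse_sessiondb(text):
    """Return {"IKEv1": {label: value, ...}, "IPsec": {...}} from the detail output."""
    headers = list(HEADER.finditer(text))
    sections = {}
    for i, header in enumerate(headers):
        start = header.end()
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        fields = {}
        for line in text[start:end].splitlines():
            for label, value in FIELD.findall(line):
                fields[label.strip()] = value.strip()
        sections[header.group(1)] = fields
    return sections


def _addr_to_network(value):
    """'10.10.10.0/255.255.255.0/0/0' -> IPv4Network('10.10.10.0/24')."""
    addr, mask = value.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_tunnel(text, expected=EXPECTED, domain=EXPECTED_DOMAIN):
    """Return a list of mismatch descriptions; an empty list means the tunnel matches the form."""
    sections = parse_sessiondb(text)
    problems = []
    for name, fields in expected.items():
        actual = sections.get(name)
        if actual is None:
            problems.append(f"{name}: section missing (tunnel not up or wrong IKE version)")
            continue
        for label, want in fields.items():
            got = actual.get(label, "<absent>")
            if got != want:
                problems.append(f"{name} {label}: expected {want}, got {got}")
    # Compare the proxy identities with the encryption domain from the form.
    ipsec = sections.get("IPsec", {})
    for label, want in zip(("Local Addr", "Remote Addr"), domain):
        if label in ipsec and _addr_to_network(ipsec[label]) != ipaddress.ip_network(want):
            problems.append(f"IPsec {label}: expected {want}, got {ipsec[label]}")
    return problems


if __name__ == "__main__":
    for problem in check_tunnel(SAMPLE_OUTPUT) or ["tunnel matches the VPN form"]:
        print(problem)
```

To use it against FW-VPN03, swap the two entries of `EXPECTED_DOMAIN`, since its local and remote proxy identities are mirrored. Because the section lookup is keyed on the `IKEv1:`/`IPsec:` headers, pasting the output of an IKEv2 peer produces an "IKEv1: section missing" finding rather than a silent pass, which is the behaviour you want when both IKE versions live on the same firewall.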
6. Conclusion
Now you should be able to configure IPSec IKEv2 and IKEv1 to work at the same time for site-to-site VPNs on a single Cisco ASA firewall appliance with IOS version 9.x. It is recommended that you try it yourself using GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will do my best to review and reply to them.