1. Overview
IKEv2 is the new standard for configuring IPSec VPN and Cisco ASA firewall is fully support it. It has security and performance enhancement over IKEv1.
In this article will show how to configure site-to-site IPSec VPN IKEv2 on Cisco ASA firewalls IOS version 9.x to allow connection between two office locations which are the company head office and its branch.
2. Prerequisites
To start this configuration, it is supposes that:
a. You already have Cisco ASAv on GNS3 VM up and running. In case that you don’t, please follow this link. Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.
3. Lab Scenario Set up
To demonstrate configuring IPSec IKEv2 VPN site-to-site on Cisco ASA firewall with IOS version 9.x, we will set up a GNS3 lab as the following diagram.
There are two Cisco ASA firewall appliances. FW-VPN01 locates in head office and FW-VPN02 locates in branch office. There is one router act as internet. The following is the IP configuration of each device.
On PC1
PC1> ip 10.10.10.10/24 10.10.10.1
On FW-VPN01
#int g0/0
no sh
ip add 10.10.10.1 255.255.255.0
security-level 100
nameif inside
#int g0/1
no sh
ip add 100.100.100.1 255.255.255.252
security-level 0
nameif outside
#policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
On Internet router
#int f0/0 no sh ip add 100.100.100.2 255.255.255.252 #in f0/1 no sh ip add 200.200.200.2 255.255.255.252
On FW-VPN02
#int g0/0
no sh
ip add 20.20.20.1 255.255.255.0
nameif inside
#int g0/1
no sh
ip add 200.200.200.1 255.255.255.252
nameif outside
#policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
On PC2
PC2> ip 20.20.20.10/24 20.20.20.1
4. IPSec VPN Site-to-Site Form
The following is the information that IPSec IKEv2 VPN site-to-site will be used to in the configuration.
|
VPN Setting |
|||||
|
3.1 Network settings |
|||||
| Head Office | Branch Office | ||||
| Tunnel Peer IP | Primary | 100.100.100.1 | 200.200.200.2 | ||
| Secondary | N/A | N/A | |||
| Device Manufacturer | Cisco | Cisco | |||
| Device Model | ASA 5525-X | ASA 5525-X | |||
| Device Software Version | 9.8 | 9.8 | |||
|
3.2 IKE settings |
|||||
| IKE Version | 2 | ||||
| Encryption algorithm | AES-256 | ||||
| Integrity algorithm | SHA-256 | ||||
| PRF algorithm | SHA-256 | ||||
| Authentication method | PSK (Will share privately) | ||||
| DH group | Group 2 (1024) | ||||
| IKE lifetime | 28800 sec | ||||
| 3.3 IPSEC settings | |||||
| PFS | Yes (group 2) | ||||
| Encryption algorithm | AES-256 | ||||
| Integrity algorithm | SHA-256 | ||||
| SA Lifetime | 3600 sec | ||||
|
2.4 Encryption domain |
|||||
|
Head Office |
Branch Office |
||||
| Local IP Address | Port | Local IP Addresses | Port | ||
| 10.10.10.0/24 | any | 20.20.20.0/24 | any | ||
5. Configuration
5.1 Configure Default Route
Apply the the following default router configuration on FW-VPN01.
#route outside 0.0.0.0 0.0.0.0 100.100.100.2
Apply the the following default router configuration on FW-VPN02.
#route outside 0.0.0.0 0.0.0.0 200.200.200.2
Now both FW-VPN01 and FW-VPN02 should be able to ping their public IP each other.
FW-VPN01# ping 200.200.200.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms FW-VPN02# ping 100.100.100.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command on both FW-VPN01 and FW-VPN02.
#crypto ikev2 policy 10 encryption aes-256 integrity sha256 group 2 prf sha256 lifetime seconds 28800
5.3 Create IPSec Transform Set
Next we need to create a transform set to establishes the encryption and authentication for IPSec IKEv2 tunnel. Apply the follow configuration on FW-VPN01 to create a transform set name “HQ-TRSET01-AES256-SHA256”.
#crypto ipsec ikev2 ipsec-proposal HQ-TRSET01-AES256-SHA256 protocol esp encryption aes-256 protocol esp integrity sha-256
Apply the follow configuration on FW-VPN02 to create a transform set name “BR-TRSET01-AES256-SHA256”.
#crypto ipsec ikev2 ipsec-proposal BR-TRSET01-AES256-SHA256 protocol esp encryption aes-256 protocol esp integrity sha-256
5.4 Create ACL For VPN Tunnel
It is time to create an ACL now to match the traffic for IPSec VPN tunnel. Based on the form above, the following is the ACL to be created on FW-VPN01.
#object-group network HQ-Network network-object 10.10.10.0 255.255.255.0 #object-group network BR-Network network-object 20.20.20.0 255.255.255.0 #access-list ACL-HQ2BR extended permit ip object-group HQ-Network object-group BR-Network
The following is the ACL to be created on FW-VPN02.
#object-group network HQ-Network network-object 10.10.10.0 255.255.255.0 #object-group network BR-Network network-object 20.20.20.0 255.255.255.0 #access-list ACL-BR2HQ extended permit ip object-group BR-Network object-group HQ-Network
5.5 Create VPN Tunnel Group
Now create a tunnel group for IPSec IKEv2 VPN site-to-site connection. Pre-shred key authentication is to be configured here. In IKEv2 there are two pre-shared keys to be configured, remote-authentication and local-authentication and they have to be the same. It is also one of the security enhancement of IKEv2.
In the following configuration, we use two different pre-shared keys between remote-authentication and local-authentication.
Apply the following tunnel group configuration on FW-VPN01.
#tunnel-group 200.200.200.1 type ipsec-l2l #tunnel-group 200.200.200.1 ipsec-attributes ikev2 remote-authentication pre-shared-key vpn@Ho2Bo1111 ikev2 local-authentication pre-shared-key vpn@Ho2Bo2222
Apply the following tunnel group configuration on FW-VPN02.
#tunnel-group 100.100.100.1 type ipsec-l2l #tunnel-group 100.100.100.1 ipsec-attributes ikev2 remote-authentication pre-shared-key vpn@Ho2Bo1111 ikev2 local-authentication pre-shared-key vpn@Ho2Bo2222
5.6 Configure and Apply Crypto Map
The final step is to configure the crypto map to combine IPsec IKEv2 transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface “outside” of each Cisco ASA firewall.
The following are the commands to be executed on FW-VPN01.
#crypto map HQ-VPN 1 match address ACL-HQ2BR #crypto map HQ-VPN 1 set peer 200.200.200.1 #crypto map HQ-VPN 1 set ikev2 ipsec-proposal HQ-TRSET01-AES256-SHA256 #crypto map HQ-VPN 1 set pfs group2 #crypto map HQ-VPN 1 set security-association lifetime seconds 3600 #crypto map HQ-VPN interface outside #crypto ikev2 enable outside
The following are the commands to be executed on FW-VPN02.
#crypto map BR-VPN 1 match address ACL-BR2HQ #crypto map BR-VPN 1 set peer 100.100.100.1 #crypto map BR-VPN 1 set ikev2 ipsec-proposal BR-TRSET01-AES256-SHA256 #crypto map BR-VPN 1 set pfs group2 #crypto map BR-VPN 1 set security-association lifetime seconds 3600 #crypto map BR-VPN interface outside #crypto ikev2 enable outside
5.7 Test and Verify the Configuration
To bring up the IPSec IKEv2 VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in head office to PC2 in branch office.
PC1> ping 20.20.20.10 84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=22.258 ms 84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=21.300 ms 84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=18.744 ms 84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=20.940 ms 84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=19.979 ms
As we are successful to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on FW-VPN01.
#sh vpn-sessiondb detail l2l filter ipaddress 200.200.200.1 Session Type: LAN-to-LAN Detailed Connection : 200.200.200.1 Index : 1 IP Addr : 200.200.200.1 Protocol : IKEv2 IPsec Encryption : IKEv2: (1)AES256 IPsec: (1)AES256 Hashing : IKEv2: (1)SHA256 IPsec: (1)SHA256 Bytes Tx : 1176 Bytes Rx : 1092 Login Time : 06:15:54 UTC Sun Oct 1 2017 Duration : 0h:01m:17s IKEv2 Tunnels: 1 IPsec Tunnels: 1 IKEv2: Tunnel ID : 1.1 UDP Src Port : 500 UDP Dst Port : 500 Rem Auth Mode: preSharedKeys Loc Auth Mode: preSharedKeys Encryption : AES256 Hashing : SHA256 Rekey Int (T): 28800 Seconds Rekey Left(T): 28723 Seconds PRF : SHA256 D/H Group : 2 Filter Name : IPsec: Tunnel ID : 1.2 Local Addr : 10.10.10.0/255.255.255.0/0/0 Remote Addr : 20.20.20.0/255.255.255.0/0/0 Encryption : AES256 Hashing : SHA256 Encapsulation: Tunnel PFS Group : 2 Rekey Int (T): 3600 Seconds Rekey Left(T): 3522 Seconds Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607999 K-Bytes Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes Bytes Tx : 1176 Bytes Rx : 1092 Pkts Tx : 14 Pkts Rx : 13
And with the following command on FW-VPN02.
# sh vpn-sessiondb detail l2l filter ipaddress 100.100.100.1 Session Type: LAN-to-LAN Detailed Connection : 100.100.100.1 Index : 1 IP Addr : 100.100.100.1 Protocol : IKEv2 IPsec Encryption : IKEv2: (1)AES256 IPsec: (1)AES256 Hashing : IKEv2: (1)SHA256 IPsec: (1)SHA256 Bytes Tx : 1092 Bytes Rx : 1176 Login Time : 06:15:54 UTC Sun Oct 1 2017 Duration : 0h:02m:17s IKEv2 Tunnels: 1 IPsec Tunnels: 1 IKEv2: Tunnel ID : 1.1 UDP Src Port : 500 UDP Dst Port : 500 Rem Auth Mode: preSharedKeys Loc Auth Mode: preSharedKeys Encryption : AES256 Hashing : SHA256 Rekey Int (T): 28800 Seconds Rekey Left(T): 28663 Seconds PRF : SHA256 D/H Group : 2 Filter Name : IPsec: Tunnel ID : 1.2 Local Addr : 20.20.20.0/255.255.255.0/0/0 Remote Addr : 10.10.10.0/255.255.255.0/0/0 Encryption : AES256 Hashing : SHA256 Encapsulation: Tunnel PFS Group : 2 Rekey Int (T): 3600 Seconds Rekey Left(T): 3462 Seconds Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607999 K-Bytes Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes Bytes Tx : 1092 Bytes Rx : 1176 Pkts Tx : 13 Pkts Rx : 14
6. Conclusion
Now you should be able to configure IPSec IKEv2 VPN site-to-site on Cisco ASA firewall appliance with IOS version 9.x. It is recommended that you try it by your own self using GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
