Configuring Site-to-Site IPSec IKEv2 VPN Between Cisco ASA Firewalls IOS Version 9.x

1. Overview

IKEv2 is the newer standard for negotiating IPSec VPNs, and Cisco ASA firewalls fully support it. It offers security and performance enhancements over IKEv1.

This article shows how to configure a site-to-site IPSec IKEv2 VPN on Cisco ASA firewalls running IOS version 9.x, connecting two office locations: the company head office and its branch.

2. Prerequisites

This configuration assumes that:

a. You already have a Cisco ASAv on GNS3 VM up and running. If you don't, follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM

b. You understand the encryption and authentication that take place in phase 1 and phase 2 of an IPSec VPN.

3. Lab Scenario Set up

To demonstrate configuring a site-to-site IPSec IKEv2 VPN on Cisco ASA firewalls with IOS version 9.x, we will set up a GNS3 lab as shown in the following diagram.

There are two Cisco ASA firewall appliances: FW-VPN01 is located in the head office and FW-VPN02 in the branch office. One router acts as the Internet. The IP configuration of each device follows.

On PC1

PC1> ip 10.10.10.10/24 10.10.10.1

On FW-VPN01

#int g0/0
   no sh
   ip add 10.10.10.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 100.100.100.1 255.255.255.252
   security-level 0
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On Internet router

#int f0/0
   no sh
   ip add 100.100.100.2 255.255.255.252
#int f0/1
   no sh
   ip add 200.200.200.2 255.255.255.252

On FW-VPN02

#int g0/0
   no sh
   ip add 20.20.20.1 255.255.255.0
   nameif inside
#int g0/1
   no sh
   ip add 200.200.200.1 255.255.255.252
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On PC2

PC2> ip 20.20.20.10/24 20.20.20.1

4. IPSec VPN Site-to-Site Form

The following is the information the site-to-site IPSec IKEv2 VPN will use in the configuration.

VPN Setting

3.1 Network settings

                          Head Office        Branch Office
Tunnel Peer IP  Primary   100.100.100.1      200.200.200.2
                Secondary N/A                N/A
Device Manufacturer       Cisco              Cisco
Device Model              ASA 5525-X         ASA 5525-X
Device Software Version   9.8                9.8

3.2 IKE settings

IKE Version             2
Encryption algorithm    AES-256
Integrity algorithm     SHA-256
PRF algorithm           SHA-256
Authentication method   PSK (will be shared privately)
DH group                Group 2 (1024)
IKE lifetime            28800 sec

3.3 IPSEC settings

PFS                     Yes (group 2)
Encryption algorithm    AES-256
Integrity algorithm     SHA-256
SA Lifetime             3600 sec

3.4 Encryption domain

Head Office                       Branch Office
Local IP Address     Port         Local IP Addresses     Port
10.10.10.0/24        any          20.20.20.0/24          any

5. Configuration

5.1 Configure Default Route

Apply the following default route configuration on FW-VPN01.

#route outside 0.0.0.0 0.0.0.0 100.100.100.2

Apply the following default route configuration on FW-VPN02.

#route outside 0.0.0.0 0.0.0.0 200.200.200.2

Now FW-VPN01 and FW-VPN02 should be able to ping each other's public IP.

FW-VPN01# ping 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

FW-VPN02# ping 100.100.100.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

5.2 Set Up ISAKMP Policy

Configure an IKEv2 policy so that IKE can negotiate a Security Association (SA) with the peer; this establishes the encrypted control channel between the two VPN endpoints. Apply the following commands on both FW-VPN01 and FW-VPN02.

#crypto ikev2 policy 10
   encryption aes-256
   integrity sha256
   group 2
   prf sha256
   lifetime seconds 28800

5.3 Create IPSec Transform Set

Next we need to create a transform set (an IKEv2 IPsec proposal) that establishes the encryption and integrity algorithms for the IPSec tunnel. Apply the following configuration on FW-VPN01 to create a transform set named “HQ-TRSET01-AES256-SHA256”.

#crypto ipsec ikev2 ipsec-proposal HQ-TRSET01-AES256-SHA256
   protocol esp encryption aes-256
   protocol esp integrity sha-256

Apply the following configuration on FW-VPN02 to create a transform set named “BR-TRSET01-AES256-SHA256”.

#crypto ipsec ikev2 ipsec-proposal BR-TRSET01-AES256-SHA256
   protocol esp encryption aes-256
   protocol esp integrity sha-256

5.4 Create ACL For VPN Tunnel

Now create an ACL that matches the traffic to be sent through the IPSec VPN tunnel. Based on the form above, the following is the ACL to be created on FW-VPN01.

#object-group network HQ-Network
   network-object 10.10.10.0 255.255.255.0
#object-group network BR-Network
   network-object 20.20.20.0 255.255.255.0
#access-list ACL-HQ2BR extended permit ip object-group HQ-Network object-group BR-Network

The following is the ACL to be created on FW-VPN02.

#object-group network HQ-Network
   network-object 10.10.10.0 255.255.255.0
#object-group network BR-Network
   network-object 20.20.20.0 255.255.255.0
#access-list ACL-BR2HQ extended permit ip object-group BR-Network object-group HQ-Network

5.5 Create VPN Tunnel Group

Now create a tunnel group for the site-to-site IPSec IKEv2 VPN connection. Pre-shared key authentication is configured here. In IKEv2 there are two pre-shared keys to configure, remote-authentication and local-authentication, and they do not have to be the same: the local-authentication key on one firewall must match the remote-authentication key on the other. This is one of the security enhancements of IKEv2.

In the following configuration, we use two different pre-shared keys for remote-authentication and local-authentication.


Apply the following tunnel group configuration on FW-VPN01.

#tunnel-group 200.200.200.1 type ipsec-l2l
#tunnel-group 200.200.200.1 ipsec-attributes
  ikev2 remote-authentication pre-shared-key vpn@Ho2Bo1111
  ikev2 local-authentication pre-shared-key vpn@Ho2Bo2222

Apply the following tunnel group configuration on FW-VPN02. Note that the keys are mirrored: the branch's remote-authentication key is the head office's local-authentication key, and vice versa.

#tunnel-group 100.100.100.1 type ipsec-l2l
#tunnel-group 100.100.100.1 ipsec-attributes
  ikev2 remote-authentication pre-shared-key vpn@Ho2Bo2222
  ikev2 local-authentication pre-shared-key vpn@Ho2Bo1111

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto map, which ties together the IPsec IKEv2 transform set, access list and tunnel group configured in the previous steps for this specific VPN peer, and to apply it to the “outside” interface of each Cisco ASA firewall.
The following are the commands to be executed on FW-VPN01.

#crypto map HQ-VPN 1 match address ACL-HQ2BR
#crypto map HQ-VPN 1 set peer 200.200.200.1
#crypto map HQ-VPN 1 set ikev2 ipsec-proposal HQ-TRSET01-AES256-SHA256
#crypto map HQ-VPN 1 set pfs group2
#crypto map HQ-VPN 1 set security-association lifetime seconds 3600
#crypto map HQ-VPN interface outside
#crypto ikev2 enable outside

The following are the commands to be executed on FW-VPN02.

#crypto map BR-VPN 1 match address ACL-BR2HQ
#crypto map BR-VPN 1 set peer 100.100.100.1
#crypto map BR-VPN 1 set ikev2 ipsec-proposal BR-TRSET01-AES256-SHA256
#crypto map BR-VPN 1 set pfs group2
#crypto map BR-VPN 1 set security-association lifetime seconds 3600
#crypto map BR-VPN interface outside
#crypto ikev2 enable outside
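Before bringing the tunnel up, it is worth checking the two configurations against each other, because the mistakes that stop an IKEv2 site-to-site tunnel from forming are almost always a peer address or a pre-shared key that is not mirrored. The following Python script is an added example and not part of the original article: it extracts the IKEv2 policy (section 5.2) and the tunnel-group keys (section 5.5) from two constructed config snippets and reports where the peers disagree. The outside IP addresses passed to it are taken from the lab diagram.

```python
import re

# Constructed sample input (not from a live device): the IKEv2 policy from
# section 5.2 plus the tunnel-group key lines from section 5.5 of each firewall.
POLICY = ("crypto ikev2 policy 10\n encryption aes-256\n integrity sha256\n"
          " group 2\n prf sha256\n lifetime seconds 28800\n")
HQ = POLICY + ("tunnel-group 200.200.200.1 ipsec-attributes\n"
               " ikev2 remote-authentication pre-shared-key vpn@Ho2Bo1111\n"
               " ikev2 local-authentication pre-shared-key vpn@Ho2Bo2222\n")
# Branch with HQ's key lines copied verbatim (only the peer address changed)
BR_COPIED = HQ.replace("200.200.200.1", "100.100.100.1")
# Branch with the keys mirrored: HQ's local key is the branch's remote key
BR_MIRRORED = POLICY + ("tunnel-group 100.100.100.1 ipsec-attributes\n"
                        " ikev2 remote-authentication pre-shared-key vpn@Ho2Bo2222\n"
                        " ikev2 local-authentication pre-shared-key vpn@Ho2Bo1111\n")

FIELDS = re.compile(
    r"^(?:tunnel-group (?P<peer>\S+) ipsec-attributes"
    r"|ikev2 (?P<dir>remote|local)-authentication pre-shared-key (?P<key>\S+)"
    r"|(?P<param>encryption|integrity|group|prf|lifetime seconds) (?P<val>\S+))$")

def parse(cfg):
    """Extract the peer address, the directional PSKs and the IKEv2 policy values."""
    f = {"policy": {}}
    for line in cfg.splitlines():
        m = FIELDS.match(line.strip())
        if not m:
            continue                      # interface, ACL and other lines are ignored
        if m.group("peer"):
            f["peer"] = m.group("peer")
        elif m.group("dir"):
            f[m.group("dir")] = m.group("key")
        else:
            f["policy"][m.group("param")] = m.group("val")
    return f

def check_peers(cfg_a, outside_a, cfg_b, outside_b):
    """Return a list of mismatches between two peers; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a.get("peer") != outside_b or b.get("peer") != outside_a:
        problems.append("tunnel-group peer address does not match the other side's outside IP")
    # IKEv2 PSKs are directional: each side's local key must equal the other's remote key
    if a.get("local") != b.get("remote") or b.get("local") != a.get("remote"):
        problems.append("pre-shared keys are not mirrored between the two peers")
    for k in sorted(set(a["policy"]) | set(b["policy"])):
        if a["policy"].get(k) != b["policy"].get(k):
            problems.append(f"ikev2 policy {k!r} differs: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    return problems
```

Calling check_peers(HQ, "100.100.100.1", BR_COPIED, "200.200.200.1") flags the un-mirrored keys, while the same call with BR_MIRRORED returns an empty list.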

5.7 Test and Verify the Configuration

To bring up the site-to-site IPSec IKEv2 VPN tunnel, we need to send interesting traffic, such as a ping to a host at the remote site. Let's test by pinging from PC1 in the head office to PC2 in the branch office.

PC1> ping 20.20.20.10
84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=22.258 ms
84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=21.300 ms
84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=18.744 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=20.940 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=19.979 ms

Since we can successfully ping the IP of a host at the remote site, the IPSec VPN tunnel should be up and running. We can verify it with the following command on FW-VPN01.

#sh vpn-sessiondb detail l2l filter ipaddress 200.200.200.1

Session Type: LAN-to-LAN Detailed

Connection : 200.200.200.1
Index : 1 IP Addr : 200.200.200.1
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsec: (1)SHA256
Bytes Tx : 1176 Bytes Rx : 1092
Login Time : 06:15:54 UTC Sun Oct 1 2017
Duration : 0h:01m:17s

IKEv2 Tunnels: 1
IPsec Tunnels: 1

IKEv2:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 Rem Auth Mode: preSharedKeys
 Loc Auth Mode: preSharedKeys
 Encryption : AES256 Hashing : SHA256
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28723 Seconds
 PRF : SHA256 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 10.10.10.0/255.255.255.0/0/0
 Remote Addr : 20.20.20.0/255.255.255.0/0/0
 Encryption : AES256 Hashing : SHA256
 Encapsulation: Tunnel PFS Group : 2
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3522 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607999 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
 Bytes Tx : 1176 Bytes Rx : 1092
 Pkts Tx : 14 Pkts Rx : 13

And with the following command on FW-VPN02.

# sh vpn-sessiondb detail l2l filter ipaddress 100.100.100.1

Session Type: LAN-to-LAN Detailed

Connection : 100.100.100.1
Index : 1 IP Addr : 100.100.100.1
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsec: (1)SHA256
Bytes Tx : 1092 Bytes Rx : 1176
Login Time : 06:15:54 UTC Sun Oct 1 2017
Duration : 0h:02m:17s

IKEv2 Tunnels: 1
IPsec Tunnels: 1

IKEv2:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 Rem Auth Mode: preSharedKeys
 Loc Auth Mode: preSharedKeys
 Encryption : AES256 Hashing : SHA256
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28663 Seconds
 PRF : SHA256 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 20.20.20.0/255.255.255.0/0/0
 Remote Addr : 10.10.10.0/255.255.255.0/0/0
 Encryption : AES256 Hashing : SHA256
 Encapsulation: Tunnel PFS Group : 2
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3462 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607999 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes
 Bytes Tx : 1092 Bytes Rx : 1176
 Pkts Tx : 13 Pkts Rx : 14
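A tunnel being up does not by itself prove that it negotiated what the form in section 4 asked for; a peer that accepts a weaker proposal would show an equally healthy session. The following Python script is an added example, not part of the original article: it parses the "show vpn-sessiondb detail l2l" output above (a trimmed copy of the FW-VPN01 output is embedded as constructed sample input) and compares the negotiated IKEv2 and IPsec parameters with the expected values taken from the form.

```python
import re

# Constructed sample input: a trimmed copy of the FW-VPN01 output shown above.
SESSION = """Connection : 200.200.200.1
Protocol : IKEv2 IPsec
IKEv2:
 Rem Auth Mode: preSharedKeys
 Encryption : AES256 Hashing : SHA256
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28723 Seconds
 PRF : SHA256 D/H Group : 2
IPsec:
 Local Addr : 10.10.10.0/255.255.255.0/0/0
 Remote Addr : 20.20.20.0/255.255.255.0/0/0
 Encryption : AES256 Hashing : SHA256
 Encapsulation: Tunnel PFS Group : 2
 Rekey Int (T): 3600 Seconds Rekey Left(T): 3522 Seconds"""

# What the VPN form in section 4 says the head-office tunnel must negotiate.
EXPECTED = {
    "IKEv2": {"Rem Auth Mode": "preSharedKeys", "Encryption": "AES256", "Hashing": "SHA256",
              "PRF": "SHA256", "D/H Group": "2", "Rekey Int (T)": "28800"},
    "IPsec": {"Encryption": "AES256", "Hashing": "SHA256", "PFS Group": "2",
              "Rekey Int (T)": "3600", "Local Addr": "10.10.10.0/255.255.255.0/0/0",
              "Remote Addr": "20.20.20.0/255.255.255.0/0/0"},
}

# 'Field : value' pairs; several can share one line, e.g. 'PRF : SHA256 D/H Group : 2'
PAIR = re.compile(r"([\w /()]+?)\s*:\s*(\S+)")

def parse_session(text):
    """Turn 'show vpn-sessiondb detail' output into {section: {field: first value}}."""
    sections, current = {}, "header"
    for line in text.splitlines():
        if re.fullmatch(r"\w+:", line):          # 'IKEv2:' or 'IPsec:' opens a section
            current = line[:-1]
            continue
        fields = sections.setdefault(current, {})
        for key, value in PAIR.findall(line.strip()):
            fields.setdefault(key.strip(), value)
    return sections

def verify_session(text, expected=EXPECTED):
    """Return (section, field, expected, actual) for every negotiated value off the form."""
    got = parse_session(text)
    return [(sec, field, want, got.get(sec, {}).get(field))
            for sec, fields in expected.items()
            for field, want in fields.items()
            if got.get(sec, {}).get(field) != want]
```

verify_session(SESSION) returns an empty list for the session above; any deviation, such as a different DH group or a missing IPsec section, comes back as a tuple naming the section and field.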

6. Conclusion

Now you should be able to configure a site-to-site IPSec IKEv2 VPN on Cisco ASA firewall appliances with IOS version 9.x. It is recommended that you try it yourself using GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will do my best to review and reply to them.