Site-to-Site IPSec VPN With Duplicated Local IP Subnet on Cisco ASA Firewalls IOS Version 9.x

1. Overview


A Site-to-Site IPSec VPN connects two Local Area Networks (LANs) of a company's offices or branches that are geographically separated. The data traffic between the two locations flows over the internet or another public network inside a secure VPN tunnel, which is built with strong encryption algorithms. In some cases, the IP subnet of the LAN in one office is exactly the same as the IP subnet of the LAN in the other office.

This article shows how to configure a site-to-site IPSec VPN on Cisco ASA firewalls with IOS version 9.x to connect two office locations, the company head office and its branch, whose LANs use the same IP subnet.

2. Prerequisites


To start this configuration, it is assumed that:

a. You already have Cisco ASAv on GNS3 VM up and running. If you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM

b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.

In a real-world scenario, it is assumed that:

a. You have reached an agreement on the configuration information to be implemented on the Cisco ASA firewall appliances in both locations. The easy way to reach this agreement is to fill in the IPSec VPN form at this link: IPSec VPN Site-to-Site Form
b. You have scheduled a specific date and time to start the implementation, and both parties have accepted it.

3. Lab Scenario Set up


To demonstrate configuring a site-to-site IPSec VPN on Cisco ASA firewalls with IOS version 9.x, we will set up a GNS3 lab as in the following diagram.

There are two Cisco ASA firewall appliances: HQ-FW01 is located in the head office and BR-FW01 in the branch office. The LAN IP subnet in the head office and in the branch office is exactly the same, 10.10.10.0/24. Because of this, NAT is configured on BR-FW01 to translate the LAN host 10.10.10.20/32 to 172.16.10.20/32 instead. One router acts as the internet. The following is the IP configuration of each device.

On PC1

PC1> ip 10.10.10.10/24 10.10.10.1

On HQ-FW01

#int g0/0
   no sh
   ip add 10.10.10.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 203.200.200.2 255.255.255.252
   security-level 0
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On Internet router

#int f0/0
   no sh
   ip add 203.200.200.1 255.255.255.252
#int f0/1
   no sh
   ip add 111.100.100.1 255.255.255.252

On BR-FW01

#int g0/0
   no sh
   ip add 10.10.10.1 255.255.255.0
   nameif inside
#int g0/1
   no sh
   ip add 111.100.100.2 255.255.255.252
   nameif outside
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On PC2

PC2> ip 10.10.10.20/24 10.10.10.1

4. IPSec VPN Site-to-Site Form


The following is the information from the IPSec VPN site-to-site form that will be used in the configuration.

Firewall Type   Head Office    Branch Office
Manufacturer    Cisco          Cisco
Model           ASA 5555-X     ASA 5525-X
Version         9.4            9.4

Configuration                              Head Office                                       Branch Office
Phase 1
  IKE Encryption Algorithm                 AES-256                                           AES-256
  IKE Hash Algorithm                       SHA-1                                             SHA-1
  IKE Security Lifetime                    86400                                             86400
  Diffie-Hellman Group                     2                                                 2
  Pre-shared key                           vpn@Ho2Bo                                         vpn@Ho2Bo
Phase 2
  IPSEC security protocol                  ESP                                               ESP
  IPSEC Encryption Algorithm               AES-256                                           AES-256
  IPSEC Hash Algorithm                     SHA-1                                             SHA-1
  IPSEC Security Lifetime (Optional)       □ 14400 □ 28800 (default) □ 86400 □ Other: ……….   □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
  Perfect Forward Secrecy (PFS) (Optional) PFS □ Yes □ No  Group □ 2 (default) □ 5 □ 7        PFS □ Yes □ No  Group □ 2 (default) □ 5 □ 7

IP Addressing      Head Office        Branch Office
Peer IP address    203.200.200.2      111.100.100.2
Local IP address   172.16.20.10/32    172.16.10.20/32

5. Configuration

5.1 Configure Default Route


Apply the following default route configuration on HQ-FW01.

#route outside 0.0.0.0 0.0.0.0 203.200.200.1

Apply the following default route configuration on BR-FW01.

#route outside 0.0.0.0 0.0.0.0 111.100.100.1

Now HQ-FW01 and BR-FW01 should be able to ping each other's public IP.

HQ-FW01# ping 111.100.100.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 111.100.100.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

BR-FW01# ping 203.200.200.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 203.200.200.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

5.2 Set Up ISAKMP Policy


Configure IKE to negotiate a Security Association (SA) with the peer; this establishes the encrypted communication channel between the two VPN endpoints. Apply the following commands on both HQ-FW01 and BR-FW01.

#crypto ikev1 policy 1
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400

5.3 Create IPSec Transform Set


Next we need to create a transform set, which defines the encryption and authentication for the IPSec tunnel. Apply the following configuration on HQ-FW01 to create a transform set named "HQ-TRSET01-AES256-SHA".

#crypto ipsec ikev1 transform-set HQ-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac

Apply the following configuration on BR-FW01 to create a transform set named "BR-TRSET01-AES256-SHA".

#crypto ipsec ikev1 transform-set BR-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac

5.4 Create ACL For VPN Tunnel


Now create an ACL to match the traffic that will be sent through the IPSec VPN tunnel.

Based on the form above, the following is the ACL to be created on HQ-FW01.

#object-group network HQ-Server
   network-object host 172.16.20.10
#object-group network BR-Server
   network-object host 172.16.10.20
#access-list ACL-HQ2BR extended permit ip object-group HQ-Server object-group BR-Server

The following is the ACL to be created on BR-FW01.

#object-group network HQ-Server
   network-object host 172.16.20.10
#object-group network BR-Server
   network-object host 172.16.10.20
#access-list ACL-BR2HQ extended permit ip object-group BR-Server object-group HQ-Server

Now we need to configure NAT on BR-FW01 to translate the local IP to another IP, so that the client computer in the head office sees this computer in a different network rather than in its own. If the computers in the head office and the branch office use the same IP subnet, the VPN tunnel will never be established.

#object-group network BR-LocalServerIP
   network-object host 10.10.10.20
#nat (inside,outside) source static BR-LocalServerIP BR-Server

We have to do the same on the Cisco ASA firewall in the head office, HQ-FW01; otherwise a client in the branch office cannot initiate the VPN connection, and the tunnel only comes up when a client in the head office initiates it.

#object-group network HQ-LocalServerIP
   network-object host 10.10.10.10
#nat (inside,outside) source static HQ-LocalServerIP HQ-Server
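As an added pre-deployment check (example code, not from the article or Cisco), the following Python models the two lab sites and verifies the design rules this NAT step relies on: each translated host address must lie outside the duplicated 10.10.10.0/24 LAN, the crypto ACLs must name the translated addresses and mirror each other, and each crypto map peer must be the remote outside interface. The Site structure and check_design function are assumptions for illustration.

```python
import ipaddress
from typing import NamedTuple

IP = ipaddress.IPv4Address

class Site(NamedTuple):
    name: str
    lan: ipaddress.IPv4Network  # real subnet behind "inside"
    real_host: IP               # host in the NAT real object (e.g. HQ-LocalServerIP)
    mapped_host: IP             # translated address (e.g. HQ-Server)
    acl: tuple[IP, IP]          # (source, destination) of the crypto ACL entry
    outside_ip: IP              # own "outside" interface address
    peer_ip: IP                 # "set peer" in the crypto map

def check_design(a: Site, b: Site) -> list[str]:
    """Return findings; an empty list means the two sites are consistent."""
    findings = []
    for s in (a, b):
        if s.real_host not in s.lan:
            findings.append(f"{s.name}: real host {s.real_host} is not in LAN {s.lan}")
        # The mapped address must lie outside BOTH LANs, otherwise the duplicated
        # 10.10.10.0/24 is still presented over the tunnel and the selectors overlap.
        for t in (a, b):
            if s.mapped_host in t.lan:
                findings.append(f"{s.name}: mapped host {s.mapped_host} overlaps LAN {t.lan} of {t.name}")
        # ASA matches the crypto ACL after NAT, so the ACL must name the mapped host.
        if s.acl[0] != s.mapped_host:
            findings.append(f"{s.name}: crypto ACL source {s.acl[0]} is not the mapped host {s.mapped_host}")
    if a.mapped_host == b.mapped_host:
        findings.append("both sites present the same mapped host address")
    if a.acl != (b.acl[1], b.acl[0]):
        findings.append("crypto ACLs are not mirror images; phase 2 proxy IDs will not match")
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        findings.append("crypto map peers do not point at the remote outside interface")
    return findings

def lab_sites(branch_nat: bool = True) -> tuple[Site, Site]:
    """The article's lab; branch_nat=False keeps the branch's real address (no NAT)."""
    lan = ipaddress.ip_network("10.10.10.0/24")  # the duplicated LAN
    hq_mapped, br_real = IP("172.16.20.10"), IP("10.10.10.20")
    br_mapped = IP("172.16.10.20") if branch_nat else br_real
    hq = Site("HQ-FW01", lan, IP("10.10.10.10"), hq_mapped, (hq_mapped, br_mapped),
              IP("203.200.200.2"), IP("111.100.100.2"))
    br = Site("BR-FW01", lan, br_real, br_mapped, (br_mapped, hq_mapped),
              IP("111.100.100.2"), IP("203.200.200.2"))
    return hq, br

if __name__ == "__main__":
    for nat in (True, False):
        print("branch NAT", "on:" if nat else "off:", check_design(*lab_sites(nat)) or "OK")
```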

5.5 Create VPN Tunnel Group


Now create a tunnel group for the IPSec VPN site-to-site connection. Pre-shared key authentication is configured here.

Apply the following tunnel group configuration on HQ-FW01.

#tunnel-group 111.100.100.2 type ipsec-l2l
#tunnel-group 111.100.100.2 ipsec-attributes
   ikev1 pre-shared-key vpn@Ho2Bo

Apply the following tunnel group configuration on BR-FW01.

#tunnel-group 203.200.200.2 type ipsec-l2l
#tunnel-group 203.200.200.2 ipsec-attributes
   ikev1 pre-shared-key vpn@Ho2Bo

5.6 Configure and Apply Crypto Map


The final step is to configure the crypto map, which combines the IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer, and to apply it to the "outside" interface of each Cisco ASA firewall.

The following are the commands to be executed on HQ-FW01.

#crypto map HQ-VPN 1 match address ACL-HQ2BR
#crypto map HQ-VPN 1 set peer 111.100.100.2
#crypto map HQ-VPN 1 set ikev1 transform-set HQ-TRSET01-AES256-SHA
#crypto map HQ-VPN interface outside
#crypto ikev1 enable outside

The following are the commands to be executed on BR-FW01.

#crypto map HQ-VPN 1 match address ACL-BR2HQ
#crypto map HQ-VPN 1 set peer 203.200.200.2
#crypto map HQ-VPN 1 set ikev1 transform-set BR-TRSET01-AES256-SHA
#crypto map HQ-VPN interface outside
#crypto ikev1 enable outside


5.7 Test and Verify the Configuration


To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of a host at the remote site. Let's test by pinging from PC1 in the head office to PC2 in the branch office.

PC1> ping 172.16.10.20
172.16.10.20 icmp_seq=1 timeout
84 bytes from 172.16.10.20 icmp_seq=2 ttl=64 time=26.187 ms
84 bytes from 172.16.10.20 icmp_seq=3 ttl=64 time=21.405 ms
84 bytes from 172.16.10.20 icmp_seq=4 ttl=64 time=19.522 ms
84 bytes from 172.16.10.20 icmp_seq=5 ttl=64 time=21.457 ms

As the ping to the host at the remote site succeeds, the IPSec VPN tunnel should be up and running. We can verify it with the following command on HQ-FW01.

# sh vpn-sessiondb detail l2l filter ipaddress 111.100.100.2

Session Type: LAN-to-LAN Detailed

Connection   : 111.100.100.2
Index        : 1                      IP Addr      : 111.100.100.2
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 336                    Bytes Rx     : 336
Login Time   : 16:21:52 UTC Tue Jun 20 2017
Duration     : 0h:02m:26s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86254 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 10.10.10.10/255.255.255.255/0/0
  Remote Addr  : 172.16.10.20/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28654 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes
  Bytes Tx     : 336                    Bytes Rx     : 336
  Pkts Tx      : 4                      Pkts Rx      : 4

And with the following command on BR-FW01.

# sh vpn-sessiondb detail l2l filter ipaddress 203.200.200.2

Session Type: LAN-to-LAN Detailed

Connection   : 203.200.200.2
Index        : 1                      IP Addr      : 203.200.200.2
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 336                    Bytes Rx     : 336
Login Time   : 16:21:52 UTC Tue Jun 20 2017
Duration     : 0h:03m:08s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 1.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86212 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 1.2
  Local Addr   : 172.16.10.20/255.255.255.255/0/0
  Remote Addr  : 10.10.10.10/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28612 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 336                    Bytes Rx     : 336
  Pkts Tx      : 4                      Pkts Rx      : 4
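As an added verification aid (example code, not from the article or Cisco), this Python parses the "show vpn-sessiondb detail l2l" listing above and compares the negotiated parameters with the form from section 4, then checks that the phase 2 selectors on the two firewalls mirror each other. The parse_l2l, mismatches and proxy_ids_mirror functions are assumptions for illustration; the embedded captures are shortened copies of the two listings shown above.

```python
import re

# One or two "key : value" pairs per line; a run of two or more spaces separates them
PAIR = re.compile(r"([^:]+?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z]|$)")

def parse_l2l(output: str) -> dict[str, dict[str, str]]:
    """Return {'IKEv1': {...}, 'IPsec': {...}} from 'show vpn-sessiondb detail l2l'."""
    sections, current = {}, None
    for line in output.splitlines():
        if line.strip() in ("IKEv1:", "IPsec:"):
            current = sections.setdefault(line.strip()[:-1], {})
        elif current is not None and line.strip():
            for key, value in PAIR.findall(line):
                current[key.strip()] = value.strip()
    return sections

# Phase 1 and phase 2 parameters agreed in the form (section 4); 28800 s is the ASA default
FORM = {
    "IKEv1": {"Encryption": "AES256", "Hashing": "SHA1", "D/H Group": "2",
              "Rekey Int (T)": "86400 Seconds", "Auth Mode": "preSharedKeys"},
    "IPsec": {"Encryption": "AES256", "Hashing": "SHA1", "Encapsulation": "Tunnel",
              "Rekey Int (T)": "28800 Seconds"},
}

def mismatches(session: dict, form: dict = FORM) -> list[str]:
    """List every agreed parameter that the live session does not honour."""
    return [f"{sec} {key}: expected {want}, got {session.get(sec, {}).get(key)}"
            for sec, params in form.items() for key, want in params.items()
            if session.get(sec, {}).get(key) != want]

def proxy_ids_mirror(side_a: dict, side_b: dict) -> bool:
    """Phase 2 selectors on one peer must be the mirror image of the other's."""
    return (side_a["IPsec"]["Local Addr"] == side_b["IPsec"]["Remote Addr"]
            and side_a["IPsec"]["Remote Addr"] == side_b["IPsec"]["Local Addr"])

# Shortened copy of the HQ-FW01 capture from section 5.7
HQ_OUTPUT = """IKEv1:
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86254 Seconds
  D/H Group    : 2
IPsec:
  Local Addr   : 10.10.10.10/255.255.255.255/0/0
  Remote Addr  : 172.16.10.20/255.255.255.255/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28654 Seconds
"""
# The BR-FW01 capture is the same except that the two selectors are swapped
BR_OUTPUT = (HQ_OUTPUT.replace("10.10.10.10/", "SWAP/").replace("172.16.10.20/", "10.10.10.10/")
             .replace("SWAP/", "172.16.10.20/"))
```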

6. Conclusion


Now you should be able to configure a site-to-site IPSec VPN with a duplicated local IP subnet on Cisco ASA firewall appliances with IOS version 9.x. It is recommended that you try it on your own using GNS3 VM to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
