Configuring Fail Over IPSec Site-to-site VPN With Dual WAN Links and IP SLA on Cisco ASA Firewall 9.x

1. Overview

In some site-to-site IPSec VPN environments the VPN connection must stay up even when one Internet link fails. To achieve that, we can use redundant WAN links with IP SLA tracking so that the VPN connection switches over automatically from one ISP to the other.

This article shows how to configure a site-to-site IPSec VPN on Cisco ASA firewalls running ASA software version 9.x over two WAN links, with IP SLA tracking, to get a redundant connection between two office locations.

2. Prerequisites

To start this configuration, it is assumed that:

a. You already have Cisco ASAv on GNS3 VM up and running. In case you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM

b. You understand the encryption and authentication that happen in phase 1 and phase 2 of an IPSec VPN.

In a real-world scenario, it is also assumed that:

a. You have reached an agreement with the other party on the configuration to be implemented on the Cisco ASA firewall appliances in both locations. The easy way to reach this agreement is to fill in the IPSec VPN form at this link: IPSec VPN Site-to-Site Form
b. You have scheduled a specific date and time for the implementation and both parties have accepted it.

3. Lab Scenario Set up

To demonstrate configuring a site-to-site IPSec VPN with IP SLA tracking the availability of the WAN links on Cisco ASA firewalls running ASA software version 9.x, we will set up a GNS3 lab as in the following diagram.

There are two Cisco ASA firewall appliances: FW-VPN01 is located in the head office and FW-VPN02 in the branch office. Two routers act as two different Internet connections for the dual WAN redundancy. The following is the IP configuration of each device.

On PC1

PC1> ip 10.10.10.10/24 10.10.10.1
PC1> save

On FW-VPN01

#int g0/0
   no sh
   ip add 10.10.10.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 100.100.100.1 255.255.255.252
   security-level 0
   nameif outside-isp01
#int g0/2
    no sh 
    ip add 101.101.101.1 255.255.255.252 
    security-level 0 
    nameif outside-isp02
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On Internet router of ISP01

#int f0/0
   no sh
   ip add 100.100.100.2 255.255.255.252
#in f0/1
   no sh
   ip add 200.200.200.2 255.255.255.252

On Internet router of ISP02

#int f0/0 
    no sh 
    ip add 101.101.101.2 255.255.255.252 
#in f0/1 
    no sh 
    ip add 201.201.201.2 255.255.255.252

On FW-VPN02

#int g0/0
   no sh
   ip add 20.20.20.1 255.255.255.0
   security-level 100
   nameif inside
#int g0/1
   no sh
   ip add 200.200.200.1 255.255.255.252
   security-level 0
   nameif outside-isp01
#int g0/2
   no sh
   ip add 201.201.201.1 255.255.255.252
   security-level 0
   nameif outside-isp02
#policy-map global_policy
   class inspection_default
      inspect icmp
      inspect icmp error

On PC2

PC2> ip 20.20.20.10/24 20.20.20.1
PC2> save

4. IPSec VPN Site-to-Site Form

The following is the information agreed by both parties for this IPSec VPN site-to-site; it is what the configuration below implements.

Firewall Type       Head Office     Branch Office
Manufacturer        Cisco           Cisco
Model               ASA 5555-X      ASA 5525-X
Version             9.4             9.4

Configuration                          Head Office     Branch Office
Phase 1
  IKE Encryption Algorithm             AES-256         AES-256
  IKE Hash Algorithm                   SHA-1           SHA-1
  IKE Security Lifetime                86400           86400
  Diffie-Hellman Group                 2               2
  Pre-shared key                       vpn@Ho2Bo       vpn@Ho2Bo
Phase 2
  IPSec security protocol              ESP             ESP
  IPSec Encryption Algorithm           AES-256         AES-256
  IPSec Hash Algorithm                 SHA-1           SHA-1
  IPSec Security Lifetime (optional)   □ 14400  □ 28800 (default)  □ 86400  □ Other: ………. (same choices on both sides; left at the default 28800 in this lab)
  Perfect Forward Secrecy (optional)   PFS □ Yes □ No   Group □ 2 (default) □ 5 □ 7 (same choices on both sides; not enabled in this lab)

IP Addressing       Head Office                  Branch Office
Peer IP address     100.100.100.1 (Primary)      200.200.200.1 (Primary)
                    101.101.101.1 (Secondary)    201.201.201.1 (Secondary)
Local IP address    10.10.10.10/32               20.20.20.10/32

The two peer addresses per site are the two public IPs of that site's firewall, one per ISP. The "local IP address" is the host behind each firewall whose traffic the tunnel carries; it becomes the crypto ACL on each side.

 

5. Configuration

5.1 Configure IP SLA Tracking And Default Route

Apply the following IP SLA tracking and default route configuration on FW-VPN01. The SLA probe pings the branch firewall's primary public IP (200.200.200.1) out of outside-isp01 every 10 seconds; track 1 follows its reachability, and the default route via ISP01 is installed only while the track is up. The second default route via ISP02 has an administrative distance of 2, so it is used only while the tracked route is withdrawn. Probing the remote peer's address rather than the local ISP01 next hop means that a failure anywhere on the ISP01 path, at either end, makes both firewalls fail over together, which is what the VPN needs.

#sla monitor 20
  type echo protocol ipIcmpEcho 200.200.200.1 interface outside-isp01
  num-packets 3
  frequency 10
#sla monitor schedule 20 life forever start-time now
#track 1 rtr 20 reachability

#route outside-isp01 0.0.0.0 0.0.0.0 100.100.100.2 track 1
#route outside-isp02 0.0.0.0 0.0.0.0 101.101.101.2 2

Apply the following IP SLA tracking and default route configuration on FW-VPN02; it mirrors the head office, probing 100.100.100.1 out of outside-isp01.

#sla monitor 20
   type echo protocol ipIcmpEcho 100.100.100.1 interface outside-isp01
   num-packets 3
   frequency 10
#sla monitor schedule 20 life forever start-time now
#track 1 rtr 20 reachability

#route outside-isp01 0.0.0.0 0.0.0.0 200.200.200.2 track 1
#route outside-isp02 0.0.0.0 0.0.0.0 201.201.201.2 2

Now FW-VPN01 and FW-VPN02 should be able to ping each other's public IP via the ISP01 connection, and the routing table shows the tracked default route via ISP01 as active.

#sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 100.100.100.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 100.100.100.2, outside-isp01
C 10.10.10.0 255.255.255.0 is directly connected, inside
L 10.10.10.1 255.255.255.255 is directly connected, inside
C 100.100.100.0 255.255.255.252 is directly connected, outside-isp01
L 100.100.100.1 255.255.255.255 is directly connected, outside-isp01
C 101.101.101.0 255.255.255.252 is directly connected, outside-isp02
L 101.101.101.1 255.255.255.255 is directly connected, outside-isp02


FW-VPN01(config)#ping 200.200.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
FW-VPN01(config)#

If the ISP01 connection becomes unavailable, the tracked route is withdrawn, the floating route via ISP02 takes over, and FW-VPN01 and FW-VPN02 should still be able to ping each other's public IP, now via the ISP02 connection.

#sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 101.101.101.2 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [2/0] via 101.101.101.2, outside-isp02
C 10.10.10.0 255.255.255.0 is directly connected, inside
L 10.10.10.1 255.255.255.255 is directly connected, inside
C 100.100.100.0 255.255.255.252 is directly connected, outside-isp01
L 100.100.100.1 255.255.255.255 is directly connected, outside-isp01
C 101.101.101.0 255.255.255.252 is directly connected, outside-isp02
L 101.101.101.1 255.255.255.255 is directly connected, outside-isp02

FW-VPN01(config)#ping 201.201.201.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 201.201.201.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/20/30 ms

5.2 Set Up ISAKMP Policy

Configure the IKEv1 (ISAKMP) policy that IKE uses to negotiate the phase 1 security association (SA) with the peer; this SA protects the channel over which the IPSec SAs are then negotiated. The policy must match on both ends, so apply the following commands on both FW-VPN01 and FW-VPN02. SHA-1 and Diffie-Hellman group 2 (1024-bit MODP) are legacy choices; if both ends support it, agree on SHA-256 and DH group 14 or higher (with IKEv2) in the form instead.

#crypto ikev1 policy 1
   authentication pre-share
   encryption aes-256
   hash sha
   group 2
   lifetime 86400

5.3 Create IPSec Transform Set

Next we need to create a transform set that establishes the encryption and authentication for the IPSec tunnel (phase 2). Apply the following configuration on FW-VPN01 to create a transform set named "HQ-TRSET01-AES256-SHA".

#crypto ipsec ikev1 transform-set HQ-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac

Apply the following configuration on FW-VPN02 to create a transform set named "BR-TRSET01-AES256-SHA". The names differ per device, but the transforms must be the same on both ends.

#crypto ipsec ikev1 transform-set BR-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac

5.4 Create ACL For VPN Tunnel

Now create the ACL that matches the traffic to be sent through the IPSec VPN tunnel (the "interesting traffic", which also becomes the proxy identities negotiated in phase 2). Based on the form above, the following is the ACL to be created on FW-VPN01.

#object-group network HQ-Server
   network-object host 10.10.10.10
#object-group network BR-Server
   network-object host 20.20.20.10
#access-list ACL-HQ2BR extended permit ip object-group HQ-Server object-group BR-Server

The following is the mirror-image ACL (source and destination swapped) to be created on FW-VPN02.

#object-group network HQ-Server
   network-object host 10.10.10.10
#object-group network BR-Server
   network-object host 20.20.20.10
#access-list ACL-BR2HQ extended permit ip object-group BR-Server object-group HQ-Server

5.5 Create VPN Tunnel Group

Now create a tunnel group for each remote peer address of the IPSec VPN site-to-site connection. The pre-shared key is configured here and must be identical on both sides (vpn@Ho2Bo from the form). Because the remote site can be reached via either of its public IPs, each firewall needs two tunnel groups, one per remote peer IP.
Apply the following tunnel group configuration on FW-VPN01.

#tunnel-group 200.200.200.1 type ipsec-l2l
#tunnel-group 200.200.200.1 ipsec-attributes
   ikev1 pre-shared-key vpn@Ho2Bo

#tunnel-group 201.201.201.1 type ipsec-l2l 
#tunnel-group 201.201.201.1 ipsec-attributes 
  ikev1 pre-shared-key vpn@Ho2Bo

Apply the following tunnel group configuration on FW-VPN02.

#tunnel-group 100.100.100.1 type ipsec-l2l
#tunnel-group 100.100.100.1 ipsec-attributes
   ikev1 pre-shared-key vpn@Ho2Bo

#tunnel-group 101.101.101.1 type ipsec-l2l 
#tunnel-group 101.101.101.1 ipsec-attributes 
   ikev1 pre-shared-key vpn@Ho2Bo

5.6 Configure and Apply Crypto Map

The final step is to configure the crypto maps that combine the IPSec transform set, the access list and the tunnel group (selected through the peer address) configured in the previous steps for each VPN peer, and apply one map to the interface "outside-isp01" and one to "outside-isp02" on each Cisco ASA firewall. An ASA interface carries only one crypto map, so each outside interface gets its own map; both match the same ACL but point at the remote peer address reachable through that ISP. Which map is used at any moment is decided by the routing table: traffic follows the active default route, leaves that interface and is encrypted to that map's peer. The lab has no NAT configured; in a production deployment where the inside network is translated on the outside interfaces, add an identity NAT (NAT exemption) rule for the ACL traffic, otherwise it is translated before the crypto map is evaluated and never matches.

The following are the commands to be executed on FW-VPN01.

#crypto map HQ-VPN-ISP01 1 match address ACL-HQ2BR
#crypto map HQ-VPN-ISP01 1 set peer 200.200.200.1
#crypto map HQ-VPN-ISP01 1 set ikev1 transform-set HQ-TRSET01-AES256-SHA
#crypto map HQ-VPN-ISP01 interface outside-isp01
#crypto ikev1 enable outside-isp01

#crypto map HQ-VPN-ISP02 1 match address ACL-HQ2BR 
#crypto map HQ-VPN-ISP02 1 set peer 201.201.201.1 
#crypto map HQ-VPN-ISP02 1 set ikev1 transform-set HQ-TRSET01-AES256-SHA 
#crypto map HQ-VPN-ISP02 interface outside-isp02 
#crypto ikev1 enable outside-isp02

The following are the commands to be executed on FW-VPN02.

#crypto map BR-VPN-ISP01 1 match address ACL-BR2HQ
#crypto map BR-VPN-ISP01 1 set peer 100.100.100.1 
#crypto map BR-VPN-ISP01 1 set ikev1 transform-set BR-TRSET01-AES256-SHA 
#crypto map BR-VPN-ISP01 interface outside-isp01 
#crypto ikev1 enable outside-isp01

#crypto map BR-VPN-ISP02 1 match address ACL-BR2HQ
#crypto map BR-VPN-ISP02 1 set peer 101.101.101.1 
#crypto map BR-VPN-ISP02 1 set ikev1 transform-set BR-TRSET01-AES256-SHA 
#crypto map BR-VPN-ISP02 interface outside-isp02 
#crypto ikev1 enable outside-isp02
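Hand-typing the same steps twice, once per firewall, is where mirror-image mistakes creep in: a crypto map that references an ACL which only exists on the other firewall, or a pre-shared key that differs by one character and fails phase 1 on the secondary peer only. A safer habit is to render both sides from the one agreed form and lint the result before pasting anything. The Python below is an added example written for this article, not part of the original text or of any Cisco tool: it takes the form values and the two sites' addresses from sections 3 and 4, emits the step 5.2 to 5.6 configuration for each firewall, and checks that every name a crypto map references is defined on that same firewall, that all tunnel groups on both sides use one identical pre-shared key, and that each side's peers are exactly the other side's WAN addresses. The Site class, the FORM dictionary and the function names are this example's own assumptions; the commands it emits are the ones shown in the steps above.

```python
"""Render mirrored Cisco ASA IKEv1 site-to-site config for two sites from one form, then lint it.

Added example for this article. Site, FORM, render, lint, mirror_problems and
weak_parameters are this example's own names; the emitted commands are those of
steps 5.2 to 5.6 above.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    tag: str           # prefix for object-group, ACL, transform-set and crypto map names
    hostname: str
    peer_ips: tuple    # this site's public addresses, ISP01 first, then ISP02
    wan_ifaces: tuple  # nameif of the outside interface for each ISP, same order
    protected: tuple   # hosts behind this site that the tunnel carries (the form's /32s)


# Values transcribed from the IPSec VPN Site-to-Site Form above.
FORM = {"ike_encryption": "aes-256", "ike_hash": "sha", "ike_lifetime": 86400,
        "dh_group": 2, "psk": "vpn@Ho2Bo", "ipsec_transform": ("esp-aes-256", "esp-sha-hmac")}

HQ = Site("HQ", "FW-VPN01", ("100.100.100.1", "101.101.101.1"),
          ("outside-isp01", "outside-isp02"), ("10.10.10.10",))
BR = Site("BR", "FW-VPN02", ("200.200.200.1", "201.201.201.1"),
          ("outside-isp01", "outside-isp02"), ("20.20.20.10",))


def render(local: Site, remote: Site, form: dict = FORM) -> str:
    """Emit the phase 1 policy, transform set, ACL, tunnel groups and crypto maps for one side."""
    tset = f"{local.tag}-TRSET01-AES256-SHA"
    acl = f"ACL-{local.tag}2{remote.tag}"
    lines = ["crypto ikev1 policy 1", " authentication pre-share",
             f" encryption {form['ike_encryption']}", f" hash {form['ike_hash']}",
             f" group {form['dh_group']}", f" lifetime {form['ike_lifetime']}",
             f"crypto ipsec ikev1 transform-set {tset} {' '.join(form['ipsec_transform'])}"]
    for site in (local, remote):
        lines.append(f"object-group network {site.tag}-Server")
        lines += [f" network-object host {h}" for h in site.protected]
    lines.append(f"access-list {acl} extended permit ip "
                 f"object-group {local.tag}-Server object-group {remote.tag}-Server")
    # One tunnel group and one crypto map per ISP: same ACL, different peer and interface.
    for n, (peer, iface) in enumerate(zip(remote.peer_ips, local.wan_ifaces), start=1):
        cmap = f"{local.tag}-VPN-ISP{n:02d}"
        lines += [f"tunnel-group {peer} type ipsec-l2l",
                  f"tunnel-group {peer} ipsec-attributes",
                  f" ikev1 pre-shared-key {form['psk']}",
                  f"crypto map {cmap} 1 match address {acl}",
                  f"crypto map {cmap} 1 set peer {peer}",
                  f"crypto map {cmap} 1 set ikev1 transform-set {tset}",
                  f"crypto map {cmap} interface {iface}",
                  f"crypto ikev1 enable {iface}"]
    return "\n".join(lines) + "\n"


def lint(config: str) -> list:
    """Per-side check: every name a crypto map references must be defined on that firewall."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec ikev1 transform-set (\S+)", config, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    problems = []
    for cmap, acl in re.findall(r"^crypto map (\S+) \d+ match address (\S+)", config, re.M):
        if acl not in acls:
            problems.append(f"{cmap}: undefined ACL {acl}")
    for cmap, ts in re.findall(r"^crypto map (\S+) \d+ set ikev1 transform-set (\S+)", config, re.M):
        if ts not in tsets:
            problems.append(f"{cmap}: undefined transform-set {ts}")
    for cmap, peer in re.findall(r"^crypto map (\S+) \d+ set peer (\S+)", config, re.M):
        if peer not in groups:
            problems.append(f"{cmap}: peer {peer} has no tunnel-group, so no pre-shared key")
    return problems


def mirror_problems(cfg_a: str, cfg_b: str, site_a: Site, site_b: Site) -> list:
    """Cross-side check: one identical PSK everywhere, and each side peers with the other's WAN IPs."""
    def psks(cfg):
        return set(re.findall(r"^\s*ikev1 pre-shared-key (\S+)", cfg, re.M))

    def peers(cfg):
        return set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M))

    problems = []
    if len(psks(cfg_a) | psks(cfg_b)) != 1:
        problems.append("pre-shared keys are not identical across all tunnel groups")
    for cfg, me, other in ((cfg_a, site_a, site_b), (cfg_b, site_b, site_a)):
        if peers(cfg) != set(other.peer_ips):
            problems.append(f"{me.hostname} peers {sorted(peers(cfg))} != {other.hostname} WAN IPs")
    return problems


def weak_parameters(form: dict = FORM) -> list:
    """Warn about legacy algorithms in the agreed form (they still render; change the form first)."""
    warnings = []
    if form["dh_group"] < 14:
        warnings.append(f"DH group {form['dh_group']} is weaker than the 2048-bit group 14")
    if form["ike_hash"] == "sha" or "esp-sha-hmac" in form["ipsec_transform"]:
        warnings.append("SHA-1 integrity; SHA-256 is recommended, which on the ASA means IKEv2")
    return warnings


if __name__ == "__main__":
    hq, br = render(HQ, BR), render(BR, HQ)
    for host, cfg in (("FW-VPN01", hq), ("FW-VPN02", br)):
        print(f"! {host}\n{cfg}")
    for problem in lint(hq) + lint(br) + mirror_problems(hq, br, HQ, BR):
        print("ERROR:", problem)
    for warning in weak_parameters():
        print("WARNING:", warning)
```

Running the script prints both configurations followed by any ERROR lines; an error is a reason not to paste either side. The weak_parameters() warnings deliberately do not block rendering, because the form is an agreement between two parties: change the form, then regenerate, rather than silently deviating from it on one side.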

5.7 Test and Verify the Configuration

The IPSec VPN site-to-site tunnel is negotiated on demand, so to bring it up we need to send traffic that matches the crypto ACL, for example a ping to the host in the remote site. Let's test by pinging from PC1 in the head office to PC2 in the branch office.

PC1> ping 20.20.20.10
84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=15.960 ms
84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=22.453 ms
84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=19.003 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=22.340 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=20.339 ms

As the ping to the host on the remote site succeeds, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on FW-VPN01; the negotiated values should match the form (AES-256, SHA-1, DH group 2, pre-shared key authentication) and the local and remote addresses should be the two hosts from the crypto ACL.

#sh vpn-sessiondb detail l2l filter ipaddress 200.200.200.1

Session Type: LAN-to-LAN Detailed

Connection : 200.200.200.1
Index : 1 IP Addr : 200.200.200.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 756 Bytes Rx : 756
Login Time : 07:05:36 UTC Sat Nov 4 2017
Duration : 0h:02m:57s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 Rekey Int (T): 86400 Seconds Rekey Left(T): 86223 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 10.10.10.10/255.255.255.255/0/0
 Remote Addr : 20.20.20.10/255.255.255.255/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28623 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 27 Minutes
 Bytes Tx : 756 Bytes Rx : 756
 Pkts Tx : 9 Pkts Rx : 9

And with the following command on FW-VPN02.

#sh vpn-sessiondb detail l2l filter ipaddress 100.100.100.1

Session Type: LAN-to-LAN Detailed

Connection : 100.100.100.1
Index : 1 IP Addr : 100.100.100.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 756 Bytes Rx : 756
Login Time : 07:05:35 UTC Sat Nov 4 2017
Duration : 0h:03m:56s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 1.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 Rekey Int (T): 86400 Seconds Rekey Left(T): 86164 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 1.2
 Local Addr : 20.20.20.10/255.255.255.255/0/0
 Remote Addr : 10.10.10.10/255.255.255.255/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28564 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 26 Minutes
 Bytes Tx : 756 Bytes Rx : 756
 Pkts Tx : 9 Pkts Rx : 9

Now disconnect the ISP01 link in the lab. Once the SLA probe (three packets every 10 seconds) reports the failure, the tracked route is withdrawn and the next packets for the branch leave outside-isp02, where crypto map HQ-VPN-ISP02 negotiates a new tunnel with 201.201.201.1. PC1 can still ping the branch host after a short outage, and on FW-VPN01 the session with 200.200.200.1 is gone while a new session with 201.201.201.1 has come up. When ISP01 returns the routes flip back and a fresh tunnel is negotiated with 200.200.200.1; the ISP02 session lingers until its idle timeout (30 minutes in the output above) expires.

PC1> ping 20.20.20.10
84 bytes from 20.20.20.10 icmp_seq=1 ttl=64 time=20.586 ms
84 bytes from 20.20.20.10 icmp_seq=2 ttl=64 time=18.387 ms
84 bytes from 20.20.20.10 icmp_seq=3 ttl=64 time=19.717 ms
84 bytes from 20.20.20.10 icmp_seq=4 ttl=64 time=21.326 ms
84 bytes from 20.20.20.10 icmp_seq=5 ttl=64 time=15.667 ms
FW-VPN01# sh vpn-sessiondb detail l2l filter ipaddress 200.200.200.1
INFO: There are presently no active sessions of the type specified

FW-VPN01# sh vpn-sessiondb detail l2l filter ipaddress 201.201.201.1

Session Type: LAN-to-LAN Detailed

Connection : 201.201.201.1
Index : 2 IP Addr : 201.201.201.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 756 Bytes Rx : 672
Login Time : 07:11:33 UTC Sat Nov 4 2017
Duration : 0h:01m:01s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
 Tunnel ID : 2.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 Rekey Int (T): 86400 Seconds Rekey Left(T): 86339 Seconds
 D/H Group : 2
 Filter Name :

IPsec:
 Tunnel ID : 2.2
 Local Addr : 10.10.10.10/255.255.255.255/0/0
 Remote Addr : 20.20.20.10/255.255.255.255/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel
 Rekey Int (T): 28800 Seconds Rekey Left(T): 28739 Seconds
 Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
 Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
 Bytes Tx : 756 Bytes Rx : 672
 Pkts Tx : 9 Pkts Rx : 8
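Reading these session dumps by eye is fine in a lab; in operation the same check should be scripted, so that a monitoring job can say which ISP path the tunnel is currently on and whether what was negotiated still matches the agreed form (a peer that renegotiates with weaker parameters, or a proxy identity that is not the host pair from the ACL, should raise an alert). The Python below is an added example, not part of the article or of Cisco's tooling: it parses the text of `show vpn-sessiondb detail l2l` as printed above (the sample embedded in it is abridged from the FW-VPN01 output after the ISP01 failover; the "no active sessions" line is the one shown for 200.200.200.1), maps each session's peer address to its ISP, and diffs the negotiated values against the form. The parse_sessions, active_paths and check_session names and the EXPECTED and PEER_ISP tables are this example's own.

```python
"""Parse `show vpn-sessiondb detail l2l` output and report which WAN path carries the tunnel.

Added example for this article; function names and the EXPECTED/PEER_ISP tables are its own.
"""
import re

# Abridged copy of the FW-VPN01 output shown above after the ISP01 link was disconnected.
SAMPLE = """\
Session Type: LAN-to-LAN Detailed

Connection : 201.201.201.1
Index : 2 IP Addr : 201.201.201.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Login Time : 07:11:33 UTC Sat Nov 4 2017

IKEv1:
 Tunnel ID : 2.1
 UDP Src Port : 500 UDP Dst Port : 500
 IKE Neg Mode : Main Auth Mode : preSharedKeys
 Encryption : AES256 Hashing : SHA1
 D/H Group : 2

IPsec:
 Tunnel ID : 2.2
 Local Addr : 10.10.10.10/255.255.255.255/0/0
 Remote Addr : 20.20.20.10/255.255.255.255/0/0
 Encryption : AES256 Hashing : SHA1
 Encapsulation: Tunnel
"""
NO_SESSIONS = "INFO: There are presently no active sessions of the type specified\n"

# Which ISP each remote peer address belongs to, from the form's peer table (head office view).
PEER_ISP = {"200.200.200.1": "ISP01", "201.201.201.1": "ISP02"}

# What the agreed form says must be negotiated, spelled the way the ASA displays it.
EXPECTED = {"auth": "preSharedKeys", "ike_encryption": "AES256", "ike_hash": "SHA1",
            "dh_group": 2, "ipsec_encryption": "AES256", "ipsec_hash": "SHA1",
            "local": "10.10.10.10/255.255.255.255/0/0",
            "remote": "20.20.20.10/255.255.255.255/0/0"}


def parse_sessions(text: str) -> list:
    """Return one dict per LAN-to-LAN session; [] when the ASA reports no sessions."""
    sessions, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Connection\s*:\s*(\S+)", line)
        if m:                                   # a new session block starts here
            sessions.append({"peer": m.group(1), "ike": {}, "ipsec": {}})
            section = None
            continue
        if not sessions:
            continue
        if line == "IKEv1:":                    # phase 1 subsection
            section = "ike"
            continue
        if line == "IPsec:":                    # phase 2 subsection
            section = "ipsec"
            continue
        if section is None:                     # summary header lines; the subsections repeat them
            continue
        cur = sessions[-1][section]
        m = re.match(r"Encryption\s*:\s*(\S+)\s+Hashing\s*:\s*(\S+)", line)
        if m:
            cur["encryption"], cur["hash"] = m.group(1), m.group(2)
        m = re.search(r"Auth Mode\s*:\s*(\S+)", line)
        if m:
            cur["auth"] = m.group(1)
        m = re.match(r"D/H Group\s*:\s*(\d+)", line)
        if m:
            cur["dh_group"] = int(m.group(1))
        m = re.match(r"(Local|Remote) Addr\s*:\s*(\S+)", line)
        if m:
            cur[m.group(1).lower()] = m.group(2)
    return sessions


def active_paths(sessions: list, peer_isp: dict = PEER_ISP) -> dict:
    """Map ISP name -> peer address for every session that is up (normally exactly one)."""
    return {peer_isp.get(s["peer"], "unknown"): s["peer"] for s in sessions}


def check_session(session: dict, expected: dict = EXPECTED) -> list:
    """List every negotiated value that deviates from the agreed form."""
    ike, ipsec = session["ike"], session["ipsec"]
    got = {"auth": ike.get("auth"), "ike_encryption": ike.get("encryption"),
           "ike_hash": ike.get("hash"), "dh_group": ike.get("dh_group"),
           "ipsec_encryption": ipsec.get("encryption"), "ipsec_hash": ipsec.get("hash"),
           "local": ipsec.get("local"), "remote": ipsec.get("remote")}
    return [f"{k}: expected {expected[k]!r}, got {got[k]!r}"
            for k in expected if got[k] != expected[k]]


if __name__ == "__main__":
    for label, text in (("filter 200.200.200.1", NO_SESSIONS), ("filter 201.201.201.1", SAMPLE)):
        sessions = parse_sessions(text)
        print(label, "-> active paths:", active_paths(sessions) or "none")
        for s in sessions:
            print("  ", s["peer"], "deviations from form:", check_session(s) or "none")
```

In production the text would come from a scheduled `show vpn-sessiondb detail l2l` over SSH or from the ASA's syslog host rather than an embedded string; the parser tolerates an unfiltered dump with several sessions, so seeing two ISPs in active_paths() right after a failback is expected until the old session idles out, and seeing none at all is the alert condition.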

6. Conclusion

Now you should be able to configure a failover IPSec VPN site-to-site with dual WAN links and IP SLA on Cisco ASA firewall appliances running ASA software version 9.x. It is recommended that you try it yourself using the GNS3 VM to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try my best to review and reply to them.
