1. Overview
A site-to-site IPSec VPN connects two Local Area Networks (LANs) of company offices or branches that are geographically separated. Traffic between the two sites crosses the internet or another public network inside a secure VPN tunnel; the tunnel's confidentiality and integrity come from the encryption and authentication algorithms the two endpoints negotiate in IKE (phase 1) and IPsec (phase 2).
This article shows how to configure a site-to-site IPSec VPN on Cisco ASA firewalls running ASA software version 9.x (the ASA runs its own software, not IOS) to connect two office locations: the company head office and its branch.
2. Prerequisites
This configuration assumes that:
a. You already have a Cisco ASAv running on the GNS3 VM. If you don't, follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You understand the encryption and authentication that take place in phase 1 (IKE) and phase 2 (IPsec) of an IPSec VPN.
In a real-world scenario, it is also assumed that:
a. You and the other party have agreed on the configuration to be implemented on the Cisco ASA firewalls at both locations. The easiest way to reach this agreement is to fill in the IPSec VPN form at this link: IPSec VPN Site-to-Site Form
b. Both parties have scheduled and accepted a specific date and time for the implementation.
3. Lab Scenario Set up
To demonstrate configuring a site-to-site IPSec VPN on Cisco ASA firewalls with software version 9.x, we will set up a GNS3 lab as shown in the following diagram.
There are two Cisco ASA firewalls: HOFW01 in the head office and BOFW01 in the branch office. One router acts as the internet. The IP configuration of each device follows.
On PC1
PC1> ip 10.10.10.10/24 10.10.10.1
On HOFW01
#int g0/0
 no sh
 ip add 10.10.10.1 255.255.255.0
 security-level 100
 nameif inside
#int g0/1
 no sh
 ip add 203.200.200.2 255.255.255.252
 security-level 0
 nameif outside
#policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
On Internet router
#int f0/0
 no sh
 ip add 203.200.200.1 255.255.255.252
#int f0/1
 no sh
 ip add 111.100.100.1 255.255.255.252
On BOFW01
#int g0/0
 no sh
 ip add 172.16.100.1 255.255.255.0
 nameif inside
#int g0/1
 no sh
 ip add 111.100.100.2 255.255.255.252
 nameif outside
#policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
On PC2
PC2> ip 172.16.100.10/24 172.16.100.1
4. IPSec VPN Site-to-Site Form
The following is the information the site-to-site IPSec VPN configuration below is based on. Note that the parameters agreed here (IKEv1, SHA-1, Diffie-Hellman group 2) are widely deployed but no longer recommended; on ASA 9.x prefer IKEv2 with a SHA-2 integrity algorithm and DH group 14 or higher whenever both peers support them. The lab keeps the values from the form so that the commands match it exactly.
Firewall Type | Head Office | Branch Office
Manufacturer | Cisco | Cisco
Model | ASA 5555-X | ASA 5525-X
Version | 9.4 | 9.4

Configuration | Head Office | Branch Office
Phase 1 | |
IKE Encryption Algorithm | AES-256 | AES-256
IKE Hash Algorithm | SHA-1 | SHA-1
IKE Security Lifetime (seconds) | 86400 | 86400
Diffie-Hellman Group | 2 | 2
Pre-shared key | vpn@Ho2Bo | vpn@Ho2Bo
Phase 2 | |
IPSEC security protocol | ESP | ESP
IPSEC Encryption Algorithm | AES-256 | AES-256
IPSEC Hash Algorithm | SHA-1 | SHA-1
IPSEC Security Lifetime in seconds (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ……….
Perfect Forward Secrecy (PFS) (Optional) | PFS □ Yes □ No; Group □ 2 (default) □ 5 □ 7 | PFS □ Yes □ No; Group □ 2 (default) □ 5 □ 7

IP Addressing | Head Office | Branch Office
Peer IP address (outside interface) | 203.200.200.2 | 111.100.100.2
Local IP address (protected host) | 10.10.10.10/32 | 172.16.100.10/32
5. Configuration
5.1 Configure Default Route
Apply the following default route configuration on HOFW01.
#route outside 0.0.0.0 0.0.0.0 203.200.200.1
Apply the following default route configuration on BOFW01.
#route outside 0.0.0.0 0.0.0.0 111.100.100.1
Now HOFW01 and BOFW01 should be able to ping each other's public IP address.
5.2 Set Up ISAKMP Policy
Configure the IKE (ISAKMP) policy that the two peers use to negotiate the phase 1 Security Association (SA): the authenticated, encrypted control channel between the two VPN endpoints. The policy number is only a priority; the parameters themselves must be offered by both sides, so apply the following on both HOFW01 and BOFW01.
#crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
5.3 Create IPSec Transform Set
Next, create a transform set that defines the encryption and authentication algorithms for the IPsec (phase 2) tunnel. The transform-set name is local to each firewall and may differ between the two sides; only the algorithms must match. Apply the following on HOFW01 to create a transform set named “HO-TRSET01-AES256-SHA”.
#crypto ipsec ikev1 transform-set HO-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac
Apply the following on BOFW01 to create a transform set named “BO-TRSET01-AES256-SHA”.
#crypto ipsec ikev1 transform-set BO-TRSET01-AES256-SHA esp-aes-256 esp-sha-hmac
5.4 Create ACL For VPN Tunnel
Now create the crypto ACL that selects the traffic to be sent through the IPSec VPN tunnel. The two ACLs must be mirror images of each other: the source on one firewall is the destination on the other, and vice versa.
Based on the form above, the following ACL is created on HOFW01.
#object-group network HO-Server
 network-object host 10.10.10.10
#object-group network BO-Server
 network-object host 172.16.100.10
#access-list ACL-HO2BO extended permit ip object-group HO-Server object-group BO-Server
The following ACL is created on BOFW01.
#object-group network HO-Server
 network-object host 10.10.10.10
#object-group network BO-Server
 network-object host 172.16.100.10
#access-list ACL-BO2HO extended permit ip object-group BO-Server object-group HO-Server
5.5 Create VPN Tunnel Group
Now create a tunnel group for the site-to-site connection; pre-shared key authentication is configured here. The tunnel-group name must be the peer's public IP address, and the key must be identical on both firewalls.
Apply the following tunnel group configuration on HOFW01.
#tunnel-group 111.100.100.2 type ipsec-l2l
#tunnel-group 111.100.100.2 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo
Apply the following tunnel group configuration on BOFW01.
#tunnel-group 203.200.200.2 type ipsec-l2l
#tunnel-group 203.200.200.2 ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo
5.6 Configure and Apply Crypto Map
The final step is to build the crypto map that ties together the transform set, the crypto ACL and the peer address from the previous steps, apply it to the “outside” interface of each firewall, and enable IKEv1 on that interface. The last command matters: without IKEv1 enabled on the outside interface the firewall never starts or answers phase 1 negotiation, and the tunnel will not come up.
The following are the commands to be executed on HOFW01.
#crypto map HO-VPN 1 match address ACL-HO2BO
#crypto map HO-VPN 1 set peer 111.100.100.2
#crypto map HO-VPN 1 set ikev1 transform-set HO-TRSET01-AES256-SHA
#crypto map HO-VPN interface outside
#crypto ikev1 enable outside
The following are the commands to be executed on BOFW01.
#crypto map HO-VPN 1 match address ACL-BO2HO
#crypto map HO-VPN 1 set peer 203.200.200.2
#crypto map HO-VPN 1 set ikev1 transform-set BO-TRSET01-AES256-SHA
#crypto map HO-VPN interface outside
#crypto ikev1 enable outside
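Most failed site-to-site tunnels come down to one side not mirroring the other: a wrong peer address, a pre-shared key that differs by one character, a crypto ACL that is not the reverse of the remote one, or `crypto ikev1 enable` missing on the outside interface. The following Python script is an added example (not part of the original article) that parses the statements from sections 3 to 5.6 for both firewalls and reports every such mismatch before the change window. The two configurations are constructed sample input, templated from the article's commands; the script assumes one IKEv1 policy and one crypto map entry per firewall, as in this lab.

```python
import re

# Constructed sample: the HOFW01 and BOFW01 statements from sections 3 to 5.6, templated.
SIDE = """\
interface GigabitEthernet0/1
 nameif outside
 ip address {ip} 255.255.255.252
object-group network HO-Server
 network-object host 10.10.10.10
object-group network BO-Server
 network-object host 172.16.100.10
access-list {acl} extended permit ip object-group {local} object-group {remote}
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set {ts} esp-aes-256 esp-sha-hmac
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key vpn@Ho2Bo
crypto map HO-VPN 1 match address {acl}
crypto map HO-VPN 1 set peer {peer}
crypto map HO-VPN 1 set ikev1 transform-set {ts}
crypto map HO-VPN interface outside
crypto ikev1 enable outside
"""
HO_CONFIG = SIDE.format(ip="203.200.200.2", peer="111.100.100.2", acl="ACL-HO2BO",
                        local="HO-Server", remote="BO-Server", ts="HO-TRSET01-AES256-SHA")
BO_CONFIG = SIDE.format(ip="111.100.100.2", peer="203.200.200.2", acl="ACL-BO2HO",
                        local="BO-Server", remote="HO-Server", ts="BO-TRSET01-AES256-SHA")

SUB = r"\n((?: .*\n)*)"  # the indented sub-mode lines that follow a command
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) "
                    r"(object-group \S+|host \S+|any) (object-group \S+|host \S+|any)")
CMAP_RE = re.compile(r"crypto map (\S+) \d+ (match address|set peer|set ikev1 transform-set) (\S+)")


def parse_side(cfg):
    """Extract what must agree between the peers (one IKEv1 policy, one crypto map entry)."""
    policy = re.search(r"crypto ikev1 policy \d+" + SUB, cfg)[1].split()
    cmap = CMAP_RE.findall(cfg)
    acls = {}
    for name, proto, src, dst in ACL_RE.findall(cfg):
        acls.setdefault(name, set()).add((proto, src, dst))
    return {
        "outside_ip": re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+)", cfg)[1],
        "groups": {n: set(re.findall(r" network-object (.+)", body))
                   for n, body in re.findall(r"object-group network (\S+)" + SUB, cfg)},
        "acls": acls,
        "policy": dict(zip(policy[::2], policy[1::2])),  # ' hash sha' -> {'hash': 'sha'}
        "tsets": {n: tuple(sorted(algs.split())) for n, algs in
                  re.findall(r"crypto ipsec ikev1 transform-set (\S+) (.+)", cfg)},
        "psk": dict(re.findall(
            r"tunnel-group (\S+) ipsec-attributes\n(?: .*\n)*? ikev1 pre-shared-key (\S+)", cfg)),
        "cmap_name": cmap[0][0] if cmap else None,
        "cmap": {attr: val for _, attr, val in cmap},
        "cmap_if": dict(re.findall(r"crypto map (\S+) interface (\S+)", cfg)),
        "ikev1_if": set(re.findall(r"crypto ikev1 enable (\S+)", cfg)),
    }


def flows(s, acl):
    """ACL entries with object-groups expanded, so group names may differ per side."""
    def expand(spec):
        kind, _, name = spec.partition(" ")
        return frozenset(s["groups"][name]) if kind == "object-group" else frozenset({spec})
    return {(proto, expand(src), expand(dst)) for proto, src, dst in s["acls"][acl]}


def check_pair(a, b, names=("HOFW01", "BOFW01")):
    """Return the mismatches between the two sides; an empty list means they agree."""
    problems = []
    for side, other, label in ((a, b, names[0]), (b, a, names[1])):
        peer, cm = other["outside_ip"], side["cmap"]
        if cm.get("set peer") != peer:
            problems.append(f"{label}: crypto map peer {cm.get('set peer')} is not {peer}")
        if peer not in side["psk"]:
            problems.append(f"{label}: no tunnel-group pre-shared key for {peer}")
        applied = side["cmap_if"].get(side["cmap_name"])
        if applied is None:
            problems.append(f"{label}: crypto map {side['cmap_name']} is not applied to an interface")
        elif applied not in side["ikev1_if"]:
            problems.append(f"{label}: IKEv1 is not enabled on interface {applied}")
    if a["psk"].get(b["outside_ip"]) != b["psk"].get(a["outside_ip"]):
        problems.append("pre-shared key differs between the two sides")
    if a["policy"] != b["policy"]:
        problems.append(f"IKEv1 policy differs: {a['policy']} vs {b['policy']}")
    ts_a, ts_b = (x["tsets"].get(x["cmap"].get("set ikev1 transform-set")) for x in (a, b))
    if ts_a != ts_b:
        problems.append(f"transform sets differ: {ts_a} vs {ts_b}")
    mirrored = {(p, dst, src) for p, src, dst in flows(b, b["cmap"]["match address"])}
    if flows(a, a["cmap"]["match address"]) != mirrored:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems


if __name__ == "__main__":
    print("mismatches:", check_pair(parse_side(HO_CONFIG), parse_side(BO_CONFIG)) or "none")
```

Run it with the two `show running-config` outputs pasted in place of the sample strings. The ACL comparison expands object-groups first, so the check is on the addresses actually protected rather than on object names, which are allowed to differ between the two firewalls; the transform-set comparison likewise ignores the name and compares only the ESP algorithms.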
5.7 Test and Verify the Configuration
The ASA only starts IKE negotiation when traffic matching the crypto ACL arrives, so to bring up the tunnel we send traffic to the remote site: ping from PC1 in the head office to PC2 in the branch office. The first one or two echo requests may be lost while phase 1 and phase 2 complete.
Once the ping succeeds, the IPSec VPN tunnel is up. We can verify it with the following command on HOFW01 (show crypto ikev1 sa and show crypto ipsec sa give the phase 1 and phase 2 state separately if the session is missing).
#sh vpn-sessiondb detail l2l filter ipaddress 111.100.100.2
And with the following command on BOFW01.
#sh vpn-sessiondb detail l2l filter ipaddress 203.200.200.2
*** The callout marked 10 in the output above is the IPSec security lifetime. Although we did not configure the value 28800, it appears because it is the default. It can be changed; see section 5.8 below.
5.8 IPSec Security Lifetime and PFS (Optional)
If a non-default IPSec security lifetime or PFS is required, the following commands set them. PFS must be configured on both peers or on neither: a PFS mismatch makes phase 2 negotiation fail even though phase 1 succeeds.
On HOFW01
#crypto map HO-VPN 1 set security-association lifetime seconds 86400
#crypto map HO-VPN 1 set pfs
On BOFW01
#crypto map HO-VPN 1 set security-association lifetime seconds 86400
#crypto map HO-VPN 1 set pfs
In the output of the same show command, the IPSec security lifetime has changed from its default of 28800 to the specified 86400 seconds, and PFS information is now shown. Group 2 is the default PFS group; a different group can be specified on the same command, and it must match the group the peer uses.
5.9. IPSec VPN With Dynamic NAT on Cisco ASA Firewall
Normally, dynamic NAT (PAT) is configured on the Cisco ASA firewall to give all hosts in a LAN subnet internet access through the outside interface address. In that case the VPN traffic must be exempted from NAT (NAT exemption, also called identity NAT); otherwise packets from 10.10.10.10 to 172.16.100.10 are translated to the outside address before the crypto ACL is evaluated, no longer match it, and the tunnel never comes up. Manual NAT rules are evaluated in order, so the exemption rule must come before the dynamic rule. On HOFW01:
#nat (inside,outside) 1 source static HO-Server HO-Server destination static BO-Server BO-Server no-proxy-arp route-lookup
#nat (inside,outside) 2 source dynamic HO-Server interface
BOFW01 needs the mirror image, with BO-Server as the source and HO-Server as the destination. In a real deployment the dynamic rule's source is normally an object covering the whole inside subnet rather than the single host used in this lab.
6. Conclusion
You should now be able to configure a site-to-site IPSec VPN on Cisco ASA firewalls running software version 9.x. It is recommended that you try it yourself on the GNS3 VM to verify your understanding. If you have any questions or suggestions, leave a comment below; I will do my best to review and reply to them.