Cisco VPN Lab Series:

Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software

 Protocols and standards used in IPsec protocol suite:

– ESP (Encapsulation Security Payload)
– AH (Authentication header)
– IKE (Internet Key Exchange) – IKE phase 1 is used to secure management channel and setup the vpn channel
– encryption algorithms (DES,3DES,AES)
– DH (Diffie-Hellman group)
– Hash algorithms (MD5,SH1)
– SA (Security association)

– IPSEC -IPSEC or (IKE phase 2) is used to secure the real data thats wants to be secured.

 

Topology

 

Configuratio:

1. ASA842-1

asa842-1(config)#  sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa842-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 description WAN
 nameif WAN
 security-level 0
 ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
 description LAN
 nameif LAN
 security-level 100
 ip address 11.11.11.11 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive

!!!create access control lists to tell the ASA what is “Interesting traffic”, that’s traffic that it needs to encrypt.
!!!for no-natting traffic , new command will be something like “nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
pager lines 24
logging enable
logging buffered debugging
mtu WAN 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

!!! IKE Phase 2 IPSEC Transform-set
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac 

!!! create a “Cryptomap” to handle “Phase 2” of the VPN Tunnel, that also will use 3DES and SHA and PFS.
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.2 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1

!!! Apply that Cryptomap to the outside interface.
crypto map outside_map interface WAN

!!! Enable IKEv1 on WAN Interface
crypto ikev1 enable WAN

!!! create a policy that will setup how “Phase 1” of the VPN tunnel will be established
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

!!!create a “Tunnel Group” to tell the firewall its a site to site VPN tunnel “l2l”, and create a shared secret that will need to be entered at the OTHER end of the site to site VPN Tunnel. Tunnel group name must be peer gateway’s ip address.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key ****
*
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:4d98c8c61ec98419f0152f3c7193373d
: end

2. ASA842-2

asa842-2(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa842-2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 description WAN
 nameif WAN
 security-level 0
 ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet1
 description LAN
 nameif LAN
 security-level 100
 ip address 22.22.22.22 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
access-list 102 extended permit ip host 22.22.22.23 host 11.11.11.12
pager lines 24
mtu WAN 1500 
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1
crypto map outside_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:688f0053e33cccccd01e3cacdf9c0fff
: end

3. Logging and Verification

asa842-1(config)# show crypto ipsec sa
interface: WAN
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

      access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
      local ident (addr/mask/prot/port): (11.11.11.12/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (22.22.22.23/255.255.255.255/0/0)
      current_peer: 1.1.1.2

      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 373F0E5C
      current inbound spi : 9F4A47B4

    inbound esp sas:
      spi: 0x9F4A47B4 (2672445364)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28791)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000003
    outbound esp sas:
      spi: 0x373F0E5C (926879324)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28791)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa842-1(config)# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 639 messages logged
    Trap logging: disabled
    Permit-hostdown logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
 1.1.1.2, IP = 1.1.1.2, constructing pfs ke payload
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, constructing proxy ID
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, Transmitting Proxy Id:
  Local host:  11.11.11.12  Protocol 0  Port 0
  Remote host: 22.22.22.23  Protocol 0  Port 0
%ASA-7-714007: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
%ASA-7-714004: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 1st QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 324
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 296
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
11.11.11.12
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
22.22.22.23
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, loading all IPSEC SAs
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-5-713049: Group = 1.1.1.2, IP = 1.1.1.2, Security negotiation complete for LAN-to-LAN Group (1.1.1.2)  Initiator, Inbound SPI = 0x9f4a47b4, Outbound SPI = 0x373f0e5c
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, oakley constructing final quick mode
%ASA-7-714006: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 3rd QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + NONE (0) total length : 76
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x373F0E5C) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715007: Group = 1.1.1.2, IP = 1.1.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x373f0e5c
%ASA-7-746012: user-identity: Add IP-User mapping 1.1.1.2 – LOCAL1.1.1.2 Succeeded – VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 22.22.22.23 – LOCAL1.1.1.2 Succeeded – VPN user
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9F4A47B4) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715077: Group = 1.1.1.2, IP = 1.1.1.2, Pitcher: received KEY_UPDATE, spi 0x9f4a47b4
%ASA-7-715080: Group = 1.1.1.2, IP = 1.1.1.2, Starting P2 rekey timer: 24480 seconds.
%ASA-5-713120: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 2 COMPLETED (msgid=7dde16b5)
%ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = outside_map. Map Sequence Number = 1.
%ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 1.
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-7-609001: Built local-host WAN:22.22.22.23
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0(LOCAL1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0(LOCAL1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-7-609002: Teardown local-host WAN:22.22.22.23 duration 0:00:02
%ASA-7-609002: Teardown local-host LAN:11.11.11.12 duration 0:00:02
%ASA-7-111009: User ‘enable_15’ executed cmd: show crypto ipsec sa

By Jon

Leave a Reply

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. Please support us by disabling these ads blocker.

Powered By
Best Wordpress Adblock Detecting Plugin | CHP Adblock