fbpx

Cisco ASA Site-to-Site IKEv1 IPsec VPN

· >

How to configure Cisco ASA Site-to-Site IKEv1 IPsec VPN

Cisco ASA (Adaptive Security Appliance) is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In our previous lesson we learnt about Cisco ASA security levels and configuring access control lists. One common use case for the ASA is to set up a site-to-site VPN using the Internet Key Exchange version 1 (IKEv1) protocol to connect two remote networks securely.

To set up a site-to-site VPN on a Cisco ASA using IKEv1, you’ll need to follow these general steps:

  1. Define the encryption and authentication methods to be used for the VPN. This includes specifying the encryption algorithm, the hash algorithm, and the authentication method (pre-shared key or digital certificates).
  2. Define the transform set, which is a combination of encryption and authentication methods.
  3. Create a crypto map, which defines the security associations (SAs) for the VPN. This includes specifying the peer’s IP address, the transform set, and any other relevant settings.
  4. Apply the crypto map to the interface that connects to the Internet.
  5. Configure the IKE policy, which defines the parameters for the IKE negotiation. This includes specifying the IKE version, the encryption and hash algorithms, and the authentication method.
  6. Define a tunnel-group, representing the remote VPN peer
  7. Configure access-list to permit or deny specific traffic.
  8. Verify the VPN status to check if it is active and if any error occurred

1. Encryption and Authentication Methods

When setting up a VPN, it’s important to choose appropriate encryption and authentication methods to ensure the security of the connection.

Encryption is used to protect the data that is sent over the VPN by encoding it so that it cannot be read by anyone who intercepts the traffic. Common encryption algorithms used in VPNs include Advanced Encryption Standard (AES), Data Encryption Standard (DES), and Triple Data Encryption Standard (3DES).

The hash algorithm is used to ensure the integrity of the data by creating a fixed-size output, called a hash, from the input data. Common hash algorithms used in VPNs include Secure Hash Algorithm (SHA) and Message Digest 5 (MD5).

Authentication is used to verify the identity of the VPN peers and ensure that only authorized users can access the VPN. Authentication methods include pre-shared keys and digital certificates.

A pre-shared key (PSK) is a password that is shared between the VPN peers and is used to authenticate the connection. PSKs can be relatively easy to guess, so they’re generally not considered as secure as digital certificates.

Digital certificates are a more secure method of authentication that is based on public key infrastructure (PKI). A digital certificate contains a public key and other identifying information, and it is issued by a trusted third party known as a certificate authority (CA). The certificate is installed on the VPN device, and it can be used to authenticate the device to other VPN peers.

In the Cisco ASA configuration, the encryption and authentication methods are defined in the crypto ikev1 policy command.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

2. Creating IPsec Transform Set

A transform set is a combination of encryption and authentication methods that are used in a VPN connection. It defines the security protocols and algorithms that will be used to protect the data that is sent over the VPN.

In the Cisco ASA configuration, the transform set is defined using the crypto ipsec ikev1 transform-set command.

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Here, ESP-AES-SHA is the name of the transform set, esp-aes is the encryption algorithm (Advanced Encryption Standard in ESP), esp-sha-hmac is the hash algorithm used for integrity checking.

The transform set is then referenced in the crypto map command, where it is associated with the specific VPN peer.

crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.1.1
 set ikev1 transform-set ESP-AES-SHA
 match address VPN-TRAFFIC

In this example, The transform set ESP-AES-SHA is associated with the VPN peer with IP address 192.168.1.1. The ‘match address’ command is used to specify the ACL (Access Control List) to match the traffic that will be protected by this map.

3. Creating Crypto Map

A crypto map is a set of security associations (SAs) that are used to define the parameters for a VPN connection. The crypto map includes information such as the peer’s IP address, the transform set to be used, and other settings that are used to establish and maintain the VPN connection.

In the Cisco ASA configuration, the crypto map is created using the crypto map command.

crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.1.1
 set ikev1 transform-set ESP-AES-SHA
 match address VPN-TRAFFIC

Here, “VPN” is the name of the crypto map, 10 is the priority of the map (used in case you have multiple maps) and “ipsec-isakmp” is the protocol used to establish the VPN connection (in this case, IKEv1).

The set peer command is used to specify the IP address of the VPN peer. The set ikev1 transform-set command is used to specify the transform set to be used for the VPN connection. The match address command is used to specify the ACL (Access Control List) to match the traffic that will be protected by this map.

Once the crypto map is created, it must be applied to the interface that connects to the Internet, in order to take effect.

interface GigabitEthernet0/0
 crypto map VPN

4. Configure IKE Policy

The Internet Key Exchange (IKE) protocol is used to establish and manage security associations (SAs) for a VPN connection. It negotiates the parameters for the VPN connection, such as the encryption and authentication methods, and establishes the SAs that are used to encrypt and authenticate the data that is sent over the VPN.

In the Cisco ASA configuration, the IKE policy is configured using the crypto ikev1 policy command.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Here, “10” is the priority of the IKE policy. The authentication pre-share command is used to specify that a pre-shared key (PSK) will be used for authentication. The encryption aes command is used to specify that the Advanced Encryption Standard (AES) algorithm will be used for encryption. The hash sha command is used to specify that the Secure Hash Algorithm (SHA) will be used for integrity checking. The group 2 command is used to specify the Diffie-Hellman group that will be used for the key exchange (which is used to generate the shared secret key) and the lifetime 86400 is the time in seconds during which this policy will be valid.

It’s also possible to use digital certificates for authentication, in which case you will use the command authentication rsa-sig and also configure the CA trustpoint and certificate information on the ASA accordingly.

Once the IKE policy is configured, the command crypto ikev1 enable is used to enable the IKEv1 process on the specified interface (in this case the outside interface)

crypto ikev1 enable outside

It’s also possible to configure multiple IKE policies to support different types of VPN peers with different requirements, using the priority value in the command. The highest priority policy that matches the remote peer will be used to establish the VPN connection.

5. Define Tunnel Group

In Cisco ASA, a tunnel-group is a logical representation of the remote VPN peer, it’s used to group together all the configuration related to a specific remote VPN peer.

A tunnel-group is defined using the tunnel-group command. The command takes the IP address of the remote VPN peer as an argument.

tunnel-group 192.168.1.1 type ipsec-l2l

Once the tunnel-group is defined, you can specify the additional settings and options that are related to this specific VPN peer such as the pre-shared key and IPsec attributes

tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco

You can also specify other options such as split-tunneling, default-group-policy, tunnel-group-map, etc. The tunnel-group-map option is used to assign different Group Policies to different Tunnel-Groups

6. Configure Access Control List to Allow VPN Traffic

An access control list (ACL) is a set of rules that are used to control which packets are allowed to enter or leave a network. In the context of a VPN, an ACL can be used to specify which traffic should be protected by the VPN and which traffic should be sent outside the VPN.

In Cisco ASA, an ACL is configured using the access-list command. The command takes the name of the ACL and a set of rules as arguments.

access-list VPN-TRAFFIC extended permit ip host 192.168.10.0 host 192.168.20.0

Here, “VPN-TRAFFIC” is the name of the ACL, the extended keyword specifies that this is an extended access list and permit is the action that will be taken on matching traffic, which is to allow this traffic. The ip host specifies the source and destination IP addresses that this rule applies to. In this case, the source IP is “192.168.10.0” and the destination IP is “192.168.20.0”.

It’s also possible to use other options such as deny, permit tcp, permit udp or to specify the destination port, source port, and other options.

The ACL is then referenced in the crypto map command, where it is used to match the traffic that will be protected by the VPN:

crypto map VPN 10 ipsec-isakmp 
 set peer 192.168.1.1
 set ikev1 transform-set ESP-AES-SHA
 match address VPN-TRAFFIC

With this configuration, the VPN will only encrypt and authenticate the traffic that matches the “VPN-TRAFFIC” ACL.

7. IPSec Configuration Verification Commands

Once you have configured a VPN on a Cisco ASA, it’s important to verify that the VPN is active and that there are no errors or issues.

One way to check the status of the VPN is to use the show crypto ipsec sa command, which displays information about the security associations (SAs) that have been established for the VPN.

asa# show crypto ipsec sa

This command will display the status of the SAs, the encryption and authentication algorithms that are being used, the number of packets that have been sent and received, and other information. If the SAs are “active”, it means that the VPN is up and running.

You can also use the show crypto isakmp sa command to display the status of the Internet Key Exchange (IKE) security associations.

asa# show crypto isakmp sa

This command will display the status of the IKE SAs, the encryption and authentication algorithms that are being used, and the number of packets that have been sent and received. If the SAs are “ACTIVE”, it means that the IKE negotiation was successful, and the VPN is up and running.

Another command you can use is show vpn-sessiondb to display the VPN session information, you can filter the output using different parameters like the username, the tunnel-group and so on.

asa# show vpn-sessiondb

You can also use the show run command to verify the configuration and check for any typos or errors in the configuration. In this article we learnt how to configure IPsec Site to Site VPN on Cisco ASA. Hope you have fully understood all components, if you have any query, write down in comments.

Cisco ASA VLANs and Sub-Interfaces

Configure VLANs and Sub-Interfaces on Cisco ASA

in Cisco ASA
Jan 10, 2023   ·  

How to configure Cisco ASA Object Group for Access-List

in Cisco ASA
Dec 30, 2022   ·  
Cisco ASA Access Control list (ACL) Introduction

Cisco ASA Access Control list (ACL) Introduction

in Cisco ASA
Dec 30, 2022   ·  
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments