A Tale of Two VPNs


Since I still have my ASA lab up, let’s play with two types of VPNs.
Here is tonight’s topology

Site to Site VPN


A site-to-site VPN uses an ACL, the crypto ACL, to select which traffic gets encrypted; anything that doesn’t match it is routed normally, in the clear.

R01(config)#ip access-list extended VPN_R01_TO_ASA01
R01(config-ext-nacl)# permit ip

For the phase 1 settings we’ll use 3DES encryption, SHA1 hash, and DH group 2, with pre-shared keys for authentication. These are lab settings only: 3DES, SHA-1 and DH group 2 (1024-bit MODP) are all deprecated, so a production tunnel should use AES, SHA-256 and DH group 14 or higher, and IKEv2 where both ends support it.

R01(config)#crypto isakmp policy 100
R01(config-isakmp)# encr 3des
R01(config-isakmp)# hash sha
R01(config-isakmp)# authentication pre-share
R01(config-isakmp)# group 2

We’ll use 3DES and SHA1 (HMAC-SHA-1) for phase 2 as well, in the transform set; the same caveat about strength applies.

R01(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

Next we set a pre-shared key for ASA01’s WAN IP address. The key here is a throwaway lab value; a production PSK should be long, random, and different for each peer.

R01(config)#crypto isakmp key meowcat address

Now that all the pieces are configured, we need a crypto map to tie them together: the peer, the transform set, PFS, and (via match address) the crypto ACL.
Reverse-route injection is a handy feature that generates a static route for the remote networks in the crypto ACL, tagged here with 100, so we can redistribute it into other routing protocols.

R01(config)#crypto map VPN 100 ipsec-isakmp
R01(config-crypto-map)# set peer
R01(config-crypto-map)# set transform-set ESP-3DES-SHA
R01(config-crypto-map)# set pfs group2
R01(config-crypto-map)# set reverse-route tag 100

Lastly we enable the VPN on our outside interface.

R01(config)#int g0/1.1254
R01(config-subif)#crypto map VPN


The ASA follows the same logic: we make an ACL that matches the VPN traffic. It has to be the mirror image of the router’s ACL (source and destination swapped), otherwise phase 2 fails with a proxy identity mismatch.

ASA01(config)# access-list VPN_ASA01_TO_R01 extended permit ip

Then we make phase 1 and phase 2 policies that match what we did on the router. The lifetime of 86400 seconds is also the IOS default, so that matches too.

ASA01(config)# crypto ikev1 policy 100
ASA01(config-ikev1-policy)# authentication pre-share
ASA01(config-ikev1-policy)# encryption 3des
ASA01(config-ikev1-policy)# hash sha
ASA01(config-ikev1-policy)# group 2
ASA01(config-ikev1-policy)# lifetime 86400
ASA01(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

We also have to enable IKEv1 on the firewall’s outside interface.

ASA01(config)# crypto ikev1 enable outside

On an ASA the pre-shared key lives in the ipsec-attributes of an L2L tunnel-group, whose name is the peer’s IP address.

ASA01(config)# tunnel-group ipsec-attributes
ASA01(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
ASA01(config-tunnel-ipsec)# exit

Then we make a crypto map that ties everything together.

 crypto map VPN 100 match address VPN_ASA01_TO_R01
 crypto map VPN 100 set pfs 
 crypto map VPN 100 set peer 
 crypto map VPN 100 set ikev1 transform-set ESP-3DES-SHA
 crypto map VPN 100 set reverse-route
 crypto map VPN interface outside
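Both ends are configured, so it is worth checking that the two phase-1 policies really do match, and seeing in one place why these lab values should not be reused. The script below is an added example written for this page, not code from the original post: it re-types the R01 and ASA01 policies above as constructed sample input, mimics the IKEv1 policy match (encryption, hash, authentication and DH group must be identical, the shorter lifetime wins), and flags the deprecated settings.

```python
"""Phase-1 policy compatibility check for an IOS router and an ASA.

Added example, not from the original post: it parses IOS 'crypto isakmp
policy' and ASA 'crypto ikev1 policy' blocks (the lab's values are re-typed
below as constructed sample input), reports whether the two peers share a
proposal, and flags settings that are deprecated.
"""
import re

# Constructed sample input: the lab's R01 and ASA01 phase-1 policies.
R01_CONFIG = """
crypto isakmp policy 100
 encr 3des
 hash sha
 authentication pre-share
 group 2
"""

ASA01_CONFIG = """
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# IOS says 'encr', ASA says 'encryption'; map both onto one vocabulary.
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group",
            "lifetime": "lifetime"}

# Only the lifetime is defaulted here; 86400 seconds is the default on both
# platforms, which is why the router side above can omit it.
DEFAULTS = {"lifetime": "86400"}

MATCH_KEYS = ("encryption", "hash", "authentication", "group")

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")


def parse_policies(config):
    """Return {priority: {setting: value}} for each phase-1 policy in config."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        parts = line.split()
        if current is not None and parts[0] in KEYWORDS and len(parts) >= 2:
            # IOS writes 'encr aes 256' where ASA writes 'encryption aes-256'.
            current[KEYWORDS[parts[0]]] = "-".join(parts[1:])
        else:
            current = None  # any other line ends the policy block
    return policies


def negotiate(initiator, responder):
    """Mimic IKEv1 policy selection: the responder walks its own policies in
    priority order and accepts the first one the initiator also offers with
    identical encryption, hash, authentication and DH group. The shorter of
    the two lifetimes is used. Returns (responder_priority, agreed) or None."""
    offers = [initiator[p] for p in sorted(initiator)]
    for prio in sorted(responder):
        rpol = responder[prio]
        for ipol in offers:
            if all(rpol.get(k) is not None and rpol.get(k) == ipol.get(k)
                   for k in MATCH_KEYS):
                agreed = dict(rpol)
                agreed["lifetime"] = str(min(int(rpol["lifetime"]),
                                             int(ipol["lifetime"])))
                return prio, agreed
    return None


# Settings that still negotiate fine but should not survive into production.
WEAK = {
    "encryption": {"des": "single DES", "3des": "3DES (64-bit blocks, Sweet32)"},
    "hash": {"md5": "MD5", "sha": "SHA-1"},
    "group": {"1": "DH group 1 (768-bit MODP)", "2": "DH group 2 (1024-bit MODP)",
              "5": "DH group 5 (1536-bit MODP)"},
}


def weak_findings(policy):
    """List the deprecated settings in an agreed policy; empty means clean."""
    return [f"{key}: {names[policy[key]]}"
            for key, names in WEAK.items() if policy.get(key) in names]


if __name__ == "__main__":
    r01, asa01 = parse_policies(R01_CONFIG), parse_policies(ASA01_CONFIG)
    result = negotiate(r01, asa01)  # R01 initiates, as in the lab
    if result is None:
        print("no common phase-1 policy; IKE would fail with 'no proposal chosen'")
    else:
        prio, agreed = result
        print(f"ASA01 policy {prio} accepted:", agreed)
        for finding in weak_findings(agreed):
            print("weak setting:", finding)
```

Run it against the lab values and it reports ASA01 policy 100 as the match with three weak findings (3DES, SHA-1, DH group 2); swap the ASA side for an AES-256/SHA-256/group 14 policy without changing the router and it reports no common policy, which is what a "no proposal chosen" or MM_WAIT_MSG2 stall looks like in practice.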


Now that the VPN is set up we can ping from S01 to S11; the first packet matching the crypto ACL is what brings the tunnel up.

 cisco@S01:~$ ping -c 5
 PING ( 56(84) bytes of data.
 64 bytes from icmp_seq=1 ttl=63 time=260 ms
 64 bytes from icmp_seq=2 ttl=63 time=243 ms
 64 bytes from icmp_seq=3 ttl=63 time=269 ms
 64 bytes from icmp_seq=4 ttl=63 time=301 ms
 64 bytes from icmp_seq=5 ttl=63 time=307 ms

The VPN is up when the router shows QM_IDLE for the ISAKMP SA; the ASA reports the same thing as MM_ACTIVE.

R01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state    conn-id status
                                QM_IDLE  1008    ACTIVE

ASA01(config)# show isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

We can see the reverse route working by looking at the routing table.

ASA01(config)# show route static 
 Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, + - replicated route
 Gateway of last resort is to network
 S* [1/0] via, outside
 V connected by VPN (advertised), outside


The drawback of a crypto-map site-to-site VPN is that every network to be encrypted has to be entered by hand in the crypto ACL, on both sides, and kept in sync. ASAs (since 9.7(1)) now support a routed VPN, the Virtual Tunnel Interface (VTI), which makes this dynamic: the tunnel is an interface, so whatever is routed into it gets encrypted. At the time of writing the ASA VTI supports BGP as its dynamic routing protocol (static routes work too), and other protocols will likely follow.
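The "kept in sync" part is where crypto-map VPNs usually break, so here is an added example (written for this page, not code from the original post) that checks the two crypto ACLs are exact mirrors of each other, which is what phase 2 requires and what the ASA ACL section above asks for. The subnets in it are constructed for the demonstration, since the post’s own ACL entries are not reproduced; it also handles the IOS wildcard mask versus ASA subnet mask difference that makes the two ACLs impossible to compare as text.

```python
"""Mirror check for the crypto ACLs on both ends of a crypto-map VPN.

Added example, not from the original post. Phase 2 only comes up when the
proxy identities (the source/destination pairs in the crypto ACL) on one
peer are the exact reverse of the other peer's; an entry added on one side
and forgotten on the other fails with a proxy identity mismatch.
"""
import ipaddress

# Constructed sample ACLs; the subnets are hypothetical.
R01_ACL = """
ip access-list extended VPN_R01_TO_ASA01
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 host 10.11.0.5
"""

ASA01_ACL = """
access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list VPN_ASA01_TO_R01 extended permit ip host 10.11.0.5 192.168.10.0 255.255.255.0
"""


def _parse_prefix(tokens, wildcard):
    """Consume one address spec ('any', 'host A' or 'A MASK') and return
    (network, remaining tokens). With wildcard=True MASK is an IOS wildcard."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:
        # 0.0.0.255 -> 255.255.255.0; done explicitly because 0.0.0.0 means a
        # single host in wildcard form but /0 if read as a subnet mask.
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    # strict=True makes a typo such as 192.168.10.1 0.0.0.255 fail loudly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=True), tokens[2:]


def parse_crypto_acl(text, platform):
    """Return the set of (src, dst) networks from an ACL's permit entries.
    platform is 'ios' (wildcard masks) or 'asa' (subnet masks)."""
    wildcard = platform == "ios"
    pairs = set()
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["permit"]:                                # IOS entry
            body = tokens[1:]
        elif tokens[:1] == ["access-list"] and "permit" in tokens:  # ASA entry
            body = tokens[tokens.index("permit") + 1:]
        else:
            continue                                 # header, remark or deny
        if body[0] != "ip":
            raise ValueError(f"crypto ACL entries should match 'ip': {raw.strip()}")
        src, rest = _parse_prefix(body[1:], wildcard)
        dst, _ = _parse_prefix(rest, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Return (local entries with no mirror remotely, remote entries with no
    mirror locally, expressed in local orientation). Both sets must be empty
    for every flow to get a phase-2 SA."""
    remote_mirrored = {(dst, src) for src, dst in remote_pairs}
    return local_pairs - remote_mirrored, remote_mirrored - local_pairs


if __name__ == "__main__":
    r01 = parse_crypto_acl(R01_ACL, "ios")
    asa01 = parse_crypto_acl(ASA01_ACL, "asa")
    only_r01, only_asa01 = mirror_mismatches(r01, asa01)
    if not only_r01 and not only_asa01:
        print("crypto ACLs are mirror images")
    for src, dst in only_r01:
        print(f"R01 {src} -> {dst} has no matching ASA01 entry")
    for src, dst in only_asa01:
        print(f"ASA01 {dst} -> {src} has no matching R01 entry")
```

With the sample ACLs it reports a clean mirror; narrow one ASA entry to a /25 and every affected flow shows up on both lists, which is exactly the kind of drift the VTI approach in the next section does away with.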


We’ll reuse the phase 1 and 2 settings from the site-to-site VPN to save a bit of time, and add a pre-shared key for ASA02’s address.

R01(config)#crypto isakmp key meowcat address

Next we’ll make an IPsec profile for the VTI. It takes the place of the crypto map but carries only the transform set and the PFS setting: there is no crypto ACL and no peer, because the tunnel interface supplies the destination and everything routed into the tunnel is encrypted.

R01(config)#crypto ipsec profile VTI
R01(ipsec-profile)# set transform-set ESP-3DES-SHA
R01(ipsec-profile)# set pfs group2

A VTI is a tunnel interface, so we’ll make Tunnel12, give it an IP address, set the tunnel mode to IPsec and attach the IPsec profile to it.

R01(config)#interface Tunnel12
R01(config-if)# ip address
R01(config-if)# tunnel source GigabitEthernet0/1.1254
R01(config-if)# tunnel mode ipsec ipv4
R01(config-if)# tunnel destination
R01(config-if)# tunnel protection ipsec profile VTI

Since this is a routed VPN we’ll set up BGP across the tunnel and advertise the LAN network. Both ends are in AS 100, so this is an iBGP session between the tunnel addresses.

R01(config)#router bgp 100
R01(config-router)# bgp log-neighbor-changes
R01(config-router)# network
R01(config-router)# neighbor remote-as 100


On the ASA side we’ll use the same phase 1 and 2 settings from above and add a tunnel-group entry for R01. Don’t forget crypto ikev1 enable outside on ASA02 as well, or IKE will never start.

ASA02(config)# tunnel-group ipsec-attributes
ASA02(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
ASA02(config-tunnel-ipsec)# exit

Next we need an IPsec profile.

ASA02(config)# crypto ipsec profile VTI
ASA02(config-ipsec-profile)# set ikev1 transform-set ESP-3DES-SHA
ASA02(config-ipsec-profile)# set pfs group2

Then we make a tunnel interface like we did on the router. On the ASA it needs a nameif like any other interface, and the tunnel source is given as the outside interface by name.

ASA02(config)# interface Tunnel12
ASA02(config-if)# nameif VPN
ASA02(config-if)# ip address
ASA02(config-if)# tunnel source interface outside
ASA02(config-if)# tunnel destination
ASA02(config-if)# tunnel mode ipsec ipv4
ASA02(config-if)# tunnel protection ipsec profile VTI

Lastly we need BGP on the ASA, configured under the IPv4 address family.

ASA02(config)# router bgp 100
ASA02(config-router)# bgp log-neighbor-changes
ASA02(config-router)# address-family ipv4 unicast
ASA02(config-router-af)# neighbor remote-as 100
ASA02(config-router-af)# neighbor activate
ASA02(config-router-af)# network
ASA02(config-router-af)# no auto-summary
ASA02(config-router-af)# no synchronization
ASA02(config-router-af)# exit-address-family


Once BGP comes up we can ping from S01 to S12.

cisco@S01:~$ ping -c 5 
 PING ( 56(84) bytes of data.
 64 bytes from icmp_seq=1 ttl=63 time=268 ms
 64 bytes from icmp_seq=2 ttl=63 time=193 ms
 64 bytes from icmp_seq=3 ttl=63 time=151 ms
 64 bytes from icmp_seq=4 ttl=63 time=262 ms
 64 bytes from icmp_seq=5 ttl=63 time=305 ms
 --- ping statistics ---
 5 packets transmitted, 5 received, 0% packet loss, time 4006ms
 rtt min/avg/max/mdev = 151.800/236.337/305.269/55.486 ms

And we can see BGP working as it should: 192.168.10.0 shows up as an iBGP route learned over the tunnel (the *>i entry), alongside ASA02’s own locally originated network (weight 32768).

ASA02(config-router)# show bgp
 BGP table version is 9, local router ID is
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale, m multipath
 Origin codes: i - IGP, e - EGP, ? - incomplete
 Network Next Hop Metric LocPrf Weight Path
 *>i192.168.10.0 0 100 0 i
 *> 0 32768 i
