A Tale of Two VPNs


Since I still have my ASA lab up, let’s play with two types of VPNs.
Here is tonight’s topology

Site to Site VPN

R01

A crypto-map site to site VPN uses an ACL (the "interesting traffic" ACL) to select which traffic is encrypted. Anything that does not match the ACL is routed out of the outside interface in the clear, so scope it precisely to the subnets that belong in the tunnel.

R01(config)#ip access-list extended VPN_R01_TO_ASA01
 R01(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

For the phase 1 settings we'll use 3DES encryption, SHA-1 hashing and DH group 2, with pre-shared-key authentication. These are lab settings chosen because every IOS and ASA release supports them; 3DES, SHA-1 and 1024-bit DH group 2 are all deprecated, so for anything production use AES-256 (or AES-GCM), SHA-256 and DH group 14 or higher, and prefer IKEv2 when both peers support it.

 R01(config)#crypto isakmp policy 100
 R01(config-isakmp)# encr 3des
 R01(config-isakmp)# hash sha
 R01(config-isakmp)# authentication pre-share
 R01(config-isakmp)# group 2
 R01(config-isakmp)#exit

We'll use 3DES and SHA-1 for phase 2 as well (the same caveat applies: esp-aes 256 with esp-sha256-hmac, or an AES-GCM transform, in production).

R01(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 R01(cfg-crypto-trans)#exit

Next we set a pre-shared key for ASA01's WAN IP address. The key must be identical on both peers; outside the lab use a long random string rather than a dictionary word, and give each peer its own key so that compromising one site's config does not expose the tunnels to every other site.

R01(config)#crypto isakmp key meowcat address 200.11.254.11

Now that all the pieces are configured, we need a crypto map to tie everything together: the peer, the transform set, PFS and the ACL that selects the traffic. The match address line is the one most often forgotten; without it the entry is incomplete and never matches anything.
Reverse-route injection is a handy feature that generates a static route for the remote network (taken from the ACL) so we can redistribute it into other routing protocols. On IOS the command is reverse-route (optionally with a tag), unlike the ASA's set reverse-route.

R01(config)#crypto map VPN 100 ipsec-isakmp 
 R01(config-crypto-map)# match address VPN_R01_TO_ASA01
 R01(config-crypto-map)# set peer 200.11.254.11
 R01(config-crypto-map)# set transform-set ESP-3DES-SHA 
 R01(config-crypto-map)# set pfs group2
 R01(config-crypto-map)# reverse-route tag 100
 R01(config-crypto-map)#exit

Lastly we apply the crypto map to our outside (sub)interface, which is what actually turns the VPN on.

R01(config)#int g0/1.1254
R01(config-subif)#crypto map VPN

ASA01

The ASA follows similar logic: we make an ACL that matches the VPN traffic. Note that the ASA writes masks as real subnet masks where IOS uses wildcards, and that this ACL must be the exact mirror image of the one on R01, since these are the proxy IDs negotiated in phase 2.

ASA01(config)# access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0

Then we make a phase 1 policy and a phase 2 transform set that match what we did on the router.

ASA01(config)# crypto ikev1 policy 100
 ASA01(config-ikev1-policy)# authentication pre-share
 ASA01(config-ikev1-policy)# encryption 3des
 ASA01(config-ikev1-policy)# hash sha
 ASA01(config-ikev1-policy)# group 2
 ASA01(config-ikev1-policy)# lifetime 86400
 ASA01(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
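Both the router's phase 1/2 settings above and the ASA's are legacy algorithms. The following is an added example, not part of the original post, that audits IOS "crypto isakmp policy" / ASA "crypto ikev1 policy" blocks and transform-set lines for deprecated choices. The lab lines are copied from this post; the hardened variant used for comparison is an assumption written for the example.

```python
import re

# Constructed sample: the IKEv1 policy and transform-set lines from the lab (IOS then ASA).
LAB_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""

# Constructed hardened variant (an assumption for this example, not from the lab).
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # IOS and ASA spell SHA-1 as plain "sha"
WEAK_DH_GROUPS = {"1", "2", "5"}      # 768/1024/1536-bit MODP groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}


def audit_ike_config(text):
    """Return a list of (line_no, finding) for weak IKE/IPsec settings.

    Understands IOS 'crypto isakmp policy' and ASA 'crypto ikev1 policy' blocks
    plus IOS/ASA transform-set lines; everything else is ignored.
    """
    findings = []
    policy = None  # id of the policy block we are currently inside, if any
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)", line)
        if m:
            policy = m.group(1)
            continue
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", line)
        if m:
            policy = None
            weak = sorted(tok for tok in m.group(2).split() if tok in WEAK_ESP)
            if weak:
                findings.append((n, f"transform-set {m.group(1)} uses legacy ESP algorithms: {', '.join(weak)}"))
            continue
        if policy is None:
            continue
        parts = line.split()
        if not parts:
            continue
        key, val = parts[0], (parts[1] if len(parts) > 1 else "")
        if key in ("encr", "encryption") and val in WEAK_ENCRYPTION:
            findings.append((n, f"policy {policy}: encryption {val} (use aes 256 or aes-gcm)"))
        elif key == "hash" and val in WEAK_HASH:
            findings.append((n, f"policy {policy}: hash {val} is SHA-1/MD5 (use sha256 or better)"))
        elif key == "group" and val in WEAK_DH_GROUPS:
            findings.append((n, f"policy {policy}: DH group {val} is under 2048 bits (use group 14 or an ECDH group)"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_ike_config(LAB_CONFIG):   # 8 findings for the lab config
        print(f"line {line_no}: {finding}")
    print("hardened findings:", audit_ike_config(HARDENED_CONFIG))  # []
```

Run it against a "show running-config" dump; anything it reports on a production box is a reason to renegotiate the policy with the peer's administrator before the next change window.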

We also have to enable IKEv1 on the outside interface of the firewall; without this the ASA silently ignores the router's phase 1 proposals.

ASA01(config)# crypto ikev1 enable outside

On an ASA the pre-shared key lives in a tunnel-group keyed by the peer's address. The group has to be created as type ipsec-l2l first; otherwise the ipsec-attributes command is rejected because the group does not exist yet.

 ASA01(config)# tunnel-group 200.1.254.1 type ipsec-l2l
 ASA01(config)# tunnel-group 200.1.254.1 ipsec-attributes
 ASA01(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
 ASA01(config-tunnel-ipsec)# exit

Then we make a crypto map that ties everything together and bind it to the outside interface. One caveat for real deployments: this lab shows no NAT rule, but on an ASA that translates inside hosts to the outside interface you also need an identity (NAT-exempt) rule for the two VPN subnets, otherwise the packets are translated before the crypto ACL is evaluated and never match it.

 ASA01(config)# crypto map VPN 100 match address VPN_ASA01_TO_R01
 ASA01(config)# crypto map VPN 100 set pfs 
 ASA01(config)# crypto map VPN 100 set peer 200.1.254.1 
 ASA01(config)# crypto map VPN 100 set ikev1 transform-set ESP-3DES-SHA
 ASA01(config)# crypto map VPN 100 set reverse-route
 ASA01(config)# crypto map VPN interface outside
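The crypto ACLs on R01 and ASA01 have to be exact mirror images, and only flows that match them are encrypted. As an added example (not part of the original post), the script below parses both ACLs as typed above, normalises the IOS wildcard and the ASA netmask into the same network objects, reports any pair that lacks its mirror on the other side, and answers "would this flow go through the tunnel?" for a given source and destination. The deliberately wrong ACL variant is constructed for the example.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACLs exactly as typed on each lab box.
# IOS expresses the mask as a wildcard (0.0.0.255); the ASA uses a real netmask.
R01_ACL = """\
ip access-list extended VPN_R01_TO_ASA01
 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
"""
ASA01_ACL = """\
access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
"""
# Constructed bad variant (not from the lab): the remote side was typed as a /16.
ASA01_ACL_BAD = """\
access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.0.0 255.255.0.0
"""


def _ios_net(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if bin(wc + 1).count("1") != 1:  # wildcard must be a run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    mask = ipaddress.IPv4Address((~wc) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)


def parse_ios_acl(text):
    """Return the set of (src, dst) networks permitted by an IOS extended ACL."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line)
        if m:
            pairs.add((_ios_net(m.group(1), m.group(2)), _ios_net(m.group(3), m.group(4))))
    return pairs


def parse_asa_acl(text):
    """Return the set of (src, dst) networks permitted by an ASA extended ACL."""
    pairs = set()
    for line in text.splitlines():
        m = re.match(r"\s*access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line)
        if m:
            src = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=True)
            dst = ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}", strict=True)
            pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, peer_pairs):
    """Return (local-only, peer-only) pairs whose mirror image is missing on the other side.

    Quick mode negotiates these proxy IDs; if they are not exact mirrors the phase 2 SA
    never comes up even though phase 1 shows QM_IDLE on IOS and MM_ACTIVE on the ASA.
    """
    local_only = {p for p in local_pairs if (p[1], p[0]) not in peer_pairs}
    peer_only = {p for p in peer_pairs if (p[1], p[0]) not in local_pairs}
    return local_only, peer_only


def is_encrypted(pairs, src_ip, dst_ip):
    """True if a src->dst flow matches the crypto ACL and is therefore sent into the tunnel.

    A flow that returns False is forwarded out of the outside interface unencrypted,
    which is the main operational risk of crypto-map VPNs compared with a routed VTI.
    """
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(src in sn and dst in dn for sn, dn in pairs)


if __name__ == "__main__":
    r01, asa = parse_ios_acl(R01_ACL), parse_asa_acl(ASA01_ACL)
    print("mismatches:", mirror_mismatches(r01, asa))                              # (set(), set())
    print("mismatches with bad ACL:", mirror_mismatches(r01, parse_asa_acl(ASA01_ACL_BAD)))
    print("10.5 -> 11.100 encrypted:", is_encrypted(r01, "192.168.10.5", "192.168.11.100"))  # True
    print("10.5 -> 12.100 encrypted:", is_encrypted(r01, "192.168.10.5", "192.168.12.100"))  # False
```

The last line is the point to keep in mind with crypto maps: with only this site to site VPN in place, a packet from the 192.168.10.0/24 LAN to 192.168.12.0/24 matches nothing in the ACL and follows the default route in the clear.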

Testing

Now that the VPN is set up we can ping from S01 to S11 (192.168.11.100); the first packet triggers the IKE negotiation, so expect a little latency before the replies start.

 cisco@S01:~$ ping 192.168.11.100 -c 5
 PING 192.168.11.100 (192.168.11.100) 56(84) bytes of data.
 64 bytes from 192.168.11.100: icmp_seq=1 ttl=63 time=260 ms
 64 bytes from 192.168.11.100: icmp_seq=2 ttl=63 time=243 ms
 64 bytes from 192.168.11.100: icmp_seq=3 ttl=63 time=269 ms
 64 bytes from 192.168.11.100: icmp_seq=4 ttl=63 time=301 ms
 64 bytes from 192.168.11.100: icmp_seq=5 ttl=63 time=307 ms

Phase 1 is up when we see QM_IDLE as the ISAKMP SA state on the router and MM_ACTIVE on the ASA. Note that this only proves phase 1: a mismatched crypto ACL or transform set still shows QM_IDLE, so also check show crypto ipsec sa on either box and confirm the encaps and decaps counters are increasing.

R01#show crypto isakmp sa 
 IPv4 Crypto ISAKMP SA
 dst             src             state       conn-id status
 200.1.254.1     200.11.254.11   QM_IDLE     1008    ACTIVE
 
 ASA01(config)# show isakmp sa 
 
 IKEv1 SAs:
 
 Active SA: 1
 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 Total IKE SA: 1
 
 1 IKE Peer: 200.1.254.1
 Type : L2L Role : initiator 
 Rekey : no State : MM_ACTIVE

We can see reverse-route injection working by looking at the ASA's routing table: the remote LAN shows up as a V (VPN) route out of the outside interface.

ASA01(config)# show route static 
 
 Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route, + - replicated route
 Gateway of last resort is 200.11.254.254 to network 0.0.0.0
 
 S* 0.0.0.0 0.0.0.0 [1/0] via 200.11.254.254, outside
 V 192.168.10.0 255.255.255.0 connected by VPN (advertised), outside

VTI VPN

The drawback of a crypto-map site to site VPN is that every pair of networks to be encrypted has to be entered by hand in the crypto ACL on both ends. ASAs now also support a routed VPN, the Virtual Tunnel Interface (VTI), to make things more dynamic: the tunnel is a real interface, so whatever the routing table sends into it is encrypted and a routing protocol can run across it. At the time of writing only BGP is supported over an ASA VTI; other protocols will likely follow.

R01

We'll reuse the phase 1 and 2 settings from the site to site VPN to save a bit of time and add a pre-shared key for ASA02. In the lab it is the same key as ASA01's; in production each peer should get its own.

R01(config)#crypto isakmp key meowcat address 200.12.254.12

Next we'll make an IPsec profile for the VTI. It replaces the crypto map and carries only the transform set and PFS setting, since the peer and the traffic selection come from the tunnel interface and the routing table instead of an ACL.

R01(config)#crypto ipsec profile VTI
 R01(ipsec-profile)# set transform-set ESP-3DES-SHA 
 R01(ipsec-profile)# set pfs group2

A VTI is a tunnel interface, so we make Tunnel12, give it an IP address, set the tunnel mode to IPsec and attach the IPsec profile to it.

R01(config)#interface Tunnel12
 R01(config-if)# ip address 10.1.12.1 255.255.255.0
 R01(config-if)# tunnel source GigabitEthernet0/1.1254
 R01(config-if)# tunnel mode ipsec ipv4
 R01(config-if)# tunnel destination 200.12.254.12
 R01(config-if)# tunnel protection ipsec profile VTI

Since this is a routed VPN we'll set up BGP across the tunnel and advertise the LAN network. Both ends are in AS 100, so this is an iBGP session between the tunnel addresses.

 R01(config)#router bgp 100
 R01(config-router)# bgp log-neighbor-changes
 R01(config-router)# network 192.168.10.0
 R01(config-router)# neighbor 10.1.12.12 remote-as 100

ASA02

On the ASA side we'll use the same phase 1 and 2 settings from above and add a tunnel-group entry for R01 (again created as type ipsec-l2l first). Don't forget crypto ikev1 enable outside on this firewall too!

 ASA02(config)# tunnel-group 200.1.254.1 type ipsec-l2l
 ASA02(config)# tunnel-group 200.1.254.1 ipsec-attributes
 ASA02(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
 ASA02(config-tunnel-ipsec)# exit

Next we need an IPsec profile, the ASA equivalent of the one on the router.

 ASA02(config)# crypto ipsec profile VTI
 ASA02(config-ipsec-profile)# set ikev1 transform-set ESP-3DES-SHA
 ASA02(config-ipsec-profile)# set pfs group2

Then we make a tunnel interface like we did on the router. On the ASA the VTI gets a nameif, which makes it a named interface for policy purposes: access-lists can be applied to it like any other interface, so traffic arriving over the tunnel is not automatically trusted just because it was encrypted.

 ASA02(config)# interface Tunnel12
 ASA02(config-if)# nameif VPN
 ASA02(config-if)# ip address 10.1.12.12 255.255.255.0 
 ASA02(config-if)# tunnel source interface outside
 ASA02(config-if)# tunnel destination 200.1.254.1
 ASA02(config-if)# tunnel mode ipsec ipv4
 ASA02(config-if)# tunnel protection ipsec profile VTI

Lastly we need BGP on the ASA. Unlike IOS, the ASA wants the neighbor configured and activated under the IPv4 address family.

ASA02(config)# router bgp 100
 ASA02(config-router)# bgp log-neighbor-changes
 ASA02(config-router)# address-family ipv4 unicast
 ASA02(config-router-af)# neighbor 10.1.12.1 remote-as 100
 ASA02(config-router-af)# neighbor 10.1.12.1 activate
 ASA02(config-router-af)# network 192.168.12.0
 ASA02(config-router-af)# no auto-summary
 ASA02(config-router-af)# no synchronization
 ASA02(config-router-af)# exit-address-family

Testing

Once the BGP session is established we can ping from S01 to S12 (192.168.12.100).

cisco@S01:~$ ping 192.168.12.100 -c 5 
 PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
 64 bytes from 192.168.12.100: icmp_seq=1 ttl=63 time=268 ms
 64 bytes from 192.168.12.100: icmp_seq=2 ttl=63 time=193 ms
 64 bytes from 192.168.12.100: icmp_seq=3 ttl=63 time=151 ms
 64 bytes from 192.168.12.100: icmp_seq=4 ttl=63 time=262 ms
 64 bytes from 192.168.12.100: icmp_seq=5 ttl=63 time=305 ms
 
 --- 192.168.12.100 ping statistics ---
 5 packets transmitted, 5 received, 0% packet loss, time 4006ms
 rtt min/avg/max/mdev = 151.800/236.337/305.269/55.486 ms

And the BGP table shows the router's LAN learned over the tunnel (next hop 10.1.12.1) alongside our own network, with no crypto ACL to maintain.

ASA02(config-router)# show bgp
 
 BGP table version is 9, local router ID is 200.12.254.12
 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale, m multipath
 Origin codes: i - IGP, e - EGP, ? - incomplete
 
    Network          Next Hop            Metric LocPrf Weight Path
 *>i192.168.10.0     10.1.12.1                0    100      0 i
 *> 192.168.12.0     0.0.0.0                  0         32768 i
