Since I still have my ASA lab up, let’s play with two types of VPNs.
Here is tonight’s topology
Site to Site VPN
R01
A site-to-site VPN uses an ACL (the crypto ACL) to match the traffic that is going to be encrypted.
R01(config)#ip access-list extended VPN_R01_TO_ASA01
R01(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
For the phase 1 settings we’ll use 3DES encryption, SHA-1 hash, and DH group 2. We’ll also use pre-shared keys for authentication.
R01(config)#crypto isakmp policy 100
R01(config-isakmp)# encr 3des
R01(config-isakmp)# hash sha
R01(config-isakmp)# authentication pre-share
R01(config-isakmp)# group 2
R01(config-isakmp)#exit
We’ll use 3DES and SHA-1 for phase 2 as well.
R01(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
R01(cfg-crypto-trans)#exit
Next we set a pre-shared key for ASA01’s WAN IP address.
R01(config)#crypto isakmp key meowcat address 200.11.254.11
Now that all the pieces are configured, we need to make a crypto map to tie everything together.
The reverse-route option is handy: it generates a static route for the VPN’s remote network so we can redistribute it into other routing protocols.
R01(config)#crypto map VPN 100 ipsec-isakmp
R01(config-crypto-map)# set peer 200.11.254.11
R01(config-crypto-map)# set transform-set ESP-3DES-SHA
R01(config-crypto-map)# set pfs group2
R01(config-crypto-map)# set reverse-route tag 100
R01(config-crypto-map)#exit
Lastly we enable the VPN on our outside interface.
R01(config)#int g0/1.1254
R01(config-subif)#crypto map VPN
ASA01
The ASA follows similar logic: we make an ACL that matches the VPN traffic.
ASA01(config)# access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
Then we make a phase 1 and 2 policy that matches what we did on the router.
ASA01(config)# crypto ikev1 policy 100
ASA01(config-ikev1-policy)# authentication pre-share
ASA01(config-ikev1-policy)# encryption 3des
ASA01(config-ikev1-policy)# hash sha
ASA01(config-ikev1-policy)# group 2
ASA01(config-ikev1-policy)# lifetime 86400
ASA01(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
We will also have to enable IKEv1 on the firewall.
ASA01(config)# crypto ikev1 enable outside
On an ASA we define the pre-shared key in a tunnel-group.
ASA01(config)# tunnel-group 200.1.254.1 ipsec-attributes
ASA01(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
ASA01(config-tunnel-ipsec)# exit
Then we make a crypto map that ties everything together.
crypto map VPN 100 match address VPN_ASA01_TO_R01
crypto map VPN 100 set pfs
crypto map VPN 100 set peer 200.1.254.1
crypto map VPN 100 set ikev1 transform-set ESP-3DES-SHA
crypto map VPN 100 set reverse-route
crypto map VPN interface outside
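The two things that most often keep a crypto-map VPN from coming up are a crypto ACL that is not an exact mirror of the far side’s (remember the router takes wildcard masks while the ASA takes subnet masks) and a phase 1 policy that does not agree on every attribute. Here is an added Python check for both; it is not from the original post or from Cisco. The sample ACL lines and policies are copied from the lab configuration above, and the function names, the IOS/ASA attribute aliases and the legacy-settings table are my own. That table also flags that 3DES, SHA-1 and DH group 2 are deprecated for new deployments in favour of AES, SHA-2 and group 14 or higher (and IKEv2 over IKEv1).

```python
"""Sanity checks for a crypto-map (site-to-site) IPsec VPN.

Added example for the post above, not Cisco code.  Two checks:
  1. the crypto ACLs on the two peers are exact mirror images, and
  2. the IKE phase 1 policies agree on every attribute.
A third helper flags legacy algorithm choices.
"""
import ipaddress
import re

# Constructed samples, copied from the lab configuration in the post.
ROUTER_ACL = "permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"
ASA_ACL = ("access-list VPN_ASA01_TO_R01 extended permit ip "
           "192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0")
ROUTER_POLICY = {"encr": "3des", "hash": "sha",
                 "authentication": "pre-share", "group": "2"}
ASA_POLICY = {"encryption": "3des", "hash": "sha",
              "authentication": "pre-share", "group": "2"}

_ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def _wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0.0.0.255) -> IPv4Network; invert the bits."""
    netmask = ipaddress.IPv4Address(
        0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def parse_ios_acl(line):
    """(src, dst) networks from an IOS extended ACE (wildcard masks)."""
    m = _ACL_RE.search(line)
    if m is None:
        raise ValueError(f"not a 'permit ip' ACE: {line!r}")
    return (_wildcard_to_network(m[1], m[2]),
            _wildcard_to_network(m[3], m[4]))


def parse_asa_acl(line):
    """(src, dst) networks from an ASA extended ACE (subnet masks)."""
    m = _ACL_RE.search(line)
    if m is None:
        raise ValueError(f"not a 'permit ip' ACE: {line!r}")
    return (ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False),
            ipaddress.IPv4Network(f"{m[3]}/{m[4]}", strict=False))


def acls_are_mirror(ios_line, asa_line):
    """True when the router's (src, dst) equals the ASA's (dst, src).
    Anything else is a phase 2 proxy-ID mismatch and no tunnel."""
    r_src, r_dst = parse_ios_acl(ios_line)
    a_src, a_dst = parse_asa_acl(asa_line)
    return r_src == a_dst and r_dst == a_src


# IOS spells the encryption attribute "encr"; the ASA says "encryption".
_ALIASES = {"encr": "encryption"}


def _normalise(policy):
    return {_ALIASES.get(k, k): v for k, v in policy.items()}


def policy_mismatches(ios_policy, asa_policy):
    """Dict of attribute -> (router value, ASA value) for each difference.
    An empty dict means phase 1 will negotiate."""
    a, b = _normalise(ios_policy), _normalise(asa_policy)
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b)
            if a.get(k) != b.get(k)}


# Values still common in labs but deprecated for new deployments:
# 3DES (64-bit block), SHA-1 ("hash sha"), DH groups 1/2/5 (<= 1536-bit MODP).
LEGACY = {"encryption": {"des", "3des"},
          "hash": {"md5", "sha"},
          "group": {"1", "2", "5"}}


def legacy_settings(policy):
    """Attributes of a policy whose value is on the legacy list."""
    return {k: v for k, v in _normalise(policy).items()
            if v in LEGACY.get(k, set())}


if __name__ == "__main__":
    print("ACLs mirror:", acls_are_mirror(ROUTER_ACL, ASA_ACL))
    print("phase 1 mismatches:", policy_mismatches(ROUTER_POLICY, ASA_POLICY))
    print("legacy settings on R01:", legacy_settings(ROUTER_POLICY))
```

Run it against the two lab configs and it reports the ACLs as mirrored and no phase 1 mismatches, with all three of encryption, hash and group on the legacy list; change one side’s `group` and `policy_mismatches` names the attribute and both values, which is usually faster than reading a debug.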
Testing
Now that the VPN is set up we can ping from S01 to S11.
cisco@S01:~$ ping 192.168.11.100 -c 5
PING 192.168.11.100 (192.168.11.100) 56(84) bytes of data.
64 bytes from 192.168.11.100: icmp_seq=1 ttl=63 time=260 ms
64 bytes from 192.168.11.100: icmp_seq=2 ttl=63 time=243 ms
64 bytes from 192.168.11.100: icmp_seq=3 ttl=63 time=269 ms
64 bytes from 192.168.11.100: icmp_seq=4 ttl=63 time=301 ms
64 bytes from 192.168.11.100: icmp_seq=5 ttl=63 time=307 ms
The VPN is up when the router shows QM_IDLE (and the ASA shows MM_ACTIVE) as the connection state.
R01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.1.254.1     200.11.254.11   QM_IDLE           1008 ACTIVE

ASA01(config)# show isakmp sa
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.1.254.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
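Eyeballing that output works in a lab, but a monitoring job wants a yes/no answer per peer. Here is an added Python snippet, not from the original post or from Cisco, that parses both forms of the IKE SA table (the IOS row format and the ASA block format) and reports whether the SA to a given peer is established. The sample output is copied from the testing section above; the function names and the UP_STATES set are my own. One caveat: QM_IDLE and MM_ACTIVE only prove that phase 1 is up; to confirm traffic is actually being encrypted, check the phase 2 counters with `show crypto ipsec sa` on either box.

```python
"""Parse the IKE SA tables shown above and answer "is the tunnel to this
peer up?".  Added example for the post, not Cisco code; the sample output
is copied from the lab and the function names are my own."""
import re

# Constructed samples (copied from the post's testing section).
IOS_SHOW = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.1.254.1     200.11.254.11   QM_IDLE           1008 ACTIVE
"""

ASA_SHOW = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.1.254.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Phase 1 states that mean the IKE SA is established.  IOS shows QM_IDLE;
# the ASA shows MM_ACTIVE.  Anything else (MM_NO_STATE, MM_KEY_EXCH, ...)
# is a negotiation still in progress or one that has failed.
UP_STATES = {"QM_IDLE", "MM_ACTIVE"}

# One IOS row: dst, src, state, conn-id, status.
_IOS_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+(\S+)",
    re.MULTILINE)


def ios_isakmp_sas(text):
    """Rows of IOS 'show crypto isakmp sa' as dicts.  Because the router
    may be initiator or responder, both dst and src are kept as peers."""
    return [{"peers": {m[1], m[2]}, "state": m[3], "status": m[4]}
            for m in _IOS_ROW.finditer(text)]


def asa_isakmp_sas(text):
    """Entries of ASA 'show isakmp sa' as dicts, pairing each 'IKE Peer'
    line with the 'State' value that follows it."""
    peers = re.findall(r"IKE Peer:\s*(\S+)", text)
    states = re.findall(r"State\s*:\s*(\S+)", text)
    return [{"peers": {p}, "state": s} for p, s in zip(peers, states)]


def tunnel_is_up(sas, peer):
    """True when some SA involves `peer` and is in an established state."""
    return any(peer in sa["peers"] and sa["state"] in UP_STATES
               for sa in sas)


if __name__ == "__main__":
    print("R01 -> ASA01:", tunnel_is_up(ios_isakmp_sas(IOS_SHOW), "200.11.254.11"))
    print("ASA01 -> R01:", tunnel_is_up(asa_isakmp_sas(ASA_SHOW), "200.1.254.1"))
```

Feed it the output of the two show commands (for example over SSH from a monitoring host) and alert when `tunnel_is_up` turns false for a peer that should be there; an SA that is missing from the table entirely also comes back false, which is the case you care about most.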
We can see the reverse route working by looking at the routing table.
ASA01(config)# show route static
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 200.11.254.254 to network 0.0.0.0

S*   0.0.0.0 0.0.0.0 [1/0] via 200.11.254.254, outside
V    192.168.10.0 255.255.255.0 connected by VPN (advertised), outside
VTI VPN
The drawback of a site-to-site VPN is that we have to manually enter which networks to encrypt in the crypto map’s ACL. ASAs now support a routed VPN, a VTI (virtual tunnel interface), to make this more dynamic. Currently it supports BGP routing and will likely support other protocols as time goes on.
R01
We’ll reuse the phase 1 and 2 settings from the site-to-site VPN to save a bit of time and then add a pre-shared key for ASA02.
R01(config)#crypto isakmp key meowcat address 200.12.254.12
Next we’ll make an IPsec profile for the VTI.
R01(config)#crypto ipsec profile VTI
R01(ipsec-profile)# set transform-set ESP-3DES-SHA
R01(ipsec-profile)# set pfs group2
A VTI is a tunnel interface, so we’ll make Tunnel12, give it an IP address and attach the IPsec profile to it.
R01(config)#interface Tunnel12
R01(config-if)# ip address 10.1.12.1 255.255.255.0
R01(config-if)# tunnel source GigabitEthernet0/1.1254
R01(config-if)# tunnel mode ipsec ipv4
R01(config-if)# tunnel destination 200.12.254.12
R01(config-if)# tunnel protection ipsec profile VTI
Since this is a routed VPN we’ll set up BGP across the tunnel and advertise the LAN network.
R01(config)#router bgp 100
R01(config-router)# bgp log-neighbor-changes
R01(config-router)# network 192.168.10.0
R01(config-router)# neighbor 10.1.12.12 remote-as 100
ASA02
On the ASA side we’ll use the same phase 1 and 2 settings from above and add a tunnel-group entry for R01. Don’t forget to enable ISAKMP!
ASA02(config)# tunnel-group 200.1.254.1 ipsec-attributes
ASA02(config-tunnel-ipsec)# ikev1 pre-shared-key meowcat
ASA02(config-tunnel-ipsec)# exit
Next we need an IPsec profile.
ASA02(config)# crypto ipsec profile VTI
ASA02(config-ipsec-profile)# set ikev1 transform-set ESP-3DES-SHA
ASA02(config-ipsec-profile)# set pfs group2
Then we make a tunnel interface like we did on the router.
ASA02(config)# interface Tunnel12
ASA02(config-if)# nameif VPN
ASA02(config-if)# ip address 10.1.12.12 255.255.255.0
ASA02(config-if)# tunnel source interface outside
ASA02(config-if)# tunnel destination 200.1.254.1
ASA02(config-if)# tunnel mode ipsec ipv4
ASA02(config-if)# tunnel protection ipsec profile VTI
Lastly we just need BGP on the ASA.
ASA02(config)# router bgp 100
ASA02(config-router)# bgp log-neighbor-changes
ASA02(config-router)# address-family ipv4 unicast
ASA02(config-router-af)# neighbor 10.1.12.1 remote-as 100
ASA02(config-router-af)# neighbor 10.1.12.1 activate
ASA02(config-router-af)# network 192.168.12.0
ASA02(config-router-af)# no auto-summary
ASA02(config-router-af)# no synchronization
ASA02(config-router-af)# exit-address-family
Testing
Once BGP comes up we can ping from S01 to S12.
cisco@S01:~$ ping 192.168.12.100 -c 5
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 192.168.12.100: icmp_seq=1 ttl=63 time=268 ms
64 bytes from 192.168.12.100: icmp_seq=2 ttl=63 time=193 ms
64 bytes from 192.168.12.100: icmp_seq=3 ttl=63 time=151 ms
64 bytes from 192.168.12.100: icmp_seq=4 ttl=63 time=262 ms
64 bytes from 192.168.12.100: icmp_seq=5 ttl=63 time=305 ms

--- 192.168.12.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 151.800/236.337/305.269/55.486 ms
And we can see BGP working as it should: the router’s LAN arrives as an iBGP route with the tunnel address as next hop.
ASA02(config-router)# show bgp
BGP table version is 9, local router ID is 200.12.254.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
*>i192.168.10.0       10.1.12.1                0    100      0 i
*> 192.168.12.0       0.0.0.0                  0         32768 i