How to create a site to site VPN from an ASA to an ASA
Branch Office End - IKE Policy
The first step is to create the IKE policy that determines the encryption and authentication used for the tunnel. The CLI for this is as follows.
Create a crypto policy for IKE version 1 using a pre-shared key, 3DES encryption, SHA hashing, Group 2 Diffie-Hellman and a key lifetime of 43200 seconds.
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
exit
The IKE version 1 policy is then enabled on the outside interface.
crypto ikev1 enable outside
Create a crypto policy for IKE version 2 using 3DES encryption, SHA as the PRF, Group 2 Diffie-Hellman and a key lifetime of 43200 seconds (the pre-shared key itself is set on the tunnel group later).
crypto ikev2 policy 1
encryption 3des
group 2
prf sha
lifetime seconds 43200
exit
The IKE version 2 policy is then enabled on the outside interface.
crypto ikev2 enable outside
Now you need a transform set (IKEv1) and an IPsec proposal (IKEv2) that list the combinations of encryption and integrity that can be used. In this example we use ESP-3DES with ESP-MD5-HMAC for the IKEv1 transform set, and 3DES, AES or DES with SHA-1 integrity for the IKEv2 proposal.
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des aes des
protocol esp integrity sha-1
Branch End - ACL and Tunnel Group
So that the ASA encrypts the correct traffic we need to create an ACL matching the traffic that is to go across the VPN tunnel. In this example I am going to encrypt the traffic from the 192.168.1.0/24 subnet to the 192.168.14.0/24 subnet.
access-list acl-ipsec-traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.14.0 255.255.255.0
As this is the Branch Office end we need to add a tunnel group with the IP address of the Head End ASA, set it to the LAN-to-LAN (l2l) type and add the pre-shared key.
tunnel-group 94.175.xx.xx type ipsec-l2l
Add the pre-shared key under the tunnel group's IPsec attributes.
tunnel-group 94.175.xx.xx ipsec-attributes
ikev1 pre-shared-key Jn88&^%fgy7771w
Branch End - Crypto Map
Now we need to create a crypto map that can be assigned to an interface to tell the ASA what to do with the traffic we want to encrypt.
First name the crypto map and give it sequence number 1, then match it to the ACL we created so that the map only applies to our traffic.
crypto map crypto-map-ebc 1 match address acl-ipsec-traffic
Set the peer IP address for the tunnel to connect to.
crypto map crypto-map-ebc 1 set peer 94.175.232.166
Set the transform set and IPsec proposal to be used in the IKEv1 and IKEv2 proposals.
crypto map crypto-map-ebc 1 set ikev1 transform-set vpn-transform-set
crypto map crypto-map-ebc 1 set ikev2 ipsec-proposal secure
Assign the crypto map to our outside (Internet-facing) interface.
crypto map crypto-map-ebc interface outside
Branch End - Exclude Traffic from PAT or NAT
By default the ASA applies PAT or NAT statements before it applies a crypto map, so we need to exclude our tunnel traffic from the PAT/NAT process; this is done with a NAT exemption.
First declare network objects for the local and remote networks.
object network obj-inside
subnet 192.168.1.0 255.255.255.0
exit
object network obj-remote
subnet 192.168.14.0 255.255.255.0
exit
Now create a NAT statement with sequence number 1, so that it is evaluated first, telling the ASA not to translate our traffic and to pass it directly to the outside interface. The statement translates the source to itself and the destination to itself.
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote
Branch End - Optional ACL
You may have an outbound ACL for traffic from the inside to the outside; if so you will need to add a rule for the tunnel traffic. Here I have allowed all TCP traffic across the tunnel.
access-list acl-inside-to-outside extended permit tcp object obj-inside object obj-remote
Head End - IKE Policy
The IKE policies, transform set and IPsec proposal are created at the Head End just as at the Branch End; they must match the Branch End so that the two ASAs can agree on a proposal.
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
exit
crypto ikev1 enable outside
crypto ikev2 policy 1
encryption 3des
group 2
prf sha
lifetime seconds 43200
exit
crypto ikev2 enable outside
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
protocol esp encryption 3des
protocol esp integrity sha-1 md5
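Because the Branch End and Head End policies have to agree before phase 1 can complete, it is worth checking a pair of configs for an overlapping proposal before bringing the tunnel up. The Python script below is an added example and not code from the original post: it parses the post's own crypto ikev1 policy and crypto ikev2 policy blocks (expanding the abbreviated keywords the post uses), reports which policy pairs can agree per IKE version, and flags the legacy algorithms (DES, 3DES, MD5) that appear. The config text is constructed from the post's commands, and the assumption that an ASA IKEv2 policy defaults to SHA integrity when none is configured is mine, not the post's.

```python
"""Added example (not from the original post): parse the IKEv1/IKEv2 policy
blocks from two ASA configs and check that the Branch End and Head End can
agree on a proposal. Config text is constructed from the post's commands."""
import re

# Full keyword names; the post abbreviates some ("auth", "encry", "encryp").
KEYWORDS = ("authentication", "encryption", "hash", "group", "lifetime",
            "integrity", "prf")
# Assumption: an ASA IKEv2 policy defaults to SHA integrity when none is set.
DEFAULTS = {"ikev1": {}, "ikev2": {"integrity": {"sha"}}}
# Attributes that must overlap for the two ends to agree. Lifetime is
# negotiated down to the smaller value, so it is deliberately not compared.
MATCH_ATTRS = {"ikev1": ("authentication", "encryption", "hash", "group"),
               "ikev2": ("encryption", "integrity", "prf", "group")}
# Algorithms a reviewer would flag as legacy wherever they appear.
LEGACY = {"des", "3des", "md5"}

def expand(word):
    """Expand an abbreviated ASA keyword, e.g. "encryp" -> "encryption"."""
    for full in KEYWORDS:
        if full.startswith(word):
            return full
    return word

def parse_ike_policies(config):
    """Return {"ikev1": {priority: {attr: set(values)}}, "ikev2": {...}}."""
    policies = {"ikev1": {}, "ikev2": {}}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto (ikev[12]) policy (\d+)$", line)
        if header:
            version, prio = header.group(1), int(header.group(2))
            current = policies[version].setdefault(prio, dict(DEFAULTS[version]))
            continue
        if not line or line == "exit" or line.startswith("crypto "):
            current = None          # left the policy block
            continue
        if current is not None:
            tokens = line.split()
            # IKEv2 writes "lifetime seconds 43200", IKEv1 "lifetime 43200".
            current[expand(tokens[0])] = {t for t in tokens[1:] if t != "seconds"}
    return policies

def matching_policies(local, remote, version):
    """Return (local_prio, remote_prio) pairs whose attributes all overlap."""
    matches = []
    for lp, lattrs in sorted(local[version].items()):
        for rp, rattrs in sorted(remote[version].items()):
            if all(lattrs.get(a, set()) & rattrs.get(a, set())
                   for a in MATCH_ATTRS[version]):
                matches.append((lp, rp))
    return matches

def legacy_algorithms(policies):
    """Return the legacy algorithm names used by any policy in a config."""
    used = set()
    for version in policies.values():
        for attrs in version.values():
            for values in attrs.values():
                used |= values & LEGACY
    return used

def check_pair(branch_config, head_config):
    """Summarise, per IKE version, whether the two ends can agree."""
    branch = parse_ike_policies(branch_config)
    head = parse_ike_policies(head_config)
    return {"ikev1": matching_policies(branch, head, "ikev1"),
            "ikev2": matching_policies(branch, head, "ikev2"),
            "legacy": sorted(legacy_algorithms(branch) | legacy_algorithms(head))}

# Constructed from the post's Branch End IKE section (abbreviations kept).
BRANCH_CONFIG = """
crypto ikev1 policy 1
auth pre-share
encry 3des
hash sha
group 2
lifetime 43200
exit
crypto ikev1 enable outside
crypto ikev2 policy 1
encryp 3des
group 2
prf sha
lifetime seconds 43200
exit
crypto ikev2 enable outside
"""
HEAD_CONFIG = BRANCH_CONFIG   # the post configures the Head End identically
# Constructed mismatch: a Head End whose IKEv1 policy uses DH group 5.
HEAD_CONFIG_GROUP5 = BRANCH_CONFIG.replace("hash sha\ngroup 2", "hash sha\ngroup 5")

if __name__ == "__main__":
    print(check_pair(BRANCH_CONFIG, HEAD_CONFIG))
    print(check_pair(BRANCH_CONFIG, HEAD_CONFIG_GROUP5))
```

Run it against the real running configs (show running-config copied from each ASA) and an empty list for a version means that version will never complete phase 1; the legacy list is a prompt to move the proposals to AES and SHA-2 where both ends support them.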
Head End - ACL and Tunnel Group
Because we are using a dynamic crypto map at the Head End we do not need to specify the traffic to be encrypted: the tunnel is initiated from the Branch End, so the ASA learns the source and destination IP of the packets from the Branch End. We only need to create the tunnel group, and because we do not know the IP address of the Branch End in advance the tunnel group settings go into the default LAN-to-LAN tunnel group. Note that the pre-shared key is the same as at the Branch End.
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key Jn88&^%fgy7771w
Head End - Crypto Map
The crypto map at the Head End is a dynamic crypto map, which means it can accept a tunnel from any peer IP address.
Set the IPsec proposal for IKE version 1 and IKE version 2, using the transform set and proposal names defined at the Head End above.
crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set vpn-transform-set
crypto dynamic-map dynamic-map-ipsec 1 set ikev2 ipsec-proposal ESP-3DES-MD5
Enable reverse route injection so that when the tunnel comes up the Head End adds a route to the Branch End subnet, allowing return traffic to reach the remote network.
crypto dynamic-map dynamic-map-ipsec 1 set reverse-route
Create a crypto map called crypto-map-dynamic, assign it sequence number 1 and attach our dynamic crypto map to it.
crypto map crypto-map-dynamic 1 ipsec-isakmp dynamic dynamic-map-ipsec
Assign the crypto map to the outside interface.
crypto map crypto-map-dynamic interface outside
Head End - Exclude Traffic from PAT or NAT
Once again we need to exclude the tunnel traffic from PAT/NAT. Note that the object names are mirrored relative to the Branch End: here obj-inside is 192.168.14.0/24 and obj-remote is 192.168.1.0/24.
object network obj-remote
subnet 192.168.1.0 255.255.255.0
exit
object network obj-inside
subnet 192.168.14.0 255.255.255.0
exit
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote
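The crypto ACL at the Branch End, the NAT exemption at each end and the Head End's objects all have to describe the same two subnets; if the exemption and the crypto ACL select different traffic, the ASA translates the packets before the crypto map sees them, which is exactly what the exemption exists to prevent. The Python script below is an added example, not code from the original post: it parses the post's object network, nat and access-list commands, confirms the exemption is an identity translation, confirms the Branch End crypto ACL covers the same source and destination as the exemption, and confirms the Head End's networks are the Branch End's with source and destination swapped. The config snippets are constructed from the post's own commands, and the typo case is a constructed mistake.

```python
"""Added example (not from the original post): check that the crypto ACL and
the NAT exemption on each ASA select the same traffic, and that the Head End's
objects mirror the Branch End's. Snippets are constructed from the post."""
import ipaddress
import re

def parse_objects(config):
    """Return {object-name: ip_network} from 'object network' blocks."""
    objects, name = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"object network (\S+)$", line)
        if header:
            name = header.group(1)
            continue
        subnet = re.match(r"subnet (\S+) (\S+)$", line)
        if subnet and name:   # "subnet 192.168.1.0 255.255.255.0" -> 192.168.1.0/24
            objects[name] = ipaddress.ip_network(f"{subnet.group(1)}/{subnet.group(2)}")
        elif line == "exit":
            name = None
    return objects

def parse_nat_exemption(config, objects):
    """Return (source, destination, is_identity) for the first twice-NAT rule."""
    pattern = (r"nat \((\S+),(\S+)\) (\d+) source static (\S+) (\S+) "
               r"destination static (\S+) (\S+)$")
    for raw in config.splitlines():
        m = re.match(pattern, raw.strip())
        if m:
            real_src, mapped_src, real_dst, mapped_dst = m.group(4, 5, 6, 7)
            # An exemption maps each network to itself ("obj-inside obj-inside").
            identity = real_src == mapped_src and real_dst == mapped_dst
            return objects[real_src], objects[real_dst], identity
    return None

def parse_crypto_acl(config, acl_name, objects):
    """Return (source, destination) from the ACL's first 'permit ip' entry."""
    prefix = f"access-list {acl_name} extended permit ip "
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(prefix):
            continue
        rest = line[len(prefix):].split()
        if rest[0] == "object":                 # object obj-a object obj-b
            return objects[rest[1]], objects[rest[3]]
        return (ipaddress.ip_network(f"{rest[0]}/{rest[1]}"),   # addr mask addr mask
                ipaddress.ip_network(f"{rest[2]}/{rest[3]}"))
    return None

def check_end(config, acl_name=None):
    """Findings for one ASA: exemption is identity NAT; crypto ACL matches it."""
    objects = parse_objects(config)
    nat = parse_nat_exemption(config, objects)
    findings = {"nat_identity": bool(nat and nat[2])}
    if nat:
        findings["src"], findings["dst"] = nat[0], nat[1]
    if acl_name:
        acl = parse_crypto_acl(config, acl_name, objects)
        findings["acl_matches_nat"] = bool(nat and acl == (nat[0], nat[1]))
    return findings

def check_pair(branch_config, head_config, branch_acl):
    """The Head End must select the Branch End's traffic with src/dst swapped."""
    b, h = check_end(branch_config, branch_acl), check_end(head_config)
    mirrored = (b["nat_identity"] and h["nat_identity"]
                and b["src"] == h["dst"] and b["dst"] == h["src"])
    return {"branch": b, "head": h, "mirrored": mirrored}

# Constructed from the post's Branch End section.
BRANCH_CONFIG = """
object network obj-inside
subnet 192.168.1.0 255.255.255.0
exit
object network obj-remote
subnet 192.168.14.0 255.255.255.0
exit
access-list acl-ipsec-traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.14.0 255.255.255.0
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote
"""
# Constructed from the post's Head End section (object names are mirrored).
HEAD_CONFIG = """
object network obj-remote
subnet 192.168.1.0 255.255.255.0
exit
object network obj-inside
subnet 192.168.14.0 255.255.255.0
exit
nat (inside,outside) 1 source static obj-inside obj-inside destination static obj-remote obj-remote
"""
# Constructed mistake: Head End obj-remote typed as the wrong subnet.
HEAD_CONFIG_TYPO = HEAD_CONFIG.replace("192.168.1.0 ", "192.168.2.0 ")

if __name__ == "__main__":
    print(check_pair(BRANCH_CONFIG, HEAD_CONFIG, "acl-ipsec-traffic"))
    print(check_pair(BRANCH_CONFIG, HEAD_CONFIG_TYPO, "acl-ipsec-traffic"))
```

A mirrored result of False with nat_identity True at both ends points at a subnet typo in one of the objects; acl_matches_nat False at the Branch End means the crypto ACL and the exemption disagree, so some packets will be translated instead of encrypted.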
Test the Tunnel
You should now find your tunnel is up and passing traffic. If not, it is time to start debugging; here is a helpful guide.
Excellent post, it helped me with the appropriate nat statements that are used in 8.3+ code. Thanks. Worked like a charm on two 5505's running 8.4.
good post.. let me point out one config mistake.. correct me if i am wrong...
in Head End Crypto Map
we have to give
crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set vpn-transform-set
instead of
crypto dynamic-map dynamic-map-ipsec 1 set ikev1 transform-set ESP-3DES-MD5
how to add a second remote at the head end for another remote to connect?
how do you add another remote vpn tunnel on the head end to allow second, third remote sites and so on?