This post is the first in a series of two.
In this post I will walk through the configuration of a site-to-site IPSec VPN tunnel using a pair of ASAs. I’ll use the terms eastbound and westbound to describe traffic flowing across the tunnel, relative to the diagram below.
There is an error on this diagram: the tunnel (in blue) on the left should read 192.0.2.60 -> 192.0.2.129. I’ll fix this when I get the chance.
You may think of the tunnel as a logical version of a dedicated point-to-point serial connection between the two ASAs. Since our logical point-to-point link is traversing the Internet we use IPSec encryption to prevent snooping. Each end of the tunnel is on a different subnet (obviously).
A-End (Home Base)
Here we only have transit networks and we use static routes which scales well enough for this simple point-to-point link.
- For westbound traffic, we have a default route that sends all decapsulated tunnelled traffic received on the ASA out via the orange linknet to R1.
- For eastbound traffic, R1 has a static route for 10.1.0.0/24 (the B-End client subnet) pointing east to the ASA. The ASA will encapsulate traffic with this destination into the IPSec tunnel.
- Finally, there is an eastbound default route for non-tunnelled traffic, used to reach any IPSec peers, for remote management of the ASA and for any other services.
B-End (Remote Site)
There is a default route on the B-End ASA sending everything via its westbound interface (outside). An ACL ensures everything from the local subnet (10.1.0.0/24) is encapsulated in the tunnel. Eastbound return traffic will be decapsulated and then routed internally by the ASA, so no ACL is needed.
A-End ASA crypto configuration:
! Phase 2 - ipsec tunnel for the data
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! Phase 1 - isakmp tunnel to encrypt initial ASA chatter
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
! light up crypto on the outside interface
crypto ikev2 enable outside
! Define the B-END of the tunnel and configure PSK
tunnel-group 192.0.2.129 type ipsec-l2l
tunnel-group 192.0.2.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key B_END_KEY
 ikev2 local-authentication pre-shared-key A_END_KEY
! What traffic do we wish to send down the ipsec tunnel?
access-list OUTSIDE_CRYPTOMAP_10 remark ACL to encrypt traffic from anywhere to B-END
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0
! Bring it all together and enable on the outside interface
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.129
crypto map outside_map 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map outside_map interface outside
! Send tunneled traffic to the inside interface to be routed on the enterprise:
route inside 0.0.0.0 0.0.0.0 192.0.2.1 tunneled
B-End ASA crypto configuration:
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 192.0.2.6 type ipsec-l2l
tunnel-group 192.0.2.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key A_END_KEY
 ikev2 local-authentication pre-shared-key B_END_KEY
!
object-group network clients
 network-object 10.1.0.0 255.255.255.0
access-list clients-out extended permit ip object-group clients any
access-list clients-out extended permit icmp any any
access-list OUTSIDE_CRYPTOMAP_10 remark ACL to encrypt traffic from local net to anywhere
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any
!
access-group clients-out in interface inside
!
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP_10
crypto map outside_map 10 set peer 192.0.2.6
crypto map outside_map 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map outside_map interface outside
!
A-End ASA interfaces:
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 ip address 192.0.2.6 255.255.255.252
B-End ASA interfaces:
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.1.0.254 255.255.255.0
!
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 ip address 192.0.2.129 255.255.255.252
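Most site-to-site tunnel failures come from the two ends not agreeing: the peer address, the swapped pre-shared keys, the tunnel-group name and the crypto ACLs all have to mirror each other. The following added script (my own, not from the original post) checks those relationships across a pair of ASA configs; the embedded excerpts are constructed, trimmed copies of the A-End and B-End configs above.

```python
import re

# Constructed, trimmed excerpts of the two ASA configs in this post (A-End and B-End).
A_END = """\
 nameif outside
 ip address 192.0.2.6 255.255.255.252
tunnel-group 192.0.2.129 ipsec-attributes
 ikev2 remote-authentication pre-shared-key B_END_KEY
 ikev2 local-authentication pre-shared-key A_END_KEY
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip any 10.1.0.0 255.255.255.0
crypto map outside_map 10 set peer 192.0.2.129
"""
B_END = """\
 nameif outside
 ip address 192.0.2.129 255.255.255.252
tunnel-group 192.0.2.6 ipsec-attributes
 ikev2 remote-authentication pre-shared-key A_END_KEY
 ikev2 local-authentication pre-shared-key B_END_KEY
access-list OUTSIDE_CRYPTOMAP_10 extended permit ip 10.1.0.0 255.255.255.0 any
crypto map outside_map 10 set peer 192.0.2.6
"""

def field(cfg, pattern):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Pull out the settings that must agree between the two tunnel ends."""
    acl = re.findall(r"^access-list \S+ extended permit ip (any|\S+ \S+) (any|\S+ \S+)$", cfg, re.M)
    return {
        "outside_ip": field(cfg, r"nameif outside\n(?: [^\n]*\n)*? ip address (\S+)"),
        "tunnel_group": field(cfg, r"^tunnel-group (\S+) ipsec-attributes"),
        "peer": field(cfg, r"set peer (\S+)"),
        "remote_psk": field(cfg, r"remote-authentication pre-shared-key (\S+)"),
        "local_psk": field(cfg, r"local-authentication pre-shared-key (\S+)"),
        "crypto_acl": set(acl),  # (source, destination) pairs the crypto map matches
    }

def check_pair(a_cfg, b_cfg):
    """Return a list of mismatches; an empty list means the two ends agree."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    for side, other in ((a, b), (b, a)):
        if side["peer"] != other["outside_ip"]:
            problems.append("set peer %s is not the other end's outside address" % side["peer"])
        if side["tunnel_group"] != side["peer"]:
            problems.append("tunnel-group %s does not match set peer" % side["tunnel_group"])
        if side["local_psk"] != other["remote_psk"]:
            problems.append("local PSK %s is not the other end's remote PSK" % side["local_psk"])
    if {(dst, src) for src, dst in a["crypto_acl"]} != b["crypto_acl"]:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

Run it against `show running-config` output from both boxes before troubleshooting IKE debugs; the regexes tolerate the extra interface lines (security-level and so on) that a full config carries.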
Since the B-End is remote, it would be preferable to log over TCP, as that gives more certainty as to the source of the packets. However, this can overload the ASA, so we are stuck with UDP. We log more information at the A-End, as the logging traffic there doesn’t get encrypted and so is less of a burden.
A-End logging:
!
logging timestamp
logging trap notifications
logging host outside <LOGGING_HOST>
!
You can enable buffered logging as needed.
B-End logging:
!
logging enable
logging timestamp
logging trap warnings
logging host outside <LOGGING_HOST>
!
For simplicity this example uses static routes. R1 has a static route to send the client network via the A-End ASA:
ip route 10.1.0.0 255.255.255.0 192.0.2.2
The A-End ASA has an eastbound default route, so that any IPSec peer can be configured:
route outside 0.0.0.0 0.0.0.0 192.0.2.5 1
The A-End ASA also needs to be able to route traffic with any destination address once it pops out of the tunnel:
route inside 0.0.0.0 0.0.0.0 192.0.2.1 tunneled
The B-End ASA has a static route to send everything (non-tunnel) via its outside linknet. It doesn’t need a tunneled route as the only possible destination is the client LAN 10.1.0.0/24.
route outside 0.0.0.0 0.0.0.0 192.0.2.130 1
If you want to read about setting up an IPSec VPN through NAT, see this follow up post.