Basic ASA IPsec VPN Configuration

To keep this article clear (and easier to follow), the configuration steps covered in this section stick with a static LAN-to-LAN IPsec VPN.

The commands that would be used to create a LAN-to-LAN IPsec (IKEv1) VPN between ASAs are shown in Table 1.

Table 1: ASA IKEv1 LAN-to-LAN IPsec Configuration Commands

Step 1. Create and enter IKEv1 policy configuration mode.
Note: The lower the policy-priority, the higher the priority; the valid range is 1–65535.

    asa(config)#crypto ikev1 policy policy-priority

Step 2. Configure an authentication method (default: pre-share).

    asa(config-ikev1-policy)#authentication {pre-share | rsa-sig}

Step 3. Configure an encryption method (default: 3des).

    asa(config-ikev1-policy)#encryption {des | 3des | aes | aes-192 | aes-256}

Step 4. Configure a hash method (default: sha).

    asa(config-ikev1-policy)#hash {md5 | sha}

Step 5. Configure a Diffie-Hellman (DH) group (default: 2).

    asa(config-ikev1-policy)#group {1 | 2 | 5}

Step 6. Configure the IKE SA lifetime (default: 86400 seconds [24 hours]).

    asa(config-ikev1-policy)#lifetime lifetime

Step 7. Enable IKEv1 on an interface.
Note: This is the interface that goes out to the IPsec destination.

    asa(config)#crypto ikev1 enable interface-name

Step 8. Create an IKEv1 transform set.
Notes: encryption-method can be esp-des, esp-3des, esp-aes, esp-aes-192, esp-aes-256, or esp-null. authentication-method can be esp-md5-hmac, esp-sha-hmac, or esp-none.

    asa(config)#crypto ipsec ikev1 transform-set set-name encryption-method authentication-method

Step 9. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel.
Note: This is a very simplified version of an ACL; for further details on ACLs, see my "ASA Access Lists Concepts and Configuration" article.

    asa(config)#access-list acl-name extended {permit | deny} protocol source-network source-netmask destination-network destination-netmask

Step 10. Specify the tunnel group type.
Notes: Because this example is for a LAN-to-LAN IPsec tunnel, the ipsec-l2l tunnel-group type is used. The tunnel-group-name is almost always set to the peer IP address for LAN-to-LAN IPsec tunnels.

    asa(config)#tunnel-group tunnel-group-name type ipsec-l2l

Step 11. Enter IPsec tunnel attribute configuration mode.

    asa(config)#tunnel-group tunnel-group-name ipsec-attributes

Step 12. Configure the IPsec tunnel pre-shared key or certificate trustpoint.

    asa(config-tunnel-ipsec)#ikev1 {pre-shared-key pre-shared-key | trustpoint trustpoint}

Step 13. Create a crypto map entry and match traffic using the previously created ACL.

    asa(config)#crypto map map-name sequence-number match address acl-name

Step 14. Configure the peer IP address.

    asa(config)#crypto map map-name sequence-number set peer peer-ip-address

Step 15. Assign the previously created transform set.

    asa(config)#crypto map map-name sequence-number set ikev1 transform-set set-name

Step 16. Apply the crypto map to an interface.

    asa(config)#crypto map map-name interface interface-name

The commands that would be used to create a LAN-to-LAN IPsec (IKEv2) VPN between ASAs are shown in Table 2:

Table 2: ASA IKEv2 LAN-to-LAN IPsec Configuration Commands

Step 1. Create and enter IKEv2 policy configuration mode.
Note: The lower the policy-priority, the higher the priority; the valid range is 1–65535.

    asa(config)#crypto ikev2 policy policy-priority

Step 2. Configure an encryption method (default: 3des).

    asa(config-ikev2-policy)#encryption {des | 3des | aes | aes-192 | aes-256 | null}

Step 3. Configure an integrity (hash) method (default: sha).

    asa(config-ikev2-policy)#integrity {md5 | sha | sha-256 | sha-384 | sha-512}

Step 4. Configure a Diffie-Hellman (DH) group (default: 2).

    asa(config-ikev2-policy)#group {1 | 2 | 5 | 14 | 19 | 20 | 21 | 24}

Step 5. Configure the pseudo-random function (PRF) (default: sha).

    asa(config-ikev2-policy)#prf {md5 | sha | sha256 | sha384 | sha512}

Step 6. Configure the IKE SA lifetime (default: 86400 seconds [24 hours]).

    asa(config-ikev2-policy)#lifetime seconds lifetime

Step 7. Enable IKEv2 on an interface.
Note: This is the interface that goes out to the IPsec destination.

    asa(config)#crypto ikev2 enable interface-name

Step 8. Create an IKEv2 proposal and enter proposal configuration mode.

    asa(config)#crypto ipsec ikev2 ipsec-proposal proposal-name

Step 9. Configure the IKEv2 proposal encryption method (default: 3des).

    asa(config-ipsec-proposal)#protocol esp encryption {des | 3des | aes | aes-192 | aes-256 | null}

Step 10. Configure the IKEv2 proposal integrity method (default: sha-1).

    asa(config-ipsec-proposal)#protocol esp integrity {md5 | sha-1 | null}

Step 11. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel.
Note: This is a very simplified version of an ACL; for further details on ACLs, see my "ASA Access Lists Concepts and Configuration" article.

    asa(config)#access-list acl-name extended {permit | deny} protocol source-network source-netmask destination-network destination-netmask

Step 12. Specify the tunnel group type.
Notes: Because this example is for a LAN-to-LAN IPsec tunnel, the ipsec-l2l tunnel-group type is used. The tunnel-group-name is almost always set to the peer IP address for LAN-to-LAN IPsec tunnels.

    asa(config)#tunnel-group tunnel-group-name type ipsec-l2l

Step 13. Enter IPsec tunnel attribute configuration mode.

    asa(config)#tunnel-group tunnel-group-name ipsec-attributes

Step 14. Configure the local IPsec tunnel pre-shared key or certificate trustpoint.

    asa(config-tunnel-ipsec)#ikev2 local-authentication {pre-shared-key pre-shared-key | certificate trustpoint}

Step 15. Configure the remote IPsec tunnel pre-shared key or certificate trustpoint.

    asa(config-tunnel-ipsec)#ikev2 remote-authentication {pre-shared-key pre-shared-key | certificate trustpoint}

Step 16. Create a crypto map entry and match traffic using the previously created ACL.

    asa(config)#crypto map map-name sequence-number match address acl-name

Step 17. Configure the peer IP address.

    asa(config)#crypto map map-name sequence-number set peer peer-ip-address

Step 18. Assign the previously created proposal.

    asa(config)#crypto map map-name sequence-number set ikev2 ipsec-proposal proposal-name

Step 19. Apply the crypto map to an interface.

    asa(config)#crypto map map-name interface interface-name
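Putting the two tables together, here is an added Python example (not code from the article or from Cisco) that parses the command forms shown above and audits the result. A constructed ASA configuration fragment is embedded in it, assembled from the steps of Tables 1 and 2 with a placeholder interface name, object names, addresses and pre-shared key. The script reports dangling references (a crypto map entry whose ACL, transform set, proposal or peer tunnel-group does not exist, an interface without the matching crypto ikev1/ikev2 enable, or a tunnel-group missing the IKEv1 or IKEv2 authentication lines), and it flags any use of des/3des/md5/null or a DH group with a modulus shorter than 2048 bits. The weak-algorithm list is my choice, not the article's, and the parser handles only the command forms that appear in the tables.

```python
# Constructed sample built from the command templates in Tables 1 and 2; placeholders throughout.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set L2L-SET esp-aes-256 esp-sha-hmac
crypto ikev2 policy 10
 encryption aes-256
 integrity sha-256
 group 14
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal L2L-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-1
access-list L2L-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
crypto map L2L-MAP 10 match address L2L-ACL
crypto map L2L-MAP 10 set peer 203.0.113.2
crypto map L2L-MAP 10 set ikev1 transform-set L2L-SET
crypto map L2L-MAP 10 set ikev2 ipsec-proposal L2L-PROP
crypto map L2L-MAP interface outside
"""
# Option-list keywords that should be avoided today, and MODP groups below 2048 bits.
WEAK_ALGS = {"des", "3des", "md5", "null", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "esp-none"}
WEAK_DH = {"1", "2", "5"}


def parse_asa_config(text):
    """Collect the crypto objects from the command forms used in the two tables."""
    cfg = {"ikev1_policy": {}, "ikev2_policy": {}, "transform_set": {}, "proposal": {},
           "acl": set(), "tunnel_group": {}, "tunnel_auth": {}, "crypto_map": {},
           "map_interface": {}, "enabled": {"ikev1": set(), "ikev2": set()}}
    context = None  # (section, name) of the mode entered by the last top-level command
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if raw[0].isspace():                       # sub-command of the current mode
            section, name = context
            if section == "tunnel_group":          # "ikev1 ..." / "ikev2 ..." auth lines
                cfg["tunnel_auth"].setdefault(name, set()).add(w[0])
            else:                                  # policy/proposal: "... keyword value"
                cfg[section][name][w[-2]] = w[-1]
            continue
        context = None
        if w[0] == "crypto" and w[1] in ("ikev1", "ikev2") and w[2] == "policy":
            context = (w[1] + "_policy", w[3])
            cfg[context[0]][w[3]] = {}
        elif w[0] == "crypto" and w[2] == "enable":
            cfg["enabled"][w[1]].add(w[3])
        elif w[:3] == ["crypto", "ipsec", "ikev1"]:
            cfg["transform_set"][w[4]] = {"encryption": w[5], "authentication": w[6]}
        elif w[:3] == ["crypto", "ipsec", "ikev2"]:
            context = ("proposal", w[4])
            cfg["proposal"][w[4]] = {}
        elif w[0] == "access-list":
            cfg["acl"].add(w[1])
        elif w[0] == "tunnel-group" and w[2] == "type":
            cfg["tunnel_group"][w[1]] = w[3]
        elif w[0] == "tunnel-group":               # ipsec-attributes mode
            context = ("tunnel_group", w[1])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_interface"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:           # entry keys: match, peer, ikev1, ikev2
            entry = cfg["crypto_map"].setdefault((w[2], w[3]), {})
            entry[w[4] if w[4] == "match" else w[5]] = w[-1]
    return cfg


def audit(cfg):
    """Return findings as strings; an empty list means the config is consistent."""
    findings = []
    for section in ("ikev1_policy", "ikev2_policy", "transform_set", "proposal"):
        for name, params in cfg[section].items():
            for k, v in params.items():
                if v in WEAK_ALGS or (k == "group" and v in WEAK_DH):
                    findings.append(f"{section} {name}: weak {k} {v}")
    for (name, seq), e in cfg["crypto_map"].items():
        tag, peer, iface = f"crypto map {name} {seq}", e.get("peer"), cfg["map_interface"].get(name)
        if e.get("match") not in cfg["acl"]:
            findings.append(f"{tag}: ACL {e.get('match')} is not defined")
        if cfg["tunnel_group"].get(peer) != "ipsec-l2l":
            findings.append(f"{tag}: no ipsec-l2l tunnel-group named after peer {peer}")
        for ver, section in (("ikev1", "transform_set"), ("ikev2", "proposal")):
            if ver not in e:
                continue
            if e[ver] not in cfg[section]:
                findings.append(f"{tag}: {section} {e[ver]} is not defined")
            if iface not in cfg["enabled"][ver]:
                findings.append(f"{tag}: {ver} is not enabled on interface {iface}")
            if ver not in cfg["tunnel_auth"].get(peer, set()):
                findings.append(f"{tag}: tunnel-group {peer} has no {ver} authentication")
    return findings
```

Running `audit(parse_asa_config(SAMPLE_CONFIG))` on the sample as written yields a single finding, the IKEv1 policy's DH group 2, which is also the default the table lists for Step 5; that is the practical reason to set the encryption, hash and group explicitly in every policy rather than relying on defaults, and to run a check like this against the configuration on both peers before bringing the tunnel up.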
