Configure IKEv1 Site to Site VPN between Cisco ASAs

710

Cisco ASA IPSEC IKEv1 VPN

 

Step 1: Configure Phase 1 and Phase 2 In ASA of both sides

Phase 1: IKE policy

In Phase 1, single bi-directional SA (Security Association) is created between VPN peers and is a control channel for Phase-1 keepalives, DH-Key Calculation and Phase-2 SA creation and rekey.

ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400

ciscoasa(config)# crypto ikev1 enable outside

Use this command to view the phase 1 policies configured in Cisco ASA firewall.

ciscoasa#show run crypto isakmp

Phase 2: IPSec proposal

Two unidirectional Security Associations are created for each pair of security identities, which encrypt or decrypt traffic.

ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

Use this command to view the phase 2 policies configured in Cisco ASA firewall.

ciscoasa# show run crypto ipsec

 

Step 2: Configure In ASA of India network

Network Objects and ACL

ciscoasa(config)# object-group network india_network
ciscoasa(config-network-object)#  network-object 10.10.10.0 255.255.255.0

ciscoasa(config)# object-group network singapore_network
ciscoasa(config-network-object)#  network-object 192.168.1.0 255.255.255.0

ciscoasa(config)# nat (inside,outside) source static india_network india_network destination static singapore_network singapore_network
ciscoasa(config)# access-list ind_sin_acl extended permit ip object-group india_network object-group singapore_network

Cryptomap

ciscoasa(config)# crypto map outside_map 5 match address ind_sin_acl
ciscoasa(config)# crypto map outside_map 5 set peer 2.2.2.2
ciscoasa(config)# crypto map outside_map 5 set ikev1 transform-set ESP-3DES-MD5

ciscoasa(config)# crypto map outside_map interface outside

Optional

When pfs is enabled, default is group2.

ciscoasa(config)# crypto map outside_map 5 set pfs group2

Defaults

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Use this command to view the crypto map configured in Cisco ASA firewall.

ciscoasa# show run crypto map

 

Group Policy and Tunnel Interface

Create a Group policy for ikev1 vpn protocol and assign to tunnel interface.

ciscoasa(config)# group-policy GrpPolicy-2.2.2.2 internal
ciscoasa(config)# group-policy GrpPolicy-2.2.2.2 attributes
ciscoasa(config)#  vpn-tunnel-protocol ikev1

ciscoasa(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)#  ikev1 pre-shared-key cisco
ciscoasa(config)# tunnel-group 2.2.2.2 general-attributes
ciscoasa(config)# default-group-policy GrpPolicy-2.2.2.2

 

Use this command to view the group policy and tunnel interfaces configured in Cisco ASA firewall.

ciscoasa# show run all group-policy GrpPolicy-2.2.2.2

ciscoasa# show run all tunnel-group 2.2.2.2

 

Step 3: In ASA of Singapore network

object-group network india_network
network-object 10.10.10.0 255.255.255.0

object-group network singapore_network
network-object 192.168.1.0 255.255.255.0

nat (inside,outside) source static singapore_network singapore_network destination static india_network india_network
access-list sin_ind_acl extended permit ip object-group singapore_network object-group india_network

crypto map outside_map 1 match address ind_sin_acl
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map interface outside

group-policy GrpPolicy-1.1.1.1 internal
group-policy GrpPolicy-1.1.1.1 attributes
vpn-tunnel-protocol ikev1

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
tunnel-group 1.1.1.1 general-attributes
default-group-policy GrpPolicy-1.1.1.1

· ·


Related Articles & Comments

Thank you for visiting us. To continue receiving updates, please Subscribe to our Social Media Channels.

Google+
FACEBOOK
RSS
YOUTUBE
Menu Title
%d bloggers like this: