Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall.
IKEv2 provides a number of benefits over its predecessor IKEv1, such as support for asymmetric authentication methods, greater protection against IKE DoS attacks, vendor interoperability for DPD/NAT-T, and less overhead (fewer messages) during SA establishment.
NAT Exemption
First of all we create our NAT exemption. This ensures that traffic is not NATed before being sent down the tunnel.
object-group network REMOTE-ENCDOM
network-object <REMOTE ENCDOM> 255.255.255.0
object-group network LOCAL-ENCDOM
network-object <LOCAL ENCDOM> 255.255.255.0
nat (inside,outside) 1 source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM
Encryption Domain
Next, we define our endpoints, i.e. what we want to encrypt. Note: the previously created object groups are used to define the local and remote endpoints.
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
Phase 1 Proposal
We then define our Phase 1 proposals. You may have spotted that multiple ciphers are defined for each "method". This is because IKEv2 sends a single proposal containing multiple ciphers, whereas IKEv1 sends multiple proposals.
crypto ikev2 enable outside
crypto ikev2 policy 10
encryption 3des des
integrity sha md5
group 5
prf sha
lifetime seconds 86400
Phase 2 Proposal
Next, the Phase 2 proposals are configured.
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
protocol esp encryption aes
protocol esp integrity sha-1
Tunnel Group
At this point, the tunnel group is created. Just like IKEv1 the preshared key is defined. However, IKEv2 allows you to use different authentication methods for both local and remote authentication.
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
ikev2 local-authentication pre-shared-key <PRESHARED KEY>
Crypto Map
Finally the crypto map is configured. This combines the previously created encryption domain, the remote peer, and the Phase 2 proposal into a single crypto map entry. The crypto map is then assigned to the outside interface.
crypto map CRYPTOMAP 100 match address ENCDOM100
crypto map CRYPTOMAP 100 set peer <REMOTE PEER IP>
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
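The steps above produce a configuration whose pieces must reference each other correctly (the crypto map must point at an existing ACL, proposal, peer and tunnel-group, and the interface it is bound to must have IKEv2 enabled), and the Phase 1 policy decides how strong the tunnel actually is. The following Python linter is an added example, not part of the original article or of Cisco's tooling: it parses ASA-style config text into those elements and reports dangling references and weak algorithm choices. The sample config is constructed from the article's own commands with the placeholders filled using documentation addresses (10.1.0.0/24, 10.2.0.0/24, 203.0.113.1); the weak-algorithm sets and the hardened variant (aes-256, sha256, group 14) are the author's assumptions about what a reviewer would want flagged, not anything the page states.

```python
"""Lint an ASA IKEv2 site-to-site VPN configuration (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed sample: the article's commands with placeholders filled using
# RFC 1918 / RFC 5737 documentation addresses. Not a real device config.
SAMPLE_CONFIG = """\
object-group network REMOTE-ENCDOM
 network-object 10.2.0.0 255.255.255.0
object-group network LOCAL-ENCDOM
 network-object 10.1.0.0 255.255.255.0
nat (inside,outside) 1 source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption 3des des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
 protocol esp encryption aes
 protocol esp integrity sha-1
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
 ikev2 local-authentication pre-shared-key <PRESHARED KEY>
crypto map CRYPTOMAP 100 match address ENCDOM100
crypto map CRYPTOMAP 100 set peer 203.0.113.1
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface outside
"""

# Assumed reviewer thresholds: DES/3DES and MD5 are deprecated, and MODP groups
# 1/2/5 (768/1024/1536-bit) fall below current key-size guidance.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}

# Same sample with the Phase 1 policy hardened (constructed for comparison).
HARDENED_CONFIG = (SAMPLE_CONFIG.replace(" encryption 3des des", " encryption aes-256")
                   .replace(" integrity sha md5", " integrity sha256")
                   .replace(" group 5", " group 14"))


def parse_config(text):
    """Collect the config elements the checks need; indented lines attach to the current block."""
    cfg = {"ikev2_enabled": set(), "policies": {}, "proposals": {}, "acls": set(),
           "tunnel_groups": {}, "maps": defaultdict(dict), "map_interfaces": {}}
    block = None  # (kind, name) of the block that subcommands attach to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        words = line.split()
        if block:  # try to attach a subcommand to the open block
            kind, name = block
            if kind == "policy" and words[0] in ("encryption", "integrity", "group", "prf"):
                cfg["policies"][name][words[0]] = words[1:]
                continue
            if kind == "proposal" and words[:2] == ["protocol", "esp"]:
                cfg["proposals"][name][words[2]] = words[3:]
                continue
            if kind == "tg" and words[0] == "ikev2":
                cfg["tunnel_groups"][name].add(words[1])
                continue
            block = None  # any other line is top-level and closes the block
        if m := re.match(r"crypto ikev2 enable (\S+)", line):
            cfg["ikev2_enabled"].add(m.group(1))
        elif m := re.match(r"crypto ikev2 policy (\d+)", line):
            block = ("policy", m.group(1))
            cfg["policies"][m.group(1)] = {}
        elif m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            block = ("proposal", m.group(1))
            cfg["proposals"][m.group(1)] = {}
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            block = ("tg", m.group(1))
            cfg["tunnel_groups"].setdefault(m.group(1), set())
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["map_interfaces"][m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)", line):
            cfg["maps"][(m.group(1), m.group(2))][m.group(3)] = m.group(4)
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    for num, pol in cfg["policies"].items():
        findings += [f"ikev2 policy {num}: weak encryption '{a}' offered" for a in pol.get("encryption", []) if a in WEAK_ENCRYPTION]
        findings += [f"ikev2 policy {num}: weak integrity '{a}' offered" for a in pol.get("integrity", []) if a in WEAK_INTEGRITY]
        findings += [f"ikev2 policy {num}: weak DH group {g} offered" for g in pol.get("group", []) if g in WEAK_DH_GROUPS]
    for (name, seq), entry in cfg["maps"].items():
        if entry.get("match address") not in cfg["acls"]:
            findings.append(f"crypto map {name} {seq}: ACL '{entry.get('match address')}' not defined")
        if entry.get("set ikev2 ipsec-proposal") not in cfg["proposals"]:
            findings.append(f"crypto map {name} {seq}: ipsec-proposal '{entry.get('set ikev2 ipsec-proposal')}' not defined")
        peer = entry.get("set peer")
        if peer is None:
            findings.append(f"crypto map {name} {seq}: no peer set")
        elif {"remote-authentication", "local-authentication"} - cfg["tunnel_groups"].get(peer, set()):
            findings.append(f"crypto map {name} {seq}: tunnel-group {peer} lacks ikev2 local/remote authentication")
        iface = cfg["map_interfaces"].get(name)
        if iface is None:
            findings.append(f"crypto map {name}: not bound to an interface")
        elif iface not in cfg["ikev2_enabled"]:
            findings.append(f"crypto map {name}: IKEv2 not enabled on interface {iface}")
    return findings


if __name__ == "__main__":
    for label, text in (("article config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        print(f"{label}: {lint(text) or ['no findings']}")
```

Run against the article's own Phase 1 policy the linter reports the 3DES, DES, MD5 and group 5 choices; the hardened variant passes cleanly. Dropping the `crypto map CRYPTOMAP interface outside` line, a common omission, surfaces as "not bound to an interface", which is the kind of mistake the debug output in the next section would otherwise leave you chasing.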
Debug / Show Commands
Here are the most common debug and show commands:
- debug crypto ikev2 platform 5 - debug phase 1 (ISAKMP SAs)
- debug crypto ikev2 protocol 5 - debug phase 1 (ISAKMP SAs)
- debug crypto ipsec - debug phase 2 (IPSEC SAs)
- show crypto ikev2 sa - show phase 1 SAs
- show crypto ipsec sa - show phase 2 SAs