Site-to-Site IPSEC tunnel between Cisco ASA Firewalls

21-05-18 Muhammad Ali

Fig 1.1 – IPSEC tunnel

Configuration steps for creating site-to-site IPSEC tunnel between Cisco ASA firewalls

! Make sure routers are configured and traffic is being routed from FW1 public interface to FW2 public interface and vice versa.

FW1

! Add default route on FW1 to R1
route outside 0.0.0.0 0.0.0.0 192.168.1.1

! Enable Crypto on FW1
crypto isakmp enable outside

! Create phase 1 policy
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Create transform set
crypto ipsec transform-set VPN esp-aes-256 esp-sha-hmac

! Create network objects
object network Local_Subnet
 subnet 172.16.1.0 255.255.255.0
object network Remote_Subnet
 subnet 172.16.2.0 255.255.255.0

! Create access list
access-list IPSEC_TUNNEL extended permit ip object Local_Subnet object Remote_Subnet

! Create tunnel-group
tunnel-group 192.168.1.6 type ipsec-l2l

! Create pre-shared key
tunnel-group 192.168.1.6 ipsec-attributes
 pre-shared-key cisco

! Match access-list to define encryption subnets
crypto map VPN 1 match address IPSEC_TUNNEL

! Set remote peer (IP address of remote firewall)
crypto map VPN 1 set peer 192.168.1.6

! Map transform set already created
crypto map VPN 1 set transform-set VPN

! Enable crypto on outside interface
crypto map VPN interface outside

====================================================================================

FW2

! Add default route on FW2 to R2
route outside 0.0.0.0 0.0.0.0 192.168.1.5

! Enable Crypto on FW2
crypto isakmp enable outside

! Create phase 1 policy
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Create transform set
crypto ipsec transform-set VPN esp-aes-256 esp-sha-hmac

! Create network objects
object network Local_Subnet
 subnet 172.16.2.0 255.255.255.0
object network Remote_Subnet
 subnet 172.16.1.0 255.255.255.0

! Create access list
access-list IPSEC_TUNNEL extended permit ip object Local_Subnet object Remote_Subnet

! Create tunnel-group
tunnel-group 192.168.1.2 type ipsec-l2l

! Create pre-shared key
tunnel-group 192.168.1.2 ipsec-attributes
 pre-shared-key cisco

! Match access-list to define encryption subnets
crypto map VPN 1 match address IPSEC_TUNNEL

! Set remote peer (IP address of remote firewall)
crypto map VPN 1 set peer 192.168.1.2

! Map transform set already created
crypto map VPN 1 set transform-set VPN

! Enable crypto on outside interface
crypto map VPN interface outside

=====================================================================================

Verify whether the tunnel is up

Check phase-1 on FW1

FW1#sh crypto isakmp sa

There are no IKEv1 SAs
There are no IKEv2 SAs

Create interesting traffic to bring the tunnel up

Ping from PC1 to PC2

PC1> ping 172.16.2.10
172.16.2.10 icmp_seq=1 timeout
172.16.2.10 icmp_seq=2 timeout
84 bytes from 172.16.2.10 icmp_seq=3 ttl=64 time=423.125 ms
84 bytes from 172.16.2.10 icmp_seq=4 ttl=64 time=91.242 ms
84 bytes from 172.16.2.10 icmp_seq=5 ttl=64 time=53.141 ms

After the initial timeouts the traffic goes through; the delay is the tunnel being negotiated on the first interesting packet.

Check Phase-1

FW1#sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.6
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Check Phase-2

FW1# sh crypto ipsec sa

interface: outside
    Crypto map tag: VPN, seq num: 1, local addr: 192.168.1.2

      access-list IPSEC_TUNNEL extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
      current_peer: 192.168.1.6

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 192.168.1.6/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 464AD860
      current inbound spi : C1A36D54

Repeat the same status checks on FW2.
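If either check stays empty, the usual cause is that the two sides do not mirror each other: a different phase-1 policy, transform set or pre-shared key, a peer address that is not the other side's outside interface, or Local_Subnet/Remote_Subnet copied instead of swapped. The following Python script is an added example and not part of the original post: it renders both sides from the values used in the walkthrough and reports which of those fields disagree. The build_asa_vpn_cfg helper and the outside addresses 192.168.1.2 and 192.168.1.6 are assumptions taken from the topology above.

```python
import re

def build_asa_vpn_cfg(local, remote, peer, psk="cisco", enc="aes-256"):
    """Render one firewall's VPN commands as used in the walkthrough (constructed sample)."""
    return "\n".join([
        "crypto isakmp policy 1", " authentication pre-share", f" encryption {enc}",
        " hash sha", " group 2", " lifetime 86400",
        f"crypto ipsec transform-set VPN esp-{enc} esp-sha-hmac",
        "object network Local_Subnet", f" subnet {local}",
        "object network Remote_Subnet", f" subnet {remote}",
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} ipsec-attributes", f" pre-shared-key {psk}",
        f"crypto map VPN 1 set peer {peer}",
    ]) + "\n"

def parse_vpn(cfg):
    """Extract the fields that must agree between the two peers."""
    p = {}
    # phase-1 policy sub-commands, in the order they appear
    p["policy"] = re.findall(r"^ (authentication|encryption|hash|group|lifetime) (\S+)", cfg, re.M)
    m = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)
    p["transform"] = m.group(1) if m else None       # phase-2 proposal
    for name, net in re.findall(r"^object network (\S+)\n subnet (\S+ \S+)", cfg, re.M):
        p[name] = net                                # Local_Subnet / Remote_Subnet
    m = re.search(r"^ pre-shared-key (\S+)", cfg, re.M)
    p["psk"] = m.group(1) if m else None
    m = re.search(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M)
    p["peer"] = m.group(1) if m else None
    return p

def mirror_mismatches(fw1_cfg, fw1_outside, fw2_cfg, fw2_outside):
    """Return the names of the fields that would stop phase 1 or phase 2 from completing."""
    a, b = parse_vpn(fw1_cfg), parse_vpn(fw2_cfg)
    checks = [
        ("phase-1 policy", a["policy"] == b["policy"]),
        ("transform-set", a["transform"] == b["transform"]),
        ("pre-shared-key", a["psk"] == b["psk"]),
        # each side's peer must be the other side's outside address
        ("peer addresses", a["peer"] == fw2_outside and b["peer"] == fw1_outside),
        # the crypto ACL subnets must be swapped between the sides, not copied
        ("crypto ACL subnets", a.get("Local_Subnet") == b.get("Remote_Subnet")
         and a.get("Remote_Subnet") == b.get("Local_Subnet")),
    ]
    return [name for name, ok in checks if not ok]

if __name__ == "__main__":
    fw1 = build_asa_vpn_cfg("172.16.1.0 255.255.255.0", "172.16.2.0 255.255.255.0", "192.168.1.6")
    fw2 = build_asa_vpn_cfg("172.16.2.0 255.255.255.0", "172.16.1.0 255.255.255.0", "192.168.1.2")
    print(mirror_mismatches(fw1, "192.168.1.2", fw2, "192.168.1.6") or "configs mirror each other")
```

To check real devices, paste the output of `show running-config` from each ASA into parse_vpn in place of the rendered samples; the regexes only look at the lines the walkthrough configures.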
