It

It's not that hard to configure a site-to-site IPsec VPN on a ASA , just need to know a few basic thinks.
Possible values of phase 1 attributes : ISAKMP Attributes: Attribute Encryption Possible Values DES 56-bit 3DES 168-bit AES 128-bit AES 192-bit AES 256-bit MD5 or SHA Preshared keys RSA signature DSA signature Group 1 768-bit field Group 2 1024-bit field Group 5 1536-bit field Group 7 ECC 163-bit field 1202,147,483,647 seconds Default Value 3DES 168-bit or DES 56-bit, if 3DES feature is not active
Hashing Authentication method
SHA Preshared keys
DH group
Group 2 1024-bit field
Lifetime
86,400 seconds
Possible values of phase 2 attributes: IPSec Attributes:
Attribute Encryption
Possible Values None DES 56-bit 3DES 168-bit AES 128-bit AES 192-bit AES 256-bit MD5, SHA or None 1202,147,483,647 seconds 102,147,483,647 KB Tunnel or transport
Default Values 3DES 168-bit or DES 56-bit, if 3DES feature is not active
Hashing Lifetime Mode
None 28800 seconds 4,608,000 KB Tunnel
Identity information Network protocol and/or port number No default parameter
Attribute PFS group
Possible Values None Group 1 768-bit DH prime modulus Group 2 1024-bit DH prime modulus Group 5 1536-bit DH prime modulus Group 7 ECC 163-bit field
Default Values None
Values that can be used in a transform set: Type Encryption Available Options esp-3des esp-aes esp-aes-192 esp-aes-256 esp-des esp-null esp-md5-hmac esp-sha-hmac esp-none Default Option esp-3DES, or esp-des if 3DES, feature is not active
Hashing
esp-none
After you decide on what values to use it's time to configure the devices in 7 easy steps( make sure that on both sides you have the same values) 1. Configure Interfaces 2. Configure ISAKMP policy 3. Configure transform-set 4. Configure ACL 5. Configure Tunnel group 6. Configure crypto map and attach to interface 7. Enable isakmp on interface To allow VPN traffic to bypass interface ACL : sysopt connection permit-vpn If you want to manage the remote device over vpn by default Cisco ASA does not allow access to the inside interface if the traffic is coming over the VPN tunnel , to enable use: management-access inside For bypassing NAT : SITE_A access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 SITE_B
access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 and on both sites nat (inside) 0 access-list nonat
A example between two cisco asa devices:
SITE_A 1. Configure Interfaces interface GigabitEthernet0/0 ip address 195.42.2.51 255.255.255.0 nameif outside no shutdown interface GigabitEthernet0/1 ip address 192.168.10.1 255.255.255.0 nameif inside no shutdown 2. Configure ISAKMP policy crypto isakmp policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 3. Configure transform-set crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 4. Configure ACL access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
5. Configure Tunnel group tunnel-group 195.42.1.50 type ipsec-l2l tunnel-group 195.42.1.50 ipsec-attributes pre-shared-key my_secret_key 6. Configure crypto map and attach to interface crypto map IPSec_map 10 match address encrypt_acl crypto map IPSec_map 10 set peer 195.42.1.50 crypto map IPSec_map 10 set transform-set myset crypto map IPSec_map interface outside crypto isakmp enable outside 7. Enable isakmp on interface crypto isakmp enable outside SITE_B 1. Configure Interfaces interface GigabitEthernet0/0 ip address 195.42.1.50 255.255.255.0 nameif outside no shutdown interface GigabitEthernet0/1 ip address 192.168.20.1 255.255.255.0 nameif inside no shutdown 2. Configure ISAKMP policy crypto isakmp policy 1 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 3. Configure transform-set crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 4. Configure ACL access-list encrypt_acl extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 5. Configure Tunnel group tunnel-group 195.42.2.51 type ipsec-l2l
tunnel-group 195.42.2.51 ipsec-attributes pre-shared-key my_secret_key 6. Configure crypto map and attach to interface crypto map IPSec_map 10 match address encrypt_acl crypto map IPSec_map 10 set peer 195.42.2.51 crypto map IPSec_map 10 set transform-set myset crypto map IPSec_map interface outside crypto isakmp enable outside 7. Enable isakmp on interface crypto isakmp enable outside If you want to monitor and troubleshoot you need to know this commands: Phase 1: If you see "There are no isakmp sas" that means that no packet has enter ASA with destination on the remote site) , to activate the tunnel just make sure that there is any traffic matching the ACL used on crypto map ,to test use ping. sh crypto isakmp sa detail Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 195.42.2.51 Type : L2L Role : responder Rekey : no State : MM_ACTIVE Encrypt : aes-256 Hash : SHA Auth : preshared Lifetime: 86400 Lifetime Remaining: 86375 Phase 2: sh crypto ipsec sa interface: outside Crypto map tag: IPSec_map, seq num: 10, local addr: 195.42.1.50 access-list encrypt_acl extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0) current_peer: 195.42.2.51 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2 #pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: 195.42.1.50, remote crypto endpt.: 195.42.2.51 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: A7969D50 current inbound spi : A5877F5E inbound esp sas: spi: 0xA5877F5E (2777120606) transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 45056, crypto-map: IPSec_map sa timing: remaining key lifetime (kB/sec): (4373999/28687) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000007 outbound esp sas: spi: 0xA7969D50 (2811665744) transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 45056, crypto-map: IPSec_map sa timing: remaining key lifetime (kB/sec): (4374000/28687) IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x00000000 0x00000001 If you still have trouble with the tunnel try debugging phase 1 and 2: debug crypto engine 127 debug crypto isakmp 127 debug crypto ipsesc 127

It

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

It

Transféré par

Droits d'auteur :

Formats disponibles

It's not that hard to configure a site-to-site IPsec VPN on a ASA , just need to know a few basic thinks.

Hashing Authentication method

SHA Preshared keys

Group 2 1024-bit field

Possible values of phase 2 attributes: IPSec Attributes:

Hashing Lifetime Mode

None 28800 seconds 4,608,000 KB Tunnel

Identity information Network protocol and/or port number No default parameter

Attribute PFS group

Default Values None

A example between two cisco asa devices:

Vous aimerez peut-être aussi