How to configure IPsec VPN on Cisco ASA Firewall?


IPsec (Internet Protocol Security) is a set of protocols developed by the Internet Engineering Task Force (IETF). It is a framework that protects IP traffic at the network layer. Why is that needed? Because the IP protocol itself has no security features at all. IPsec allows two or more hosts to communicate securely by authenticating and encrypting each IP packet of a communication session.

In a previous post we configured an IPsec VPN between routers; in this lab we configure the same site-to-site VPN on ASA firewalls. I'm using Cisco Adaptive Security Appliance Software Version 8.4(2). If you are running an older version, some of the commands differ, for example ikev1 used to be isakmp. I'm assuming you follow our blogs and are familiar with IKE; if not, read our earlier IKE post first.

IKE (Internet Key Exchange) Phase 1 

The main reason for IKE Phase 1 is to establish security for IKE Phase 2 (IPsec). Let's understand Phase 1 in steps.

Step 1: Negotiation

The peer that has traffic it wants to protect initiates the IKE Phase 1 negotiation. The peers negotiate the following:

  • Hashing: the peers agree on a hashing algorithm, MD5 or SHA, to verify integrity.
  • Authentication: each peer must prove its identity to the other, using a pre-shared key or a digital certificate.
  • DH (Diffie-Hellman) group: the DH group determines how strong the key is and how it is used in the key exchange. A higher group number is more secure but takes longer to compute.
  • Lifetime: how long the IKE Phase 1 tunnel stays up. A shorter lifetime is more secure, because rebuilding the tunnel also means new keying material. Each vendor uses a different default; a common default is 86400 seconds (1 day).
  • Encryption: the algorithm used for encryption: DES, 3DES, or AES.



An extended access-list can evaluate many of the fields in the layer 3 and layer 4 headers of an IP packet: source IP, destination IP, source port, and destination port, and it states which IP traffic is permitted or denied. This gives the extended access list the ability to make much more granular decisions when controlling traffic. Numbered extended ACLs use the ranges 100-199 and 2000-2699. (It is very important to use an extended ACL with an IPsec VPN: the access-list tells the router or ASA which traffic to encrypt.)

crypto isakmp enable: this command enables IKE for IPsec. IKE is enabled by default, but if it has been disabled you must re-enable it with this command. IKE is also called ISAKMP. It is a negotiation protocol that allows two hosts to agree on how to build an IPsec security association. IKE separates the negotiation into two phases: Phase 1 creates the first tunnel, and Phase 2 creates the tunnel that protects the data.

crypto isakmp policy: ISAKMP stands for Internet Security Association and Key Management Protocol. We need to create an ISAKMP policy for the IKE Phase 1 negotiation and define the authentication, encryption, and hash function that are used between the VPN endpoints.


ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults


The crypto isakmp key is a pre-shared key; it is used for the pre-share authentication method in the IKE policy. We must configure a key on each site's device, and the same key must be configured on the other endpoint of the VPN. The pre-shared keys must match for authentication to succeed.

crypto ipsec transform-set: a transform set is a combination of a security protocol and algorithms that together form the Phase 2 security policy. Here we choose the encapsulation protocol, ESP or AH; the encryption algorithm, DES, 3DES, or AES; and the hashing algorithm, MD5, SHA1, or SHA2.

R1(config)#crypto ipsec transform-set INTERNETWORKS ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R1(config)#crypto ipsec transform-set INTERNETWORKS COMp-lzs ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-seal      ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac  ESP transform using HMAC-SHA auth
  <cr>

A crypto map ties together the ACL configured earlier, the peer, and the other IKE and IPsec settings. You have to set the peer, and the map is applied to the interface that points toward the IPsec peer.

Topology: - we need to encrypt the traffic from 10.0.0.0/8 going to 20.0.0.0/8 and vice versa





Goal: -

  • configure the topology as per the diagram
  • configure the IP addresses as per the topology
  • configure gig0 as outside on ASA 1 and gig1 as outside on ASA 2
  • configure Fa0/0 as inside on both ASAs
  • configure the default route on both ASA firewalls
  • verify connectivity with ping
  • define the traffic we want to encrypt, from 10.0.0.0/8 to 20.0.0.0/8 and vice versa, on both ASAs using an extended ACL named IP-TRAFFIC
  • configure IKEv1 Phase 1 on both ASAs
  • configure Phase 2 on both ASAs
  • make sure traffic is encrypted by the IPsec VPN.


(Video walkthrough: https://youtu.be/5_sfxQGPlg0?si=m_U0lIk10dpXSG-O)



{ASA site 1}

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.0.0.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# end

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.1     YES manual up                    up
GigabitEthernet1           10.1.1.1        YES manual up                    up


{ASA site 2}

ciscoasa(config)# interface gigabitEthernet 1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 192.168.2.1 255.255.255.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit

ciscoasa(config)# interface gigabitEthernet 0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 20.1.1.1 255.0.0.0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# end

ciscoasa# show interface ip brief
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           20.1.1.1        YES manual up                    up
GigabitEthernet1           192.168.2.1     YES manual up                    up


{ASA site 1}

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.2

{ASA site 2}

ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.168.2.2


{ASA site 1}


ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

C    10.0.0.0 255.0.0.0 is directly connected, inside
C    192.168.1.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.2, outside


{ASA site 2}


ciscoasa# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.2.2 to network 0.0.0.0

C    20.0.0.0 255.0.0.0 is directly connected, inside
C    192.168.2.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.2.2, outside



PC1> show ip

NAME        : PC1[1]
IP/MASK     : 10.1.1.10/8
GATEWAY     : 10.1.1.1
DNS         :
MAC         : 00:50:79:66:68:00
LPORT       : 10008
RHOST:PORT  : 127.0.0.1:10009
MTU:        : 1500

PC2> show ip

NAME        : PC2[1]
IP/MASK     : 20.1.1.10/8
GATEWAY     : 20.1.1.1
DNS         :
MAC         : 00:50:79:66:68:01
LPORT       : 10010
RHOST:PORT  : 127.0.0.1:10011
MTU:        : 1500


ciscoasa# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
 
ciscoasa# ping 20.1.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.10, timeout is 2 seconds:
!!!!!

{ASA site 1 and 2}



ciscoasa(config)# access-list IP-TRAFFIC extended permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0

ciscoasa(config)# access-list IP-TRAFFIC extended permit ip 20.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0



ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 8.4(2)


{ASA site 1}


ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# exit

{ASA site 2}


ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# exit


{ASA site 1 and 2}



ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto isakmp identity address

ciscoasa(config)# crypto ikev1 enable outside
ciscoasa(config)# crypto isakmp identity address

{ASA site 1}



ciscoasa(config)# tunnel-group 192.168.2.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 192.168.2.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key INTERNETWORKS
ciscoasa(config-tunnel-ipsec)#exit

{ASA site 2}


ciscoasa(config)# tunnel-group 192.168.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 192.168.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key INTERNETWORKS
ciscoasa(config-tunnel-ipsec)# exit



{ASA site 1}


ciscoasa(config)# crypto ipsec ikev1 transform-set TRANSFORM-SET esp-aes esp-sha-hmac
ciscoasa(config)# crypto map CRYPTO-MAP 1 match address IP-TRAFFIC
ciscoasa(config)# crypto map CRYPTO-MAP 1 set peer 192.168.2.1
ciscoasa(config)# crypto map CRYPTO-MAP 1 set ikev1 transform-set TRANSFORM-SET
ciscoasa(config)# crypto map CRYPTO-MAP interface outside

{ASA site 2}


ciscoasa(config)# crypto ipsec ikev1 transform-set TRANSFORM-SET esp-aes esp-sha-hmac
ciscoasa(config)# crypto map CRYPTO-MAP 1 match address IP-TRAFFIC
ciscoasa(config)# crypto map CRYPTO-MAP 1 set peer 192.168.1.1
ciscoasa(config)# crypto map CRYPTO-MAP 1 set ikev1 transform-set TRANSFORM-SET
ciscoasa(config)# crypto map CRYPTO-MAP interface outside
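
As an added check (example code written for this post, not part of the lab or of Cisco's tooling): the most common reason a site-to-site tunnel never comes up is that the two ASAs disagree on one of the values above. This Python script pulls the Phase 1 policy, pre-shared key, transform set, crypto ACL and peer out of two constructed config fragments built from the lab's values (site 2 is derived by swapping the peer address) and reports every mismatch, including a tunnel-group name that differs from the crypto map peer and a crypto ACL entry that is not mirrored on the other side.

```python
import re

# Constructed 'show run' fragments built from the lab's own values (example data,
# not captured from the ASAs on the page); paste each side's real output here.
SITE1 = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 5
access-list IP-TRAFFIC extended permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
access-list IP-TRAFFIC extended permit ip 20.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
tunnel-group 192.168.2.1 ipsec-attributes
 ikev1 pre-shared-key INTERNETWORKS
crypto ipsec ikev1 transform-set TRANSFORM-SET esp-aes esp-sha-hmac
crypto map CRYPTO-MAP 1 set peer 192.168.2.1
"""
# Site 2 is the mirror image: same policy, key, transform set and ACL, peer swapped.
SITE2 = SITE1.replace("192.168.2.1", "192.168.1.1")

def parse(cfg):
    """Pull out the fields that must agree between the two peers."""
    s = {"policy": {}, "acl": [], "tg": None, "psk": None, "ts": None, "peer": None}
    for line in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)", line):
            s["policy"][m[1]] = m[2]
        elif m := re.match(r"access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)", line):
            s["acl"].append((m[1], m[2]))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            s["tg"] = m[1]
        elif m := re.match(r"ikev1 pre-shared-key (\S+)", line):
            s["psk"] = m[1]
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line):
            s["ts"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            s["peer"] = m[1]
    return s

def check(a, b):
    """List every mismatch between two peers' configs; an empty list means consistent."""
    errs = [f"ikev1 policy {k} differs" for k in set(a["policy"]) | set(b["policy"])
            if a["policy"].get(k) != b["policy"].get(k)]
    errs += [f"{label} differ" for key, label in (("psk", "pre-shared keys"), ("ts", "transform sets"))
             if a[key] != b[key]]
    # the tunnel-group name must equal the crypto map peer, or the PSK is never looked up
    errs += [f"tunnel-group {s['tg']} != peer {s['peer']}" for s in (a, b) if s["tg"] != s["peer"]]
    # each crypto ACL entry needs its mirror (src/dst swapped) on the other peer
    mirror = {(dst, src) for src, dst in b["acl"]}
    errs += [f"ACL {e} has no mirror on the other peer" for e in a["acl"] if e not in mirror]
    return errs
```

Run it with `print(check(parse(SITE1), parse(SITE2)))`; an empty list means both sides agree on everything that Phase 1 and Phase 2 will negotiate.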


PC1> ping 20.1.1.10
84 bytes from 20.1.1.10 icmp_seq=1 ttl=64 time=32.131 ms
84 bytes from 20.1.1.10 icmp_seq=2 ttl=64 time=31.610 ms
84 bytes from 20.1.1.10 icmp_seq=3 ttl=64 time=34.764 ms
84 bytes from 20.1.1.10 icmp_seq=4 ttl=64 time=63.130 ms
84 bytes from 20.1.1.10 icmp_seq=5 ttl=64 time=31.747 ms


PC2> ping 10.1.1.10
84 bytes from 10.1.1.10 icmp_seq=1 ttl=64 time=32.587 ms
84 bytes from 10.1.1.10 icmp_seq=2 ttl=64 time=31.857 ms
84 bytes from 10.1.1.10 icmp_seq=3 ttl=64 time=32.332 ms
84 bytes from 10.1.1.10 icmp_seq=4 ttl=64 time=47.037 ms
84 bytes from 10.1.1.10 icmp_seq=5 ttl=64 time=32.316 ms



ciscoasa# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs



ciscoasa# show  crypto ipsec sa
interface: outside
    Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.1.1

      access-list IP-TRAFFIC extended permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (20.0.0.0/255.0.0.0/0/0)
      current_peer: 192.168.2.1

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 19, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1/0, remote crypto endpt.: 192.168.2.1/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 18ACCBA3
      current inbound spi : 55367239

    inbound esp sas:
      spi: 0x55367239 (1429631545)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (3914998/28714)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000FFFF
    outbound esp sas:
      spi: 0x18ACCBA3 (413977507)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: CRYPTO-MAP
         sa timing: remaining key lifetime (kB/sec): (3914998/28714)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
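
As an added example (not from the original post), a Python parser over a constructed excerpt of the `show crypto ipsec sa` output above that turns the counters and SA details into the checks that matter in practice: nothing encapsulated means the crypto ACL is not matching, encapsulated but nothing decapsulated means the return traffic is not coming back, and each ESP SA should use the configured transform set with anti-replay enabled.

```python
import re

# Constructed excerpt in the layout of ASA 8.4 'show crypto ipsec sa', using the
# lab's counters and SPIs (example data, not captured from the device on the page).
SA_OUTPUT = """\
      current_peer: 192.168.2.1

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x55367239 (1429631545)
         transform: esp-aes esp-sha-hmac no compression
         replay detection support: Y
    outbound esp sas:
      spi: 0x18ACCBA3 (413977507)
         transform: esp-aes esp-sha-hmac no compression
         replay detection support: Y
"""

def parse_sa(text):
    """Pull peer, packet counters and per-direction ESP SA details out of the output."""
    counters = {k: int(v) for k, v in re.findall(r"#(pkts \w+|\w+ errors): (\d+)", text)}
    sas = {}
    for direction, body in re.findall(r"(inbound|outbound) esp sas:\n(.*?)(?=\n    \w|\Z)", text, re.S):
        sas[direction] = {
            "spi": re.search(r"spi: (0x[0-9A-Fa-f]+)", body)[1],
            "transform": re.search(r"transform: (.+)", body)[1].strip(),
            "replay": re.search(r"replay detection support: (\w)", body)[1] == "Y",
        }
    return {"peer": re.search(r"current_peer: (\S+)", text)[1], "counters": counters, "sas": sas}

def tunnel_issues(sa, expected_transform):
    """Findings a practitioner would act on; an empty list means the tunnel looks healthy."""
    c, issues = sa["counters"], []
    if c.get("pkts encaps", 0) == 0:
        issues.append("nothing encapsulated: interesting traffic is not matching the crypto ACL")
    elif c.get("pkts decaps", 0) == 0:
        issues.append("encapsulating but nothing decapsulated: check the return path and the peer's ACL")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        issues.append("send/recv errors present on the SA")
    for direction in ("inbound", "outbound"):
        d = sa["sas"].get(direction)
        if d is None:
            issues.append(f"no {direction} ESP SA: phase 2 did not complete")
        elif not d["transform"].startswith(expected_transform):
            issues.append(f"{direction} SA uses '{d['transform']}', expected '{expected_transform}'")
        elif not d["replay"]:
            issues.append(f"{direction} SA has anti-replay disabled")
    return issues
```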


ciscoasa# show vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :      1 :          1 :           1
  IKEv1 IPsec                :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                        :      1 :          1 :               1
IPsec                        :      1 :          1 :               1
---------------------------------------------------------------------------
Totals                       :      2 :          2
---------------------------------------------------------------------------

ciscoasa#







Internetworks

Author & Editor

I am a CCIE Technical Instructor/Network Consultant. I have experience ranging from operating and maintaining PCs and peripherals to network control programs for multi-faceted data communication networks in LAN, MAN, and WAN environments.
