Cisco ASA Site-to-Site IKEv1 IPsec VPN

Site-to-site IPsec VPNs are used to “bridge” two distant LANs together over the Internet. Normally on the LAN we use private addresses so without tunneling, the two LANs would be unable to communicate with each other.

In this lesson you will learn how to configure IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs together.

Configuration

We will use the following topology for this example:

[Topology diagram: ASA1 and ASA2 connected over the OUTSIDE network, with R1 behind ASA1 and R2 behind ASA2, IPsec site-to-site VPN]

ASA1 and ASA2 are connected with each other using their Ethernet 0/1 interfaces. This is the “OUTSIDE” security zone so imagine that this is their Internet connection. Each ASA has an Ethernet 0/0 interface which is connected to the “INSIDE” security zone. R1 is in network 192.168.1.0 /24 while R2 is in 192.168.2.0 /24. The goal is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.

Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs exchange keying material, authenticate each other and negotiate the IKE security policy. This is what happens in phase 1:

  • Authenticate and protect the identities of the IPsec peers.
  • Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
  • Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
  • Setup a secure tunnel for IKE phase 2.

Here’s what the configuration looks like on ASA1:

ASA1(config)# crypto ikev1 policy 10 
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

Let me break down this configuration for you:

  • The IKEv1 policy starts with a priority number; I picked number 10. The lower the number, the higher the priority. This matters when you have multiple policies for different peers.
  • We use a pre-shared key for authentication.
  • Encryption is done with AES.
  • SHA is used for hashing.
  • We use Diffie-Hellman group 2 for the secret key exchange.
  • The security association lifetime is 3600 seconds; once it expires, we renegotiate.

If you use any ASA version before 8.4, the keyword “ikev1” has to be replaced with “isakmp”.

The IKEv1 policy is configured but we still have to enable it:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address 

The first command enables our IKEv1 policy on the OUTSIDE interface and the second command is used so the ASA identifies itself with its IP address, not its FQDN (Fully Qualified Domain Name).

We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l

The IP address above is the IP address of the OUTSIDE interface on ASA2. The type “ipsec-l2l” means lan-to-lan. Let’s configure the pre-shared key now:

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The pre-shared key is configured as an attribute for the remote peer. I’ll use “MY_SHARED_KEY” as the pre-shared key between the two ASA firewalls. This takes care of the phase 1 configuration on ASA1; we’ll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share 
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config)# crypto ikev1 enable outside
ASA2(config)# crypto isakmp identity address 
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes 
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY
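Both ends must agree on the authentication, encryption, hash and DH group attributes of a phase 1 policy, while lifetime is negotiated down to the smaller value. The following added example (not part of the original lesson) parses the two crypto ikev1 policy blocks and reports whether a proposal would be accepted; the sample configs are constructed, with ASA2 deliberately set to group 5 to reproduce the “No proposal chosen” mismatch one of the forum replies below describes.

```python
import re

# Constructed sample configs (not from the page). ASA2 was changed to DH group 5,
# the mismatch a forum reply below reports as "No proposal chosen".
ASA1_CFG = """crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
"""
ASA2_CFG = """crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""
# Attributes that must agree exactly; lifetime is negotiated down, so it is skipped.
ATTRS = ("authentication", "encryption", "hash", "group")

def parse_ikev1_policies(cfg):
    """Return {priority: {attr: value}} for every 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto ikev1 policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s+(\S+)\s+(\S+)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies

def find_matching_policy(local_cfg, remote_cfg):
    """Mimic the initiator: offer local policies lowest number first and return
    (local_prio, remote_prio) of the first one the peer accepts, else None."""
    local, remote = parse_ikev1_policies(local_cfg), parse_ikev1_policies(remote_cfg)
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp].get(a) == remote[rp].get(a) for a in ATTRS):
                return lp, rp
    return None  # peer would answer every proposal with "No proposal chosen"

def mismatches(local_cfg, remote_cfg, local_prio=10, remote_prio=10):
    """List (attr, local_value, remote_value) for attributes that differ."""
    l = parse_ikev1_policies(local_cfg)[local_prio]
    r = parse_ikev1_policies(remote_cfg)[remote_prio]
    return [(a, l.get(a), r.get(a)) for a in ATTRS if l.get(a) != r.get(a)]
```

Running it against your own `show running-config crypto ikev1` output from both firewalls is a quick way to rule out a phase 1 mismatch before digging through debug output.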

Phase 1 is now configured on both ASA firewalls. Let’s continue with phase 2…

Phase 2 configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls will negotiate about the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

  • Negotiate IPsec security parameters through the secure tunnel from phase 1.
  • Establish IPsec security associations.
  • Periodically renegotiate IPsec security associations for security.

Here’s what the configuration looks like, we’ll start with ASA1:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

First we configure an access-list that defines what traffic we are going to encrypt. This will be the traffic between 192.168.1.0 /24 and 192.168.2.0 /24.

The IPsec peers will negotiate about the encryption and authentication algorithms and this is done using a transform-set. Here’s what it looks like:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called “MY_TRANSFORM_SET” and it specifies that we want to use ESP with 256-bit AES encryption and SHA for authentication. Once the transform set is configured, we need to configure a crypto map that holds all the phase 2 parameters:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let me explain the configuration step by step:



Forum Replies

  1. Hi Mark,

    It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).

    You can use this example for PAT:

    Cisco ASA PAT configuration

    The only thing left to do is to create an exception for your VPN traffic, like this:

    object network LOCAL_SUBNET
     subnet 192.168.2.0 255.255.255.0
    
     object network REMOTE_SUBNET
     subnet 192.168.39.0 255.255.255.0
    
    nat (LOCAL_SUBNET,OUTSIDE) source stati
    ... Continue reading in our forum

  2. Hi Zaman,

    Aggressive mode can be configured in the crypto map:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

    And transport mode in the transform set:

    ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?         
    
    configure mode commands/options:
      transport  mode transport
    

    The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.

    Rene

  3. Hello Rene,

    What do the following two commands mean for IKE phase-1 and IKE Phase-2 :

    IKE phase-1:

    ASA1(config-ikev1-policy)# lifetime 4800

    IKE Phase-2:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

    I think IKE phase-1 will be deleted after 4800 (if no traffic on the tunnel) and IKE phase-2 will be deleted after 3000 (if no traffic on the tunnel). If traffic continues to flow on the tunnel then what will happen, will IKE phase-1 & IKE phase-2 be re-negotiated after expiration or not?? Please explain.

    Many Thanks

    br//
    zaman

  4. We have firewall 5505 where I have created site to site VPN. First time I have created crypto policy with group 2 and then changed to below.

    Phase 1 failure: Mismatched attribute types for class Group Description: Rcv’d: Group 5 Cfg’d: Group 2Group
    192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)

    Phase 1 (Main mode)
    Lifetime: 86400s (1 day)
    Encryption: AES256
    Hash: SHA1 Key-Ex:
    Group5
    Phase 2
    Lifetime: 3600s (1 hour)
    Encryption: AES256
    Hash: SHA1
    PFS: Group5
    Below is my firewall config.

    crypto ikev1 policy 170
    authenti

    ... Continue reading in our forum

  5. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the pi

    ... Continue reading in our forum
