$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
Site To Site VPNs with Cisco ASA
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

Implementing Site-To-Site VPNs on Cisco ASA
===========================================

Basic ASA IKEv1 Site-To-Site VPN ASDM Configuration
---------------------------------------------------

Requirements
############

#. Java installed on management PC
#. Following bootstrap configuration on the ASA

   * IP addressing for management interface
   * Routing to management PC
   * Username/password configured
   * HTTP server enabled and access granted from the management PC
   * ASDM image copied to ASA flash and enabled

Configuration
#############

#. Start ASDM and login
#. Select Configuration
#. Navigate to

Notes
#####

* It is normal to receive a certificate error when first accessing ASDM, as the ASA initially uses a self-signed certificate
* A wizard is also available: Wizards > VPN Wizards > Site-To-Site VPN Wizard

Basic ASA IKEv1 Site-To-Site VPN CLI Configuration
--------------------------------------------------

#. Configure Phase 1 Policy

   * For ASA less than 8.4.1 ::

       crypto isakmp policy
        encryption
        hash
        group
        lifetime
        authentication pre-share

   * For later ASA versions ::

       crypto ikev1 policy
        encryption
        hash
        group
        lifetime
        authentication pre-share

#. Configure PSK (<= v8.0) ::

     crypto isakmp key address

#. Configure IPSec Transform-Set

   * For ASA less than 8.4.1 ::

       crypto ipsec transform-set

   * For later ASA versions ::

       crypto ipsec ikev1 transform-set

#. Configure IPSec SA Lifetime ::

     crypto ipsec security-association lifetime seconds

#. Configure Encryption Domain (Crypto ACL) ::

     access-list permit ip

#. Configure Crypto Map ::

     crypto map match address
     crypto map set transform-set
     crypto map set peer
     ! optional - override default value
     crypto map set security-association lifetime seconds

#. Configure Connection Profile (Tunnel-group)

   * For ASA >= 7.0 and less than 8.4.1 ::

       tunnel-group type ipsec-l2l
       tunnel-group ipsec-attributes
        pre-shared-key

   * For later ASA versions ::

       tunnel-group type ipsec-l2l
       tunnel-group ipsec-attributes
        ikev1 pre-shared-key

#. Apply the crypto map to the appropriate (e.g. Internet facing) interface ::

     crypto map interface

#. Enable ISAKMP

   * For ASA less than 8.4.1 ::

       crypto isakmp enable

   * For later ASA versions ::

       crypto ikev1 enable

Basic ASA IKEv1 VPN with RSA
----------------------------

#. Define hostname ::

     hostname

#. Define domain name ::

     domain-name

#. Configure Trusted CA ::

     crypto ca trustpoint
      enrollment url http://

#. Download CA certificates and accept them ::

     crypto ca authenticate

#. Enroll with the CA ::

     crypto ca enroll

#. Configure Phase 1 Policy ::

     crypto isakmp policy
      encryption
      hash
      group
      lifetime
      authentication rsa-sig

#. Configure IPSec Transform-Set

   * For ASA less than 8.4.1 ::

       crypto ipsec transform-set

   * For later ASA versions ::

       crypto ipsec ikev1 transform-set

#. Configure IPSec SA Lifetime ::

     crypto ipsec security-association lifetime seconds

#. Configure Encryption Domain ::

     access-list permit ip

#. Configure Crypto Map ::

     crypto map match address
     crypto map set transform-set
     crypto map set peer
     ! optional - override default value
     crypto map set security-association lifetime seconds

#. Configure Connection Profile (Tunnel-group)

   * For ASA less than 8.4.1 ::

       tunnel-group type ipsec-l2l
       tunnel-group ipsec-attributes
        trustpoint

#. Define interfaces on which to accept this VPN connection ::

     crypto map interface

#. Enable ISAKMP

   * For ASA less than 8.4.1 ::

       crypto isakmp enable

   * For later ASA versions ::

       crypto ikev1 enable

Basic ASA IKEv2 VPN with PSK
----------------------------

#. Create IKEv2 Proposal ::

     crypto ikev2 policy
      encryption
      integrity
      group
      lifetime
      authentication pre-share

#. Create IPSec Transform Set ::

     crypto ipsec ikev2 ipsec-proposal
      protocol esp integrity
      protocol esp encryption

#. Define global IPSec SA Lifetime ::

     crypto ipsec security-association lifetime seconds

#. Define Connection Profile ::

     tunnel-group type ipsec-l2l
     tunnel-group ipsec-attributes
      ikev2 local-authentication pre-shared-key
      ikev2 remote-authentication pre-shared-key

#. Define Encryption Domain ::

     access-list permit ip

#. Crypto map ::

     crypto map ipsec-isakmp
     crypto map set ikev2 ipsec-proposal
     crypto map set peer
     crypto map match address

#. Define interface from which to accept these VPN connections ::

     crypto map interface

#. Enable IKEv2 on the interface ::

     crypto ikev2 enable

Basic ASA IKEv2 VPN with RSA
----------------------------

Prerequisites
#############

* Ensure hostname is set
* Ensure domain name is set
* Ensure time is correct

Configuration
#############

#. Define the Trusted CA ::

     crypto ca trustpoint
      enrollment url http://

#. Download CA certificates, verify the given hash is correct ::

     crypto ca authenticate

#. Request certificate from the CA (Enrollment) ::

     crypto ca enroll

#. Create IKEv2 Proposal ::

     crypto ikev2 policy
      encryption
      integrity
      group
      lifetime
      authentication rsa-sig

#. Create IPSec Transform Set ::

     crypto ipsec ikev2 ipsec-proposal
      protocol esp integrity
      protocol esp encryption

#. Define global IPSec SA Lifetime ::

     crypto ipsec security-association lifetime seconds

#. Define Connection Profile ::

     tunnel-group type ipsec-l2l
     tunnel-group ipsec-attributes
      ikev2 local-authentication certificate
      ikev2 remote-authentication certificate

#. Define Encryption Domain ::

     access-list permit ip

#. Crypto map ::

     crypto map ipsec-isakmp
     crypto map set ikev2 ipsec-proposal
     crypto map set peer
     crypto map set trustpoint
     crypto map match address

#. Define interface from which to accept these VPN connections ::

     crypto map interface

#. Enable IKEv2 on the interface ::

     crypto ikev2 enable

ASA VPN setup with IP SLA
-------------------------

#. Requirements

   * Configure IP SLA

#. Configure ICMP SLA ::

     sla monitor
      type echo protocol ipIcmpEcho interface
      timeout
      frequency
     sla monitor schedule start-time now life forever

#. Check Track Status ::

     show track

#. ISAKMP Policy
#. PSK for both peers
#. ISAKMP Keepalive
#. IPSec Transform-set
#. IPSec SA Lifetime
#. Crypto ACL
#. Crypto Map

   * Define multiple peers

#. Define Map on both external interfaces
#. Enable ISAKMP on both interfaces
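A complete IKEv1 pre-shared-key site-to-site configuration for ASA 8.4.1 or later, added here as a worked example of the CLI procedure above; it is not from the original notes, and every address, object name and the key are constructed placeholders.

```text
! Added example, not from the original notes. All addresses, names and the
! pre-shared key are constructed placeholders.
! Local site: 10.1.0.0/24 behind outside 198.51.100.1
! Remote site: 10.2.0.0/24 behind peer 203.0.113.1
!
! Phase 1 (IKEv1) policy: AES-256 / SHA / DH group 14, 8-hour lifetime.
! DES, 3DES, MD5 and DH groups 1, 2 and 5 are weak and should not be used.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
!
! Phase 2 transform set (ASA >= 8.4.1 syntax) and global SA lifetime
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
!
! Encryption domain (crypto ACL): only this traffic is tunnelled
access-list VPN-TO-SITE2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! Crypto map entry 10, then bind the map to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE2
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Connection profile named after the peer address; the PSK must match on both
! sides and should be long and random, not a dictionary word
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key CHANGE-ME-constructed-psk
!
! Enable IKEv1 on the outside interface as the last step
crypto ikev1 enable outside
```

After interesting traffic is sent, `show crypto ikev1 sa` and `show crypto ipsec sa` confirm the Phase 1 and Phase 2 SAs are up.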
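The dual-ISP IP SLA checklist above, carried through as a full configuration and combined with the IKEv2 PSK section: this added example is not from the original notes, goes beyond the checklist by using IKEv2 rather than ISAKMP/IKEv1, and uses constructed addresses, interface names, object names and key.

```text
! Added example, not from the original notes; addresses, names and key are constructed.
! Primary ISP on "outside" (gateway 198.51.100.254), backup ISP on "backup"
! (gateway 192.0.2.254). The remote site has two peers, 203.0.113.1 and 203.0.113.2.
!
! ICMP SLA probe toward the primary ISP gateway: every 10 s, 1 s timeout
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.254 interface outside
 timeout 1000
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object follows the probe; the primary default route is withdrawn on failure
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1 track 1
route backup 0.0.0.0 0.0.0.0 192.0.2.254 254
!
! IKEv2 policy and IPsec proposal shared by both peers
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list VPN-TO-SITE2 extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
! One crypto map with two peers, applied to both external interfaces
crypto map DUAL-MAP 10 match address VPN-TO-SITE2
crypto map DUAL-MAP 10 set peer 203.0.113.1 203.0.113.2
crypto map DUAL-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map DUAL-MAP interface outside
crypto map DUAL-MAP interface backup
!
! A tunnel-group per peer; DPD keepalives detect a dead peer so failover happens
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key CHANGE-ME-constructed-psk
 ikev2 remote-authentication pre-shared-key CHANGE-ME-constructed-psk
 isakmp keepalive threshold 10 retry 2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key CHANGE-ME-constructed-psk
 ikev2 remote-authentication pre-shared-key CHANGE-ME-constructed-psk
 isakmp keepalive threshold 10 retry 2
!
crypto ikev2 enable outside
crypto ikev2 enable backup
```

`show track 1` and `show route` show whether the primary route is currently installed, and `show crypto ikev2 sa` shows which peer and interface the tunnel is using.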