IKEv2 between ASA devices


We have many IKEv1 VPN tunnels under our belts. Now more and more devices support version two of that protocol, known as IKEv2, and Cisco ASA is no exception. We won’t discuss all the changes and benefits that IKEv2 brings, but rather how to configure it on our beloved appliances. Not much has changed when configuring IKEv2 as opposed to IKEv1 (under the hood is a different story). We still have to configure IKE policies (now called IKEv2 policies), transform sets, crypto lists and so on, but we use slightly different syntax, and some parts of the configuration live in different places in IKEv2.

Whether we configure IKEv1 or IKEv2, if we stick to the following list of steps, we should be fine. So, here is our secret recipe:

  • configure IKEv2 policy and enable it on an interface
  • define local and remote networks
  • create tunnel group and accompanying group policy
  • define IPSec proposals
  • create a crypto map and tie it to an interface
  • take care of routing
  • take care of NAT

So, as long as we know the recipe and have experience with IKEv1, we should easily find our way through IKEv2. Before we begin, let’s view our topology:

(Topology diagram: ikev2_asa)

The steps described here are for ASA-A. Complete configs for both ASAs are given at the bottom of the blog post.

This is our IKEv2 policy:

crypto ikev2 policy 1000
encryption aes-256
integrity sha512
group 5
prf sha
lifetime seconds 86400
!
crypto ikev2 enable outside

Almost the same as with IKEv1. The only differences are the algorithms used and the missing authentication type, which is specified elsewhere (under the tunnel group).

We create the objects that will be used in the crypto access list, and then the list itself:

object network COMPANY_B_LAN
subnet 10.100.2.0 255.255.255.252
!
object network COMPANY_A_LAN
subnet 10.100.1.0 255.255.255.252
!
access-list COMPANY_A_B_CRYPTO extended permit ip object COMPANY_A_LAN object COMPANY_B_LAN

Let’s now create our group policy for the remote peer. We will make it a local (internal) policy and tie it to the tunnel group created for that peer. Our group policy is empty for now, but we can add attributes later, or even download the policy from an AAA server. For now, we stick with the basics:

group-policy 1.1.1.2 internal
!
tunnel-group 1.1.1.2 type ipsec-l2l
!
tunnel-group 1.1.1.2 general-attributes
default-group-policy 1.1.1.2
!
tunnel-group 1.1.1.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key keyb-a
ikev2 local-authentication pre-shared-key keya-b
!

We see that we can use one PSK in one direction and another in the other. They have to be reversed on the other side: the local-authentication key here is the remote-authentication key on the other peer, and vice versa.

IPSec proposals are next in our recipe:

crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1

Next comes the crypto map, which is applied to the outside interface:

crypto map IKEv2_OUTSIDE_MAP 1000 match address COMPANY_A_B_CRYPTO
crypto map IKEv2_OUTSIDE_MAP 1000 set peer 1.1.1.2
crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
!
crypto map IKEv2_OUTSIDE_MAP interface outside

Taking care of routing:

route outside 0.0.0.0 0.0.0.0 1.1.1.2

And of NAT:

nat (inside,outside) source static COMPANY_A_LAN COMPANY_A_LAN destination static COMPANY_B_LAN COMPANY_B_LAN

As with IKEv1, we need a mirrored (sort-of-reversed) configuration on the other peer.
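To make the "mirrored configuration" rule concrete, here is an added example (not the post author's or Cisco's code) that renders the recipe above for both peers from one description of the tunnel and then cross-checks that the two configs really are mirrors: PSKs crossed over, crypto map peer matching a tunnel group, crypto ACLs reversed. The command syntax is the one the post shows; the Site dataclass, the COMPANY_x naming and the check logic are this example's own assumptions.

```python
"""Render the post's recipe for both peers and cross-check the mirror.
Example code added to this page; the Site dataclass and the naming
scheme are assumptions of this example, the ASA syntax is the post's."""
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Site:
    name: str      # prefix for object names, e.g. "COMPANY_A"
    tag: str       # short tag used in the crypto ACL name, e.g. "A"
    peer_ip: str   # outside-interface address, i.e. the IKE endpoint
    lan: str       # protected network behind this ASA
    mask: str
    psk: str       # key this side presents (its ikev2 local-authentication key)


# Constructed from the post's topology (same values as the configs at the bottom).
SITE_A = Site("COMPANY_A", "A", "1.1.1.1", "10.100.1.0", "255.255.255.252", "keya-b")
SITE_B = Site("COMPANY_B", "B", "1.1.1.2", "10.100.2.0", "255.255.255.252", "keyb-a")


def render_asa_config(local: Site, remote: Site) -> str:
    """Config for `local` peering with `remote`, following the recipe step by step.
    Called with the arguments swapped it yields the other peer's config: crypto
    ACL reversed, peer address swapped and the two PSKs crossed over."""
    acl = f"{local.name}_{remote.tag}_CRYPTO"
    lines = [
        # 1. IKEv2 policy, enabled on the outside interface
        "crypto ikev2 policy 1000",
        " encryption aes-256",
        " integrity sha512",
        " group 5",
        " prf sha",
        " lifetime seconds 86400",
        "crypto ikev2 enable outside",
        # 2. local and remote networks and the crypto ACL joining them
        f"object network {remote.name}_LAN",
        f" subnet {remote.lan} {remote.mask}",
        f"object network {local.name}_LAN",
        f" subnet {local.lan} {local.mask}",
        f"access-list {acl} extended permit ip object {local.name}_LAN object {remote.name}_LAN",
        # 3. tunnel group named after the peer, plus its group policy; the key we
        #    present is "local", the key we expect from the peer is "remote"
        f"group-policy {remote.peer_ip} internal",
        f"tunnel-group {remote.peer_ip} type ipsec-l2l",
        f"tunnel-group {remote.peer_ip} general-attributes",
        f" default-group-policy {remote.peer_ip}",
        f"tunnel-group {remote.peer_ip} ipsec-attributes",
        f" ikev2 remote-authentication pre-shared-key {remote.psk}",
        f" ikev2 local-authentication pre-shared-key {local.psk}",
        # 4. IPsec proposal
        "crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1",
        " protocol esp encryption aes-256",
        " protocol esp integrity sha-1",
        # 5. crypto map tied to the outside interface
        f"crypto map IKEv2_OUTSIDE_MAP 1000 match address {acl}",
        f"crypto map IKEv2_OUTSIDE_MAP 1000 set peer {remote.peer_ip}",
        "crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1",
        "crypto map IKEv2_OUTSIDE_MAP interface outside",
        # 6. routing and 7. identity NAT so VPN traffic is left untranslated
        f"route outside 0.0.0.0 0.0.0.0 {remote.peer_ip}",
        f"nat (inside,outside) source static {local.name}_LAN {local.name}_LAN "
        f"destination static {remote.name}_LAN {remote.name}_LAN",
    ]
    return "\n".join(lines) + "\n"


def _first(cfg: str, pattern: str) -> str:
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else ""


def mirror_problems(cfg_a: str, cfg_b: str) -> List[str]:
    """Mismatches that silently keep a tunnel from coming up: each side's local
    PSK must equal the other side's remote PSK, the crypto map peer must have a
    tunnel-group of the same name, and the crypto ACLs must name the same two
    networks in opposite order."""
    problems = []
    for label, mine, theirs in (("A", cfg_a, cfg_b), ("B", cfg_b, cfg_a)):
        my_local = _first(mine, r"^ ikev2 local-authentication pre-shared-key (\S+)")
        their_remote = _first(theirs, r"^ ikev2 remote-authentication pre-shared-key (\S+)")
        if my_local != their_remote:
            problems.append(f"{label}: local PSK is not the peer's remote PSK")
        peer = _first(mine, r"^crypto map \S+ \d+ set peer (\S+)")
        group = _first(mine, r"^tunnel-group (\S+) type ipsec-l2l")
        if peer != group:
            problems.append(f"{label}: crypto map peer {peer} has no tunnel-group of that name")
    acl_a = re.search(r"permit ip object (\S+) object (\S+)", cfg_a)
    acl_b = re.search(r"permit ip object (\S+) object (\S+)", cfg_b)
    if not (acl_a and acl_b and acl_a.groups() == acl_b.groups()[::-1]):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    cfg_a = render_asa_config(SITE_A, SITE_B)
    cfg_b = render_asa_config(SITE_B, SITE_A)
    print(cfg_a)
    print(cfg_b)
    print("mirror problems:", mirror_problems(cfg_a, cfg_b) or "none")
```

Run it and the two printed configs match the ASA-A and ASA-B snippets in this post; flip one key in either config and `mirror_problems` names the side whose PSK no longer lines up, which is the single most common reason an otherwise correct IKEv2 tunnel never leaves the authentication exchange.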

Let’s now verify our configuration:

ASA-A#
ASA-A# show crypto ikev2 sa

There are no IKEv2 SAs
ASA-A#


ASA-A#
ASA-A# show crypto ipsec sa

There are no ipsec sas
ASA-A#

We don’t have IKEv2 or IPsec tunnels yet. Now we can try a telnet session from Company_A’s PC to Company_B’s server:

R1#
R1#telnet 10.100.2.1
Trying 10.100.2.1 ... Open
R2#

We can see that the connection was successful. Let’s now verify our security associations again:

ASA-A#
ASA-A# show crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
18679113           1.1.1.1/500           1.1.1.2/500      READY    INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/86 sec
Child sa: local selector  10.100.1.0/0 - 10.100.1.3/65535
          remote selector 10.100.2.0/0 - 10.100.2.3/65535
ESP spi in/out: 0xa991f710/0x4652108f
ASA-A#

We can see the standard stuff: who is the initiator and who is the responder, their addresses, the algorithms used, the authentication type and so on. As for IPsec SAs, we have:

ASA-A#
ASA-A# show crypto ipsec sa
interface: outside
Crypto map tag: IKEv2_OUTSIDE_MAP, seq num: 1000, local addr: 1.1.1.1

access-list COMPANY_A_B_CRYPTO extended permit ip 10.100.1.0 255.255.255.252 10.100.2.0 255.255.255.252
local ident (addr/mask/prot/port): (10.100.1.0/255.255.255.252/0/0)
      remote ident (addr/mask/prot/port): (10.100.2.0/255.255.255.252/0/0)
      current_peer: 1.1.1.2

#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
      #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/500, remote crypto endpt.: 1.1.1.2/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4652108F
current inbound spi : A991F710

! lines omitted

Same interesting data here as well. If we show the running configuration of the remote router while connected to it through the telnet session, we can see our counters increase:

ASA-A#
ASA-A# show crypto ipsec sa | i encap|decap
       #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
      #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ASA-A#

So, our IKEv2 VPN tunnel is working as expected.
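The two verification commands above are exactly what a monitor should poll, so here is an added example (not the post author's or Cisco's code) that parses the `show crypto ikev2 sa` and `show crypto ipsec sa | i encap|decap` output shown above, checks the negotiated algorithms against what the IKEv2 policy was supposed to produce, and confirms traffic is really flowing in both directions by comparing two counter samples. The sample outputs are constructed from this post's own output; the field names, the expected-policy dictionary and the helper functions are assumptions of this example.

```python
"""Parse ASA IKEv2/IPsec verification output and check it against the intended
policy.  Example code added to this page; samples constructed from the post."""
import re
from typing import Optional

# Constructed from the post's `show crypto ikev2 sa` output.
IKEV2_SA_SAMPLE = """\
IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
18679113           1.1.1.1/500           1.1.1.2/500      READY    INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/86 sec
Child sa: local selector  10.100.1.0/0 - 10.100.1.3/65535
          remote selector 10.100.2.0/0 - 10.100.2.3/65535
ESP spi in/out: 0xa991f710/0x4652108f
"""

# Constructed from the two `show crypto ipsec sa | i encap|decap` snapshots.
COUNTERS_BEFORE = """\
 #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 11
 #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
"""
COUNTERS_AFTER = """\
 #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
 #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
"""

# What the post's `crypto ikev2 policy 1000` should negotiate (assumed mapping).
EXPECTED_IKE = {"encr": "AES-CBC", "keysize": 256, "hash": "SHA512",
                "dh_grp": 5, "auth_sign": "PSK", "auth_verify": "PSK"}


def parse_ikev2_sa(text: str) -> Optional[dict]:
    """Pull the monitor-relevant fields out of `show crypto ikev2 sa`.
    Returns None when the ASA reports no SA (tunnel down or not yet triggered)."""
    if "There are no IKEv2 SAs" in text:
        return None
    row = re.search(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", text, re.M)
    algs = re.search(r"Encr: ([\w-]+), keysize: (\d+), Hash: (\w+), DH Grp:(\d+), "
                     r"Auth sign: (\w+), Auth verify: (\w+)", text)
    life = re.search(r"Life/Active Time: (\d+)/(\d+) sec", text)
    status = re.search(r"Status:([A-Z-]+)", text)
    if not (row and algs and life and status):
        return None
    return {
        "tunnel_id": int(row.group(1)), "local": row.group(2), "remote": row.group(3),
        "state": row.group(4), "role": row.group(5), "status": status.group(1),
        "encr": algs.group(1), "keysize": int(algs.group(2)), "hash": algs.group(3),
        "dh_grp": int(algs.group(4)), "auth_sign": algs.group(5),
        "auth_verify": algs.group(6),
        "lifetime": int(life.group(1)), "active": int(life.group(2)),
    }


def policy_mismatches(sa: dict, expected: dict) -> list:
    """Every negotiated parameter that differs from the intended policy; an
    empty list means the peer agreed to exactly what we configured."""
    return [f"{k}: negotiated {sa[k]}, expected {v}"
            for k, v in expected.items() if sa[k] != v]


def parse_counters(text: str) -> dict:
    enc = re.search(r"#pkts encaps: (\d+)", text)
    dec = re.search(r"#pkts decaps: (\d+)", text)
    return {"encaps": int(enc.group(1)), "decaps": int(dec.group(1))}


def traffic_flowing(before: str, after: str) -> bool:
    """True only if both directions advanced between the two samples; a tunnel
    that only encapsulates is usually a routing or NAT problem on the far side."""
    b, a = parse_counters(before), parse_counters(after)
    return a["encaps"] > b["encaps"] and a["decaps"] > b["decaps"]


if __name__ == "__main__":
    sa = parse_ikev2_sa(IKEV2_SA_SAMPLE)
    print(sa)
    print("policy mismatches:", policy_mismatches(sa, EXPECTED_IKE) or "none")
    print("traffic flowing:", traffic_flowing(COUNTERS_BEFORE, COUNTERS_AFTER))
```

Checking the negotiated parameters rather than just "status UP" matters because the tunnel comes up with whatever both peers have in common; if someone later adds a weaker policy on one side, the SA still shows READY and only the `Encr`/`DH Grp` line tells you what you are actually running.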

Finally, here are our configurations. In the original post, coloured lines represent the commands we typed in.

!
hostname ASA-A
domain-name company.a
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.100.1.1 255.255.255.252
no shutdown
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
!
domain-name company.a
!

object network COMPANY_B_LAN
 subnet 10.100.2.0 255.255.255.252
!

object network COMPANY_A_LAN
 subnet 10.100.1.0 255.255.255.252
!

object network NAT_POOL
 range 192.168.1.1 192.168.1.10
!
access-list COMPANY_A_B_CRYPTO extended permit ip object COMPANY_A_LAN object COMPANY_B_LAN
!

pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static COMPANY_A_LAN COMPANY_A_LAN destination static COMPANY_B_LAN COMPANY_B_LAN no-proxy-arp
!

nat (inside,outside) source dynamic COMPANY_A_LAN NAT_POOL
!

route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
!

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!

crypto map IKEv2_OUTSIDE_MAP 1000 match address COMPANY_A_B_CRYPTO
crypto map IKEv2_OUTSIDE_MAP 1000 set peer 1.1.1.2
crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
!

crypto map IKEv2_OUTSIDE_MAP interface outside
!

crypto ikev2 policy 1000
 encryption aes-256
 integrity sha512
 group 5
 prf sha
 lifetime seconds 86400
!

crypto ikev2 enable outside
!

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
group-policy 1.1.1.2 internal
!
tunnel-group 1.1.1.2 type ipsec-l2l
!
tunnel-group 1.1.1.2 general-attributes
 default-group-policy 1.1.1.2
!

tunnel-group 1.1.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key keyb-a
 ikev2 local-authentication pre-shared-key keya-b
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable


!
hostname ASA-B
domain-name company.b
!

enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 1.1.1.2 255.255.255.252
no shutdown

!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 10.100.2.2 255.255.255.252
no shutdown

!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
!
domain-name company.b
!
object network COMPANY_B_LAN
 subnet 10.100.2.0 255.255.255.252
!
object network COMPANY_A_LAN
 subnet 10.100.1.0 255.255.255.252
!

object network NAT_POOL
 range 192.168.2.1 192.168.2.10
!
access-list COMPANY_B_A_CRYPTO extended permit ip object COMPANY_B_LAN object COMPANY_A_LAN
!
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
nat (inside,outside) source static COMPANY_B_LAN COMPANY_B_LAN destination static COMPANY_A_LAN COMPANY_A_LAN
!

nat (inside,outside) source static COMPANY_B_LAN COMPANY_B_LAN destination static COMPANY_A_LAN COMPANY_A_LAN no-proxy-arp
!

nat (inside,outside) source dynamic COMPANY_B_LAN NAT_POOL
!

route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
!

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map IKEv2_OUTSIDE_MAP 1000 match address COMPANY_B_A_CRYPTO
crypto map IKEv2_OUTSIDE_MAP 1000 set peer 1.1.1.1
crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
!

crypto map IKEv2_OUTSIDE_MAP interface outside
!
crypto ikev2 policy 1000
 encryption aes-256
 integrity sha512
 group 5
 prf sha
 lifetime seconds 86400
!

crypto ikev2 enable outside
!

telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
group-policy 1.1.1.1 internal
!
tunnel-group 1.1.1.1 type ipsec-l2l
!

tunnel-group 1.1.1.1 general-attributes
 default-group-policy 1.1.1.1
!

tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key keya-b
 ikev2 local-authentication pre-shared-key keyb-a
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable


Thanks for reading and happy IKEing.
