Cisco Labs – Network Security (5) – Site to site VPN tunnel using pre-shared keys on ASA


Introduction

During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab built on physical Cisco routers); however, the configuration is valid and was tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from My OneDrive.

NS2 – Module 4 4.5.5a ASA task definition

Site to site VPN tunnel using pre-shared keys on ASA

Goal

  • A site to site VPN tunnel using pre-shared keys will be initialized on the ASA.
  • Router3 only forwards traffic between the site devices; it simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 will be encrypted.
  • Use static routes or the RIP routing protocol.
  • Clear and reinitialize the VPN tunnel.
  • Make sure the configuration is erased before starting.

Required time

3 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-4.5.5a_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

ASA1, ASA2, Router3

1) interface settings + static routes + NAT:

ASA1(config)#domain-name test    ;set the domain name
ASA1(config)#interface INT1    ;on the interface set the following
ASA1(conf-if)#switchport mode access    ;set the switch port to access mode
ASA1(conf-if)#switchport access vlan 10    ;assign it to VLAN 10
ASA1(conf-if)#no shutdown    ;enable the switch port
ASA1(config)#interface vlan 10    ;on the VLAN interface set the following
ASA1(conf-if)#ip address 192.168.0.1 255.255.255.0    ;set the IP address and mask
ASA1(conf-if)#nameif inside    ;name the interface; the security level is set by default (100 for inside)
ASA1(conf-if)#no shutdown

ASA1(config)#interface INT2									;on interface set following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address 172.16.1.1 255.255.255.0
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
	
ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0    ;access list defining which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host 172.16.1.1    ;access list permitting ICMP to the outside address for testing
ASA1(config)#access-group outsidein in interface outside    ;apply the access list to the interface
ASA1(config)#route outside 10.0.0.0 255.255.255.0 172.16.1.2    ;static routes instead of a dynamic routing protocol
ASA1(config)#route outside 172.16.0.0 255.255.255.0 172.16.1.2

ASA1(config)#nat (inside) 1 0 0    ;NAT all inside traffic
ASA1(config)#global (outside) 1 interface    ;using PAT on the outside interface address

ASA1(config)#nat (inside) 0 access-list CRYPTOACL    ;NAT exemption: do not translate the traffic that will be encrypted

ASA2(config)#domain-name test
ASA2(config)#interface INT4
ASA2(conf-if)#switchport mode access
ASA2(conf-if)#switchport access vlan 10
ASA2(conf-if)#no shutdown
ASA2(config)#interface vlan 10
ASA2(conf-if)#ip address 10.0.0.1 255.255.255.0
ASA2(conf-if)#nameif inside
ASA2(conf-if)#no shutdown

ASA2(config)#interface INT3
ASA2(conf-if)#switchport mode access
ASA2(conf-if)#switchport access vlan 20
ASA2(conf-if)#no shutdown
ASA2(config)#interface vlan 20
ASA2(conf-if)#ip address 172.16.0.1 255.255.255.0
ASA2(conf-if)#nameif outside
ASA2(conf-if)#no shutdown

ASA2(config)#access-list CRYPTOACL permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ASA2(config)#access-list outsidein permit icmp any host 172.16.0.1
ASA2(config)#access-group outsidein in interface outside

ASA2(config)#route outside 192.168.0.0 255.255.255.0 172.16.0.2
ASA2(config)#route outside 172.16.1.0 255.255.255.0 172.16.0.2

ASA2(config)#nat (inside) 1 0 0
ASA2(config)#global (outside) 1 interface
ASA2(config)#nat (inside) 0 access-list CRYPTOACL

Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
  
Router3(config)#ip route 192.168.0.0 255.255.255.0 172.16.1.1
Router3(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1

2a) VPN tunnel settings phase 1 IKE/ISAKMP:

The policy must be the same on both ends of the tunnel (the priority number may differ).

ASA1(config)#sysopt connection permit-vpn    ;let decrypted VPN traffic bypass the interface access lists; otherwise it must be permitted explicitly
ASA1(config)#isakmp policy 10    ;create the policy section
ASA1(isakmp)#authentication pre-share    ;authenticate using pre-shared keys
ASA1(isakmp)#group 2    ;Diffie-Hellman group 2
ASA1(isakmp)#hash sha    ;hash algorithm
ASA1(isakmp)#encryption 3des    ;encryption algorithm
    
ASA2(config)#isakmp policy 10 
ASA2(isakmp)#authentication pre-share 
ASA2(isakmp)#group 2
ASA2(isakmp)#hash sha
ASA2(isakmp)#encryption 3des
    

2b) VPN tunnel settings phase 2 IPSEC:

ASA1(config)#isakmp identity address    ;use the interface IP address as the IKE identity sent to the peer
ASA1(config)#tunnel-group 172.16.0.1 type ipsec-l2l    ;set the peer address and tunnel type (use ? to see more options)
ASA1(config)#tunnel-group 172.16.0.1 ipsec-attributes    ;enter the IPsec attributes of the tunnel group
ASA1(config-tunnel-ipsec)#pre-shared-key Cisco    ;define the pre-shared key (must be identical on both peers)
ASA1(config)#isakmp enable outside    ;enable ISAKMP on the outside interface

ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des    ;define a transform set: the accepted combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL    ;traffic matching CRYPTOACL is protected by this crypto map entry
ASA1(config)#crypto map CRMAPASA1 10 set peer 172.16.0.1    ;remote peer
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1    ;apply the transform set to the map entry
ASA1(config)#crypto map CRMAPASA1 interface outside    ;apply the crypto map to the interface

Apply the analogous settings to the other side of the tunnel.

ASA2(config)#isakmp identity address
ASA2(config)#tunnel-group 172.16.1.1 type ipsec-l2l
ASA2(config)#tunnel-group 172.16.1.1 ipsec-attributes
ASA2(config-tunnel-ipsec)#pre-shared-key Cisco
ASA2(config)#isakmp enable outside

ASA2(config)#crypto ipsec transform-set TRSETASA2 esp-md5-hmac esp-des
ASA2(config)#crypto map CRMAPASA2 10 match address CRYPTOACL
ASA2(config)#crypto map CRMAPASA2 10 set peer 172.16.1.1
ASA2(config)#crypto map CRMAPASA2 10 set transform-set TRSETASA2
ASA2(config)#crypto map CRMAPASA2 interface outside
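The phase 1 and phase 2 settings above have to agree on both ASAs before the tunnel can come up, and the usual lab mistake is one parameter that differs between the two sides. The following Python script is an added example, not part of the original post and not a Cisco tool: it parses configuration text in the form used above (prompts removed, the ;comment trailers allowed), checks that the ISAKMP policy, the crypto ACL (which must be mirrored), the transform set, the peer addresses, the tunnel groups and isakmp enable agree, and also lists the lab's legacy algorithms (DES/3DES, MD5, SHA-1, DH group 2) that a production deployment should replace with AES, SHA-2 and a larger DH group. The two sample configurations inside the script are constructed to mirror the post's topology; the ACL, transform-set and crypto-map names in them are assumptions.

```python
"""Cross-check the two ends of a Cisco ASA site-to-site (IKEv1) tunnel.

Added example, not code from the original post. It reads command text in the
post's style and reports what stops phase 1 or phase 2 from negotiating, plus
the legacy algorithms used in the lab that production should replace.
"""
import re

# Constructed sample in the post's style; the two sites mirror each other.
SITE = """interface vlan 20
ip address {me} 255.255.255.0
nameif outside
access-list CRYPTOACL permit ip {lan} 255.255.255.0 {rlan} 255.255.255.0
isakmp policy 10
authentication pre-share
group 2
hash sha
encryption 3des
tunnel-group {peer} type ipsec-l2l
isakmp enable outside
crypto ipsec transform-set TRSET esp-md5-hmac esp-des
crypto map CRMAP 10 match address CRYPTOACL
crypto map CRMAP 10 set peer {peer}
crypto map CRMAP 10 set transform-set TRSET
"""
ASA1 = SITE.format(me="172.16.1.1", peer="172.16.0.1", lan="192.168.0.0", rlan="10.0.0.0")
ASA2 = SITE.format(me="172.16.0.1", peer="172.16.1.1", lan="10.0.0.0", rlan="192.168.0.0")


def parse_asa(config):
    """Collect the IKE/IPsec parameters that must line up on both tunnel ends."""
    st = {"policy": {}, "acls": {}, "tsets": {}, "map": {}, "tg": set(),
          "isakmp_if": set(), "outside_ip": None}
    mode, pending_ip = None, None
    for raw in config.splitlines():
        line = raw.split(";")[0].strip()            # drop the post's ;comments
        if not line:
            continue
        toks = line.split()
        if re.fullmatch(r"isakmp policy \d+", line):
            mode = "policy"                          # following lines are policy attributes
        elif toks[0] == "interface":
            mode = "if"
        elif mode == "policy" and toks[0] in ("authentication", "group", "hash", "encryption"):
            st["policy"][toks[0]] = toks[1]
        elif mode == "if" and toks[:2] == ["ip", "address"]:
            pending_ip = toks[2]
        elif mode == "if" and toks[:2] == ["nameif", "outside"]:
            st["outside_ip"] = pending_ip            # the address the far side must peer with
        elif toks[0] == "access-list" and toks[2:4] == ["permit", "ip"]:
            st["acls"][toks[1]] = tuple(toks[4:8])   # (src, smask, dst, dmask)
        elif toks[:3] == ["crypto", "ipsec", "transform-set"]:
            st["tsets"][toks[3]] = frozenset(toks[4:])
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["match", "address"]:
            st["map"]["acl"] = toks[6]
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["set", "peer"]:
            st["map"]["peer"] = toks[6]
        elif toks[:2] == ["crypto", "map"] and toks[4:6] == ["set", "transform-set"]:
            st["map"]["tset"] = toks[6]
        elif toks[0] == "tunnel-group" and "ipsec-l2l" in toks:
            st["tg"].add(toks[1])
        elif toks[:2] == ["isakmp", "enable"]:
            st["isakmp_if"].add(toks[2])
    return st


def legacy_algorithms(st):
    """DES/3DES, MD5, SHA-1 and DH groups 1/2: acceptable in the lab, not in production."""
    pol = st["policy"]
    found = {v for k, v in pol.items() if k in ("encryption", "hash") and v in ("des", "3des", "md5", "sha")}
    if pol.get("group") in ("1", "2"):
        found.add("group " + pol["group"])
    for algs in st["tsets"].values():
        found |= {a for a in algs if a.endswith("-des") or "md5" in a or a == "esp-sha-hmac"}
    return found


def check_pair(a, b):
    """Findings for the two ends of one tunnel; no MISMATCH line means they agree."""
    findings = []
    if a["policy"] != b["policy"]:
        findings.append("MISMATCH isakmp policy: %s vs %s" % (a["policy"], b["policy"]))
    acl_a = a["acls"].get(a["map"].get("acl"))
    acl_b = b["acls"].get(b["map"].get("acl"))
    if not acl_a or not acl_b or acl_a != acl_b[2:] + acl_b[:2]:   # B's ACL must be A's, reversed
        findings.append("MISMATCH crypto ACL not mirrored: %s vs %s" % (acl_a, acl_b))
    ts_a = a["tsets"].get(a["map"].get("tset"))
    ts_b = b["tsets"].get(b["map"].get("tset"))
    if ts_a != ts_b:
        findings.append("MISMATCH transform set: %s vs %s" % (sorted(ts_a or []), sorted(ts_b or [])))
    for name, me, other in (("A", a, b), ("B", b, a)):
        peer = me["map"].get("peer")
        if peer != other["outside_ip"]:
            findings.append("MISMATCH %s peers with %s but the far outside IP is %s" % (name, peer, other["outside_ip"]))
        if peer not in me["tg"]:
            findings.append("MISMATCH %s has no tunnel-group %s type ipsec-l2l" % (name, peer))
        if "outside" not in me["isakmp_if"]:
            findings.append("MISMATCH %s: isakmp not enabled on outside, phase 1 cannot start" % name)
        findings += ["LEGACY %s uses %s" % (name, alg) for alg in sorted(legacy_algorithms(me))]
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(parse_asa(ASA1), parse_asa(ASA2))))
```

Run against the two mirrored samples it prints only LEGACY lines; change one side's DH group or drop isakmp enable outside and the corresponding MISMATCH line appears, which is the same thing the debug crypto isakmp output later in the task would reveal only after a failed negotiation.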
 

3) Access list on Router3 to allow only the needed traffic:

Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1    ;allow the tunnel's ESP traffic
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp    ;allow ISAKMP (UDP port 500) for tunnel initialisation
Router3(config)#interface INT5
Router3(conf-if)#ip access-group 101 in    ;apply the access list inbound on the interface

Note that access list 101 ends with an implicit deny, so once it is applied anything else arriving on INT5 from ASA1, including the ICMP test traffic permitted by the outsidein access lists, is dropped.

Function test

Use debug crypto ipsec, debug crypto isakmp and logging console debugging to troubleshoot the VPN tunnel configuration.

F1) check the IKE/IPsec configuration on the ASA:

ASA1#sh crypto isakmp stat    ;display ISAKMP (phase 1) statistics
ASA1#sh crypto ipsec stat    ;display IPsec send/receive packet statistics

A ping from LAN 1 to LAN 2 should initiate the VPN tunnel, after which the hosts on LAN 2 are accessible.

F2) initialize the tunnel:

Use ping 10.0.0.100. Look at the DST and SRC addresses; they depend on which ASA initiated the tunnel.

ASA1#sh crypto ipsec sa
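To read the output of show crypto ipsec sa in a repeatable way, the following Python script is an added example, not part of the original post. It parses the per-SA counters (#pkts encaps/decaps and the error counters), classifies the tunnel state from them, and computes the counter increase between two snapshots, which is how you confirm that a ping really went through the tunnel rather than around it. The sample output inside the script is constructed in the shape of the ASA command's output, not captured from this lab.

```python
"""Read the state of an IPsec SA from 'show crypto ipsec sa' counters.

Added example, not code from the original post. The sample output is
constructed in the shape of the ASA command's output; the script only reads
the peer, the local/remote ident lines and the #pkts / error counters.
"""
import re

# Constructed sample: one SA after four pings that the far side answered.
SAMPLE = """\
interface: outside
    Crypto map tag: CRMAPASA1, seq num: 10, local addr: 172.16.1.1

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 172.16.0.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""

COUNTER = re.compile(r"#(pkts \w+|send errors|recv errors): (\d+)")
IDENT = re.compile(r"^(local|remote) ident .*\(([^()]+)\)$")


def parse_ipsec_sa(text):
    """Return one dict per SA with its peer, idents and integer counters."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Crypto map tag:"):       # each SA block starts here
            cur = {"counters": {}}
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        else:
            m = IDENT.match(line)
            if m:
                cur[m.group(1) + "_ident"] = m.group(2)
            for name, value in COUNTER.findall(line):
                cur["counters"][name] = int(value)
    return sas


def diagnose(sa):
    """Map the counters to the symptom a student usually meets in this lab."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"          # encrypt/decrypt failures: re-check transform set and SA state
    if enc and dec:
        return "bidirectional"   # traffic is protected in both directions
    if enc and not dec:
        return "one-way"         # nothing comes back: far side's crypto ACL, NAT exemption or transit ACL
    if dec and not enc:
        return "reply-only"      # far side sends, this side never matches the crypto ACL
    return "idle"                # nothing matched the crypto ACL yet; send interesting traffic


def counter_delta(before, after):
    """Increase of each counter between two snapshots of the same SA."""
    return {name: after["counters"].get(name, 0) - before["counters"].get(name, 0)
            for name in after["counters"]}


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(sa["peer"], sa["local_ident"], "->", sa["remote_ident"], diagnose(sa))
```

Take one snapshot before the ping and one after: encaps and decaps growing by the ping count means the tunnel carried it; encaps growing alone is the classic one-way symptom, and neither growing means the traffic did not match the crypto ACL at all (typically NAT translated it first, which the NAT exemption in step 1 prevents).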
    

The picture shows the first phase of the established tunnel.

NS2-4.5.5a_ASA_DIAGNOSTIC

And the second phase.

NS2-4.5.5a_ASA_DIAGNOSTIC2

F3) delete the tunnel

ASA1#clear crypto isakmp sa    ;clear the ISAKMP (phase 1) security associations
ASA1#clear crypto ipsec sa    ;clear the IPsec (phase 2) security associations, i.e. the existing tunnels

The picture shows the cleared tunnel.

NS2-4.5.5a_ASA_DIAGNOSTIC3

The picture shows packets dropped after the SAs were cleared (debug output).

NS2-4.5.5a_ASA_DIAGNOSTIC4

F4) reinitialize the tunnel from the other side

Use ping 192.168.0.100. Look at the DST and SRC addresses; they depend on which ASA initiated the tunnel.

The picture shows the debug output of the traffic during tunnel initialisation.

NS2-4.5.5a_ASA_DIAGNOSTIC5

Optional tasks

  • Define more transform sets so that one can be selected that fits the other side of the tunnel.
  • Define different encryption and hashing algorithms (see point 2a).
  • Add one more router (ASA) to the topology and create another tunnel to it.

Two or more tunnels to different locations and peers:

This is accomplished by adding:

  • a new policy section with the required settings,
  • a new crypto access list for the additional peer's networks,
  • a new crypto map entry (another sequence number) that references a new or an existing transform set.