Configuring IKEv2 Site-to-Site VPN on Cisco ASA

This blog post provides the basic configuration needed to set up a site-to-site VPN between two Cisco ASA firewalls using the IKEv2 protocol.

The lab scenario was set up in GNS3 using the following images:

  • Cisco ASAv version 9.5(2)
  • Cisco IOS version 15.2(4)

A VPN will be set up between the two Cisco ASA firewalls (ASAv-1 and ASAv-2). The two routers (R1 and R2) act as hosts in the local networks and generate the traffic that brings the VPN tunnel up on demand.


VPN Configuration ASAv-1

Basic Configuration (Interfaces, routing)

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.250.1 255.255.255.252

interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 1.1.1.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.254 1
route INSIDE 10.10.0.0 255.255.0.0 192.168.250.2 1

Network Objects

object network S1_NETWORK
subnet 10.10.0.0 255.255.254.0
object network S2_NETWORK
subnet 10.20.0.0 255.255.254.0

Access Control List

access-list SITE2_VPN extended permit ip object S1_NETWORK object S2_NETWORK
access-list SITE2_VPN extended permit ip object S2_NETWORK object S1_NETWORK

NAT Rule

nat (inside,outside) source static S1_NETWORK S1_NETWORK destination static S2_NETWORK S2_NETWORK no-proxy-arp route-lookup

Tunnel Group

tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco1234
ikev2 remote-authentication pre-shared-key cisco1234

IKEv2 Policy

crypto ikev2 policy 10
group 14
encryption aes-192
integrity sha256
prf sha256

Enable IKEv2 on External Interface

crypto ikev2 enable OUTSIDE

IPSec Transform Set

crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-256
protocol esp integrity sha-1

Crypto Map

crypto map CRYPTO-MAP 1 match address SITE2_VPN
! group2 is 1024-bit DH, weaker than the group 14 negotiated for IKEv2 itself; group14 or higher is the stronger choice for PFS
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal TSET

crypto map CRYPTO-MAP interface OUTSIDE

VPN Configuration ASAv-2

Basic Configuration (Interfaces, routing)

interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.251.1 255.255.255.252

interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 2.2.2.1 255.255.255.0

route OUTSIDE 0.0.0.0 0.0.0.0 2.2.2.254 1
route INSIDE 10.20.0.0 255.255.0.0 192.168.251.2 1

Network Objects

object network S1_NETWORK
subnet 10.10.0.0 255.255.254.0
object network S2_NETWORK
subnet 10.20.0.0 255.255.254.0

Access Control List

access-list SITE1_VPN extended permit ip object S2_NETWORK object S1_NETWORK
access-list SITE1_VPN extended permit ip object S1_NETWORK object S2_NETWORK

NAT Rule

nat (inside,outside) source static S2_NETWORK S2_NETWORK destination static S1_NETWORK S1_NETWORK no-proxy-arp route-lookup

Tunnel Group

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco1234
ikev2 remote-authentication pre-shared-key cisco1234

IKEv2 Policy

crypto ikev2 policy 10
group 14
encryption aes-192
integrity sha256
prf sha256

Enable IKEv2 on External Interface

crypto ikev2 enable OUTSIDE

IPSec Transform Set

crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-256
protocol esp integrity sha-1

Crypto Map

crypto map CRYPTO-MAP 1 match address SITE1_VPN
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal TSET

crypto map CRYPTO-MAP interface OUTSIDE
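Both configurations above have to be exact mirror images of each other (peer addresses, pre-shared keys, object subnets, crypto ACL direction, NAT exemption, IKEv2 policy and IPsec proposal), and a single pasted line that is not mirrored leaves the tunnel up but silent. The checker below is an added example, not code from the original post: it parses the command forms used on this page from two config strings and reports every mismatch it finds, plus any PFS or IKEv2 DH group of 1536 bits or less. The CFG template is transcribed from the ASAv-1/ASAv-2 sections; the S2_NETWORK subnet 10.20.0.0/23 (the LAN routed behind ASAv-2) is an assumption, and the parser only covers the syntax that appears in that template.

```python
# Added example (not the post's own code): cross-check two Cisco ASA IKEv2
# site-to-site configs for the mismatches that leave a tunnel silent. CFG is a
# template transcribed from the post's ASAv-1/ASAv-2 sections; the S2_NETWORK
# subnet 10.20.0.0/23 (the LAN routed behind ASAv-2) is an assumption.
from collections import defaultdict

CFG = """interface GigabitEthernet0/1
nameif OUTSIDE
ip address {me} 255.255.255.0
object network S1_NETWORK
subnet 10.10.0.0 255.255.254.0
object network S2_NETWORK
subnet 10.20.0.0 255.255.254.0
access-list {acl} extended permit ip object {local} object {remote}
nat (inside,outside) source static {local} {local} destination static {remote} {remote} no-proxy-arp route-lookup
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
ikev2 local-authentication pre-shared-key cisco1234
ikev2 remote-authentication pre-shared-key cisco1234
crypto ikev2 policy 10
group 14
encryption aes-192
integrity sha256
prf sha256
crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map CRYPTO-MAP 1 match address {acl}
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer {peer}"""
ASA1_CFG = CFG.format(me="1.1.1.1", peer="2.2.2.1", acl="SITE2_VPN", local="S1_NETWORK", remote="S2_NETWORK")
ASA2_CFG = CFG.format(me="2.2.2.1", peer="1.1.1.1", acl="SITE1_VPN", local="S2_NETWORK", remote="S1_NETWORK")

WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}   # DH groups of 1536 bits or less
POLICY_KEYS = {"group", "encryption", "integrity", "prf"}  # body of "crypto ikev2 policy"


def parse_asa(cfg):
    """Pull the VPN-relevant settings of one ASA config into a dict (covers the forms in CFG)."""
    d = {"objects": {}, "acl": defaultdict(set), "psk": {}, "ikev2": {}, "proposal": {},
         "map": {}, "tunnel_groups": set(), "nat": set(), "if": {}}
    ctx = None                                 # multi-line block the current line belongs to
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "nameif":                   # interface block: remember the name for "ip address"
            ctx = ("if", t[1].lower())
        elif t[:2] == ["ip", "address"] and ctx and ctx[0] == "if":
            d["if"][ctx[1]] = t[2]
        elif t[:2] == ["object", "network"]:
            ctx = ("object", t[2])
        elif t[0] == "subnet" and ctx and ctx[0] == "object":
            d["objects"][ctx[1]] = (t[1], t[2])
        elif t[:3] == ["crypto", "ikev2", "policy"]:
            ctx = ("ikev2",)
        elif t[0] in POLICY_KEYS and ctx == ("ikev2",):
            d["ikev2"][t[0]] = t[1]
        elif t[:2] == ["crypto", "ipsec"] and "ipsec-proposal" in t:
            ctx = ("proposal",)
        elif t[:2] == ["protocol", "esp"] and ctx == ("proposal",):
            d["proposal"][t[2]] = t[3]
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[5] in ("address", "peer", "pfs"):
            d["map"][t[5]] = t[6]              # address -> crypto ACL name, peer, pfs group
        elif t[0] == "access-list" and "permit" in t:
            d["acl"][t[1]].add(tuple(t[i + 1] for i, w in enumerate(t) if w == "object"))
        elif t[0] == "tunnel-group" and t[2] == "type":
            d["tunnel_groups"].add(t[1])
        elif t[0] == "ikev2" and "pre-shared-key" in t:
            d["psk"][t[1]] = t[-1]             # local-authentication / remote-authentication
        elif t[0] == "nat" and len(t) >= 10 and t[4] == t[5] and t[8] == t[9]:
            d["nat"].add((t[4], t[8]))         # identity (NAT-exemption) pair
    return d


def check_pair(cfg_a, cfg_b, names=("ASAv-1", "ASAv-2")):
    """Return a list of findings; empty means both sides agree and use strong DH groups."""
    sides, out = (parse_asa(cfg_a), parse_asa(cfg_b)), []
    for i, (xn, x) in enumerate(zip(names, sides)):
        yn, y = names[1 - i], sides[1 - i]
        peer = y["if"].get("outside")
        if x["map"].get("peer") != peer:
            out.append(f"{xn}: crypto map peer {x['map'].get('peer')} is not {yn}'s OUTSIDE address {peer}")
        if x["psk"].get("local-authentication") != y["psk"].get("remote-authentication"):
            out.append(f"{xn}: local pre-shared key differs from {yn}'s remote pre-shared key")
        acl = x["acl"].get(x["map"].get("address"), set())
        mirror = {(dst, src) for src, dst in y["acl"].get(y["map"].get("address"), set())}
        if not acl or acl != mirror:
            out.append(f"{xn}: crypto ACL is not the mirror image of {yn}'s crypto ACL")
        if not any(pair in x["nat"] for pair in acl):
            out.append(f"{xn}: no identity NAT exempting the crypto ACL networks from translation")
        for what, grp in (("PFS", x["map"].get("pfs")), ("IKEv2 policy", x["ikev2"].get("group"))):
            if grp in WEAK_DH:
                out.append(f"{xn}: {what} DH group {grp} is weak; use group14 or stronger")
        by_net = defaultdict(list)
        for name, net in x["objects"].items():
            by_net[net].append(name)
        for net, objs in by_net.items():
            if len(objs) > 1:                  # local and remote objects must not share one subnet
                out.append(f"{xn}: objects {sorted(objs)} share subnet {net[0]} {net[1]}")
    a, b = sides
    for name in sorted(set(a["objects"]) | set(b["objects"])):
        if a["objects"].get(name) != b["objects"].get(name):
            out.append(f"object {name} differs: {names[0]}={a['objects'].get(name)} {names[1]}={b['objects'].get(name)}")
    for key in ("ikev2", "proposal"):
        if a[key] != b[key]:
            out.append(f"{key} parameters differ between {names[0]} and {names[1]}")
    return out
```

`check_pair(ASA1_CFG, ASA2_CFG)` returns only the two PFS warnings for the configs as transcribed. If the S2_NETWORK object is pasted with the same subnet as S1_NETWORK on one firewall, the checker reports both the shared subnet on that side and the cross-side object mismatch; if the same paste error is made on both firewalls the objects agree and only the shared-subnet finding fires, which is the case that would otherwise show up only as zero decrypted packets in the IPsec SA counters.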

Testing

Once the VPN configuration has been set up on both ASA firewalls, test connectivity by sending a ping from the local loopback on one of the routers to the loopback of the router across the VPN. The local and remote loopback network addresses must fall within the networks defined in the crypto ACL referenced by the crypto map; otherwise the traffic will not match and will not be routed across the tunnel.


When establishing connectivity over the tunnel for the first time, the first ping will be dropped whilst the tunnel is (hopefully) being established.

Verification

Use the command "show crypto ikev2 sa detail" to verify the IKEv2 SA. This displays the local/remote peer IP addresses, the local/remote networks and the policy attributes (encryption and hashing algorithms, authentication method, etc.).


Use the command "show crypto ipsec sa detail" to verify the IPsec SA. This displays information such as the crypto map, the access-list and the packets encrypted/decrypted counters. If traffic is not being sent across the VPN tunnel, check that the ACL has the correct local/remote networks; otherwise the tunnel will not carry the traffic.


Use the command "show vpn-sessiondb detail l2l". This provides a clearer, more detailed view of the VPN tunnel.

