IKEv2/IPSec Crypto Map between IOS Router and ASA Firewall

This post documents the steps to configure an IKEv2/IPSec Site-to-Site VPN between a Cisco ASA firewall (ASAv 9.9.1) and an IOS router (v15.4) using a crypto map on each side and a Pre-Shared Key (PSK) for authentication. The IKE SA uses AES-GCM with SHA-256 as the PRF and DH group 5; the IPSec SA uses AES-192 with SHA-256 HMAC. Every one of those parameters, the peer addresses, the PSKs and the crypto ACLs must agree on both sides or the tunnel will not negotiate.

Simple topology (the diagram is not reproduced here; the addressing below is the one used in the configuration):

R1 (IOS) GigabitEthernet0/0 1.1.1.1 <--- Internet ---> OUTSIDE 2.2.2.1 ASA firewall
R1 LAN: 10.10.0.0/22                                   ASA LAN: 10.20.0.0/22

ASA Firewall Configuration

Define IKEv2 Policy
crypto ikev2 policy 10
encryption aes-gcm
integrity null
group 5
prf sha256
lifetime seconds 86400

Note: aes-gcm is an AEAD cipher, so the policy carries no separate integrity algorithm and integrity null is required on the ASA; the PRF is still needed for key derivation. Plain aes-gcm selects the 128-bit key size, which is why the router side is configured with aes-gcm-128. DH group 5 (1536-bit MODP) is kept here to match the original lab but is weak by current standards; prefer group 14 or an ECDH group (19, 20 or 21), configured identically on both peers.


Define IPSec Transform Set
crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-192
protocol esp integrity sha-256

Define Tunnel Group and define PSK
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key 0 Cisco1234
ikev2 local-authentication pre-shared-key 0 Cisco1234

Note: for an L2L peer authenticating with a PSK, the ASA selects the tunnel-group by the peer's IP address, so the tunnel-group name must be 1.1.1.1 (the router's outside address). The 0 means the key is entered in clear text. Cisco1234 is a lab placeholder; use a long random key in production. The ASA local key must equal the router's remote key and the ASA remote key the router's local key; the example uses the same value for both, which is allowed but not required.

Define Group Policy
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2

Note: this edits the default group policy, which applies to every tunnel-group that does not reference its own policy. A dedicated group-policy attached to the tunnel-group with the default-group-policy command under tunnel-group 1.1.1.1 general-attributes keeps the change scoped to this peer.

Define ACL to match interesting traffic
access-list R1_VPN extended permit ip 10.20.0.0 255.255.252.0 10.10.0.0 255.255.252.0

The ASA ACL uses subnet masks and is written from the ASA's point of view (local 10.20.0.0/22 to remote 10.10.0.0/22). It must be the exact mirror of the router's crypto ACL, because the two ACLs become the traffic selectors (proxy IDs) exchanged during the IKEv2 CHILD_SA negotiation.

Define Crypto Map
crypto map CM 10 match address R1_VPN
crypto map CM 10 set peer 1.1.1.1
crypto map CM 10 set ikev2 ipsec-proposal TSET
crypto map CM interface OUTSIDE

Enable IKEv2 on the OUTSIDE interface
crypto ikev2 enable OUTSIDE

If the ASA translates outbound traffic on OUTSIDE (dynamic NAT/PAT), add an identity NAT (NAT-exempt) rule for 10.20.0.0/22 to 10.10.0.0/22 so the VPN traffic keeps its real addresses and still matches the crypto ACL. The router needs the equivalent exemption if it runs NAT overload on GigabitEthernet0/0.

IOS Router Configuration

Define IKEv2 Proposal
crypto ikev2 proposal PROP
encryption aes-gcm-128
prf sha256
group 5

Define IKEv2 Policy
crypto ikev2 policy IKEV2_POLICY
proposal PROP

Define IPSec Transform Set
crypto ipsec transform-set TSET esp-aes 192 esp-sha256-hmac

Define IKEv2 Keyring and PSK
crypto ikev2 keyring KEYRING
peer ALL
address 0.0.0.0 0.0.0.0
pre-shared-key local Cisco1234
pre-shared-key remote Cisco1234

Note: address 0.0.0.0 0.0.0.0 offers this key to any peer address. For a single known peer, restrict the entry to address 2.2.2.1 255.255.255.255 so the key is used only for the ASA. The local key is what the router presents to the ASA (the ASA's remote-authentication key); the remote key is what the router expects from the ASA (the ASA's local-authentication key).

Define IKEv2 Profile
crypto ikev2 profile IKEV2_PROFILE
match identity remote address 2.2.2.1 255.255.255.255
identity local address 1.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local KEYRING


Define ACL to match interesting traffic
ip access-list extended ASA_VPN
permit ip 10.10.0.0 0.0.3.255 10.20.0.0 0.0.3.255


Define Crypto Map
crypto map CM 10 ipsec-isakmp
set peer 2.2.2.1
set transform-set TSET
set ikev2-profile IKEV2_PROFILE
match address ASA_VPN


Enable Crypto Map on OUTSIDE interface
interface GigabitEthernet0/0
crypto map CM
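As an added example (not part of the original post and not Cisco tooling), the following Python script cross-checks the two configurations above for the parameters that have to agree before the tunnel will negotiate, and flags the two settings that work but are weak. It embeds the post's configurations as constructed strings reduced to the lines it reads, normalises the vendor spellings (ASA aes-gcm vs IOS aes-gcm-128, aes-192 vs esp-aes 192, sha-256 vs esp-sha256-hmac, subnet masks vs wildcard masks), and checks that the PSKs cross-match, that the ASA tunnel-group and peer are the router's local identity, that the router dials the same address it matches, and that the crypto ACLs mirror each other. The 20-character PSK threshold is an assumption made for this example.

```python
"""Parity and weak-setting check for the post's ASA/IOS IKEv2 crypto-map pair (added example)."""
import ipaddress
import re

# The post's two configurations, reduced to the lines this check reads and embedded as constructed strings.
ASA_CFG = """
crypto ikev2 policy 10
 encryption aes-gcm
 group 5
 prf sha256
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-192
 protocol esp integrity sha-256
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 0 Cisco1234
 ikev2 local-authentication pre-shared-key 0 Cisco1234
access-list R1_VPN extended permit ip 10.20.0.0 255.255.252.0 10.10.0.0 255.255.252.0
crypto map CM 10 set peer 1.1.1.1
"""
IOS_CFG = """
crypto ikev2 proposal PROP
 encryption aes-gcm-128
 prf sha256
 group 5
crypto ipsec transform-set TSET esp-aes 192 esp-sha256-hmac
crypto ikev2 keyring KEYRING
 pre-shared-key local Cisco1234
 pre-shared-key remote Cisco1234
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 2.2.2.1 255.255.255.255
 identity local address 1.1.1.1
ip access-list extended ASA_VPN
 permit ip 10.10.0.0 0.0.3.255 10.20.0.0 0.0.3.255
crypto map CM 10 ipsec-isakmp
 set peer 2.2.2.1
"""


def _grab(pattern, text):
    """First capture group of the first multiline match, or None."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def _flows(cfg):
    """Crypto-ACL lines as (src, dst) networks; ipaddress accepts an ASA subnet mask or an IOS wildcard mask."""
    return {(ipaddress.ip_network(f"{s}/{sm}", strict=False), ipaddress.ip_network(f"{d}/{dm}", strict=False))
            for s, sm, d, dm in re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)}


def parse_asa(cfg):
    enc = _grab(r"^\s*encryption (\S+)", cfg)
    return {
        "ike_enc": "aes-gcm-128" if enc == "aes-gcm" else enc,  # ASA 'aes-gcm' is the 128-bit key size
        "ike_prf": _grab(r"^\s*prf (\S+)", cfg),
        "ike_group": int(_grab(r"^\s*group (\d+)", cfg)),
        "esp_enc": _grab(r"protocol esp encryption (\S+)", cfg),
        "esp_integ": _grab(r"protocol esp integrity (\S+)", cfg),
        "peer": _grab(r"set peer (\S+)", cfg),
        "tg_peer": _grab(r"tunnel-group (\S+) type ipsec-l2l", cfg),
        "psk_local": _grab(r"local-authentication pre-shared-key (?:0 )?(\S+)", cfg),
        "psk_remote": _grab(r"remote-authentication pre-shared-key (?:0 )?(\S+)", cfg),
        "flows": _flows(cfg),
    }


def parse_ios(cfg):
    ts = re.search(r"transform-set \S+ esp-aes (\d+) esp-(\S+)-hmac", cfg)
    return {
        "ike_enc": _grab(r"^\s*encryption (\S+)", cfg),
        "ike_prf": _grab(r"^\s*prf (\S+)", cfg),
        "ike_group": int(_grab(r"^\s*group (\d+)", cfg)),
        "esp_enc": f"aes-{ts.group(1)}",  # IOS 'esp-aes 192' is the ASA's 'aes-192'
        "esp_integ": {"sha": "sha-1"}.get(ts.group(2), ts.group(2).replace("sha", "sha-")),  # esp-sha256-hmac -> sha-256
        "peer": _grab(r"set peer (\S+)", cfg),
        "local_id": _grab(r"identity local address (\S+)", cfg),
        "match_remote": _grab(r"match identity remote address (\S+)", cfg),
        "psk_local": _grab(r"pre-shared-key local (\S+)", cfg),
        "psk_remote": _grab(r"pre-shared-key remote (\S+)", cfg),
        "flows": _flows(cfg),
    }


def check(asa_cfg=ASA_CFG, ios_cfg=IOS_CFG):
    """'MISMATCH' findings stop the tunnel negotiating; 'WARN' findings work but are weak."""
    a, i = parse_asa(asa_cfg), parse_ios(ios_cfg)
    out = [f"MISMATCH {k}: ASA={a[k]} IOS={i[k]}"
           for k in ("ike_enc", "ike_prf", "ike_group", "esp_enc", "esp_integ") if a[k] != i[k]]
    # Each side proves itself with its 'local' key, which the peer must hold as 'remote'.
    if (a["psk_local"], a["psk_remote"]) != (i["psk_remote"], i["psk_local"]):
        out.append("MISMATCH pre-shared keys do not cross-match")
    # ASA tunnel-group and peer must be the router's local IKE identity; the router must
    # dial the same ASA address its profile is willing to match.
    if not (a["peer"] == a["tg_peer"] == i["local_id"]) or i["peer"] != i["match_remote"]:
        out.append(f"MISMATCH peer/identity: ASA {a['tg_peer']}/{a['peer']} vs IOS {i['local_id']}; "
                   f"IOS {i['peer']} vs match {i['match_remote']}")
    # Crypto ACLs are the traffic selectors; they must be exact mirror images.
    if a["flows"] != {(d, s) for s, d in i["flows"]}:
        out.append("MISMATCH crypto ACLs are not mirror images")
    if a["ike_group"] in (1, 2, 5):
        out.append(f"WARN DH group {a['ike_group']} is weak; prefer group 14 or ECDH 19/20/21")
    for side, psk in (("ASA", a["psk_local"]), ("IOS", i["psk_local"])):
        if len(psk) < 20:  # threshold is an assumption made for this example
            out.append(f"WARN {side} PSK is only {len(psk)} characters; use a long random key")
    return out
```

Calling check() with no arguments checks the post's pair: it reports no MISMATCH findings, only the DH group 5 and short-PSK warnings. Passing a modified pair shows how a single slip is caught, for example changing the router's prf sha256 to prf sha1 yields a MISMATCH for ike_prf, and narrowing one wildcard mask in the router's ACL yields the mirror-image finding.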

IOS Router Verification Commands

With a crypto map the tunnel is built on demand: the IKEv2 negotiation starts only when interesting traffic (traffic that matches the crypto ACL) is routed out of the interface the crypto map is applied to, so a freshly configured tunnel shows nothing until the first packet. A ping sourced from an address inside 10.10.0.0/22 towards 10.20.0.0/22 is enough to trigger it. Use the command show crypto map to display the crypto map as applied (IKEv2 profile, peer IP address, transform set and matched ACL).

The command show crypto session detail shows the session state (UP-ACTIVE once both the IKE and IPSec SAs are up) and the packets encrypted/decrypted. For the individual SAs, show crypto ikev2 sa lists the IKE SA with its peer and lifetime, and show crypto ipsec sa lists the IPSec SAs with their proxy identities, SPIs and packet counters, which is where a traffic-selector mismatch shows up.

ASA Firewall Verification Commands

The ASA uses different commands. show vpn-sessiondb detail l2l displays the tunnel with its encryption and integrity algorithms, authentication method (PSK or certificate), connection ID, peer IP address and byte counters. show crypto ikev2 sa and show crypto ipsec sa show the IKE and IPSec SAs respectively; if the IKE SA is present but no IPSec SA follows, compare the crypto ACLs and the ipsec-proposal against the router's transform set.
