IKEv1 and IKEv2 between IOS router and ASA

I recently upgraded the IPSec tunnel running between a customer site and my ASA, which is used for SNMP monitoring. The same customer was also having ADSL2 issues at another site, so a spare ISR G1 (1841) router from my lab was deployed. The problem with the first-generation ISR is that it does not support IKEv2. This post details IKEv1 setup on an 1841 and IKEv2 on an 887VA-M, both terminating on an ASA 5505.

Before we get lost in the configuration and explanation, these are the particulars:

Type   CMAP  Location      Site code  GUA      Private LAN    Password
IKEv2  1     Bitterne      A          1.2.3.4  10.16.0.0/16   secr3t_A-B
             Hythe         B                                  secr3t_B-A
IKEv1  2     Hythe         B          5.6.7.8  10.32.0.0/16   secr3t_B-C
             Christchurch  C
IKEv1  3     Bitterne      A          9.0.1.2  10.48.0.0/16   secr3t_A-C
             Christchurch  C

Some configuration is shared between the two IKE versions; it is listed below:

IOS

!
key config-key password-encrypt
password encryption aes
!
ip nat inside source route-map nonat interface Dialer0 overload
!
route-map nonat permit 10
match ip address nonat-ACL
!

ASA

!
object network network_inside
subnet 10.16.10.0 255.255.255.0
!
object network hythe_network
subnet 10.32.0.0 255.255.0.0
description Hythe supernet
!
nat (inside,outside) source static network_inside network_inside destination static hythe_network hythe_network no-proxy-arp route-lookup
!
access-list VPN-TRAFFIC-A-B extended permit ip 10.16.0.0 255.255.0.0 10.32.0.0 255.255.0.0
access-list VPN-TRAFFIC-A-C extended permit ip 10.16.0.0 255.255.0.0 10.48.0.0 255.255.0.0
!
crypto map CMAP 1 match address VPN-TRAFFIC-A-B
crypto map CMAP 1 set peer 5.6.7.8
crypto map CMAP 3 match address VPN-TRAFFIC-A-C
crypto map CMAP 3 set peer 9.0.1.2
!
crypto map CMAP interface outside
!
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 9.0.1.2 type ipsec-l2l
!

IKEv1

IOS (Christchurch)

!
ip access-list extended nonat-ACL
deny ip 10.48.0.0 0.0.255.255 10.16.0.0 0.0.255.255
permit ip 10.48.0.0 0.0.255.255 any
!
!
ip access-list extended VPN-TRAFFIC-A-C
permit ip 10.48.0.0 0.0.255.255 10.16.0.0 0.0.255.255
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
! the key must match the ASA tunnel-group key exactly (secr3t_A-C in the table above)
crypto isakmp key secr3t_A-C address 1.2.3.4
!
!
crypto ipsec transform-set ikev1_aes256 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map CRYPTO 3 ipsec-isakmp
set peer 1.2.3.4
set transform-set ikev1_aes256
match address VPN-TRAFFIC-A-C
!
interface Dialer0
crypto map CRYPTO
!

ASA (Bitterne)

!
!
crypto ipsec ikev1 transform-set ikev1_aes256 esp-aes-256 esp-sha-hmac
!
crypto map CMAP 3 set ikev1 transform-set ikev1_aes256
!
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
!
! the ipsec-attributes belong to the tunnel-group for the Christchurch peer (9.0.1.2)
tunnel-group 9.0.1.2 ipsec-attributes
ikev1 pre-shared-key secr3t_A-C
!
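A pre-shared key typed differently on the two ends, or a tunnel-group keyed on the wrong peer address, only shows up when the tunnel fails to come up. As an added example (not part of the original post), this Python script pulls the IKEv1 PSKs out of both ends' configuration and checks that they agree for the given peer addresses; the sample configs are constructed from the Christchurch/Bitterne pair above, with the ASA key deliberately misspelled so the check fires.

```python
import re

# Constructed sample: the Christchurch IOS side and the Bitterne ASA side of the
# IKEv1 tunnel, with the ASA key misspelled ("secre3t" instead of "secr3t").
IOS_CFG = """\
crypto isakmp key secr3t-A-C address 1.2.3.4
crypto map CRYPTO 3 ipsec-isakmp
 set peer 1.2.3.4
"""
ASA_CFG = """\
crypto map CMAP 3 set peer 9.0.1.2
tunnel-group 9.0.1.2 type ipsec-l2l
tunnel-group 9.0.1.2 ipsec-attributes
 ikev1 pre-shared-key secre3t-A-C
"""

def ios_ikev1_keys(cfg):
    """Map peer address -> PSK from 'crypto isakmp key <key> address <peer>' lines."""
    return {peer: key for key, peer in
            re.findall(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)}

def asa_ikev1_keys(cfg):
    """Map tunnel-group address -> PSK; the key line follows 'tunnel-group X ipsec-attributes'."""
    keys, group = {}, None
    for line in cfg.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)
            continue
        m = re.match(r"\s*ikev1 pre-shared-key (\S+)", line)
        if m and group:
            keys[group] = m.group(1)
    return keys

def check_ikev1_pair(ios_cfg, ios_wan, asa_cfg, asa_wan):
    """Return a list of problems for the tunnel between an IOS router (WAN address
    ios_wan) and an ASA (WAN address asa_wan). An empty list means the PSKs line up."""
    problems = []
    ios_keys, asa_keys = ios_ikev1_keys(ios_cfg), asa_ikev1_keys(asa_cfg)
    if asa_wan not in ios_keys:
        problems.append(f"IOS has no isakmp key for ASA peer {asa_wan}")
    if ios_wan not in asa_keys:
        problems.append(f"ASA has no tunnel-group PSK for router peer {ios_wan}")
    if asa_wan in ios_keys and ios_wan in asa_keys and ios_keys[asa_wan] != asa_keys[ios_wan]:
        problems.append(f"PSK mismatch: IOS {ios_keys[asa_wan]!r} vs ASA {asa_keys[ios_wan]!r}")
    return problems

if __name__ == "__main__":
    for p in check_ikev1_pair(IOS_CFG, "9.0.1.2", ASA_CFG, "1.2.3.4") or ["OK"]:
        print(p)
```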

IKEv2

IOS (Hythe)

!
! NAT exemption and crypto ACL for Hythe, mirroring VPN-TRAFFIC-A-B on the ASA
! (these ACLs were not shown in the original post; the crypto map below needs them)
ip access-list extended nonat-ACL
deny ip 10.32.0.0 0.0.255.255 10.16.0.0 0.0.255.255
permit ip 10.32.0.0 0.0.255.255 any
!
ip access-list extended VPN-TRAFFIC-A-B
permit ip 10.32.0.0 0.0.255.255 10.16.0.0 0.0.255.255
!
crypto ikev2 proposal ikev2_aes256
encryption aes-cbc-256
integrity sha256
group 20
!
crypto ikev2 policy 1
! the local address is Hythe's own WAN address (5.6.7.8), not the ASA's
match address local 5.6.7.8
proposal ikev2_aes256
!
crypto ikev2 keyring KEYRING
peer Bitterne
address 1.2.3.4
pre-shared-key local secr3t_B-A
pre-shared-key remote secr3t_A-B
!
crypto ikev2 profile ikev2_profile01
match address local 5.6.7.8
match identity remote address 1.2.3.4 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map CMAP 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set ESP-AES-SHA
set pfs group20
set ikev2-profile ikev2_profile01
match address VPN-TRAFFIC-A-B
!
! applied to the WAN interface as on Christchurch (not shown in the original post)
interface Dialer0
crypto map CMAP
!

ASA (Bitterne)

!
crypto ipsec ikev2 ipsec-proposal ikev2_aes256
protocol esp encryption aes-256
protocol esp integrity sha-1
!
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 20
prf sha256
lifetime seconds 43200
!
crypto map CMAP 1 match address VPN-TRAFFIC-A-B
crypto map CMAP 1 set peer 5.6.7.8
crypto map CMAP 1 set ikev2 ipsec-proposal ikev2_aes256
!
crypto ikev2 enable outside
!
tunnel-group 5.6.7.8 ipsec-attributes
ikev2 remote-authentication pre-shared-key secr3t_B-A
ikev2 local-authentication pre-shared-key secr3t_A-B
!
