IPSec VPNs allow multiple entities to communicate securely with each other over an untrusted medium such as the Internet. In the following article and accompanying video I go over how to configure an IPSec VPN with IKEv2 and pre-shared keys using two Cisco ASA Firewalls and a Cisco IOS Router.

VPN Topology

Site A - Cisco ASA 9.9(1)

Interface settings.

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.2 255.255.255.0

Route configuration.

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1

Interface ACL and access-group.

access-list INSIDE_access_in extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list INSIDE_access_in extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-group INSIDE_access_in in interface INSIDE

Phase 1 settings.

crypto ikev2 policy 10
 encryption aes-gcm
 integrity null
 group 5
 prf sha256
 lifetime seconds 86400

Phase 2 settings.

crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-192
 protocol esp integrity sha-256

crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-2
 protocol esp encryption aes-192
 protocol esp integrity sha-256

Group Policy Settings.

group-policy 2.2.2.2 internal
group-policy 2.2.2.2 attributes
 vpn-tunnel-protocol ikev2

group-policy 3.3.3.2 internal
group-policy 3.3.3.2 attributes
 vpn-tunnel-protocol ikev2

Tunnel Group Settings.

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 0 key123
 ikev2 local-authentication pre-shared-key 0 key123
tunnel-group 2.2.2.2 general-attributes
 default-group-policy 2.2.2.2

tunnel-group 3.3.3.2 type ipsec-l2l
tunnel-group 3.3.3.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 0 key123
 ikev2 local-authentication pre-shared-key 0 key123
tunnel-group 3.3.3.2 general-attributes
 default-group-policy 3.3.3.2

Interesting traffic (crypto) ACLs.

access-list VPN-SITE_B-1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-SITE_C-1 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0

Crypto map settings.

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 20 match address VPN-SITE_B-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 20 set peer 2.2.2.2
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 20 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 30 match address VPN-SITE_C-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 30 set peer 3.3.3.2
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 30 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-2

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 interface OUTSIDE

Enable IKEv2 on the interface.

crypto ikev2 enable OUTSIDE

Site B - Cisco IOS 15.6(2)T

Interface settings.

interface GigabitEthernet0/0
 ip address 2.2.2.2 255.255.255.0

Route configuration.

ip route 0.0.0.0 0.0.0.0 2.2.2.1

Phase 1 settings.

crypto ikev2 proposal VPN-PROPOSAL-1
 encryption aes-gcm-128
 prf sha256
 group 5

Phase 2 settings.

crypto ipsec transform-set VPN-TRANSFORM_SET-1 esp-aes 192 esp-sha256-hmac
 mode tunnel

IKEv2 Policy.

crypto ikev2 policy VPN-IKEV2_POLICY-1
 proposal VPN-PROPOSAL-1

Key Ring.

crypto ikev2 keyring VPN-KEYRING-1
 peer SITE_A
 address 1.1.1.2 255.255.255.255
 pre-shared-key local key123
 pre-shared-key remote key123

IKEv2 Profile.

crypto ikev2 profile VPN-IKEV2_PROFILE-1
 match identity remote address 1.1.1.2 255.255.255.255
 identity local address 2.2.2.2
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYRING-1

Interesting traffic (crypto) ACL.

ip access-list extended VPN-SITE_A-1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255

Crypto map.

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set VPN-TRANSFORM_SET-1
 set ikev2-profile VPN-IKEV2_PROFILE-1
 match address VPN-SITE_A-1

Apply crypto map to the interface.

interface GigabitEthernet0/0
 crypto map VPN-OUTSIDE_CRYPTO_MAP-1

Site C - Cisco ASA 9.9(1)

Interface settings.

interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 3.3.3.2 255.255.255.0

Route configuration.

route OUTSIDE 0.0.0.0 0.0.0.0 3.3.3.1

Interface ACL and access-group.

access-list INSIDE_access_in extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-group INSIDE_access_in in interface INSIDE

Phase 1 settings.

crypto ikev2 policy 10
 encryption aes-gcm
 integrity null
 group 5
 prf sha256
 lifetime seconds 86400

Phase 2 settings.

crypto ipsec ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1
 protocol esp encryption aes-192
 protocol esp integrity sha-256

Group Policy Settings.

group-policy 1.1.1.2 internal
group-policy 1.1.1.2 attributes
 vpn-tunnel-protocol ikev2

Tunnel Group Settings.

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 0 key123
 ikev2 local-authentication pre-shared-key 0 key123
tunnel-group 1.1.1.2 general-attributes
 default-group-policy 1.1.1.2

Interesting traffic (crypto) ACL.

access-list VPN-SITE_A-1 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0

Crypto map settings.

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 match address VPN-SITE_A-1
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set peer 1.1.1.2
crypto map VPN-OUTSIDE_CRYPTO_MAP-1 10 set ikev2 ipsec-proposal VPN-IPSEC_PROPOSAL-1

crypto map VPN-OUTSIDE_CRYPTO_MAP-1 interface OUTSIDE

Enable IKEv2 on the interface.

crypto ikev2 enable OUTSIDE
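The most common reason a site-to-site IKEv2 tunnel like the ones above fails to negotiate (or narrows its traffic selectors unexpectedly) is a crypto ACL that is not an exact mirror of the peer's. The following is an added example, not part of the original article: a small Python check that parses the ASA netmask-style and IOS wildcard-style crypto ACLs and reports any entry the far side does not mirror. The sample strings are constructed by copying the crypto ACLs from the three configurations above; it uses only the standard library.

```python
import ipaddress
import re

# Constructed samples: the crypto ACL lines from the Site A (ASA), Site B (IOS)
# and Site C (ASA) configurations above.
SITE_A_ASA = """
access-list VPN-SITE_B-1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN-SITE_C-1 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
"""
SITE_B_IOS = """
ip access-list extended VPN-SITE_A-1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
SITE_C_ASA = """
access-list VPN-SITE_A-1 extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

ASA_ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
IOS_ACL = re.compile(r"^ip access-list extended (\S+)")
IOS_ACE = re.compile(r"^\s+permit ip (\S+) (\S+) (\S+) (\S+)")

def crypto_acl(cfg, name):
    """Return the set of (src, dst) networks permitted by crypto ACL `name`.

    ASA entries carry subnet masks, IOS entries carry wildcard masks;
    ipaddress.ip_network accepts both, so no manual mask inversion is needed."""
    pairs = set()
    for acl, s, sm, d, dm in ASA_ACE.findall(cfg):
        if acl == name:
            pairs.add((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    current = None
    for line in cfg.splitlines():
        m = IOS_ACL.match(line)
        if m:
            current = m.group(1)
            continue
        m = IOS_ACE.match(line)
        if m and current == name:
            s, sw, d, dw = m.groups()
            pairs.add((ipaddress.ip_network(f"{s}/{sw}"), ipaddress.ip_network(f"{d}/{dw}")))
    return pairs

def unmirrored(local_cfg, local_acl, remote_cfg, remote_acl):
    """Entries of the local crypto ACL that the remote crypto ACL does not mirror.

    An empty result in both directions is what you want before bringing a
    tunnel up; anything listed here will show up as a traffic-selector mismatch."""
    remote = {(d, s) for s, d in crypto_acl(remote_cfg, remote_acl)}
    return sorted(p for p in crypto_acl(local_cfg, local_acl) if p not in remote)
```

Run it in both directions for each peer pair (A to B, B to A, A to C, C to A); the check is one-sided by design so that an extra entry on either end is reported.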
