TravelingPacket – A blog of network musings

There are multiple parts to the IPSEC SIte-to-Site VPN config.

– Create access list to specify what will be encrypted

– Create access list to specify what should go over the VPN, and not be natted

– Create Phase 1 (IKE) settings and apply it to the selected interface.

– Create our transformation set (what encryption settings we will use for phase 2).

– Create Phase 2 (ESP) settings otherwise known as a Crypto map.

– Apply Crypto map settings specifying interface.

– Create the tunnel object for peer.

Config:

ASA 1 Core

Create Objects

First create the objects representing what will be found on each side of the VPN.

config t

object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0

object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0

Encryption Access-list

Next I will create the Access list to tell the firewall what to Encrypt

access-list VPN-to-Remote extended permit ip object Local-Subnet Remote-Subnet

Now we need to make sure traffic is not being forwarded out of our WAN interface, and that the firewall knows to send it over the VPN. We do this with a “No-Nat” statement. This is different than what it once was in 8.2 and below. We will specify this with a different kind of nat statement.

No NAT

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet

IKE Settings

Now its time for the VPN settings!

First lets create our IKE settings and enable it on the outside interface.

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Create the IPSEC transformation

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

Crypto MAP (Phase 2)

Now lets create our Crypto map and put it all together.

crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

There are a few optional settings like the lifetime, by default its 28800. In this config I am just making it known that’s what its set on. Also you can set “reverse-route” which will add the route to the remote subnet into the routing table. This way you can push it out in a routing protocol.

We will also need to apply the Crypto map to the interface.

crypto map VPN interface outside

Tunnel Group/PSK

Our last step is to create the tunnel group with our Peer IP/DNS name and set the PSK.

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key presharedkey

Below is the config for the Remote side

config t

object network Local-Subnet
 subnet 10.100.2.0 255.255.255.0

object network Core-Subnet
 subnet 10.100.1.0 255.255.255.0

access-list VPN-to-Remote extended permit ip object Local-Subnet Core-Subnet

nat (inside,outside) source static Local-Subnet Local-Subnet destination static Core-Subnet Core-Subnet

crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto map VPN 10 match address VPN-to-Core
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

crypto map VPN interface outside

tunnel-group 1.1.1.1type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key presharedkey