Networks Training

You are here: Home / Cisco ASA Firewall Configuration / Configuring site-to-site IPSEC VPN on ASA using IKEv2

Configuring site-to-site IPSEC VPN on ASA using IKEv2

Written By

The scenario of configuring site-to-site VPN between two Cisco Adaptive Security Appliances is often used by companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as VPN terminator, supporting a variety of VPN types and protocols.

In this tutorial, we are going to configure a site-to-site VPN using IKEv2. IKEv2 is the new standard for configuring IPSEC VPNs. Although the legacy IKEv1 is widely used in real world networks, it’s good to know how to configure IKEv2 as well since this is usually required in high-security VPN networks (for compliance purposes).

As described in the topology scenario below, a VPN tunnel will be created between ASA1 and ASA2, connecting the two company sites, HQ and Branch1.

Behind each security appliance there is a private LAN network. After configuring the VPN tunnel, the private LAN networks in HQ and Branch1 (two geographically dispersed locations) will be able to communicate over the internet and share resources.

We will refer to the diagram below for this configuration tutorial.

network diagram to configure site to site vpn using IKEv2 protocol

We will start by configuring IP addressing. On ASA1 and ASA2, we will configure the inside interfaces as connected to LAN and the outside interfaces facing the VPN tunnel. In real world networks, the outside interfaces will be on a different subnet and use public IP addressing. Here we will use 10.10.10.0/24 for the outside network just for making things easier.

ASA1

ASA1(config)# interface GigabitEthernet0
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config-if)# interface GigabitEthernet1
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0
ASA1(config-if)# no shutdown

ASA1# show interfaces ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.1.2     YES manual up                    up
GigabitEthernet1           10.10.10.1      YES manual up                    up

ASA2

ASA2(config)# interface GigabitEthernet0
ASA2(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2(config-if)# interface GigabitEthernet1
ASA2(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0
ASA2(config-if)# no shutdown

ASA2# show interfaces ip brief

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0           192.168.2.2     YES manual up                    up
GigabitEthernet1           10.10.10.2      YES manual up                    up

MORE READING:  Configuring IPS Protection and IP Spoofing on Cisco ASA 5500 Firewalls

Next, we will configure the ISAKMP policies with IKEv2. We will first use the crypto ikev2 policy command to enter IKEv2 policy configuration mode, where we will configure the IKEv2 parameters.

In this scenario, we used 3DES encryption with Diffie-Hellman group 2, hash function SHA-1 and an encryption key lifetime of 43200 seconds (12 hours).

ASA1

ASA1(config)# crypto ikev2 policy 1
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# encryption 3des
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 43200

Finally, after the parameters have been set, we will enable IKEv2 on the outside interface

ASA1(config-ikev2-policy)# crypto ikev2 enable outside

ASA2

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# group 2
ASA2(config-ikev2-policy)# encryption 3des
ASA2(config-ikev2-policy)# prf sha
ASA2(config-ikev2-policy)# lifetime seconds 43200
ASA2(config-ikev2-policy)# crypto ikev2 enable outside

Next, we will configure IKEv2 proposal. As opposed to IKEv1, where we configured a transform set that combines the encryption and authentication method, with IKEv2 we can configure multiple encryption and authentication types, and multiple integrity algorithms for a single policy.

For this scenario, we will first enter ipsec proposal configuration mode and there set the parameters.

ASA1

ASA1(config)#crypto ipsec ikev2 ipsec-proposal P1
ASA1(config-ipsec-proposal)#protocol esp encryption 3des aes des
ASA1(config-ipsec-proposal)#protocol esp integrity sha-1

ASA2

The same configuration is applied to ASA2.

ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1

Next we need to identify the VPN interesting traffic with an access list.

ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

The mirror ACL should be configured on ASA2.

ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

The next step is to define a tunnel group. There are two default tunnel groups in the ASA: DefaultRAGroup is the default IPsec remote-access tunnel group and DefaultL2Lgroup is the default IPsec LAN-to-LAN tunnel group.

To establish a LAN-to-LAN connection, two attributes must be set:

–  Connection type – IPsec LAN-to-LAN.

–  Authentication method for the IP – in this scenario we will use preshared key for IKEv2.

The name of the tunnel is the IP address of the peer. IKEv2 preshared key is configured as 32fjsk0392fg.

NOTE: For ikev2 you can have asymmetric pre-shared keys. You can configure a different local and different remote pre-shared key. If you want to have a configuration similar with the legacy ikev1 technology, you need to have the same local and remote pre-shared keys (as we do in our example below)

MORE READING:  New Cisco ASA version 8.4 introduced

ASA1

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

ASA2

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg

Finally, we will create a crypto map linking the access list, the peer and the IKEv2 proposal. We will apply this crypto map to the ASA outside interface.

ASA1

ASA1(config)# crypto map cmap 1 match address ACL1
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA1(config)# crypto map cmap interface outside

ASA2

Similar configuration will be applied to ASA2:

ASA2(config)# crypto map cmap 1 match address ACL2
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1
ASA2(config)# crypto map cmap interface outside

The above concludes the actual IPSEC lan-to-lan configuration. In real world scenarios, the two ASA devices would be connected to the Internet and access from internal users towards the Internet must be provided as well (in addition to the lan-to-lan traffic).

This requirement (i.e internet access for users in each site) necessitates the configuration of NAT rules in order to translate the internal private IP addresses to a public IP. Let’s configure this new requirement below:

Internet Access and NAT Exclusion for VPN traffic

IPSEC VPN traffic does not work with NAT. You must not perform NAT on VPN packets. Therefore, in addition to configuring Internet access (with using NAT overload in our example here), we must also configure NAT exclusion for VPN traffic:

1) Configure NAT Overload (PAT) for Internet Access

ASA1

object network HQ
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface

object network Branch1
subnet 192.168.2.0 255.255.255.0

ASA2

object network Branch1
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface

object network HQ
subnet 192.168.1.0 255.255.255.0

2) Configure NAT Exclusion for VPN Traffic

ASA1

nat (inside,outside) source static HQ HQ destination static Branch1 Branch1 no-proxy-arp route-lookup

ASA2

nat (inside,outside) source static Branch1  Branch1 destination static HQ HQ no-proxy-arp route-looku

Related Posts

Filed Under: Cisco ASA Firewall Configuration

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Michael Paul says

    Nice article, thank you.

    I have purchased 2 of your books and they have been invaluable for the occasional Cisco configurations I have had to do.

    I also have access to an old surplus PIX that I would like to use to set up a VPN between my home and work. Would it be possible to write a tutorial for this. The location where the PIX would be located has a dynamic IP.

    Thanks!

  2. Manoj says

    This is very good article and helping to understand of the VPN configuration with IKE V.2 .

    Thanks a lot…..

  4. BlogAdmin says

    Run the command:

    show crypto ipsec sa

    You should see packets encrypted and decrypted on the output of the above command. This means that VPN tunnel is established and that packets are encrypted inside the tunnel.

  5. Teddy says

    If I want 192.168.1.1 to be able to ping 192.168.2.1, what would be the “route…” command/config on the ASA1. Also vice versa?

  6. BlogAdmin says

    Teddy,

    The route commands on both ASA1 and ASA2 should point to the default gateway of the ASA which is the ISP gateway (in most cases). In our example here, for ASA1:

    “route outside 0.0.0.0 0.0.0.0 10.10.10.2”

    (assuming the default gateway is 10.10.10.2)

  7. Bob C says

    Hello,

    I need to set up a vpn between an ASA and a new AWS account.
    I tested a vpn using your ‘Configuring site-to-site IPSEC VPN on ASA using IKEv2’ using 2 x back to back ASA firewalls, which was successful.
    It was an excellent tutorial, well laid out and easy to understand.
    Can you suggest one of your books or articles that I could purchase, that would cover using an ASA to connect to AWS and also Azure please.

  8. Harris Andrea says

    Hi Bob,

    Unfortunately I haven’t written anything yet regarding configuration of ASA to connect to a cloud service such as AWS or Azure. Sorry I couldn’t help.

  9. Yusuf says

    Hi there,

    Is it possible to run OSPF over the tunnel instead of the default route? it’s possible on IOS Routers.

  10. Harris Andrea says

    OSPF updates can not pass through an IPSEC tunnel. It works only if you have GRE so that’s why maybe you have seen it on ios routers

  11. cq674350529 says

    Hi,
    Thanks for the detailed tutorial.

    I have established the topology in GNS3 emulator and followed the tutorial step by step.
    Since I am not familar with the cisco asa, I have two questions after setuping the devices:
    1) how do I establish the lan-to-lan connections between the two end devices? Actually, what I want is to capture the IKEv2 packets.
    2) I failed to ping Branch1 from HQ after adding route table on both asa devices. When debuging this with packet-tracer in asa, I found it unsuccessful to ping from inside to outside on asa. What else should I do?

    Any advice would be appreciated! Thanks in advance.

  12. Harris Andrea says

    1) to establish the lan-to-lan vpn you must create traffic from a host inside HQ LAN (e.g 192.168.1.1) towards a host inside Branch1 LAN (e.g 192.168.2.1). You must configure two hosts in GNS3 inside these two LANs in order lets say to ping each other.

    2) first make sure that the two ASA can successfully communicate between their outside interfaces. The example configuration does not show how to configure NAT on each ASA so that inside hosts can access outside hosts. You must configure at least PAT on each ASA for this to work.

  13. cq674350529 says

    Hi Harris Andrea
    Thanks for your advice.

    After searching online, by configuring the NAT on both ASA devices, I make it successful to ping each host from the other in GNS3 LANs.

    But I’m afraid the NAT rules I have configured have “conflict” with the lan-to-lan connections.

    Take ASA1 as an example, the nat rules configured are as follows:
    # from inside to outside
    object network inside_1
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic interface
    # from outside to inside
    object network HQ
    host 192.168.1.1
    nat (inside,outside) static 10.10.10.10

    Then, I can ping 10.10.10.10 from 192.168.2.1 in Branch1, since not ping 192.168.1.1 directly.
    If not configure the second nat rule, ping 192.168.1.1 from 192.168.2.1 directly would get no response. Because the packets will only reach to G1 interface on ASA1.

    So what nat rule should be configured to make it possible for packets to go from G1 to G0 on ASA1 in the lan-to-lan situation?

    By the way, I have configured the access-lists to allow any icmp packets.

    Any advice would be appreciated ! Thanks in advance.

  14. cq674350529 says

    Hi Harris Andrea,
    Thanks for your advice.

    After searching online, I made it successful to establish a lan-to-lan connection between two LANs.

    Take the ASA1 as an example, the nat rules configured are as follows:

    object network HQ
    subnet 192.168.1.0 255.255.255.0
    object network Branch1
    subnet 192.168.2.0 255.255.255.0

    nat (inside,outside) source static HQ HQ destination static Branch1 Branch1 no-proxy-arp route-lookup

    Thanks again!

  15. Harris Andrea says

    Thats correct. This is called “NAT Exclusion” for VPN traffic. Basically you exclude lan-to-lan traffic from NAT operation.

  16. HWAN says

    Hi, I have a question.
    I configured ASAs like your post in vmware ESXi.
    But, When I command “show crypto ipsec sa”, prompt display “There are no ipsec sas” message.
    Do I should more command in ASAs?
    Outside interfaces are reachable.
    But Inside to Inside is unreachable.
    I have no clue.
    Plus, I configured inspect icmp in ‘global_policy’ each other.

  17. Harris Andrea says

    Have you configured also some hosts in the two private LAN subnets? Traffic must pass between hosts in the two private subnets.

  20. Hamid Amir says

    Hi Harris Andrea.

    I have cisco asa ikev2 vpn anyconnect configuration, I get vpn connection but no internet connection.
    when I added the command below, I get internet connection. Why I do not get internet connection with
    Ikev2 vpn?
    Can you help?

    group-policy GroupPolicy_remote attributes
    vpn-tunnel-protocol ikev2 ssl-client

  22. CapitanNemo says

    Thanks a lot Harris.

    Question, I have many vpns ikv1 and all woks fine, but I made a ikv2 and does work, phase 1 does not up, I was lokking information with other friends who works and the only diference is this comand:

    I have this

    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client

    My friends have this

    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol ikev1 ****ikv2***** l2tp-ipsec ssl-client ( the ikv2) is the only diference, do you know something?

  23. Harris Andrea says

    Yes, you need to include also the “ikev2” part since you are using both ikev1 and ikev2 in your network.

  24. Eddy Eastridge says

    If you want to see if the tunnel will come up just use the packet trace command the first time you run it you will see deny
    run the command for the second time and you should see the tunnel come up or you will see a wait message.

    You can look online to see what wait messages mean.

    Eddy Eastridge
    CCNP Security

  26. Tyra says

    I’ve followed this tutorial but still can’t seem to ping across. I’ve followed additional steps in the comments to try and bring the tunnel up but nothing seems to be working. I’m using a 192.168.1.0 range on one lan, 10.10.0.0 range for the tunnel, and 192.168.2.0 for the lan on the other end. I’ve checked the pre-shared key, triple checked the access list, attempted to remove the security level for the interfaces incase there was something there blocking it, but all with no luck. I’m running a three node network, however have one LAN currently turned off while trying to get the two main sites to work, so don’t think it’s that.

    Running “sh run ipsec sa” reveals no ipsec sas and in “sh run ipsec stats” everything is zero, no active or previous ipsec tunnels. Any ideas?

  27. Harris Andrea says

    I assume this is a lab setup. Try to configure default route on each ASA (pointing to the IP of the other ASA device).

    Harris

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx