Cisco VPN Lab Series:
Cisco VPN LAB 1 : Simple Easy VPN Example between Routers and Comparison with DMVPN
Cisco VPN LAB 2 : IPSec VPN Example Between Two ASA 8.4.2
Cisco VPN LAB 3 : EZ VPN Between ASA 8.4.2, IOS Router and EZVPN Client Software
Protocols and standards used in IPsec protocol suite:
- ESP (Encapsulation Security Payload)
- AH (Authentication header)
- IKE (Internet Key Exchange) - IKE phase 1 secures the management channel between the peers and is used to set up the VPN data channel
- encryption algorithms (DES,3DES,AES)
- DH (Diffie-Hellman group)
- Hash algorithms (MD5, SHA-1)
- SA (Security association)
- IPsec (IKE phase 2) is used to secure the actual data that needs to be protected.
Topology
Configuration:
1. ASA842-1
asa842-1(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa842-1
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description WAN
nameif WAN
security-level 0
ip address 1.1.1.1 255.255.255.0
!
interface GigabitEthernet1
description LAN
nameif LAN
security-level 100
ip address 11.11.11.11 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
!!! Create an access control list that tells the ASA which traffic is "interesting", that is, the traffic it must encrypt.
!!! To exempt that traffic from NAT, the new NAT syntax is something like "nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN"
access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
pager lines 24
logging enable
logging buffered debugging
mtu WAN 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!!! IKE Phase 2 IPSEC Transform-set
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
!!! Create a "crypto map" to handle "Phase 2" of the VPN tunnel; it will also use 3DES, SHA and PFS.
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.2 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1
!!! Apply that Cryptomap to the outside interface.
crypto map outside_map interface WAN
!!! Enable IKEv1 on WAN Interface
crypto ikev1 enable WAN
!!! Create a policy that defines how "Phase 1" of the VPN tunnel will be established.
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!!! Create a "tunnel group" to tell the firewall that this is a site-to-site ("l2l") VPN tunnel, and set a shared secret that must also be entered at the OTHER end of the tunnel. The tunnel group name must be the peer gateway's IP address.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:4d98c8c61ec98419f0152f3c7193373d
: end
2. ASA842-2
asa842-2(config)# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname asa842-2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description WAN
nameif WAN
security-level 0
ip address 1.1.1.2 255.255.255.0
!
interface GigabitEthernet1
description LAN
nameif LAN
security-level 100
ip address 22.22.22.22 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
access-list 102 extended permit ip host 22.22.22.23 host 11.11.11.12
pager lines 24
mtu WAN 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route WAN 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set myset1
crypto map outside_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:688f0053e33cccccd01e3cacdf9c0fff
: end
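The two configs above only work as a matched pair: the crypto map peer must be the far side's WAN address and have a tunnel-group of that name, the ACLs must mirror each other, and at least one transform set and one IKEv1 policy must agree on both sides. As an added example (not part of the lab page and not a Cisco tool), the following Python script parses the crypto-relevant lines of both configs, reports such mismatches, and flags algorithms below current guidance; note that the page's transform set is esp-des (single DES) with SHA-1 HMAC even though the Phase 2 comment mentions 3DES, and that Phase 1 uses DH group 2. TEMPLATE is condensed from the page's two running configs (only the addresses differ per side); the parser, the check logic and the WEAK_* tables are assumptions of this example.

```python
"""Added example (not from the lab page): cross-check two ASA 8.4 site-to-site configs
for the mismatches that keep an IKEv1 L2L tunnel down, and flag legacy algorithms.
TEMPLATE is condensed from the page's two running configs (only addresses differ per
side); the parser, the checks and the WEAK_* tables are assumptions of this example."""
TEMPLATE = """\
nameif WAN
ip address {me} 255.255.255.0
access-list 102 extended permit ip host {local} host {remote}
crypto ipsec ikev1 transform-set myset1 esp-des esp-sha-hmac
crypto map outside_map 1 match address 102
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {peers}
crypto map outside_map 1 set ikev1 transform-set myset1
crypto map outside_map interface WAN
crypto ikev1 enable WAN
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
tunnel-group {peer} type ipsec-l2l
"""
ASA1 = TEMPLATE.format(me="1.1.1.1", peer="1.1.1.2", peers="1.1.1.2 1.1.1.1", local="11.11.11.12", remote="22.22.22.23")
ASA2 = TEMPLATE.format(me="1.1.1.2", peer="1.1.1.1", peers="1.1.1.1", local="22.22.22.23", remote="11.11.11.12")
# Below current guidance: DES/3DES, MD5, and the 1024-bit-class DH groups 1, 2 and 5.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def _addr(t, i):
    """Consume one ACL address spec ('host A' or 'NET MASK') at t[i]; return ((addr, mask), next index)."""
    if t[i] == "host":
        return (t[i + 1], "255.255.255.255"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_asa(text):
    """Collect interface IPs, ACLs, transform sets, crypto maps, IKEv1 policies and tunnel groups."""
    cfg = {"if_ip": {}, "acl": {}, "ts": {}, "map": {}, "map_if": {}, "ikev1_if": set(), "policy": {}, "tg": {}}
    nameif = policy = None
    for t in (line.split() for line in text.splitlines()):
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif:
            cfg["if_ip"][nameif] = t[2]
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            cfg["acl"].setdefault(t[1], []).append((t[3], t[4], src, _addr(t, i)[0]))
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["ts"][t[4]] = frozenset(t[5:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            cfg["map_if"][t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:
            e = cfg["map"].setdefault((t[2], t[3]), {"acl": None, "pfs": None, "peer": [], "ts": []})
            r = t[4:]
            if r[:2] == ["match", "address"]:
                e["acl"] = r[2]
            elif r[:2] == ["set", "pfs"]:  # a bare 'set pfs' means group2 on the ASA
                e["pfs"] = r[2] if len(r) > 2 else "group2"
            elif r[:2] == ["set", "peer"]:
                e["peer"] = r[2:]
            elif r[:3] == ["set", "ikev1", "transform-set"]:
                e["ts"] = r[3:]
        elif t[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_if"].add(t[3])
        elif t[:3] == ["crypto", "ikev1", "policy"]:
            policy = cfg["policy"].setdefault(t[3], {})
        elif policy is not None and t[0] in ("authentication", "encryption", "hash", "group"):
            policy[t[0]] = t[1]
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tg"][t[1]] = t[3]
    return cfg

def check_pair(a, b):
    """Findings for the tunnel from config a toward config b; run it in both directions."""
    out = []
    for (name, seq), e in a["map"].items():
        tag, wan = f"{name}/{seq}", a["map_if"].get(name)
        if wan not in a["ikev1_if"]:
            out.append(f"{tag}: 'crypto ikev1 enable {wan}' missing")
        peers = [p for p in e["peer"] if p in b["if_ip"].values()]  # peers that really are the far side
        if not peers:
            out.append(f"{tag}: no 'set peer' address belongs to the far side")
        out += [f"{tag}: no 'tunnel-group {p} type ipsec-l2l'" for p in peers if a["tg"].get(p) != "ipsec-l2l"]
        mine = {a["ts"][n] for n in e["ts"] if n in a["ts"]}
        if not mine & set(b["ts"].values()):
            out.append(f"{tag}: no transform set in common with the far side")
        out += [f"{tag}: weak transform {alg}" for ts in mine for alg in sorted(ts & WEAK_ESP)]
        # The far side must hold every local permit entry with source and destination swapped.
        far = {(act, proto, d, s) for lines in b["acl"].values() for act, proto, s, d in lines}
        out += [f"{tag}: ACL entry {l} not mirrored on the far side" for l in a["acl"].get(e["acl"], []) if l not in far]
        if e["pfs"] not in {fe["pfs"] for fe in b["map"].values()}:
            out.append(f"{tag}: PFS setting {e['pfs']} differs from the far side")
    keys = ("authentication", "encryption", "hash", "group")
    match = [p for p in a["policy"].values()
             if any(all(p.get(k) == q.get(k) for k in keys) for q in b["policy"].values())]
    if not match:
        out.append("no IKEv1 phase 1 policy matches the far side")
    out += [f"IKEv1 policy uses legacy {k} {p[k]}" for p in match for k in WEAK_IKE if p.get(k) in WEAK_IKE[k]]
    return out

if __name__ == "__main__":
    for label, x, y in (("asa842-1 -> asa842-2", ASA1, ASA2), ("asa842-2 -> asa842-1", ASA2, ASA1)):
        print(label, check_pair(parse_asa(x), parse_asa(y)) or "OK")
```

Run in both directions, as the main block does: the page's pair produces no mismatch, only the two legacy-algorithm findings (esp-des and DH group 2). Editing one side (for example changing a host in ASA2's ACL or the hash in its IKEv1 policy) makes the corresponding mismatch show up before the tunnel is ever brought up.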
3. Logging and Verification
asa842-1(config)# show crypto ipsec sa
interface: WAN
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list 102 extended permit ip host 11.11.11.12 host 22.22.22.23 log
local ident (addr/mask/prot/port): (11.11.11.12/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (22.22.22.23/255.255.255.255/0/0)
current_peer: 1.1.1.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 1.1.1.2/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 373F0E5C
current inbound spi : 9F4A47B4
inbound esp sas:
spi: 0x9F4A47B4 (2672445364)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28791)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0x373F0E5C (926879324)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28791)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa842-1(config)# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 639 messages logged
Trap logging: disabled
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
1.1.1.2, IP = 1.1.1.2, constructing pfs ke payload
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, constructing proxy ID
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, Transmitting Proxy Id:
Local host: 11.11.11.12 Protocol 0 Port 0
Remote host: 22.22.22.23 Protocol 0 Port 0
%ASA-7-714007: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending Initial Contact
%ASA-7-715046: Group = 1.1.1.2, IP = 1.1.1.2, constructing qm hash payload
%ASA-7-714004: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 1st QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 324
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE RECEIVED Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 296
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing hash payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing SA payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing nonce payload
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ke payload
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, processing ISA_KE for PFS in phase 2
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
11.11.11.12
%ASA-7-715047: Group = 1.1.1.2, IP = 1.1.1.2, processing ID payload
%ASA-7-714011: Group = 1.1.1.2, IP = 1.1.1.2, ID_IPV4_ADDR ID received
22.22.22.23
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, loading all IPSEC SAs
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-7-715001: Group = 1.1.1.2, IP = 1.1.1.2, Generating Quick Mode Key!
%ASA-5-713049: Group = 1.1.1.2, IP = 1.1.1.2, Security negotiation complete for LAN-to-LAN Group (1.1.1.2) Initiator, Inbound SPI = 0x9f4a47b4, Outbound SPI = 0x373f0e5c
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, oakley constructing final quick mode
%ASA-7-714006: Group = 1.1.1.2, IP = 1.1.1.2, IKE Initiator sending 3rd QM pkt: msg id = 7dde16b5
%ASA-7-713236: IP = 1.1.1.2, IKE_DECODE SENDING Message (msgid=7dde16b5) with payloads : HDR + HASH (8) + NONE (0) total length : 76
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x373F0E5C) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715007: Group = 1.1.1.2, IP = 1.1.1.2, IKE got a KEY_ADD msg for SA: SPI = 0x373f0e5c
%ASA-7-746012: user-identity: Add IP-User mapping 1.1.1.2 - LOCAL\1.1.1.2 Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 22.22.22.23 - LOCAL\1.1.1.2 Succeeded - VPN user
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9F4A47B4) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715077: Group = 1.1.1.2, IP = 1.1.1.2, Pitcher: received KEY_UPDATE, spi 0x9f4a47b4
%ASA-7-715080: Group = 1.1.1.2, IP = 1.1.1.2, Starting P2 rekey timer: 24480 seconds.
%ASA-5-713120: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 2 COMPLETED (msgid=7dde16b5)
%ASA-5-752016: IKEv1 was successful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
%ASA-7-752002: Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 1.
%ASA-7-609001: Built local-host LAN:11.11.11.12
%ASA-7-609001: Built local-host WAN:22.22.22.23
%ASA-6-302020: Built outbound ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302020: Built inbound ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-6-302021: Teardown ICMP connection for faddr 22.22.22.23/0(LOCAL\1.1.1.2) gaddr 11.11.11.12/1285 laddr 11.11.11.12/1285
%ASA-7-609002: Teardown local-host WAN:22.22.22.23 duration 0:00:02
%ASA-7-609002: Teardown local-host LAN:11.11.11.12 duration 0:00:02
%ASA-7-111009: User 'enable_15' executed cmd: show crypto ipsec sa
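The syslog above is what a healthy IKEv1 Phase 2 negotiation looks like on the ASA: the proxy IDs, the negotiated SPIs (713049), the SA creation messages (602303), the rekey timer (715080), PHASE 2 COMPLETED (713120) and the tunnel-manager success (752016). As an added example, not from the page, the following Python parser folds such lines into a per-peer tunnel state and audits it: the proxy identities must match the pairs the crypto ACL is expected to produce, each created SA's SPI must match the negotiated one, and an SA deleted after Phase 2 completed is reported as a probable tunnel-down. The sample lines are copied from the page's "sh log" output plus one constructed %ASA-6-602304 deletion line; the regexes, event names and audit rules are assumptions of this example.

```python
"""Added example (not from the lab page): parse ASA IKEv1/IPsec syslog lines into
per-peer tunnel state and audit it. SAMPLE_LOG is taken from the page's 'sh log'
output plus one constructed 602304 (SA deleted) line; the regexes, event names and
audit rules are assumptions made for this example."""
import re

SAMPLE_LOG = """\
%ASA-7-713906: Group = 1.1.1.2, IP = 1.1.1.2, Transmitting Proxy Id:
Local host: 11.11.11.12 Protocol 0 Port 0
Remote host: 22.22.22.23 Protocol 0 Port 0
%ASA-5-713049: Group = 1.1.1.2, IP = 1.1.1.2, Security negotiation complete for LAN-to-LAN Group (1.1.1.2) Initiator, Inbound SPI = 0x9f4a47b4, Outbound SPI = 0x373f0e5c
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x373F0E5C) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x9F4A47B4) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been created.
%ASA-7-715080: Group = 1.1.1.2, IP = 1.1.1.2, Starting P2 rekey timer: 24480 seconds.
%ASA-5-713120: Group = 1.1.1.2, IP = 1.1.1.2, PHASE 2 COMPLETED (msgid=7dde16b5)
%ASA-5-752016: IKEv1 was successful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x373F0E5C) between 1.1.1.1 and 1.1.1.2 (user= 1.1.1.2) has been deleted.
"""
# The last line above is constructed for this example; the others are from the page.

HEADER = re.compile(r"^%ASA-(\d)-(\d{6}): (.*)$")
PEER = re.compile(r"IP = (\S+?),")
SPIS = re.compile(r"Inbound SPI = 0x([0-9a-fA-F]+), Outbound SPI = 0x([0-9a-fA-F]+)")
SA = re.compile(r"An (inbound|outbound) LAN-to-LAN SA \(SPI= 0x([0-9a-fA-F]+)\) between (\S+) and (\S+) .*has been (created|deleted)")
HOST = re.compile(r"^(Local|Remote) host: (\S+) Protocol (\d+) Port (\d+)$")
REKEY = re.compile(r"Starting P2 rekey timer: (\d+) seconds")
MAPTAG = re.compile(r"Map Tag = (\S+)\. Map Sequence Number = (\d+)")

def parse_log(text):
    """Fold ASA IKEv1/IPsec syslog lines into a dict keyed by peer IP."""
    tunnels, current = {}, None

    def state(peer):
        return tunnels.setdefault(peer, {"proxy": {}, "spi": {}, "sa": {}, "phase2": False, "rekey": None, "map": None})

    for line in text.splitlines():
        m = HOST.match(line)  # continuation lines of the 'Transmitting Proxy Id' message
        if m and current:
            state(current)["proxy"][m.group(1).lower()] = (m.group(2), int(m.group(3)), int(m.group(4)))
            continue
        h = HEADER.match(line)
        if not h:
            continue
        msg_id, body = h.group(2), h.group(3)
        p = PEER.search(body)
        if p:
            current = p.group(1)
        if msg_id == "713049" and (s := SPIS.search(body)):
            state(current)["spi"] = {"inbound": s.group(1).lower(), "outbound": s.group(2).lower()}
        elif msg_id in ("602303", "602304") and (s := SA.search(body)):
            direction, spi, _local, remote, action = s.groups()
            current = remote
            state(remote)["sa"][direction] = (spi.lower(), action)  # latest event per direction wins
        elif msg_id == "715080" and (s := REKEY.search(body)):
            state(current)["rekey"] = int(s.group(1))
        elif msg_id == "713120":
            state(current)["phase2"] = True
        elif msg_id == "752016" and (s := MAPTAG.search(body)):
            state(current)["map"] = (s.group(1), int(s.group(2)))
    return tunnels

def audit(tunnels, allowed_proxy):
    """Alerts: proxy IDs outside the expected (local, remote) pairs, SPI disagreements, SAs torn down after Phase 2."""
    alerts = []
    for peer, t in tunnels.items():
        pair = (t["proxy"].get("local", (None,))[0], t["proxy"].get("remote", (None,))[0])
        if t["proxy"] and pair not in allowed_proxy:
            alerts.append(f"{peer}: unexpected proxy identities {pair}")
        for direction, (spi, action) in t["sa"].items():
            if t["spi"].get(direction) not in (None, spi):
                alerts.append(f"{peer}: {direction} SA SPI {spi} differs from negotiated {t['spi'][direction]}")
            if action == "deleted" and t["phase2"]:
                alerts.append(f"{peer}: {direction} SA deleted after Phase 2 completed (tunnel down?)")
    return alerts

if __name__ == "__main__":
    tunnels = parse_log(SAMPLE_LOG)
    print(tunnels)
    print(audit(tunnels, {("11.11.11.12", "22.22.22.23")}))  # the pair access-list 102 should produce
```

The allowed proxy pairs are the (local, remote) hosts from the crypto ACL; feeding the parser the far side's log instead, the expected pair is reversed. On the page's own lines the only alert comes from the constructed deletion, which is exactly the event a NOC would want raised after 752016 reported success.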