Skip to Content

How to Configure IPsec Site to Site VPN Between Cisco ASA?

How to Configure IPsec Site to Site VPN Between Cisco ASA?

There are multiple ways to connect your inter offices using WAN. You can get MPLS, a Dedicated link. Those are the expensive ones, and there is SD-WAN. However, the cheapest and most popular method of connecting two different branch networks is using an IPsec site to site a VPN tunnel. If you have ASA on the edge of your network and planning to connect to another vendor network, you can use IPsec VPN. The only issue with the IPsec VPN is that it is always point to point and doesn’t support full-mesh connectivity.

So if you are planning to build an IPsec connectivity to multiple branches, you need to design the network in a hub and spoke topology. There is more advanced full mesh technology leveraging SD-WAN; however, we are not focusing on that, nor DMVPN.

In this blog article, we will build an IPsec tunnel between two sites using an ASA firewall. After the tunnel is built, we will test the connectivity from both sides and make sure the connectivity looks perfect.

Below is the topology that we will work on, I have two sites with an ASA firewall on edge, which is connected to the internet. We will deploy IPsec between the two sites.

As you can see, From Site1 I tried to ping Site2, and I am not getting any response, which means there is no connectivity between them.

We will be using IPsec IKE version 2 in this tutorial.

Read also,
How to Set Up IPsec Site-to-Site VPN between FortiGate and ASA?
How to Set Up IPsec Site to Site VPN Between ASA and Paloalto?
How to Configure IPsec Site to Site VPN Between PfSense and ASA?
How to Deploy Cisco ASAv in AWS? | Step by Step Guide.

ASA-Site1 IPsec configuration.

1. Enable IKEv2 on the outside interface of ASA.

For IPsec to function on ASA, you have to enable the IKEv2 services on the outside interface of the ASA firewall. By default, all traffic from the outside zone to the inside will be denied, so after enabling IKE service on the external interface, it will listen on port 500 for IPsec connectivity.

configure terminal

crypto ikev2 enable outside

2. Configure the Phase1 policy on ASA.

The IPsec consists of two phases, phase1, and phase2. Phase1 tunnel is the first tunnel created for IPsec through which the IKE key will be created, encrypted, and exchanged between the two different sites. And on the phase2 tunnel, the actual data traffic between the sites will be encrypted.

Configure the IKEv2 policy to define the phase1 parameters.

crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 lifetime seconds 28800
 exit
!

3. Configure Phase2 on ASA.

Here, you need to know the remote gateway’s public routable address, create the tunnel group, and specify the phase2 parameters. We are using a pre-shared key for phase2 authentication, and the key that we will use is getlabsdone123. You may choose a different key. However, all the parameters must match on both sides, except, of course, the public IP address of each end, which will be different.

tunnel-group 2.2.2.2 type ipsec-l2l
crypto ipsec ikev2 ipsec-proposal S1pro
 protocol esp encryption aes
 protocol esp integrity sha-1
 exit
!
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key gelabsdone123
 ikev2 local-authentication pre-shared-key getlabsdone123
 exit
!

4. Define the interesting traffic.

To send the traffic through the ASA tunnel, we need to define the interesting traffic with the help of an access list. So you need to create an Access list that permits the source IP address of site 1, which is 10.1.1.0/24, and the destination Ip address of site 2, which is 10.2.2.0/24.

access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

5. Define the crypto map.

We will create a crypto map by calling all the parameters we mentioned above for the IPsec tunnels.

As you can see, the proposal, access-list 101 we defined above and applying the crypto map to the outside interface of the ASA firewall.

crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set ikev2 ipsec-proposal S1pro
crypto map mymap 10 match address 101
crypto map mymap interface outside
exit

Site 2 ASA IPsec configuration.

Now that we configured the site1 ASA with the IPsec parameters, it’s time for us to create the IPsec on site2.

The configuration is below, and we will paste this into the second ASA. All the parameters on the second ASA are the same except the following.

  • While the first ASA had the peer IP of 2.2.2.2, on the second ASA, the peer IP would be 1.1.1.1.
  • The Accesslist will be the right opposite, meaning the source IP address of the site1 ASA will become site 2 ASA destination IP. Similarly, the destination subnet of Site1 will become the source IP address of Site2.
configure terminal
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 lifetime seconds 28800
 exit
!
tunnel-group 1.1.1.1 type ipsec-l2l
crypto ipsec ikev2 ipsec-proposal Site2prpsl
 protocol esp encryption aes
 protocol esp integrity sha-1
 exit
!
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key getlabsdone123
 ikev2 local-authentication pre-shared-key getlabsdone123
 exit
!
access-list 101 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!
crypto map site2map 10 set peer 1.1.1.1
crypto map site2map 10 set ikev2 ipsec-proposal Site2prpsl
crypto map site2map 10 match address 101
crypto map site2map interface outside
exit

Test the network.

On the end-user machine, you can start initiating the traffic, and if you have followed everything to this point, you should get a response from the remote site.

As you can see, the Ubuntu machine connected to Site1 (10.1.1.10), can reach IP 10.2.2.10.

Similarly, the Debian host connected to site2 (10.2.2.10) can also talk to site 1.

Validate the IPsec connectivity.

We can validate the IPsec connectivity by looking at the phase1 and phase2 status. Sometimes you build the IPsec tunnel, where only phase1 always comes up but not phase2. So below command will come in handy when you are troubleshooting.

To see the phase1 IPsec status, you may issue the command, show iskamp sa.

ASA1 Phase 1 status.

ciscoasa# show isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local          Remote        Status   Role
 15072173 1.1.1.1/500    2.2.2.2/500   READY    INITIATOR
      Encr: AES-CBC, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/262 sec
Child sa: local selector  10.1.1.0/0 - 10.1.1.255/65535
          remote selector 10.2.2.0/0 - 10.2.2.255/65535
          ESP spi in/out: 0x30fc7cd7/0x3dd6957f  
ciscoasa#

ASA 2 Phase 1 status.

iscoasa# show isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 17330927 2.2.2.2/500                                         1.1.1.1/500                                              READY    RESPONDER
      Encr: AES-CBC, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/348 sec
Child sa: local selector  10.2.2.0/0 - 10.2.2.255/65535
          remote selector 10.1.1.0/0 - 10.1.1.255/65535
          ESP spi in/out: 0x3dd6957f/0x30fc7cd7  
ciscoasa#

Similarly to see the phase2 status, you can enter the command show ipsec sa

ASA1 phase2 status.

ASA1 phase2 status.
ciscoasa# show ipsec sa
interface: outside
    Crypto map tag: site1map, seq num: 10, local addr: 1.1.1.1

      access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2

ASA 2 phase2 status.

ciscoasa# show ipsec sa 
interface: outside
    Crypto map tag: site2map, seq num: 10, local addr: 2.2.2.2

      access-list 101 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1