There are multiple ways to connect your inter offices using WAN. You can get MPLS, a Dedicated link. Those are the expensive ones, and there is SD-WAN. However, the cheapest and most popular method of connecting two different branch networks is using an IPsec site to site a VPN tunnel. If you have ASA on the edge of your network and planning to connect to another vendor network, you can use IPsec VPN. The only issue with the IPsec VPN is that it is always point to point and doesn’t support full-mesh connectivity.
So if you are planning to build an IPsec connectivity to multiple branches, you need to design the network in a hub and spoke topology. There is more advanced full mesh technology leveraging SD-WAN; however, we are not focusing on that, nor DMVPN.
In this blog article, we will build an IPsec tunnel between two sites using an ASA firewall. After the tunnel is built, we will test the connectivity from both sides and make sure the connectivity looks perfect.
Below is the topology that we will work on, I have two sites with an ASA firewall on edge, which is connected to the internet. We will deploy IPsec between the two sites.
As you can see, From Site1 I tried to ping Site2, and I am not getting any response, which means there is no connectivity between them.
We will be using IPsec IKE version 2 in this tutorial.
How to Set Up IPsec Site-to-Site VPN between FortiGate and ASA?
How to Set Up IPsec Site to Site VPN Between ASA and Paloalto?
How to Configure IPsec Site to Site VPN Between PfSense and ASA?
How to Deploy Cisco ASAv in AWS? | Step by Step Guide.
ASA-Site1 IPsec configuration.
1. Enable IKEv2 on the outside interface of ASA.
For IPsec to function on ASA, you have to enable the IKEv2 services on the outside interface of the ASA firewall. By default, all traffic from the outside zone to the inside will be denied, so after enabling IKE service on the external interface, it will listen on port 500 for IPsec connectivity.
crypto ikev2 enable outside
2. Configure the Phase1 policy on ASA.
The IPsec consists of two phases, phase1, and phase2. Phase1 tunnel is the first tunnel created for IPsec through which the IKE key will be created, encrypted, and exchanged between the two different sites. And on the phase2 tunnel, the actual data traffic between the sites will be encrypted.
Configure the IKEv2 policy to define the phase1 parameters.
crypto ikev2 policy 10 encryption aes-192 integrity sha group 2 lifetime seconds 28800 exit !
3. Configure Phase2 on ASA.
Here, you need to know the remote gateway’s public routable address, create the tunnel group, and specify the phase2 parameters. We are using a pre-shared key for phase2 authentication, and the key that we will use is getlabsdone123. You may choose a different key. However, all the parameters must match on both sides, except, of course, the public IP address of each end, which will be different.
tunnel-group 18.104.22.168 type ipsec-l2l crypto ipsec ikev2 ipsec-proposal S1pro protocol esp encryption aes protocol esp integrity sha-1 exit ! tunnel-group 22.214.171.124 ipsec-attributes ikev2 remote-authentication pre-shared-key gelabsdone123 ikev2 local-authentication pre-shared-key getlabsdone123 exit !
4. Define the interesting traffic.
To send the traffic through the ASA tunnel, we need to define the interesting traffic with the help of an access list. So you need to create an Access list that permits the source IP address of site 1, which is 10.1.1.0/24, and the destination Ip address of site 2, which is 10.2.2.0/24.
access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
5. Define the crypto map.
We will create a crypto map by calling all the parameters we mentioned above for the IPsec tunnels.
As you can see, the proposal, access-list 101 we defined above and applying the crypto map to the outside interface of the ASA firewall.
crypto map mymap 10 set peer 126.96.36.199 crypto map mymap 10 set ikev2 ipsec-proposal S1pro crypto map mymap 10 match address 101 crypto map mymap interface outside exit
Site 2 ASA IPsec configuration.
Now that we configured the site1 ASA with the IPsec parameters, it’s time for us to create the IPsec on site2.
The configuration is below, and we will paste this into the second ASA. All the parameters on the second ASA are the same except the following.
- While the first ASA had the peer IP of 188.8.131.52, on the second ASA, the peer IP would be 184.108.40.206.
- The Accesslist will be the right opposite, meaning the source IP address of the site1 ASA will become site 2 ASA destination IP. Similarly, the destination subnet of Site1 will become the source IP address of Site2.
configure terminal crypto ikev2 enable outside crypto ikev2 policy 10 encryption aes-192 integrity sha group 2 lifetime seconds 28800 exit ! tunnel-group 220.127.116.11 type ipsec-l2l crypto ipsec ikev2 ipsec-proposal Site2prpsl protocol esp encryption aes protocol esp integrity sha-1 exit ! tunnel-group 18.104.22.168 ipsec-attributes ikev2 remote-authentication pre-shared-key getlabsdone123 ikev2 local-authentication pre-shared-key getlabsdone123 exit ! access-list 101 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 ! crypto map site2map 10 set peer 22.214.171.124 crypto map site2map 10 set ikev2 ipsec-proposal Site2prpsl crypto map site2map 10 match address 101 crypto map site2map interface outside exit
Test the network.
On the end-user machine, you can start initiating the traffic, and if you have followed everything to this point, you should get a response from the remote site.
As you can see, the Ubuntu machine connected to Site1 (10.1.1.10), can reach IP 10.2.2.10.
Similarly, the Debian host connected to site2 (10.2.2.10) can also talk to site 1.
Validate the IPsec connectivity.
We can validate the IPsec connectivity by looking at the phase1 and phase2 status. Sometimes you build the IPsec tunnel, where only phase1 always comes up but not phase2. So below command will come in handy when you are troubleshooting.
To see the phase1 IPsec status, you may issue the command, show iskamp sa.
ASA1 Phase 1 status.
ciscoasa# show isakmp sa There are no IKEv1 SAs IKEv2 SAs: Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1 Tunnel-id Local Remote Status Role 15072173 126.96.36.199/500 188.8.131.52/500 READY INITIATOR Encr: AES-CBC, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 28800/262 sec Child sa: local selector 10.1.1.0/0 - 10.1.1.255/65535 remote selector 10.2.2.0/0 - 10.2.2.255/65535 ESP spi in/out: 0x30fc7cd7/0x3dd6957f ciscoasa#
ASA 2 Phase 1 status.
iscoasa# show isakmp sa There are no IKEv1 SAs IKEv2 SAs: Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1 Tunnel-id Local Remote Status Role 17330927 184.108.40.206/500 220.127.116.11/500 READY RESPONDER Encr: AES-CBC, keysize: 192, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK Life/Active Time: 28800/348 sec Child sa: local selector 10.2.2.0/0 - 10.2.2.255/65535 remote selector 10.1.1.0/0 - 10.1.1.255/65535 ESP spi in/out: 0x3dd6957f/0x30fc7cd7 ciscoasa#
Similarly to see the phase2 status, you can enter the command show ipsec sa
ASA1 phase2 status.
ASA1 phase2 status. ciscoasa# show ipsec sa interface: outside Crypto map tag: site1map, seq num: 10, local addr: 18.104.22.168 access-list 101 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) current_peer: 22.214.171.124
ASA 2 phase2 status.
ciscoasa# show ipsec sa interface: outside Crypto map tag: site2map, seq num: 10, local addr: 126.96.36.199 access-list 101 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0 local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0) current_peer: 188.8.131.52