IPsec Remote Access VPN (ASA 8.4) – Part 1 (Basic)


To be honest, there isn’t much of a change in the configuration of an IPsec Remote Access VPN in ASA 8.3/8.4. There is just a minor change in some of the ‘crypto’ statements wherein you need to specify it as either IKEv1 or IKEv2.

So if you are planning to use the legacy IPsec VPN client (the one with that yellow lock icon), then you need to configure your Remote Access VPN with the IKEv1 option. If you are planning to move to the new AnyConnect VPN client, then you need to configure your Remote Access VPN for IKEv2. AnyConnect does support IPsec VPN; it just requires the corresponding remote access VPN to be configured for IKEv2.

Please note that the ASA can be configured for both IKEv1 and IKEv2 at the same time. Though they use the same UDP port, they are not interoperable with each other, but they run independently on the same interface without any conflict.

This post covers the basic configuration required for running an IKEv1 Remote Access VPN on ASA 8.3/8.4.

Remote Access gateway configuration:-

1. Create the Phase 1 policy. Pre 8.3, this was the ‘crypto isakmp policy’.

crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

2. Set up the Phase 2 parameters. Pre 8.3, this was ‘crypto ipsec transform-set’.

crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac

3. Create an IP pool from which IP addresses will be assigned to the remote clients who are successfully authenticated.

ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248

4. Create a group-policy.

The policy can either be applied to the tunnel-group as the default-group-policy or it can be specifically assigned to a username under its attributes. This is also where the split-tunnel needs to be configured (by default all traffic generated by the remote client is routed to the tunnel – ‘tunnelall’).

access-list split_tunnel_acl standard permit 172.21.1.0 255.255.255.0
!
group-policy ipsec_ra_policy internal
group-policy ipsec_ra_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel_acl

5. Create the tunnel-group to which the users will connect.

Refer to the local pool we created earlier in the general-attributes. Pre 8.3, the pre-shared-key command under the ipsec-attributes did not have ‘ikev1’ appended to it.

tunnel-group ipsec_ra_tunnel type remote-access
tunnel-group ipsec_ra_tunnel general-attributes
 address-pool client_pool
 default-group-policy ipsec_ra_policy
 authentication-server-group LOCAL
tunnel-group ipsec_ra_tunnel ipsec-attributes
 ikev1 pre-shared-key c1sc0

6. Create a Dynamic Crypto Map.

Again, the ‘ikev1’ in ‘set transform-set’ was not appended in earlier versions of the ASA. Reverse-route injection (the ‘set reverse-route’ line) puts a route in the routing table of the ASA for the remote clients’ IP pool and points it to the next hop (show command output shown at the end of the post).

crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
crypto dynamic-map dyn_map 65535 set reverse-route

7. Create a crypto map entry and associate the dynamic map to it.

crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map

8. Apply the crypto map to the outside interface.

crypto map outside_map interface outside

9. Enable IKEv1 on the outside interface. Pre 8.3, ‘ISAKMP’ was enabled on the interface.

crypto ikev1 enable outside

10. Create a username and password in the local database, as the remote clients will be authenticated against LOCAL authentication.

username officeguy password strongpassword

11. Create an Identity NAT, because most probably there will be a Dynamic PAT running on the outside interface that would otherwise translate the traffic. The Identity NAT exempts traffic between your internal network and the remote access VPN client IP pool. Note that the network object for the pool must carry the network address (192.168.1.0/29), not the first pool address, and in 8.3+ a network object is defined with ‘object network’ and ‘subnet’.

object network obj_192.168.1.1_248
 subnet 192.168.1.0 255.255.255.248
!
object network obj_172.21.1.0_24
 subnet 172.21.1.0 255.255.255.0
!
nat (inside,outside) source static obj_172.21.1.0_24 obj_172.21.1.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup
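The pieces above only work when they reference each other correctly, and the most common slip is an Identity NAT object that does not actually cover the client pool (for example, an object built from the pool’s first address instead of its network address). The following is an added example, not part of the original post and not an ASA feature: a small Python audit over a constructed config snippet that derives the pool network from the ‘ip local pool’ mask, verifies that an identity twice-NAT rule covers it, rejects object subnets with host bits set, and flags the weak Phase 1 choices (3DES, SHA-1, DH group 2) used in the walkthrough. Object names and the sample config are assumptions taken from this post.

```python
import ipaddress
import re

# Constructed sample (not the post's text verbatim): the post's IKEv1 remote-access pieces
# with the NAT objects as "object network"/"subnet" and the pool's network address 192.168.1.0/29.
SAMPLE_CONFIG = """
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248
object network obj_172.21.1.0_24
 subnet 172.21.1.0 255.255.255.0
object network obj_192.168.1.1_248
 subnet 192.168.1.0 255.255.255.248
nat (inside,outside) source static obj_172.21.1.0_24 obj_172.21.1.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup
"""
WEAK_PHASE1 = ((r"^ encryption 3des$", "3DES"), (r"^ hash sha$", "SHA-1"), (r"^ group 2$", "DH group 2"))

def parse_objects(cfg):
    """Map 'object network NAME' to its subnet; None when the subnet line is not a network address."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r" subnet (\S+) (\S+)", line)) and cur:
            try:
                objs[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            except ValueError:  # e.g. "subnet 192.168.1.1 255.255.255.248": host bits set
                objs[cur] = None
    return objs

def pool_network(cfg):
    """Derive the client pool's network from the 'ip local pool' start address and mask."""
    name, lo, mask = re.search(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)", cfg).groups()
    return name, ipaddress.ip_network(f"{lo}/{mask}", strict=False)

def audit(cfg):
    findings, objs = [], parse_objects(cfg)
    findings += [f"object {n}: not a network address" for n, v in objs.items() if v is None]
    pool, net = pool_network(cfg)
    nats = re.finditer(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", cfg, re.M)
    identity = [m.group(3) for m in nats if m.group(1) == m.group(2) and m.group(3) == m.group(4)]  # real == mapped
    if not any(objs.get(d) is not None and net.subnet_of(objs[d]) for d in identity):
        findings.append(f"no identity NAT covering client pool {pool} ({net})")
    for pat, msg in WEAK_PHASE1:
        if re.search(pat, cfg, re.M):
            findings.append(f"weak IKEv1 policy: {msg}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a ‘show running-config’ dump to get the list of findings; on the sample it reports only the three weak Phase 1 parameters.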

Client side configuration:-

Connection Entry > New

Enter the username and password created in the local username database.

Verification:-

ASA# show crypto isakmp sa
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.1.1.100
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
There are no IKEv2 SAs

ASA# show route
! output omitted for brevity
C    1.1.1.0 255.255.255.0 is directly connected, outside
C    172.21.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 1.1.1.2, outside

Also check Part 2 of this post which shows some useful commands (although optional) that you can make use of while configuring an IPsec Remote Access VPN.

8 thoughts on “IPsec Remote Access VPN (ASA 8.4) – Part 1 (Basic)”

  1. Hi Shoaib,

    Firstly I would like to thank you for this document, as it has been very useful to me while configuring my remote access VPN on the ASA 8.4.

    However, with the above config the VPN client establishes the connection but is unable to pass any traffic. Here are a few things that I found missing, after which I was able to pass traffic over the VPN tunnel and things worked smoothly.

    Under group policy, a few statements that need to be added for this remote access VPN to work are:

    *********************

    group-policy ipsec_ra_policy internal
    group-policy ipsec_ra_policy attributes
     vpn-tunnel-protocol ikev1
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split_tunnel_acl
     address-pool value client_pool

    *********************

    Another thing that would be required for the remote access VPN to work is a NONAT statement:

    object network obj_192.168.1.1_248
     subnet 192.168.1.0 255.255.255.248

    object network obj_172.21.1.0_24
     subnet 172.21.1.0 255.255.255.0

    nat (inside,outside) source static obj_172.21.1.0_24 obj_172.21.1.0_24 destination static obj_192.168.1.1_248 obj_192.168.1.1_248 no-proxy-arp route-lookup

    So if you can add these things in the above conf this particular topic on your blog would be a complete reference for configuring a remote access VPN on ASA 8.4 :)

    Thanks
    Ajit

  2. Hi Ajit,

    Sorry for the delayed response. I forgot to reply to you and just noticed now that I still hadn’t.

    Using split-tunnel depends on the requirement and varies from case-to-case so I wanted to have that under a separate post. Here’s Part 2 of IPsec Remote Access VPN.
    Regarding the Identity NAT, thanks for bringing that up. Though this was supposed to be a very basic post I do feel I should have added the Identity NAT part in there. The post will be edited soon. Keep visiting.

    Regards,
    Shoaib

  3. Dear Shoaib,
    In your configuration you set up a local pool for the client. I see that you are using the 192.168.1.0 network.
    In your graphic I also see that the internal IP is set to the 172 network.

    As my internal network is set to 192, I am therefore wondering if I then have to set the pool to something other than 192, like the 172 network.

    Which means this line:
    ip local pool client_pool 192.168.1.1-192.168.1.5 mask 255.255.255.248

    Would end up as:
    ip local pool client_pool 172.21.1.1-172.21.1.5 mask 255.255.255.248
    (for instance)

    Or could I set up a pool like 192.168.1.200-192.168.1.205 ?

  4. Hi all, I have an ASA 5545 running 9.1. My VPN users log in successfully but cannot access my LAN resources. Please assist. Thank you in advance; I can email my configs.

  5. Hi Amos,

    Please send a sanitized config if possible. Going by your description of the issue I suspect it could be some missing NAT statements and if sysopt connection permit-vpn is disabled then check for inbound ACLs on the outside interface.

    Regards,
    Shoaib

  6. Is the following correct?
    If sysopt connection permit-vpn is DISABLED,
    in the outside_in ACL you need to permit the VPN client IPs to access the internal network subnet.
