The basic configuration of a Site-to-Site VPN on the ASA stays the same apart from a few commands. The previous post, Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server, shows how to enroll the ASA with a CA and retrieve the certificates that can then be used to authenticate peers in an IPsec/SSL VPN.
Below are the additional, non-standard commands that you do not see in a Site-to-Site VPN config that uses a pre-shared key for authentication: the IKEv1 policy switches to RSA signatures, and the tunnel-group and crypto map are told which trustpoint (certificate) to present.
Configuration:
crypto ikev1 policy 10
 authentication rsa-sig
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 trustpoint CISCO_CA
!
crypto map outside_map 10 set trustpoint CISCO_CA
Verification:
ASA-FW1# show crypto ikev1 sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : rsa             Lifetime: 86400
    Lifetime Remaining: 86128
Debugs:
Jun 26 19:56:01 [IKEv1]IP = 192.168.2.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.2.10 local Proxy Address 1.1.1.1, remote Proxy Address 5.5.5.5, Crypto map (outside_map)
!
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature Len: 128
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature:
0000: 205D3777 CEC0A301 C4FD880F 97821433   ]7w...........3
0010: F6C9A477 C05FC15F 87DC0642 2CD1E358  ...w._._...B,..X
0020: FB53CC3C AF931B91 0DA45AB0 EB3DE37A  .S.<......Z..=.z
0030: 5FECA893 511F347B 07C96214 0B0B6D08  _...Q.4{..b...m.
0040: 367B09DD DF0901C3 6333C72A B97420F7  6{......c3.*.t .
0050: B2F3ED96 15C55FBA 599F0601 CEB022F1  ......_.Y.....".
0060: FD19D17B 746454F9 EC567FDC BA39A70E  ...{tdT..V...9..
0070: 06B8DB3F 01D4CB76 7674D851 3419793E  ...?...vvt.Q4.y>
!
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
!
Jun 26 19:56:02 [IKEv1 DECODE]Dump of received Signature, len 128:
0000: 29D5A373 16A65012 E8A87327 1445DDE4  )..s..P...s'.E..
0010: 88A6A43C B70880F2 DF164433 E485D367  ...<......D3...g
0020: DF28A9AB 8E89BDF2 1CDA5803 3C322BE1  .(........X.<2+.
0030: ABB02B07 7579C106 EDF7C9AE 0D02730D  ..+.uy........s.
0040: 3C6AD637 31FA9A46 33B1FDA8 CD22A045  <j.71..F3....".E
0050: 2A65D863 8AFE4748 F3DC5D76 A7C9BE83  *e.c..GH..]v....
0060: 1026D4B9 36570FC2 BCB98F67 96B5CBD2  .&..6W.....g....
0070: B8DC76A8 91378741 F64B9DFA 0508884F  ..v..7.A.K.....O
!
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via OU...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, No Group found by matching OU(s) from ID payload: Unknown
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via IKE ID...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, No Group found by matching OU(s) from ID payload: Unknown
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via IP ADDR...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10
!
Jun 26 19:56:03 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
!
Jun 26 19:56:03 [IKEv1]IP = 192.168.2.10, Keep-alive type for this connection: DPD
Jun 26 19:56:03 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Starting P1 rekey timer: 73440 seconds.
Jun 26 19:56:03 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, IKE got SPI from key engine: SPI = 0x2cf83ef7
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, constructing pfs ke payload
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, constructing proxy ID
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Transmitting Proxy Id:
  Local host:  1.1.1.1  Protocol 0  Port 0
  Remote host: 5.5.5.5  Protocol 0  Port 0
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, NP encrypt rule look up for crypto map outside_map 10 matching ACL crypto_acl_1: returned cs_id=bc1b6bd0; rule=bc4226a8
!
Jun 26 19:56:04 [IKEv1 DEBUG]Group = 192.168.2.10, IP = 192.168.2.10, Starting P2 rekey timer: 24479 seconds.
Jun 26 19:56:04 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=23e666c4)
Notes:-
- The signatures have been constructed and received: the ASA builds its own 128-byte RSA signature, receives the peer's signature, and Phase 1 completes with Auth showing rsa rather than preshared.
- The tunnel-group lookup falls through OU and IKE ID (no match in the certificate's ID payload) before landing on the tunnel-group named after the peer's IP address, 192.168.2.10.
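To make the verification above repeatable, here is an added Python example (not code from the original post and not a Cisco tool) that parses the `show crypto ikev1 sa detail` output and the IKEv1 debug lines into structured fields, confirms the SA was authenticated with RSA signatures and reached MM_ACTIVE, reports which tunnel-group the connection landed on, and flags the 3DES/MD5 algorithms seen in the output as weak. The two sample strings are trimmed copies of the post's own output; the weak-algorithm sets and the field names are the script's own assumptions.

```python
"""Parse Cisco ASA 'show crypto ikev1 sa detail' output and IKEv1 debug lines
to confirm a site-to-site tunnel was authenticated with RSA signatures.
Added example; sample text below is constructed from the post's output."""
import re
from typing import Dict, List

# Constructed from the post's 'show crypto ikev1 sa detail' output.
SAMPLE_SHOW = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : rsa             Lifetime: 86400
    Lifetime Remaining: 86128
"""

# Constructed from the post's debug output (hex signature dumps omitted).
SAMPLE_DEBUG = """\
Jun 26 19:56:02 [IKEv1 DECODE]Constructed Signature Len: 128
Jun 26 19:56:02 [IKEv1 DECODE]Dump of received Signature, len 128:
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via OU...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, No Group found by matching OU(s) from ID payload: Unknown
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Trying to find group via IP ADDR...
Jun 26 19:56:02 [IKEv1]IP = 192.168.2.10, Connection landed on tunnel_group 192.168.2.10
Jun 26 19:56:03 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 1 COMPLETED
Jun 26 19:56:04 [IKEv1]Group = 192.168.2.10, IP = 192.168.2.10, PHASE 2 COMPLETED (msgid=23e666c4)
"""

# "Key : value" pairs; the show output puts two pairs on one line.
KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(\S+)")
# Assumed policy: algorithms we consider weak for a new tunnel.
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}

DEBUG_PATTERNS = {
    "constructed_sig_len": re.compile(r"Constructed Signature Len: (\d+)"),
    "received_sig_len": re.compile(r"Dump of received Signature, len (\d+)"),
    "tunnel_group": re.compile(r"Connection landed on tunnel_group (\S+)"),
    "phase1": re.compile(r"PHASE 1 COMPLETED"),
    "phase2": re.compile(r"PHASE 2 COMPLETED"),
}


def parse_ikev1_sas(text: str) -> List[Dict[str, str]]:
    """Return one dict of attributes per IKE SA listed in the show output."""
    sas: List[Dict[str, str]] = []
    for line in text.splitlines():
        pairs = KV_RE.findall(line)
        if not pairs:
            continue
        if pairs[0][0] == "IKE Peer":          # a new SA entry starts here
            sas.append({"IKE Peer": pairs[0][1]})
            pairs = pairs[1:]
        if not sas:
            continue                           # summary lines before any SA
        for key, value in pairs:
            sas[-1][key.strip()] = value
    return sas


def check_sa(sa: Dict[str, str]) -> List[str]:
    """Return findings for one SA; an empty list means it looks as expected."""
    peer = sa.get("IKE Peer", "?")
    findings: List[str] = []
    if sa.get("Auth", "").lower() != "rsa":
        findings.append(f"{peer}: auth is {sa.get('Auth')}, expected rsa (certificate)")
    if sa.get("State") != "MM_ACTIVE":
        findings.append(f"{peer}: state {sa.get('State')}, Phase 1 not established")
    if sa.get("Encrypt", "").lower() in WEAK_ENCRYPT:
        findings.append(f"{peer}: weak encryption {sa['Encrypt']}")
    if sa.get("Hash", "").lower() in WEAK_HASH:
        findings.append(f"{peer}: weak hash {sa['Hash']}")
    return findings


def summarize_debug(text: str) -> Dict[str, object]:
    """Pull signature lengths, tunnel-group landing and phase completion from debugs."""
    summary: Dict[str, object] = {"phase1": False, "phase2": False}
    for line in text.splitlines():
        for name, pattern in DEBUG_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else True
            summary[name] = int(value) if isinstance(value, str) and value.isdigit() else value
    return summary


if __name__ == "__main__":
    for sa in parse_ikev1_sas(SAMPLE_SHOW):
        print(sa["IKE Peer"], "auth =", sa.get("Auth"), "findings:", check_sa(sa) or "none")
    print(summarize_debug(SAMPLE_DEBUG))
```

Run against the post's output, the script reports Auth rsa and MM_ACTIVE for 192.168.2.10 with two findings (3DES and MD5), and a debug summary showing a 128-byte signature constructed and received, the connection landing on tunnel_group 192.168.2.10, and both phases completed. Feed it the output of a PSK tunnel and the Auth check fires instead.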
Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/