Site-to-Site VPN tunnel with dynamic peer IP address | example with PSK and PKI (CCIE Notes)


PSK (Pre-Shared Key)

ASA (Static IP side has the ‘dynamic’ configuration):

crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set ESP-DES esp-des esp-sha-hmac
!
access-list crypto_acl_10 extended permit ip host 1.1.1.1 host 2.2.2.2
!
crypto dynamic-map MARKETING_VPN 10 match address crypto_acl_10
crypto dynamic-map MARKETING_VPN 10 set ikev1 transform-set ESP-DES
crypto dynamic-map MARKETING_VPN 10 set reverse-route
!
crypto map out_map 10 ipsec-isakmp dynamic MARKETING_VPN
crypto map out_map interface outside
crypto ikev1 enable outside
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123

Notes:

  • All phase 2 parameters need to be defined under the dynamic-map.
  • The DefaultL2LGroup tunnel-group holds the pre-shared key used by dynamic peers, since the ASA cannot match them to a tunnel-group by IP address.
  • Traffic cannot be initiated from the static side of the VPN tunnel (the ASA does not know the peer address until the peer connects).

IOS (Dynamic IP side has the ‘static’ configuration):

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-DES esp-des esp-sha-hmac
 mode tunnel
!
access-list 110 permit ip host 2.2.2.2 host 1.1.1.1
!
crypto map out_map 10 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ESP-DES
 match address 110
!
crypto isakmp key cisco123 address 10.1.1.1

Notes:

  • No difference in configuration from a regular Site-to-Site VPN.
  • Traffic can only be initiated from the dynamic side of the VPN tunnel.
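As an added example (not part of the original notes), a small Python checker that parses the two sides of the PSK pair above and reports the mismatches that would stop them negotiating: differing phase 1 policies, no common transform-set, crypto ACLs that are not mirror images and, for the PKI variant further down, a certificate OU that does not match the ASA certificate map. The config strings are constructed from the notes and all function names are my own.

```python
import re
# Constructed sample: the PSK pair from the notes (dynamic-map/crypto-map lines omitted, they are not parsed).
ASA_CFG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto ipsec ikev1 transform-set ESP-DES esp-des esp-sha-hmac
access-list crypto_acl_10 extended permit ip host 1.1.1.1 host 2.2.2.2
"""
IOS_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto ipsec transform-set ESP-DES esp-des esp-sha-hmac
access-list 110 permit ip host 2.2.2.2 host 1.1.1.1
"""
def phase1(cfg):
    """Authentication/encryption/hash/group of the first IKE policy (ASA 'ikev1' or IOS 'isakmp')."""
    block = re.search(r"^crypto (?:ikev1|isakmp) policy \d+\n((?: .*\n)+)", cfg, re.M).group(1)
    return dict(re.findall(r"^ (authentication|encryption|hash|group) (\S+)", block, re.M))

def transform_sets(cfg):
    """Map transform-set name -> ESP transforms; names may differ per peer, the transforms must not."""
    pat = r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$"
    return {name: tuple(rest.split()) for name, rest in re.findall(pat, cfg, re.M)}

def proxy_ids(cfg):
    """(src, dst) host pairs from the crypto ACLs, ASA 'extended' or IOS numbered form."""
    return set(re.findall(r"^access-list \S+ (?:extended )?permit ip host (\S+) host (\S+)", cfg, re.M))

def cert_ou(asa, ios):
    """OU the ASA certificate map expects vs. the OU the IOS trustpoint enrols with (None if absent)."""
    want = re.search(r"subject-name attr ou eq (\S+)", asa)
    have = re.search(r"subject-name .*?OU=([^,\s]+)", ios)
    return (want and want.group(1), have and have.group(1))

def check_pair(asa, ios):
    """Mismatches that would stop the static (ASA) and dynamic (IOS) peers from negotiating."""
    want, have = cert_ou(asa, ios)
    checks = [
        (phase1(asa) != phase1(ios), "phase 1 policy mismatch"),
        (not set(transform_sets(asa).values()) & set(transform_sets(ios).values()), "no common phase 2 transform-set"),
        ({(d, s) for s, d in proxy_ids(ios)} != proxy_ids(asa), "crypto ACLs are not mirror images"),
        (bool(want) and want != have, "certificate OU does not match the ASA certificate map"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run `check_pair` against show-run output of both peers before bringing the tunnel up; an empty list means the parameters this script understands agree.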

PKI (Public Key Infrastructure/Certificates)

ASA (Static IP side has the ‘dynamic’ configuration):

crypto ikev1 policy 20
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set ESP-3DES esp-3des esp-md5-hmac
!
! trustpoint referenced by the tunnel-group below; the enrollment URL is assumed to be the same CA the IOS side uses
crypto ca trustpoint CISCO_CA
 enrollment url http://3.3.3.3:80
!
access-list crypto_acl_20 extended permit ip host 1.1.1.1 host 5.5.5.5
!
crypto dynamic-map dyn_map 20 match address crypto_acl_20
crypto dynamic-map dyn_map 20 set pfs
crypto dynamic-map dyn_map 20 set ikev1 transform-set ESP-3DES
crypto dynamic-map dyn_map 20 set reverse-route
!
crypto map out_map 10 ipsec-isakmp dynamic dyn_map
crypto map out_map interface outside
crypto ikev1 enable outside
!
tunnel-group SALES_GROUP type ipsec-l2l
tunnel-group SALES_GROUP ipsec-attributes
 peer-id-validate nocheck
 ikev1 trust-point CISCO_CA
!
crypto ca certificate map CERT_MAP_SALES 10
 subject-name attr ou eq sales_vpn
!
tunnel-group-map enable rules
tunnel-group-map CERT_MAP_SALES 10 SALES_GROUP

Notes:

  • Refer to the trustpoint in the tunnel-group only (not in the crypto map, in this case).
  • Create a dynamic crypto map and refer to it from the crypto map applied on the egress interface.
  • tunnel-group-map maps a certificate map to a tunnel-group.

Defaults:

  • The ASA uses the OU in the peer certificate to select the matching tunnel-group; the same can be achieved with certificate maps.
  • No certificate maps are associated with any tunnel-group.
  • The ASA matches on OU, IKE-ID and peer IP address, as these rules are enabled by default.

IOS (Dynamic IP side has the ‘static’ configuration):

crypto pki trustpoint CISCO_CA
 enrollment url http://3.3.3.3:80
 usage ike
 fqdn R1.networkology.net
 subject-name CN=R5, C=IN, OU=sales_vpn
!
! IOS uses 'crypto isakmp policy' (the 'crypto ikev1 policy' form is ASA syntax)
crypto isakmp policy 20
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
!
! mirror image of crypto_acl_20 on the ASA (1.1.1.1 <-> 5.5.5.5)
access-list 120 permit ip host 5.5.5.5 host 1.1.1.1
!
crypto map out_map 20 ipsec-isakmp
 set peer 10.1.1.1
 set transform-set ESP-3DES
 set pfs group2
 match address 120

Notes:

  • When enrolling for the certificate, make sure the subject-name carries the values the peer expects to see in the certificate (here the OU). This ensures the correct tunnel-group is selected, either through the ASA's default behaviour of looking up the OU or, if certificate maps with specific rules are defined, through those rules.

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/ccie-security/

 
