VPN will allow connectivity between two LAN networks (LAN-1 and LAN-2). With a site-to-site IPsec VPN between the two devices, we can establish a secure tunnel over the internet and pass our private LAN traffic inside this tunnel.
How IPsec Works
There are five main steps followed by the IPsec devices:
- Interesting Traffic: the IPsec devices recognize the traffic to protect.
- Phase 1 (ISAKMP): the IPsec devices negotiate an IKE security policy and establish a secure channel for communication.
- Phase 2 (IPsec): the IPsec devices negotiate an IPsec security policy to protect data.
- Data Transfer: data is transferred securely between the IPsec peers based on the IPsec parameters and keys negotiated during the previous phases.
- IPsec Tunnel Terminated: IPsec SAs terminate when they time out or a certain data volume is reached.
Let's work on the ASA on the left side first.
First, configure the interfaces on the ASA.
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# ip address 100.100.100.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)#
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# exit
ciscoasa(config)#
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# switchport access vlan 2
Configure the interesting traffic.
ciscoasa(config)# access-list LAN1-TO-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
//Traffic matched by this crypto ACL is the traffic that will be encrypted
ciscoasa(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list NONAT
//Because the crypto ACL is matched against post-NAT addresses, translated traffic would no longer match it, so the interesting traffic must be excluded from the NAT operation.
//This means the interesting traffic in the crypto ACL must not be translated, which is what the nat 0 (NAT exemption) command achieves
Configure Phase 1 (ISAKMP)
Phase 1 of the IPsec operation establishes a secure communication channel for further data transmission. In Phase 1, the VPN peers derive shared secret keys, authenticate each other and negotiate the IKE security policy.
ciscoasa(config)# isakmp policy "priority number"
ciscoasa(config-isakmp-policy)# encryption (aes|3des|des)
ciscoasa(config-isakmp-policy)# hash (sha|md5)
ciscoasa(config-isakmp-policy)# authentication (pre-share|rsa-sig)
ciscoasa(config-isakmp-policy)# group (1|2|5|7)
ciscoasa(config-isakmp-policy)# lifetime "seconds"
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# isakmp enable "interface-name"
ciscoasa(config)# isakmp identity address << identifies the ASA by its IP address rather than its FQDN
//Specify the pre-shared key and the type of the VPN using the tunnel-group command
ciscoasa(config)# tunnel-group "peer IP address" type (ipsec-l2l|ipsec-ra|webvpn)
ciscoasa(config)# tunnel-group "peer IP address" ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key "key"
The following is an example of the configuration:
ciscoasa(config)# isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 3600
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# isakmp enable outside
ciscoasa(config)# isakmp identity address
ciscoasa(config)# tunnel-group 200.200.200.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 200.200.200.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key SUPERSTRONGVPNPASSWORD
//For an ipsec-l2l tunnel group using a pre-shared key, the group name must be the peer's IP address (200.200.200.1 here), not an arbitrary label
Configure Phase 2 (IPsec)
Configure the Transform-set and Crypto Map
Phase 2 covers:
- Negotiation of IPsec security parameters and IPsec transform sets
- Establishment of IPsec SAs
- Periodic renegotiation of IPsec SAs to ensure security
Transform set format on CLI:
ciscoasa(config)# crypto ipsec transform-set "name" "transform1" "transform2"
After configuring the transform set on both IPsec peers, we need to configure a crypto map which contains all Phase 2 IPsec parameters. This crypto map is then attached to the firewall interface (usually "outside") on which the IPsec tunnel will be established.
ciscoasa(config)# crypto map "name" "seq-num" match address "Crypto-ACL"
ciscoasa(config)# crypto map "name" "seq-num" set peer "Peer_IP_address"
ciscoasa(config)# crypto map "name" "seq-num" set transform-set "Transform_set_name"
ciscoasa(config)# crypto map "name" "seq-num" set security-association lifetime seconds {seconds}
ciscoasa(config)# crypto map "name" interface "interface-name"
The following is an example of the configuration:
ciscoasa(config)# crypto ipsec transform-set LEFTASASIDE esp-aes-192 esp-sha-hmac
ciscoasa(config)# crypto map LEFTASAVPN 20 match address LAN1-TO-LAN2
ciscoasa(config)# crypto map LEFTASAVPN 20 set peer 200.200.200.1
ciscoasa(config)# crypto map LEFTASAVPN 20 set transform-set LEFTASASIDE
ciscoasa(config)# crypto map LEFTASAVPN 20 set security-association lifetime seconds 36000
ciscoasa(config)# crypto map LEFTASAVPN interface outside
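The pieces configured above (crypto ACL, NAT exemption, tunnel-group, transform set, crypto map) only work when they agree with each other. The following is an added example, not part of the original post, that reads a pasted ASA site-to-site configuration and reports the mismatches that most often keep the tunnel from coming up; the sample config, the function names and the assumption of an IKEv1 pre-shared-key tunnel are mine.

```python
import re

# Constructed sample: the left-side ASA commands from the walkthrough (tunnel-group named after the peer IP).
LEFT_ASA = """\
access-list LAN1-TO-LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
tunnel-group 200.200.200.1 type ipsec-l2l
crypto ipsec transform-set LEFTASASIDE esp-aes-192 esp-sha-hmac
crypto map LEFTASAVPN 20 match address LAN1-TO-LAN2
crypto map LEFTASAVPN 20 set peer 200.200.200.1
crypto map LEFTASAVPN 20 set transform-set LEFTASASIDE
crypto map LEFTASAVPN interface outside
"""

ACL = re.compile(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)")
CMAP = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")

def parse(cfg):
    """Collect the parts of a site-to-site config that have to agree with each other."""
    acls, nonat, tsets, tgs, entries = {}, set(), set(), set(), {}
    for ln in cfg.splitlines():
        if m := ACL.match(ln):
            acls.setdefault(m[1], set()).add((m[2], m[3]))        # ACL name -> {(src, dst)}
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", ln):
            nonat.add(m[1])                                       # ACLs exempted from NAT
        elif m := re.match(r"crypto ipsec transform-set (\S+)", ln):
            tsets.add(m[1])                                       # defined transform sets
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", ln):
            tgs.add(m[1])                                         # L2L group name == peer IP
        elif m := CMAP.match(ln):
            entries.setdefault((m[1], m[2]), {})[m[3]] = m[4]     # (map, seq) -> settings
    return acls, nonat, tsets, tgs, entries

def audit(cfg):
    """Return the mismatches that would keep the tunnel from coming up (empty list = consistent)."""
    acls, nonat, tsets, tgs, entries = parse(cfg)
    problems = []
    for (name, seq), e in entries.items():
        tag, acl = f"crypto map {name} {seq}", e.get("match address")
        if acl not in acls:
            problems.append(f"{tag}: crypto ACL {acl} is not defined")
        elif not any(acls[acl] <= acls.get(n, set()) for n in nonat):   # every crypto flow must be NAT-exempt
            problems.append(f"{tag}: traffic in {acl} is not exempted from NAT (nat 0)")
        if e.get("set peer") not in tgs:
            problems.append(f"{tag}: no 'tunnel-group {e.get('set peer')} type ipsec-l2l'")
        if e.get("set transform-set") not in tsets:
            problems.append(f"{tag}: transform-set {e.get('set transform-set')} is not defined")
    return problems
```

Running `audit` on a config whose tunnel-group is named RIGHT_SIDE_ASA instead of the peer address, or that lacks the nat 0 exemption, lists exactly those two faults.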