IKEV1 IPSEC VPN between 2 ASA's

As mentioned in a previous POST IPSEC VPN's are used to ensure that data that is being transmitted over the public network between devices that are geographically apart from each other is keept private and secure.

On the following topology, the client that is on the 192.168.10.0/24 network wants to access the webserver that is on the 192.168.20.0/24 over the network 10.0.0.0/8 which represents the public network.


The configuration of a VPN can be done in the following steps:

- Configure an ACL to identify the traffic that is being sent over the VPN

- Configure IKEV1 or 2 phase 1

- Configure IKEV1 or 2 phase 2

- Configure tunnel group

- Configure a Crypto map and assign it the outside interface

ASA1: ACL configuration.
ASA1(config)#access-list L2L extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA1: IKEV1 phase 1 configuration.
ASA1(config)#crypto ikev1 policy 10
ASA1(config-ikev1-policy)#authentication pre-share
ASA1(config-ikev1-policy)#encryption aes
ASA1(config-ikev1-policy)#hash sha
ASA1(config-ikev1-policy)#group 2
ASA1(config-ikev1-policy)#lifetime 8600
ASA1(config-ikev1-policy)#exit
ASA1(config)#crypto ikev1 enable outside
ASA1: IKEV1 phase 2 configuration.
ASA1(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA1: tunnel group configuration.
ASA1(config)#tunnel-group 10.2.2.254 type ipsec-l2l
ASA1(config)#tunnel-group 10.2.2.254 ipsec-attributes
ASA1(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA1: Crypto Map configuration.
ASA1(config)#crypto map THISMAP 10 match address L2L
ASA1(config)#crypto map THISMAP 10 set peer 10.2.2.254
ASA1(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC
ASA1(config)#crypto map THISMAP interface outside
ASA2: ACL configuration.
ASA2(config)#access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA2: IKEV1 phase 1 configuration.
ASA2(config)#crypto ikev1 policy 10
ASA2(config-ikev1-policy)#authentication pre-share
ASA2(config-ikev1-policy)#encryption aes
ASA2(config-ikev1-policy)#hash sha
ASA2(config-ikev1-policy)#group 2
ASA2(config-ikev1-policy)#lifetime 8600
ASA2(config-ikev1-policy)#exit
ASA2(config)#crypto ikev1 enable outside
ASA2: IKEV1 phase 2 configuration.
ASA2(config)#crypto ipsec ikev1 transform-set DATAENC esp-aes esp-sha-hmac
ASA2: tunnel group configuration.
ASA2(config)#tunnel-group 10.1.1.254 type ipsec-l2l
ASA2(config)#tunnel-group 10.1.1.254 ipsec-attributes
ASA2(config-tunnel-ipsec)#ikev1 pre-shared-key ciscokey
ASA2: Crypto Map configuration.
ASA2(config)#crypto map THISMAP 10 match address L2L
ASA2(config)#crypto map THISMAP 10 set peer 10.1.1.254
ASA2(config)#crypto map THISMAP 10 set ikev1 transform-set DATAENC
ASA2(config)#crypto map THISMAP interface outside

1 comment: