Posted by Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! · 1 year ago

A Tale of Two VPNs

Since I still have my ASA lab up, let's play with two types of VPNs.

Here is tonight's topology

Site to Site VPN


A site-to-site VPN uses an ACL to match the traffic that is going to be encrypted.

R01(config)#ip access-list extended VPN_R01_TO_ASA01
R01(config-ext-nacl)# permit ip

For the phase 1 settings we'll use 3DES encryption, SHA1 hash, and DH group 2. We'll also use pre-shared keys for authentication.

R01(config)#crypto isakmp policy 100
R01(config-isakmp)# encr 3des
R01(config-isakmp)# hash sha
R01(config-isakmp)# authentication pre-share
R01(config-isakmp)# group 2

We'll use 3DES and SHA1 for phase 2 as well.

R01(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

Next we set a pre-shared key for ASA01's WAN IP address.

R01(config)#crypto isakmp key meowcat address

Now that all the pieces are configured, we need to make a crypto map to tie everything together. The reverse-route is a handy feature that generates a static route for the VPN so we can redistribute it into other routing protocols.

R01(config)#crypto map VPN 100 ipsec-isakmp 
R01(config-crypto-map)# set peer
R01(config-crypto-map)# set transform-set ESP-3DES-SHA 
R01(config-crypto-map)# set pfs group2
R01(config-crypto-map)# set reverse-route tag 100

Lastly we enable the VPN on our outside interface.

R01(config)#int g0/1.1254
R01(config-subif)#crypto map VPN


The ASA follows similar logic: we make an ACL that matches the VPN traffic.

ASA01(config)# access-list VPN_ASA01_TO_R01 extended permit ip 

Then we make phase 1 and phase 2 policies that match what we did on the router.

ASA01(config)# crypto ikev1 policy 100
ASA01(config-ikev1-policy)#  authentication pre-share
ASA01(config-ikev1-policy)#  encryption 3des
ASA01(config-ikev1-policy)#  hash sha
ASA01(config-ikev1-policy)#  group 2
ASA01(config-ikev1-policy)#  lifetime 86400
ASA01(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

We will also have to enable IKEv1 on the firewall.

ASA01(config)# crypto ikev1 enable outside

On an ASA we define the pre-shared key in a tunnel-group.

ASA01(config)# tunnel-group ipsec-attributes
ASA01(config-tunnel-ipsec)#  ikev1 pre-shared-key meowcat
ASA01(config-tunnel-ipsec)# exit

Then we make a crypto map that ties everything together.

crypto map VPN 100 match address VPN_ASA01_TO_R01
crypto map VPN 100 set pfs 
crypto map VPN 100 set peer 
crypto map VPN 100 set ikev1 transform-set ESP-3DES-SHA
crypto map VPN 100 set reverse-route
crypto map VPN interface outside
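Because phase 1 and phase 2 have to agree on both ends, it pays to diff the two configs before bringing the tunnel up at all. The Python below is an added example, not code from the post: it parses constructed excerpts of the router and ASA policy lines shown above (addresses omitted, as in the post), reports any attribute that differs, and flags every algorithm that Cisco's Next Generation Encryption guidance now classes as legacy, which in this lab is all of them (3DES, SHA-1, DH group 2). It assumes a bare ASA `set pfs` means group2.

```python
# Constructed excerpts of the post's site-to-site settings (peer addresses omitted, as in the post).
ROUTER_CFG = """\
crypto isakmp policy 100
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 set pfs group2
"""
ASA_CFG = """\
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 100 set pfs
"""
# Algorithms that Cisco's Next Generation Encryption guidance lists as legacy/avoid.
LEGACY = {"des", "3des", "md5", "sha", "group1", "group2", "group5"}
ATTRS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}

def parse_side(cfg):
    """Phase 1 policy and phase 2 transform set + PFS from one device's config."""
    p1, p2, in_policy = {"lifetime": "86400"}, {}, False   # 86400 s is the default on both
    for words in filter(None, (line.split() for line in cfg.splitlines())):
        if words[0] == "crypto":
            in_policy = words[1:3] in (["isakmp", "policy"], ["ikev1", "policy"])
        if words[:2] == ["crypto", "ipsec"] and "transform-set" in words:
            p2["transform"] = " ".join(sorted(words[words.index("transform-set") + 2:]))
        elif "pfs" in words:   # IOS "set pfs group2" or ASA "crypto map ... set pfs" (bare = group2, assumed)
            p2["pfs"] = words[-1] if words[-1] != "pfs" else "group2"
        elif in_policy and words[0] in ATTRS:   # IOS "encr" is ASA "encryption"
            key = "encryption" if words[0] == "encr" else words[0]
            p1[key] = "group" + words[1] if key == "group" else words[1]
    return {"phase1": p1, "phase2": p2}

def audit(router_cfg, asa_cfg):
    """Return (mismatches, legacy): what to read before reaching for 'debug crypto'."""
    r, a, mismatches, legacy = parse_side(router_cfg), parse_side(asa_cfg), [], set()
    for ph in ("phase1", "phase2"):
        for k in sorted(set(r[ph]) | set(a[ph])):
            rv, av = r[ph].get(k), a[ph].get(k)
            if rv != av:
                mismatches.append(f"{ph}.{k}: router={rv} asa={av}")
            for tok in f"{rv} {av}".split():   # "esp-sha-hmac" -> "sha", "esp-3des" -> "3des"
                if tok.replace("esp-", "").replace("-hmac", "") in LEGACY:
                    legacy.add(f"{ph}.{k}={tok}")
    return mismatches, sorted(legacy)
```

Run `audit(ROUTER_CFG, ASA_CFG)`: the lab's two sides match, so the mismatch list is empty, but every algorithm in use is reported as legacy.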


Now that the VPN is set up, we can ping from S01 to S11.

cisco@S01:~$ ping -c 5
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=260 ms
64 bytes from icmp_seq=2 ttl=63 time=243 ms
64 bytes from icmp_seq=3 ttl=63 time=269 ms
64 bytes from icmp_seq=4 ttl=63 time=301 ms
64 bytes from icmp_seq=5 ttl=63 time=307 ms

The VPN is up when the router shows QM_IDLE as the connection state (the ASA shows MM_ACTIVE for the same tunnel).

R01#show crypto isakmp sa 
dst             src             state          conn-id status   QM_IDLE           1008 ACTIVE

ASA01(config)# show isakmp sa 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE

We can see the reverse route working by looking at the routing table.

ASA01(config)# show route static 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is to network

S* [1/0] via, outside
V connected by VPN (advertised), outside


The problem with site-to-site VPNs is that we have to manually enter, in a crypto map, which networks to encrypt. ASAs now support a routed VPN called a VTI to make this more dynamic. Currently it supports BGP routing and will likely support other protocols as time goes on.


We'll reuse the phase 1 and 2 settings from the site-to-site VPN to save a bit of time, then add a pre-shared key for ASA02.

R01(config)#crypto isakmp key meowcat address

Next we'll make an IPsec profile for the VTI.

R01(config)#crypto ipsec profile VTI
R01(ipsec-profile)# set transform-set ESP-3DES-SHA 
R01(ipsec-profile)# set pfs group2

A VTI is a tunnel interface, so we'll make Tunnel12, give it an IP, and attach the IPsec profile to it.

R01(config)#interface Tunnel12
R01(config-if)# ip address
R01(config-if)# tunnel source GigabitEthernet0/1.1254
R01(config-if)# tunnel mode ipsec ipv4
R01(config-if)# tunnel destination
R01(config-if)# tunnel protection ipsec profile VTI

Since this is a routed VPN, we'll set up BGP across the tunnel and advertise the LAN network.

R01(config)#router bgp 100
R01(config-router)# bgp log-neighbor-changes
R01(config-router)# network
R01(config-router)# neighbor remote-as 100


On the ASA side we'll use the same phase 1 and 2 settings from above and add a tunnel-group entry for R01. Don't forget to enable ISAKMP!

ASA02(config)# tunnel-group ipsec-attributes
ASA02(config-tunnel-ipsec)#  ikev1 pre-shared-key meowcat
ASA02(config-tunnel-ipsec)# exit

Next we need an IPsec profile.

ASA02(config)# crypto ipsec profile VTI
ASA02(config-ipsec-profile)#  set ikev1 transform-set ESP-3DES-SHA
ASA02(config-ipsec-profile)#  set pfs group2

Then we make a tunnel interface like we did on the router.

ASA02(config)# interface Tunnel12
ASA02(config-if)#  nameif VPN
ASA02(config-if)#  ip address 
ASA02(config-if)#  tunnel source interface outside
ASA02(config-if)#  tunnel destination
ASA02(config-if)#  tunnel mode ipsec ipv4
ASA02(config-if)#  tunnel protection ipsec profile VTI

Lastly we just need BGP on the ASA.

ASA02(config)# router bgp 100
ASA02(config-router)#  bgp log-neighbor-changes
ASA02(config-router)#  address-family ipv4 unicast
ASA02(config-router-af)#   neighbor remote-as 100
ASA02(config-router-af)#   neighbor activate
ASA02(config-router-af)#   network
ASA02(config-router-af)#   no auto-summary
ASA02(config-router-af)#   no synchronization
ASA02(config-router-af)#  exit-address-family


Once BGP comes up, we can ping from S01 to S12.

cisco@S01:~$ ping -c 5 
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=268 ms
64 bytes from icmp_seq=2 ttl=63 time=193 ms
64 bytes from icmp_seq=3 ttl=63 time=151 ms
64 bytes from icmp_seq=4 ttl=63 time=262 ms
64 bytes from icmp_seq=5 ttl=63 time=305 ms

--- ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 151.800/236.337/305.269/55.486 ms

And we can see BGP working as it should.

ASA02(config-router)# show bgp

BGP table version is 9, local router ID is
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.168.10.0            0    100      0  i
*>              0         32768  i
level 1

This is scary and confusing. This is beyond the CCNA, right? Or have I missed something along the road? I did notice that in one named ACL you used a wildcard mask and then in another you used the subnet mask. I thought it was purely wildcard mask.

level 2
Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! (Original Poster) · 1 point · 1 year ago

It is more CCNA Security territory, and probably beyond that in the VTI section.

The ASA doesn't use wildcard masks but the router does.

level 1
1 point · 1 year ago · edited 1 year ago

I am currently doing a similar setup between an ASA and a Palo Alto, so this is really helpful. I am not using BGP, but static routes instead. Would I be correct in saying I only need to add a route for my neighbor's inside subnet and not the tunnel? For example, on the ASA02 I would add:

route Tunnel12

I also noticed that as soon as I named the tunnel, I received an error regarding my priority queue. Does this mean I cannot use a LLQ on VTIs?

ASA(config-if)# nameif TUNNEL12
ERROR: Class VOICE has 'priority' set without 'priority-queue' in any interface
ASA(config-if)# tunnel protection ipsec profile VTI