Posted by Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! · 1 year ago

A Tale of Two VPNs

Since I still have my ASA lab up, let's play with two types of VPNs.

Here is tonight's topology

Site to Site VPN

R01

A site-to-site VPN uses an ACL to match the traffic that is going to be encrypted.

R01(config)#ip access-list extended VPN_R01_TO_ASA01
R01(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

For the phase 1 settings we'll use 3DES encryption, SHA1 hash, and DH group 2. We'll also use pre-share keys for authentication.

R01(config)#crypto isakmp policy 100
R01(config-isakmp)# encr 3des
R01(config-isakmp)# hash sha
R01(config-isakmp)# authentication pre-share
R01(config-isakmp)# group 2
R01(config-isakmp)#exit

We'll use 3DES and SHA1 for phase 2 as well.

R01(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
R01(cfg-crypto-trans)#exit

Next we set a pre-share key for ASA01's WAN IP address.

R01(config)#crypto isakmp key meowcat address 200.11.254.11

Now that all the pieces are configured, we need to make a crypto map to tie everything together. The reverse-route is a handy feature that generates a static route for the VPN so we can redistribute it into other routing protocols.

R01(config)#crypto map VPN 100 ipsec-isakmp
R01(config-crypto-map)# match address VPN_R01_TO_ASA01
R01(config-crypto-map)# set peer 200.11.254.11
R01(config-crypto-map)# set transform-set ESP-3DES-SHA
R01(config-crypto-map)# set pfs group2
R01(config-crypto-map)# set reverse-route tag 100
R01(config-crypto-map)#exit

Lastly we enable the VPN on our outside interface.

R01(config)#int g0/1.1254
R01(config-subif)#crypto map VPN

ASA01

The ASA follows a similar logic: we make an ACL that matches the VPN traffic.

ASA01(config)# access-list VPN_ASA01_TO_R01 extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0 

Then we make a phase 1 and 2 policy that matches what we did on the router.

ASA01(config)# crypto ikev1 policy 100
ASA01(config-ikev1-policy)#  authentication pre-share
ASA01(config-ikev1-policy)#  encryption 3des
ASA01(config-ikev1-policy)#  hash sha
ASA01(config-ikev1-policy)#  group 2
ASA01(config-ikev1-policy)#  lifetime 86400
ASA01(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

We will also have to enable IKEv1 on the firewall.

ASA01(config)# crypto ikev1 enable outside

On an ASA we define a pre-shared key in a tunnel-group.

ASA01(config)# tunnel-group 200.1.254.1 ipsec-attributes
ASA01(config-tunnel-ipsec)#  ikev1 pre-shared-key meowcat
ASA01(config-tunnel-ipsec)# exit

Then we make a crypto map that ties everything together.

ASA01(config)# crypto map VPN 100 match address VPN_ASA01_TO_R01
ASA01(config)# crypto map VPN 100 set pfs
ASA01(config)# crypto map VPN 100 set peer 200.1.254.1
ASA01(config)# crypto map VPN 100 set ikev1 transform-set ESP-3DES-SHA
ASA01(config)# crypto map VPN 100 set reverse-route
ASA01(config)# crypto map VPN interface outside

Testing

Now that the VPN is set up, we can ping from S01 to S11.

cisco@S01:~$ ping 192.168.11.100 -c 5
PING 192.168.11.100 (192.168.11.100) 56(84) bytes of data.
64 bytes from 192.168.11.100: icmp_seq=1 ttl=63 time=260 ms
64 bytes from 192.168.11.100: icmp_seq=2 ttl=63 time=243 ms
64 bytes from 192.168.11.100: icmp_seq=3 ttl=63 time=269 ms
64 bytes from 192.168.11.100: icmp_seq=4 ttl=63 time=301 ms
64 bytes from 192.168.11.100: icmp_seq=5 ttl=63 time=307 ms

The VPN is up when we see QM_IDLE as a connection status.

R01#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
200.1.254.1     200.11.254.11   QM_IDLE           1008 ACTIVE

ASA01(config)# show isakmp sa 

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.1.254.1
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE

We can see the reverse route working by looking at the routing table.

ASA01(config)# show route static 

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 200.11.254.254 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 200.11.254.254, outside
V        192.168.10.0 255.255.255.0 connected by VPN (advertised), outside

VTI VPN

The problem with site-to-site VPNs is that we have to manually enter which networks to encrypt in a crypto map. ASAs now support a routed VPN called a VTI to make things more dynamic. Currently it supports BGP routing and will likely support other protocols as we go.

R01

We'll reuse the phase 1 and 2 settings from the site-to-site VPN to save a bit of time and then add a pre-shared key for ASA02.

R01(config)#crypto isakmp key meowcat address 200.12.254.12

Next we'll make an IPsec profile for the VTI.

R01(config)#crypto ipsec profile VTI
R01(ipsec-profile)# set transform-set ESP-3DES-SHA 
R01(ipsec-profile)# set pfs group2

A VTI is a tunnel, so we'll make Tunnel12, give it an IP and attach the IPsec profile to it.

R01(config)#interface Tunnel12
R01(config-if)# ip address 10.1.12.1 255.255.255.0
R01(config-if)# tunnel source GigabitEthernet0/1.1254
R01(config-if)# tunnel mode ipsec ipv4
R01(config-if)# tunnel destination 200.12.254.12
R01(config-if)# tunnel protection ipsec profile VTI

Since this is a routed VPN, we'll set up BGP across the tunnel and advertise the LAN network.

R01(config)#router bgp 100
R01(config-router)# bgp log-neighbor-changes
R01(config-router)# network 192.168.10.0
R01(config-router)# neighbor 10.1.12.12 remote-as 100

ASA02

On the ASA side we'll use the same phase 1 and 2 settings from above and add a tunnel-group entry for R01. Don't forget to enable ISAKMP!

ASA02(config)# tunnel-group 200.1.254.1 ipsec-attributes
ASA02(config-tunnel-ipsec)#  ikev1 pre-shared-key meowcat
ASA02(config-tunnel-ipsec)# exit

Next we need an IPsec profile.

ASA02(config)# crypto ipsec profile VTI
ASA02(config-ipsec-profile)#  set ikev1 transform-set ESP-3DES-SHA
ASA02(config-ipsec-profile)#  set pfs group2

Then we make a tunnel interface like we did on the router

ASA02(config)# interface Tunnel12
ASA02(config-if)#  nameif VPN
ASA02(config-if)#  ip address 10.1.12.12 255.255.255.0 
ASA02(config-if)#  tunnel source interface outside
ASA02(config-if)#  tunnel destination 200.1.254.1
ASA02(config-if)#  tunnel mode ipsec ipv4
ASA02(config-if)#  tunnel protection ipsec profile VTI

Lastly we just need BGP on the ASA

ASA02(config)# router bgp 100
ASA02(config-router)#  bgp log-neighbor-changes
ASA02(config-router)#  address-family ipv4 unicast
ASA02(config-router-af)#   neighbor 10.1.12.1 remote-as 100
ASA02(config-router-af)#   neighbor 10.1.12.1 activate
ASA02(config-router-af)#   network 192.168.12.0
ASA02(config-router-af)#   no auto-summary
ASA02(config-router-af)#   no synchronization
ASA02(config-router-af)#  exit-address-family

Testing

Once BGP comes up, we can ping from S01 to S12.

cisco@S01:~$ ping 192.168.12.100 -c 5 
PING 192.168.12.100 (192.168.12.100) 56(84) bytes of data.
64 bytes from 192.168.12.100: icmp_seq=1 ttl=63 time=268 ms
64 bytes from 192.168.12.100: icmp_seq=2 ttl=63 time=193 ms
64 bytes from 192.168.12.100: icmp_seq=3 ttl=63 time=151 ms
64 bytes from 192.168.12.100: icmp_seq=4 ttl=63 time=262 ms
64 bytes from 192.168.12.100: icmp_seq=5 ttl=63 time=305 ms

--- 192.168.12.100 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 151.800/236.337/305.269/55.486 ms

And we can see the BGP working as it should

ASA02(config-router)# show bgp

BGP table version is 9, local router ID is 200.12.254.12
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*>i192.168.10.0     10.1.12.1            0    100      0  i
*> 192.168.12.0     0.0.0.0              0         32768  i
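As an added check (not from the post) for the site-to-site section above: it converts the router's wildcard-mask ACL and the ASA's subnet-mask ACL to networks and confirms they mirror each other, compares the two phase 1 policies, and flags the 3DES, SHA-1 and DH group 2 settings, which Cisco's Next Generation Encryption guidance lists as legacy. The sample lines are constructed from the configs in the post with the prompts stripped.

```python
import ipaddress
import re
# Constructed from the lab configs in the post (wildcard masks on R01, subnet
# masks on ASA01), with the CLI prompts stripped.
R01_ACL = "permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"
ASA01_ACL = ("access-list VPN_ASA01_TO_R01 extended permit ip "
             "192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0")
R01_P1 = "encr 3des\nhash sha\nauthentication pre-share\ngroup 2"
ASA01_P1 = "authentication pre-share\nencryption 3des\nhash sha\ngroup 2\nlifetime 86400"
ALIASES = {"encr": "encryption"}  # IOS 'encr' and ASA 'encryption' are the same attribute
# Settings the lab uses that Cisco's Next Generation Encryption guidance classes as legacy.
LEGACY = {("encryption", "3des"), ("hash", "sha"), ("group", "2")}

def wildcard_to_network(addr, wildcard):
    """An IOS wildcard mask is the bitwise inverse of the subnet mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
def parse_acl(line, wildcard):
    """Return (src, dst) networks from a 'permit ip A MASK B MASK' entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError("not a 'permit ip' entry: " + line)
    a, am, b, bm = m.groups()
    if wildcard:
        return wildcard_to_network(a, am), wildcard_to_network(b, bm)
    return (ipaddress.IPv4Network(f"{a}/{am}", strict=False),
            ipaddress.IPv4Network(f"{b}/{bm}", strict=False))
def acls_mirror(router_line, asa_line):
    """Crypto ACLs must be exact mirror images or the phase 2 proxy IDs won't agree."""
    r_src, r_dst = parse_acl(router_line, wildcard=True)
    a_src, a_dst = parse_acl(asa_line, wildcard=False)
    return r_src == a_dst and r_dst == a_src

def parse_policy(text):
    """Turn 'attribute value' lines into a dict, normalising IOS/ASA attribute names."""
    policy = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        policy[ALIASES.get(key, key)] = value
    return policy

def phase1_mismatches(router_text, asa_text):
    """Phase 1 attributes that differ; peers use the shorter lifetime, so it need not match."""
    r, a = parse_policy(router_text), parse_policy(asa_text)
    keys = (set(r) | set(a)) - {"lifetime"}
    return sorted(k for k in keys if r.get(k) != a.get(k))

def legacy_settings(text):
    """Attributes of a phase 1 policy that still use legacy algorithms."""
    return sorted(k for k, v in parse_policy(text).items() if (k, v) in LEGACY)
```

Running the same checks against the VTI section only needs the phase 1 comparison, since a VTI carries routed traffic and has no crypto ACL to mirror.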
level 1

This is scary and confusing. This is beyond the CCNA, right? Or have I missed something along the road? I did notice that in one named ACL you used a wildcard mask and then in another you used the subnet mask. I thought it was purely wildcard mask.

level 2
Meow 🐈🐈Meow 🐱🐱 Meow Meow🍺🐈🐱Meow A+! · Original Poster · 1 point · 1 year ago

It is more CCNA Security territory, and probably beyond that in the VTI section.

The ASA doesn't use wildcard masks but the router does.

level 1
1 point · 1 year ago · edited 1 year ago

I am currently doing a similar setup between an ASA and a Palo Alto, so this is really helpful. I am not using BGP, but static routes instead. Would I be correct in saying I only need to add a route for my neighbor's inside subnet and not the tunnel? For example, on the ASA02 I would add:

route Tunnel12 192.168.10.0 255.255.255.0 10.1.12.1

I also noticed that as soon as I named the tunnel, I received an error regarding my priority queue. Does this mean I cannot use a LLQ on VTIs?

ASA(config-if)# nameif TUNNEL12
ERROR: Class VOICE has 'priority' set without 'priority-queue' in any interface
ASA(config-if)# tunnel protection ipsec profile VTI