ASA site-to-site redux

GNS3 has made it very easy to set up asa support for your topologies with their newer versions… https://community.gns3.com/community/forum/blog/2015/02/19/how-to-add-cisco-asa-842-to-gns3-11-and-get-it-working

this failed… i’m beginning to think ikev2 won’t work on gns3 asa’s…i know ikev1 does… below are the running configs… perhaps you’ll have a go at it… i need to move on…

down arrow smaller

asa1_ikev2_gns3_fail asa2_ikev2_gns3_fail

 

asa site2site 082715

 

enable ikev1 or v2 on the outside interface. this is done in global configuration mode:

crypto ikev2 enable outside

configure isakmp. this is the phase 1 policy and it must match for both peers. isakmp (phase 1 policy) negotiates encryption as well as other parameters to authenticate the peer and establish a secure channel for the vpn.

asa-2(config-ikev2-policy)# sh run crypto ikev2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

the policy number can be between 1 and 65535, wherein 1 is evaluated first, and so on.

define encryption. advanced encryption standard, as above, is chosen as preferred.

define integrity: the hash algrithm provides data integrity by ensuring the packet hasn’t changed in transit. here the sha (secure hash algorithm) is chosen. md5 is an option, however sha provides better security with fewer hash collisions.

group 5 represents the diffie-hellman group (D-H). this group derives a shared secret for the vpn peers.

PRF (pseudo random function). this contructs the keying material for the crypto algorithms used by the SA’s (security associations)

lifetime. the lifetime in seconds between 120 and 2,147,483,647. the lifetime specifies the interval at which a new set of isakmp keys may be renogotiated. the default is 86400.

tunnel group:

a tunnel group (aka connection profile) defines a site-to-site or remote access tunnel in order to map attributes assigned to ipsec peers. a remote-access connection profile may terminate vpn tunnels including, ipsec, l2tp over ipsec and ssl.

note: for identification purposes it is a good idea to configure the tunnel-group name with the peer ip address. also note the pre-shared-key falls under the ipsec attributes header.

asa tunnel-group config

asa-2(config)# tunnel-group 101.1.1.1 type ipsec-l2l
asa-2(config)# tunnel-group 101.1.1.1 ipsec-attributes
asa-2(config-tunnel-ipsec)# ikev2 remo
asa-2(config-tunnel-ipsec)# ikev2 remote-authentication pre
asa-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ccie
INFO: You must configure ikev2 local-authentication pre-shared-key
or certificate to complete authentication.
asa-2(config-tunnel-ipsec)# ikev2 loc
asa-2(config-tunnel-ipsec)# ikev2 local-authentication pre
asa-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ccie
asa-2(config-tunnel-ipsec)#

define the ipsec policy:

a transform set specifies the encryption and hashing for use with the data packets after the establishment of a secure connection (data authentication, confidentiality, integrity)

name: specify a locally specific name. (the name is not transmitted during tunnel negotiation.

encryption: aes-256 is recommended.

integrity hash: (ikev2 only) sha-512 is recommended.

crypto ipsec ikev2 ipsec-proposal ASA-1-proposal
protocol esp encryption aes-256
protocol esp integrity sha-1

note: my version of code does not support sha-256.

asa-1(config)# sh run crypto ipsec
crypto ipsec ikev2 ipsec-proposal ASA-1-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto-map

assign an acl to allow interesting traffic (permit the inside subnet of asa-1 to communicate with the inside subnet of asa-2)