[SOLVED] Site to Site IPSEC question

sniper7777777
Sep 22, 2014
Hey everyone, I have a guide I created myself for establishing a site-to-site VPN tunnel between 2 Cisco ASAs.
I have performed these steps on both sides but still can't get IPsec SAs to show.
Can someone let me know if anything from the guide is missing or incorrect?

Keep in mind I'm going for a basic IPsec tunnel, nothing fancy.

Also, could someone shed some light on a confusing topic? When I am setting the tunnel group and peer IP, I'm confused as to what I'm supposed to enter.

When you get a static address from, say, Comcast, you get a peer IP and a usable IP, so let's say 1.1.1.2 is the usable and the peer IP is 1.1.1.1.

But when setting the peer IP in the configs, I'm confused as to whether to use the peer IP from the ISP (1.1.1.1) or the outside interface of your device (1.1.1.2)?

Let me know.

*Keep in mind this is for a Cisco ASA 5505


Create 2 SVIs, one for inside and one for outside:

GFirewall(config)# int vlan 77
GFirewall(config-if)# ip address 192.168.1.254 255.255.255.0
GFirewall(config-if)# nameif inside
GFirewall(config-if)# no shut

GFirewall(config-if)# interface ethernet 0/7
GFirewall(config-if)# switchport access vlan 77
GFirewall(config-if)# no shut

^ repeat this step for the outside interface with a new VLAN

Pick an interface (should be the higher-numbered interface for the inside connection):

Ethernet 0/7

Set the route to the peered IP address (not the usable one):

GFirewall(config)# route outside 0.0.0.0 0.0.0.0 24.15.12.6

ACL ACEs

access-list P2PACL line 60 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list P2PACL line (ACE) 60 extended permit ip (source) 192.168.1.0 255.255.255.0 (destination) 10.0.0.0 255.0.0.0

Add additional ACEs for the public IP addresses:

access-list P2PACL line 70 extended permit ip 25.25.25.25 255.255.255.252 64.64.64.64 255.255.255.252

Set IKEv1 phase 1

Create a policy:

GFirewall(config)# crypto ikev1 policy 1
GFirewall(config-ikev1-policy)# authentication pre-share
GFirewall(config-ikev1-policy)# encryption aes-256
GFirewall(config-ikev1-policy)# group 2
GFirewall(config-ikev1-policy)# hash sha
GFirewall(config-ikev1-policy)# lifetime 86400 (*set lower to be more secure; however, it uses more resources)

Enable IKEv1 on the outside interface:

GFirewall(config)# crypto ikev1 enable outside

Set IKEv1 phase 2

GFirewall(config)# tunnel-group 1.1.1.1 type ipsec-l2l (*use the peer IP address (the other ASA's outside interface IP address) as the tunnel group ID)
GFirewall(config)# tunnel-group 1.1.1.1 ipsec-attributes
GFirewall(config-tunnel-ipsec)# ikev1 pre-shared-key MGTech$upport (make sure there is no space at the end of the pre-shared key)

Set the transform set:

GFirewall(config)# crypto ipsec ikev1 transform-set GFIREWALLT1 esp-aes-256 esp-sha-hmac

GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set peer 1.1.1.1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set ikev1 transform-set GFIREWALLT1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 match address P2PACL (*create an ACL with multiple ACEs of subnets to allow; *make sure you include nonat in front of the extended ACL)
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set security-association lifetime seconds 86400
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP interface outside
 

beers
Oct 4, 2012
"can someone let me know if anything from the guide is missing or incorrect"

It’s not much of a guide if it doesn’t work 😉

IPsec is pretty easy; you just have to have your details in order for both phases, matching/inverted crypto ACLs, and then any NAT policy you need.

Also, referring to a default gateway as a peer address adds unneeded confusion.
Solution

I'm not familiar with Cisco hardware; my IKE/IPsec experience is limited to pfSense and Windows 10 / Server 2016+.

The basic gist of IKE/IPsec is that there is an encrypted data stream between two IP-routable endpoints. This is called "phase 1" and is the IKE part of the IKE/IPsec framework.

I noticed that you're using IKEv1. IKEv1 should only be used if IKEv2 is not supported by one of the devices on the tunnel. This is sometimes the case for mobile IPsec, where support across the litany of desktop/tablet/phone OSes varies, but if your routers support IKEv2 it should be used.

Anyway, phase 1 establishes a secure channel between two interfaces. In the case of a site-to-site configuration this will often be between the WAN interface of one router with a publicly routable IP and the WAN interface of another router with a publicly routable IP.

If site A has IP 1.1.1.1 from Comcast, and site B has IP 2.2.2.2 from AT&T, then phase 1 lets sites A and B talk securely.

I can't give you a walkthrough for setting up IKE for your hardware, but I recommend that you keep it simple to start with. Use a mutual PSK with the IP address on both sites as the identifier for authentication. You'll have to set up a tunnel endpoint on both sides, and mirror the settings where necessary. For site A, the identifier is the IP address of the interface that the tunnel is listening on (1.1.1.1), and the peer identifier is the IP address of the interface that it expects to connect with (2.2.2.2). The reverse is true for site B.

Choose a simple encryption algorithm to start with, such as AES-128 with a hash of SHA-256 and DH-14 (RSA2048). More exotic proposals can be added later on, but keep it simple to start with.

Phase 2 is where things get a bit more interesting. Each phase 1 entry can have multiple phase 2 entries within it. Phase 2 is where the actual network transport or tunnels exist (I'm inferring that you want to set up a tunnel). You'll have to set up cryptography for each phase 2 entry as well as local and remote network settings on each side. If you have subnet 192.168.2.0/24 on site A and 192.168.3.0/24 on site B, then you would set up 192.168.2.0/24 as the local network on site A along with 192.168.3.0/24 as the remote network, and 192.168.3.0/24 as the local network on site B along with 192.168.2.0/24 as the remote network.

Lastly, you'll have to add routes and firewall rules on each side. The router on site A needs to know that 192.168.3.0/24 is accessible via the IPsec tunnel interface and that traffic from hosts on router A can be permitted to traverse the tunnel to site B.
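The two replies above boil down to one checklist for the guide in the first post: identical phase 1 attributes on both ASAs, a transform set in common, crypto ACLs that are mirror images, and `set peer` / the tunnel-group name pointing at the other ASA's outside interface rather than at the ISP default gateway. This added example (not from the thread or from Cisco) runs that checklist over two constructed ASA snippets; `asa_cfg`, `SCALARS`, `parse_asa`, `check_pair` and all addresses in the test are hypothetical.

```python
import re
from ipaddress import IPv4Network

def asa_cfg(outside, gateway, peer, local, remote, enc="aes-256"):  # constructed sample, not the poster's config
    return f"""ip address {outside} 255.255.255.252
route outside 0.0.0.0 0.0.0.0 {gateway}
access-list P2PACL extended permit ip {local} {remote}
crypto ikev1 policy 1
 authentication pre-share
 encryption {enc}
 hash sha
 group 2
crypto ipsec ikev1 transform-set T1 esp-{enc} esp-sha-hmac
crypto map CM 10 set peer {peer}
crypto map CM 10 match address P2PACL
tunnel-group {peer} type ipsec-l2l"""

SCALARS = {"outside": r"ip address (\S+)", "gateway": r"route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)",
           "peer": r"crypto map \S+ \d+ set peer (\S+)", "tg": r"tunnel-group (\S+) type ipsec-l2l"}

def parse_asa(cfg):
    """Pull the tunnel-relevant values (SCALARS plus crypto ACL, phase 1 policy, transform sets) out of a snippet."""
    s = {"acl": set(), "policy": set(), "ts": set()}
    for line in (ln.strip() for ln in cfg.splitlines()):
        for key, pat in SCALARS.items():
            if m := re.match(pat, line):
                s[key] = m[1]
        if m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            s["acl"].add((IPv4Network(f"{m[1]}/{m[2]}"), IPv4Network(f"{m[3]}/{m[4]}")))
        elif re.match(r"(authentication|encryption|hash|group) \S+$", line):
            s["policy"].add(line)  # phase 1 proposal attributes, compared as a set
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line):
            s["ts"].add(m[1])
    return s

def check_pair(a, b):
    """Return the mismatches that keep phase 1 / phase 2 SAs from forming."""
    issues = []
    if a["policy"] != b["policy"]:
        issues.append("phase 1: ikev1 policy attributes differ")
    if not a["ts"] & b["ts"]:
        issues.append("phase 2: no common transform set")
    if a["acl"] != {(d, s) for s, d in b["acl"]}:  # B's ACL must be A's with src/dst swapped
        issues.append("phase 2: crypto ACLs are not mirror images")
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me.get("peer") == me.get("gateway"):
            issues.append(f"{name}: set peer is the ISP default gateway, not the remote ASA")
        elif me.get("peer") != other.get("outside") or me.get("tg") != me.get("peer"):
            issues.append(f"{name}: set peer and tunnel-group must be the other ASA's outside IP")
    return issues
```

Feeding it the real `show running-config` of both ASAs (the outside SVI's `ip address` line and the crypto sections) turns "no IPsec SAs" into a named mismatch rather than a guessing game.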