EdgeRouter - IPsec Policy-Based Site-to-Site VPN to Cisco ASA

Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Cisco ASA.

A Policy-Based VPN is characterized by the definition of local and remote subnets (proxy IDs). This type of VPN differs from a Route-Based VPN which is characterized by the usage of Virtual Tunnel Interfaces (VTIs) and routing entries.

NOTES & REQUIREMENTS:

Applicable to EdgeOS 1.9.7+ firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI), Cisco IOS and advanced networking is required. Please see the Related Articles below for more information and see the attachments for the configurations used in this article.


Equipment used in this article:

- EdgeRouter-X (ER-X)
- Cisco ASA
- Test clients behind the peers (Host1 and Server1)

Table of Contents


  1. Network Diagram
  2. Steps: Policy-Based VPN
  3. Steps: Cisco ASA VPN
  4. Steps: Testing & Verification
  5. Related Articles

Network Diagram


The network topology is shown below. The following interfaces are in use on the EdgeRouter and the Cisco ASA:

ER-X

  1. eth0 (WAN) - 203.0.113.1
  2. eth1 (LAN) - 192.168.1.1/24

Cisco ASA

  1. gi0/0 (WAN) - 192.0.2.1
  2. gi0/1 (LAN) - 172.16.1.1/24


Steps: Policy-Based VPN


For the purpose of this article it is assumed that the routing and interface configuration is already in place and that reachability has been tested.

The ports and protocols relevant to IPsec are:

  1. UDP 500 (IKE)
  2. ESP (Protocol 50)
  3. UDP 4500 (NAT-T)

The type of VPN that will be created is called a Policy-Based VPN, which uses remote and local subnets, otherwise known as proxy IDs. These values need to match exactly between the two peers and need to be mirror images of each other. Only the prefixes defined in the proxy IDs will be carried over the tunnel. In this example the ER has 192.168.1.0/24 on its LAN side, whereas the Cisco side uses 172.16.1.0/24.

The first part of the configuration focuses on the ER, afterwards the VPN will be set up on the ASA.

CLI STEPS: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Exclude IPsec traffic from NAT and allow the automatic creation of the firewall rules.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE proposal (P1) and Security Associations (SAs).

set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256

4. Create the ESP proposal (P2) and Security Associations (SAs).

set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5

Note: The choices for SAs in this example are based on optimizing the VPN for performance, stability and security. The IKE proposal focuses on security (AES256 + SHA256), whereas the ESP proposal focuses on performance (AES128 + MD5). Whichever set of SAs is chosen, make sure that the settings for Phase 1 (P1) and Phase 2 (P2) match on both sides of the connection.

5. Define the peer address and the pre-shared-key (replace <secret> with your desired passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description IPsec

6. Define the local source address (public IP) of the Site-to-Site VPN connection.

set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

Note: It is also possible to use a non-static IP address for the WAN connection. In the case of DHCP, use set ... peer 192.0.2.1 dhcp-interface eth0. For PPPoE interfaces or load-balancing scenarios it is currently recommended to use set ... peer 192.0.2.1 local-address 0.0.0.0 rather than local-address any.

7. Link the IKE proposal to the Site-to-Site connection.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0

8. Create a tunnel that defines the remote and local subnets (proxy IDs) and link the ESP proposal.

set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

9. (Optional) Enable the IPsec offloading feature to increase ESP (not IKE) performance.

set system offload ipsec enable

Note: The offload setting requires a reboot to become active.

10. Commit the changes.

commit

11. Save the configuration.

save

Steps: Cisco ASA VPN


Please make sure that the latest stable version of the Cisco Adaptive Security Appliance (ASA) Software is being used and that the device is capable of reaching the internet. The Cisco side of the Site-to-Site VPN connection is based on the IPsec article linked below: Configure a Site-to-Site IPSec IKEv1 Tunnel

CLI STEPS: Access the IOS command line interface (CLI).

1. Enter configuration mode.

configure terminal

2. Define the interface names, security levels and routing (if not already configured).

interface gi0/0
nameif outside
security-level 0
ip address 192.0.2.1 255.255.255.252

interface gi0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 192.0.2.2

3. Configure network objects that match the remote and local subnets (proxy IDs).

object network obj-local
subnet 172.16.1.0 255.255.255.0

object network obj-remote
subnet 192.168.1.0 255.255.255.0

4. Create an IPsec access-list (IPsec_ACL) that links to the network objects.

access-list IPsec_ACL extended permit ip object obj-local object obj-remote

5. Create the IKE policy matching the defined SAs on the EdgeRouter.

crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

6. Create the IPsec transform set (IPsec_TS) matching the defined SAs on the EdgeRouter.

crypto ipsec ikev1 transform-set IPsec_TS esp-aes esp-md5-hmac

7. Create a crypto map (IPsec_CM) and link it to the IPsec TS and ACL, while also defining the P2 lifetime.

crypto map IPsec_CM 100 set peer 203.0.113.1
crypto map IPsec_CM 100 set ikev1 transform-set IPsec_TS
crypto map IPsec_CM 100 set security-association lifetime seconds 43200
crypto map IPsec_CM 100 match address IPsec_ACL
crypto map IPsec_CM interface outside

8. Create a tunnel group and define the pre-shared-key (replace <secret> with your desired passphrase).

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key <secret>

9. Enable the IKE process.

crypto ikev1 enable outside

10. (Optional) If you are also using Source NAT, make sure to exclude the IPsec traffic from being translated by NAT.

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup

nat (inside,outside) source dynamic obj-local interface

Note: The source dynamic rule is part of the source NAT configuration. The configuration used in your environment may differ from this example. Be careful when adding NAT rules to the ASA, as the order in which these are applied is important.

Because source NAT was configured after the IPsec exclusion rule, the rules are in the correct order. You can verify this with:

show nat translated interface outside detail 
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup
translate_hits = 10, untranslate_hits = 10
Source - Origin: 172.16.1.0/24, Translated: 172.16.1.0/24
Destination - Origin: 192.168.1.0/24, Translated: 192.168.1.0/24
2 (inside) to (outside) source dynamic obj-local interface
translate_hits = 28, untranslate_hits = 25
Source - Origin: 172.16.1.0/24, Translated: 192.0.2.1/30

If the NAT rules are in the wrong order, delete the other existing NAT rules and re-add them so that the IPsec exclusion rule is evaluated first. For example:

show running-config nat
nat (inside,outside) source dynamic obj-local interface
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup

no nat (inside,outside) source dynamic obj-local interface
nat (inside,outside) source dynamic obj-local interface

11. Write the changes to the startup configuration.

copy running-config startup-config
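
Both peers must agree on every Phase 1 and Phase 2 parameter, so a quick consistency check before bringing the tunnel up saves a debugging session. The Python script below is an added example (not part of this article, EdgeOS or the ASA software): it parses the EdgeOS set vpn ipsec lines from the EdgeRouter steps and the ASA crypto ikev1 policy, transform-set and crypto map lines from the ASA steps, translates the ASA keywords into their EdgeOS equivalents (ASA hash sha is SHA-1 and esp-aes is AES-128, as the ASA session output later on this page also shows), and lists every setting that differs. Run over the two configurations in this article it reports the IKE hash (sha256 versus sha) and DH group (14 versus 5) lines, which matches the SHA1 and D/H Group 5 values in the ASA's own show vpn-sessiondb output below.

```python
import re

# Constructed input: the EdgeOS lines entered on the ER in steps 3 and 4.
EDGEOS_CONFIG = """\
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha256
set vpn ipsec esp-group FOO0 lifetime 43200
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash md5
"""
# Constructed input: the ASA lines entered in steps 5 to 7.
ASA_CONFIG = """\
crypto ikev1 policy 100
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ipsec ikev1 transform-set IPsec_TS esp-aes esp-md5-hmac
crypto map IPsec_CM 100 set security-association lifetime seconds 43200
"""
# ASA keyword -> EdgeOS keyword for the same algorithm (ASA 'sha' is SHA-1; 'aes'/'esp-aes' is AES-128).
ASA_TO_EDGEOS = {"aes": "aes128", "aes-256": "aes256", "sha": "sha1", "md5": "md5",
                 "esp-aes": "aes128", "esp-aes-256": "aes256", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def parse_edgeos(text):
    """Collect P1 (ike-group) and P2 (esp-group) settings from 'set vpn ipsec' lines."""
    phases = {"p1": {}, "p2": {"pfs": "enable"}}  # EdgeOS enables PFS unless 'pfs disable' is set
    for line in text.splitlines():
        m = re.match(r"set vpn ipsec (ike|esp)-group \S+ (?:proposal \d+ )?(\S+) (\S+)", line)
        if m:
            key = "group" if m.group(2) == "dh-group" else m.group(2)
            phases["p1" if m.group(1) == "ike" else "p2"][key] = m.group(3)
    return phases

def parse_asa(text):
    """Collect P1 (ikev1 policy) and P2 (transform-set, crypto map) settings, in EdgeOS terms."""
    phases = {"p1": {}, "p2": {"pfs": "disable"}}  # an ASA crypto map has no PFS unless 'set pfs'
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] in ("encryption", "hash", "group", "lifetime"):  # lines inside 'crypto ikev1 policy'
            phases["p1"][w[0]] = ASA_TO_EDGEOS.get(w[1], w[1])
        elif w[:3] == ["crypto", "ipsec", "ikev1"] and "transform-set" in w:
            phases["p2"]["encryption"] = ASA_TO_EDGEOS.get(w[-2], w[-2])
            phases["p2"]["hash"] = ASA_TO_EDGEOS.get(w[-1], w[-1])
        elif w[:2] == ["crypto", "map"] and "security-association" in w and "seconds" in w:
            phases["p2"]["lifetime"] = w[-1]
        elif w[:2] == ["crypto", "map"] and "pfs" in w:
            phases["p2"]["pfs"] = "enable"
    return phases

def mismatches(er, asa):
    """Return sorted (phase, setting, er_value, asa_value) tuples for every setting that differs."""
    return [(ph, k, er[ph].get(k), asa[ph].get(k)) for ph in ("p1", "p2")
            for k in sorted(set(er[ph]) | set(asa[ph])) if er[ph].get(k) != asa[ph].get(k)]

if __name__ == "__main__":
    print(*mismatches(parse_edgeos(EDGEOS_CONFIG), parse_asa(ASA_CONFIG)), sep="\n")
```

An empty result means every parsed P1 and P2 setting agrees; each reported tuple names the phase, the setting and the value configured on each peer.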

Steps: Testing & Verification


After configuring the IPsec VPN, verify the connection/state using the following commands.

1. Verify the IPsec Security Associations (SAs) and status on the ER:

show vpn ipsec sa
peer-192.0.2.1-tunnel-1: #1, ESTABLISHED, IKEv1, 184447c009d51f80:14cc0f13aff401c0

 local  '203.0.113.1' @ 203.0.113.1
 remote '192.0.2.1' @ 192.0.2.1
 AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 established 237s ago, reauth in 85347s
 peer-192.0.2.1-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_MD5_96
   installed 237 ago, rekeying in 41939s, expires in 42964s
   in  cb321982,    180 bytes,     3 packets,   231s ago
   out 5d4174b1,    180 bytes,     3 packets,   231s ago
   local  192.168.1.0/24
   remote 172.16.1.0/24 

sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.14-UBNT, mips):

 uptime: 10 minutes, since Mar 12 09:05:48 2017
 malloc: sbrk 376832, mmap 0, used 269320, free 107512
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
 Listening IP addresses:
 203.0.113.1
 192.168.1.1
Connections:
peer-192.0.2.1-tunnel-1:  203.0.113.1...192.0.2.1  IKEv1
peer-192.0.2.1-tunnel-1:   local:  [203.0.113.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   remote: [192.0.2.1] uses pre-shared key authentication
peer-192.0.2.1-tunnel-1:   child:  192.168.1.0/24 === 172.16.1.0/24 TUNNEL
Routed Connections:
peer-192.0.2.1-tunnel-1{1}:  ROUTED, TUNNEL
peer-192.0.2.1-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24
Security Associations (1 up, 0 connecting):
peer-192.0.2.1-tunnel-1[1]: ESTABLISHED 5 minutes ago, 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
peer-192.0.2.1-tunnel-1[1]: IKEv1 SPIs: 184447c009d51f80_i* 14cc0f13aff401c0_r, pre-shared key reauthentication in 23 hours
peer-192.0.2.1-tunnel-1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
peer-192.0.2.1-tunnel-1{1}:  INSTALLED, TUNNEL, ESP SPIs: cb321982_i 5d4174b1_o
peer-192.0.2.1-tunnel-1{1}:  AES_CBC_128/HMAC_MD5_96, 180 bytes_i (3 pkts, 324s ago), 180 bytes_o (3 pkts, 324s ago)
peer-192.0.2.1-tunnel-1{1}:   192.168.1.0/24 === 172.16.1.0/24

2. Verify the ER IPsec strongSwan configuration:

sudo cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl


config setup

conn %default
       keyexchange=ikev1

conn peer-192.0.2.1-tunnel-1
       left=203.0.113.1
       right=192.0.2.1
       leftsubnet=192.168.1.0/24
       rightsubnet=172.16.1.0/24
       ike=aes256-sha256-modp2048!
       keyexchange=ikev1
       ikelifetime=86400s
       esp=aes128-md5!
       keylife=43200s
       rekeymargin=540s
       type=tunnel
       compress=no
       authby=secret
       auto=route
       keyingtries=%forever
#conn peer-192.0.2.1-tunnel-1

3. Capture the arrival of IKE traffic on the ER external WAN interface:

sudo tcpdump -i eth0 -n udp dst port 500   
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 1 I ident[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 1 R ident[E]
IP 203.0.113.1.500 > 192.0.2.1.500: isakmp: phase 2/others I oakley-quick[E]
IP 192.0.2.1.500 > 203.0.113.1.500: isakmp: phase 2/others R oakley-quick[E]

Note: This is a live capture. If there is no output, the traffic is either not being generated on the client or something upstream is blocking it.

4. Capture the ER IPsec VPN logs:

sudo swanctl --log
[KNL] creating acquire job for policy 192.168.1.10/32[icmp/8] === 172.16.1.10/32[icmp/8] with reqid {1}

[IKE] initiating Main Mode IKE_SA peer-192.0.2.1-tunnel-1[1] to 192.0.2.1
[ENC] generating ID_PROT request 0 [ SA V V V V ]
[NET] sending packet: from 203.0.113.1[500] to 192.0.2.1[500] (160 bytes)
[NET] received packet: from 192.0.2.1[500] to 203.0.113.1[500] (108 bytes)
[ENC] parsed ID_PROT response 0 [ SA V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA peer-192.0.2.1-tunnel-1[1] established between 203.0.113.1[203.0.113.1]...192.0.2.1[192.0.2.1]
[ENC] generating QUICK_MODE request 561157166 [ HASH SA No ID ID ]
[ENC] parsed QUICK_MODE response 561157166 [ HASH SA No ID ID N((24576)) ]
[IKE] CHILD_SA peer-192.0.2.1-tunnel-1{1} established with SPIs cb321982_i 5d4174b1_o and TS 192.168.1.0/24 === 172.16.1.0/24

Note: This is also a live capture. If there is no output, the traffic is not being allowed through the firewall. Alternatively you can use the show vpn log | no-more command to view the entire IPsec log history.

5. Verify the IPsec Security Associations (SAs) and statistics on the ASA:

show crypto ikev1 sa 
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 203.0.113.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

show crypto ikev1 sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 203.0.113.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86067

show vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed

Connection : 203.0.113.1
Index : 2 IP Addr : 203.0.113.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsec: (1)MD5
Bytes Tx : 336 Bytes Rx : 336
Login Time : 01:26:31 UTC Tue Jul 18 2017
Duration : 0h:08m:36s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
Tunnel ID : 2.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 85884 Seconds
D/H Group : 5
Filter Name :

IPsec:
Tunnel ID : 2.2
Local Addr : 172.16.1.0/255.255.255.0/0/0
Remote Addr : 192.168.1.0/255.255.255.0/0/0
Encryption : AES128 Hashing : MD5
Encapsulation: Tunnel
Rekey Int (T): 43200 Seconds Rekey Left(T): 42684 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 21 Minutes
Bytes Tx : 336 Bytes Rx : 336
Pkts Tx : 4 Pkts Rx : 4

show crypto ipsec sa detail
interface: outside
Crypto map tag: IPsec_CM, seq num: 100, local addr: 192.0.2.1

access-list IPsec_ACL extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 203.0.113.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 192.0.2.1/0, remote crypto endpt.: 203.0.113.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 8766F876
current inbound spi : B3D9AF0C

inbound esp sas:
spi: 0xB3D9AF0C (3017387788)
transform: esp-aes esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: IPsec_CM
sa timing: remaining key lifetime (kB/sec): (4373999/42800)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x8766F876 (2271672438)
transform: esp-aes esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: IPsec_CM
sa timing: remaining key lifetime (kB/sec): (4373999/42800)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

6. Debug the P1 negotiation on the ASA to the console (debug level 2):

debug crypto ikev1 2
[IKEv1]IP = 203.0.113.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.1 local Proxy Address 172.16.1.0, remote Proxy Address 192.168.1.0, Crypto map (IPsec_CM)

[IKEv1]IP = 203.0.113.1, Connection landed on tunnel_group 203.0.113.1
[IKEv1]IP = 203.0.113.1, Connection landed on tunnel_group 203.0.113.1
[IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, PHASE 1 COMPLETED
[IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 28672
[IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Add to IKEv1 MIB Table succeeded for SA with logical ID 28672
[IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, Security negotiation complete for LAN-to-LAN Group (203.0.113.1) Initiator, Inbound SPI = 0xc8bd5557, Outbound SPI = 0x886ed28f
[IKEv1]Group = 203.0.113.1, IP = 203.0.113.1, PHASE 2 COMPLETED (msgid=f4c19c33)

7. Send traffic over the tunnel from Server1 to Host1 and vice versa:

ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.

64 bytes from 192.168.1.10: icmp_seq=1 ttl=63 time=45.9 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=63 time=45.2 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=63 time=45.5 ms

ping 172.16.1.10
PING 172.16.1.10 (172.16.1.10) 56(84) bytes of data.

64 bytes from 172.16.1.10: icmp_seq=1 ttl=63 time=43.9 ms
64 bytes from 172.16.1.10: icmp_seq=2 ttl=63 time=44.1 ms
64 bytes from 172.16.1.10: icmp_seq=3 ttl=63 time=44.4

Related Articles
