EdgeRouter - Site-to-Site IPsec VPN to Cisco ASA


Overview


Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Cisco ASA, using IKEv1 with a pre-shared key on both sides.

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and basic networking knowledge is required. Please see the Related Articles below for more information.
 
Devices used in this article:

Table of Contents


  1. Frequently Asked Questions (FAQ)
  2. Network Diagram
  3. Configuring the Policy-Based VPN
  4. Related Articles

FAQ



1. What site-to-site IPsec VPN types can be configured on EdgeOS?

The following IPsec VPN types can be configured on EdgeOS:

  • Policy-Based
  • Route-Based (VTI)
  • GRE over IPsec
2. What encryption and hashing algorithms can be used in the Phase 1 (IKE) and Phase 2 (ESP) proposals that define the Security Associations (SAs)?

Encryption

  • AES128
  • AES256
  • AES128GCM128
  • AES256GCM128
  • 3DES

Hashing

  • MD5
  • SHA1
  • SHA2-256
  • SHA2-384
  • SHA2-512

MD5, SHA1 and 3DES remain available only for interoperability with older peers. For a new tunnel, prefer AES (the GCM variants where both ends support them) with SHA2 and a DH group of 14 or higher. The worked example below uses AES-128, SHA1 and DH group 5 on both sides; whatever you choose, the proposal on the EdgeRouter and the policy on the ASA must match exactly.

Network Diagram



The network topology is shown below and the following interfaces are in use on the two devices:

ER-4

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24

Cisco ASA

  • gi0/0 (WAN) - 192.0.2.1
  • gi0/1 (LAN) - 172.16.1.1/24

[Figure: topology.png, the network topology described above]


Configuring the Policy-Based VPN



CLI: Access the command line interface on the ER. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature. This automatically adds the firewall and NAT exclusion rules that the tunnel needs, so that traffic between the two subnets is not source-NATed and the IPsec traffic itself is permitted.

set vpn ipsec auto-firewall-nat-exclude enable

3. Define the IKE / Phase 1 (P1) proposal. The lifetime (28800 seconds), DH group, encryption and hash must match the IKEv1 policy configured on the ASA below.

set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

4. Define the ESP / Phase 2 (P2) proposal and disable Perfect Forward Secrecy (PFS). PFS is disabled here because the ASA crypto map below does not request it; if you enable PFS on one side, enable it on the other with the same DH group, otherwise Phase 2 will not negotiate.

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the remote peer and its pre-shared key (replace <secret> with a long, random passphrase; the same value must be configured on the ASA).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the IKE and ESP groups created above to the remote peer and define the local and remote subnets (the traffic selectors). These must be the mirror image of the access-list on the ASA.

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24

7. Commit the changes and save the configuration.

commit ; save

CLI: Access the command line interface (CLI) on the Cisco ASA.

1. Enter configuration mode.

configure terminal

2. Define network objects for the local (ASA side) and remote (EdgeRouter side) subnets.

object network obj-local
subnet 172.16.1.0 255.255.255.0

object network obj-remote
subnet 192.168.1.0 255.255.255.0

3. Create the access-list that selects the traffic to be encrypted (local source to remote destination). It is the mirror image of the local and remote prefixes configured on the EdgeRouter.

access-list ipsec-acl extended permit ip object obj-local object obj-remote

4. Create an IKEv1 policy matching the EdgeRouter's IKE group. On the ASA, encryption aes means AES-128 and hash sha means SHA1.

crypto ikev1 policy 100
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800

5. Configure a transform-set for IPsec matching the EdgeRouter's ESP group (esp-aes is AES-128, esp-sha-hmac is SHA1).

crypto ipsec ikev1 transform-set ipsec-ts esp-aes esp-sha-hmac

6. Create a crypto map that links the peer, the transform-set and the access-list, then apply it to the outside interface. The security-association lifetime matches the EdgeRouter's ESP group lifetime of 3600 seconds.

crypto map ipsec-cm 100 set peer 203.0.113.1
crypto map ipsec-cm 100 set ikev1 transform-set ipsec-ts
crypto map ipsec-cm 100 set security-association lifetime seconds 3600
crypto map ipsec-cm 100 match address ipsec-acl
crypto map ipsec-cm interface outside

7. Create a tunnel group named after the EdgeRouter's WAN address (replace <secret> with the same passphrase configured on the EdgeRouter).

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key <secret>

8. Enable IKEv1 on the outside interface.

crypto ikev1 enable outside

9. Exclude the tunnel traffic from NAT. The first line is an identity (no-change) twice-NAT rule for local-to-remote traffic; the second is the usual dynamic PAT that gives the LAN Internet access. Twice-NAT rules are evaluated in order, so the exemption must come before the dynamic rule or the VPN traffic will be translated and never match the access-list.

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-local interface

10. Write the changes to the startup configuration.

copy running-config startup-config
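Most failed tunnels come down to one parameter that differs between the two sides. The script below is an added cross-check, not part of the original article or of either vendor's tooling: it parses the EdgeOS set commands and the ASA lines from the two procedures above, folds the two vendors' algorithm names onto one vocabulary, and reports every Phase 1 / Phase 2 parameter, PFS setting, traffic selector or peer address that does not line up. The algorithm-name table, the sample configurations (the relevant lines from this article, pre-shared key omitted) and the treatment of a bare set pfs as group2 are assumptions of the example.

```python
import ipaddress

# Both vendors spell the same algorithms differently; fold them onto one vocabulary
# (covers the names in the article plus SHA2-256; the table is an assumption of this example).
ALG = {"aes128": "aes-128", "aes": "aes-128", "esp-aes": "aes-128",
       "aes256": "aes-256", "aes-256": "aes-256", "esp-aes-256": "aes-256",
       "sha1": "sha1", "sha": "sha1", "esp-sha-hmac": "sha1",
       "sha256": "sha256", "esp-sha256-hmac": "sha256"}

def parse_edgeos(text):
    """Pull proposals, lifetimes, PFS and traffic selectors out of EdgeOS 'set vpn ipsec' lines."""
    p = {"local": set(), "remote": set(), "pfs": "disable"}
    for t in (line.split() for line in text.splitlines()):
        if t[:3] != ["set", "vpn", "ipsec"] or len(t) < 7: continue
        if t[3] in ("ike-group", "esp-group"):
            kind = t[3][:3]                                              # "ike" or "esp"
            if t[5] == "lifetime": p[kind + "_lifetime"] = int(t[6])
            elif t[5] == "pfs": p["pfs"] = t[6]                          # disable | enable | dh-groupN
            elif t[5] == "proposal" and t[7] == "dh-group": p["ike_dh"] = int(t[8])
            elif t[5] == "proposal" and t[7] == "encryption": p[kind + "_enc"] = ALG[t[8]]
            elif t[5] == "proposal" and t[7] == "hash": p[kind + "_hash"] = ALG[t[8]]
        elif t[3] == "site-to-site":
            if t[6] == "local-address": p["local_address"] = t[7]
            elif t[6] == "tunnel" and t[8] in ("local", "remote"):       # tunnel N local|remote prefix X
                p[t[8]].add(ipaddress.ip_network(t[10]))
    return p

def parse_asa(text):
    """Pull the same parameters out of an ASA IKEv1 crypto-map configuration."""
    p = {"local": set(), "remote": set(), "pfs": "disable"}
    objects, ctx = {}, None                       # ctx: ("object", name) | ("policy", n) | None
    for t in (line.split() for line in text.splitlines()):
        if not t: continue
        if t[0] in ("object", "crypto", "access-list", "nat", "tunnel-group"): ctx = None
        if t[:2] == ["object", "network"]: ctx = ("object", t[2])
        elif t[:3] == ["crypto", "ikev1", "policy"]: ctx = ("policy", t[3])
        elif ctx and ctx[0] == "object" and t[0] == "subnet":
            objects[ctx[1]] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif ctx and ctx[0] == "policy":
            if t[0] == "encryption": p["ike_enc"] = ALG[t[1]]
            elif t[0] == "hash": p["ike_hash"] = ALG[t[1]]
            elif t[0] == "group": p["ike_dh"] = int(t[1])
            elif t[0] == "lifetime": p["ike_lifetime"] = int(t[1])
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p["esp_enc"], p["esp_hash"] = ALG[t[5]], ALG[t[6]]
        elif t[:2] == ["crypto", "map"] and "set" in t:
            s = t[t.index("set") + 1:]
            if s[0] == "peer": p["peer"] = s[1]
            elif s[0] == "pfs": p["pfs"] = s[1] if len(s) > 1 else "group2"   # bare "set pfs" = group2
            elif s[:3] == ["security-association", "lifetime", "seconds"]: p["esp_lifetime"] = int(s[3])
        elif t[0] == "access-list" and "permit" in t:
            names = [t[i + 1] for i, w in enumerate(t) if w == "object"]   # object <ASA side> object <far side>
            p["local"].add(objects[names[0]]); p["remote"].add(objects[names[1]])
    return p

def compare(er, asa):
    """Return the parameters that do not line up; an empty list means the two sides agree."""
    keys = ("ike_enc", "ike_hash", "ike_dh", "ike_lifetime", "esp_enc", "esp_hash", "esp_lifetime")
    problems = [f"{k}: EdgeOS={er.get(k)} ASA={asa.get(k)}" for k in keys if er.get(k) != asa.get(k)]
    # EdgeOS "pfs enable" reuses the IKE DH group and "dh-groupN" names one; the ASA spells it "groupN"
    er_pfs = f"group{er.get('ike_dh')}" if er["pfs"] == "enable" else er["pfs"].replace("dh-", "")
    if er_pfs != asa["pfs"]:
        problems.append(f"pfs: EdgeOS={er_pfs} ASA={asa['pfs']}")
    if er["local"] != asa["remote"] or er["remote"] != asa["local"]:   # selectors must mirror each other
        problems.append(f"selectors: EdgeOS {er['local']}->{er['remote']} vs ASA {asa['local']}->{asa['remote']}")
    if asa.get("peer") != er.get("local_address"):                      # ASA peer must be the ER WAN address
        problems.append(f"peer: EdgeOS local-address={er.get('local_address')} ASA peer={asa.get('peer')}")
    return problems

# Sample input: the relevant lines of the two configurations from the article (pre-shared key omitted).
EDGEOS_CFG = """\
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
"""
ASA_CFG = """\
object network obj-local
subnet 172.16.1.0 255.255.255.0
object network obj-remote
subnet 192.168.1.0 255.255.255.0
access-list ipsec-acl extended permit ip object obj-local object obj-remote
crypto ikev1 policy 100
encryption aes
hash sha
group 5
lifetime 28800
crypto ipsec ikev1 transform-set ipsec-ts esp-aes esp-sha-hmac
crypto map ipsec-cm 100 set peer 203.0.113.1
crypto map ipsec-cm 100 set security-association lifetime seconds 3600
"""
if __name__ == "__main__":
    print(compare(parse_edgeos(EDGEOS_CFG), parse_asa(ASA_CFG)) or "no mismatches")
```

Run it against the two configurations as typed (paste them into the two strings) before committing; once both sides are committed, confirm the result on the devices themselves with show vpn ipsec sa on the EdgeRouter and show crypto ikev1 sa / show crypto ipsec sa on the ASA.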

Related Articles



EdgeRouter - Site-to-Site IPsec VPN to Cisco ISR

EdgeRouter - Policy-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH

