Sunday, May 4, 2014

ikev2 VPN s-2-s - IOS and ASA - pre-shared-key

Today I would like to test a new version of s-2-s VPN - ikev2. This is improved and more secure version of ikev1. I will configure the tunnel working on the below case scenario:

                     |<-VPN->|

               /----\         -----                /----\ 
  Loop0 ----  |  R1  |-------| ASA1 |------Gig0/0-|  R2  |
11.11.11.11    \----/         -----       20.0.0.1 \----/ 

Let’s start to define an ACL to match interesting traffic:
 
R1(config)#access-list 101 permit ip host 11.11.11.11 host 20.0.0.1

asa1(config)# access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11

Now I configure ikev2 proposals on R1:
 
R1(config)#crypto ikev2 proposal IKEV2-PROPOSAL
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#exit

and then policy:
 
R1(config)#crypto ikev2 policy IKEV2-POLICY
R1(config-ikev2-policy)#proposal IKEV2-PROPOSAL
R1(config-ikev2-policy)#exit

On ASA I configure the policy:
 
asa1(config)# crypto ikev2 policy 10
asa1(config-ikev2-policy)# group 5
asa1(config-ikev2-policy)# integrity md5
asa1(config-ikev2-policy)# encryption 3des
asa1(config-ikev2-policy)# exit

and enable it on the outside interface:
 
asa1(config)# crypto ikev2 enable outside

Now on R1 I add key for ISAKMP:
 
R1(config)#crypto ikev2 keyring KEYRING
R1(config-ikev2-keyring)#peer 10.0.0.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco123
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco123
R1(config-ikev2-keyring-peer)#address 10.0.0.2
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#

and ikev2 profile:
 
R1(config)#crypto ikev2 profile IKEV2-PROFILE
R1(config-ikev2-profile)#match identity remote address 10.0.0.2
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share

R1(config-ikev2-profile)#keyring local KEYRING

or (depends on your IOS version)

R1(config-ikev2-profile)#keyring KEYRING

and on ASA1 tunnel group:
 
asa1(config)# tunnel-group 10.0.0.1 type ipsec-l2l
asa1(config)# tunnel-group 10.0.0.1 ipsec-attributes
asa1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0 cisco123
INFO: You must configure ikev2 remote-authentication pre-shared-key
      and/or certificate to complete authentication.
asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 0 cisco123
asa1(config-tunnel-ipsec)# exit
asa1(config)#

Ok, the first part is completed. Let’s start with transform set on asa1:
 
asa1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config-ipsec-proposal)# protocol esp integrity md5 
asa1(config-ipsec-proposal)# protocol esp encryption 3des 
asa1(config-ipsec-proposal)# exit
asa1(config)#

and r1:
 
R1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac  
R1(cfg-crypto-trans)#exit
R1(config)#

Last step is to add crypto map and then apply on the interface:
 
R1(config)#crypto map MAPA 10 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 10.0.0.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
R1(config-crypto-map)#exit
R1(config)#

R1(config)#int gig0/0
R1(config-if)#crypto map MAPA
R1(config-if)#
*May  3 16:08:12.759: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#

asa1(config)# crypto map MAPA 10 match address VPN
asa1(config)# crypto map MAPA 10 set peer 10.0.0.1
asa1(config)# crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config)# crypto map MAPA interface outside
asa1(config)#

Ok, we are ready to test the tunnel. Let’s ping R2 (20.0.0.1) from R1 (from loopback interface):
 
R1#ping 20.0.0.1 source loo0 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

 Let’s check the ASA tunnel:
 
asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
418992871          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/795 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0xefc2b8b/0x4098633c  
asa1# 
asa1# 
asa1# 

asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11 
      local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4098633C
      current inbound spi : 0EFC2B8B

    inbound esp sas:
      spi: 0x0EFC2B8B (251407243)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 200704, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4101119/27991)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x4098633C (1083728700)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 200704, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4331519/27991)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

and then r1:
 
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.0.0.1/500          10.0.0.2/500          none/none            READY  
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/946 sec

 IPv6 Crypto IKEv2  SA 


R1#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MAPA, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xEFC2B8B(251407243)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4098633C(1083728700)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4325061/2483)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFC2B8B(251407243)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4325061/2483)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#

Ok, the tunnel is working fine, the traffic is passing through as we see by checking packets encapsulated and decapsulated:

  #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
  #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

In case we need to troubleshoot on the router we have new commands:

R1#debug crypto ikev2 ?
  client  Client
  detail  debug level 5 - all other details, including state transition
  error   debug level 1 - debug messages signalling an error
  event   debug level 3 - description of packet, contents and policy matching
  packet  debug level 4 - packet dump debugging
  terse   debug level 2 - message exchange debugs
  <cr>

R1#debug crypto ikev2 

and depends on the problem we can set different level of debug.
On the ASA the command for ikev2 is different:

asa1# debug crypto ikev2 ?

  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers
asa1# debug crypto ikev2 pr
asa1# debug crypto ikev2 protocol ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>
asa1# debug crypto ikev2 protocol 127

In one of my next posts, instead of pre-share-key, I will configure the tunnel using certificates.


Full configurations:
--
ASA1:
--
hostname asa1
!
interface Eth0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.0.0.2 255.255.255.0
 no sh
!
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
!
route outside 11.11.11.11 255.255.255.255 10.0.0.1 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp integrity md5 
 protocol esp encryption 3des
!
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 10.0.0.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA interface outside
!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
!
crypto ikev2 enable outside
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!
--
R1:
--
hostname R1
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption 3des
 integrity md5
 group 5
!
crypto ikev2 policy IKEV2-POLICY 
 proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring KEYRING
 peer 10.0.0.2
  address 10.0.0.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 10.0.0.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map MAPA 10 ipsec-isakmp 
 set peer 10.0.0.2
 set transform-set TS 
 set ikev2-profile IKEV2-PROFILE
 match address 101
!
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map MAPA
 no sh
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 101 permit ip host 11.11.11.11 host 20.0.0.1
!
--
 
 
 
!!!! ATTENTION !!!!
I found one missing parameter on ASA1:

crypto ikev2 policy 10 
prf md5

The default one doesn’t work. More details in my next post.
 
 

No comments:

Post a Comment