Friday, May 30, 2014

OSPF over IPsec tunnel (ASA ikev1)

Today I would like to set up a VPN tunnel between two ASAs with capability of sending OSPF packets over the IPsec tunnel. I know there are similar examples available on the Internet but I would like to check if there are any problems during the implementation.

         4.4.4.0/24        7.7.7.0/24        5.5.5.0/24

  /----\ .1     .10 -----  .1      .2 -----  .10      .2/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----             -----             \----/

                        |<-----VPN----->|

The basic configuration:

R1:
 
!
hostname r1
!
interface GigabitEthernet0/0
 ip address 4.4.4.1 255.255.255.0
 no sh
!
router ospf 200
 network 4.4.4.0 0.0.0.255 area 0
!

R2:
 
!
hostname r2
!
interface GigabitEthernet0/0
 ip address 5.5.5.2 255.255.255.0
 no sh
!         
router ospf 100
 log-adjacency-changes
 network 5.5.5.0 0.0.0.255 area 0
!

ASA1:
 
!
hostname asa1
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.1 255.255.255.0 
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 4.4.4.10 255.255.255.0 
 no sh
!
router ospf 150
 network 4.4.4.0 255.255.255.0 area 0
 network 7.7.7.0 255.255.255.0 area 0
 log-adj-changes
!

ASA2:
 
!
hostname asa2
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 7.7.7.2 255.255.255.0 
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 5.5.5.10 255.255.255.0 
 np sh
!
router ospf 250
 network 5.5.5.0 255.255.255.0 area 0
 network 7.7.7.0 255.255.255.0 area 0
 log-adj-changes
!

Let’s check if OSPF works fine:
 
r1#sh ip ospf neighbor        

Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.10          1   FULL/BDR        00:00:39    4.4.4.10        GigabitEthernet0/0
r1#

asa1# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/DR         0:00:30     7.7.7.2         outside
4.4.4.1           1   FULL/DR         0:00:31     4.4.4.1         inside
asa1# 

asa2# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
4.4.4.10          1   FULL/BDR        0:00:38     7.7.7.1         outside
5.5.5.2           1   FULL/DR         0:00:37     5.5.5.2         inside
asa2# 

r2#sh ip ospf neighbor 

Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/BDR        00:00:36    5.5.5.10        GigabitEthernet0/0
r2#

As we see above all devices see their neighbors. Before I start VPN implementation I check if routing tables are correct.

R1:
 
r1#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      4.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        4.4.4.0/24 is directly connected, GigabitEthernet0/0
L        4.4.4.1/32 is directly connected, GigabitEthernet0/0
      5.0.0.0/24 is subnetted, 1 subnets
O        5.5.5.0 [110/21] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
      7.0.0.0/24 is subnetted, 1 subnets
O        7.7.7.0 [110/11] via 4.4.4.10, 00:35:08, GigabitEthernet0/0
r1#

R2:
 
r2#sh ip route 
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is not set

      4.0.0.0/24 is subnetted, 1 subnets
O        4.4.4.0 [110/21] via 5.5.5.10, 00:35:07, GigabitEthernet0/0
      5.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        5.5.5.0/24 is directly connected, GigabitEthernet0/0
L        5.5.5.2/32 is directly connected, GigabitEthernet0/0
      7.0.0.0/24 is subnetted, 1 subnets
O        7.7.7.0 [110/11] via 5.5.5.10, 00:37:54, GigabitEthernet0/0
r2#

ASA1:
 
asa1# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    4.4.4.0 255.255.255.0 is directly connected, inside
O    5.5.5.0 255.255.255.0 [110/20] via 7.7.7.2, 0:37:26, outside
C    7.7.7.0 255.255.255.0 is directly connected, outside
asa1# 

ASA2:
 
asa2# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

O    4.4.4.0 255.255.255.0 [110/20] via 7.7.7.1, 0:38:09, outside
C    5.5.5.0 255.255.255.0 is directly connected, inside
C    7.7.7.0 255.255.255.0 is directly connected, outside
asa2# 

Ok, I’m ready to start configuring the VPN:

1) definition of 1st phase:
 
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

crypto ikev1 enable outside

and 2nd:
 
 crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac 

Now I define what traffic between LAN1 and LAN2 should be encrypted:

ASA1:
 
access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 

and ASA2:
 
access-list VPN extended permit ip 5.5.5.0 255.255.255.0 4.4.4.0 255.255.255.0 

Now, I configure tunnel groups:

ASA1:
 
tunnel-group 7.7.7.2 type ipsec-l2l
tunnel-group 7.7.7.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

and ASA1:
 
tunnel-group 7.7.7.1 type ipsec-l2l
tunnel-group 7.7.7.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!

and crypto map:

ASA1:
 
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.2 
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside

and ASA2:
 
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 7.7.7.1 
crypto map MAPA 10 set ikev1 transform-set TS
crypto map MAPA interface outside

Let’s test the tunnel:
 
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#

asa1# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 7.7.7.2
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
asa1# sh crypto ips     
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 
      local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
      current_peer: 7.7.7.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 86047244
      current inbound spi : 8B36069C

    inbound esp sas:
      spi: 0x8B36069C (2335573660)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28778)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x86047244 (2248438340)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28778)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

Ok, the tunnel is working fine but the OSPF traffic is not sent over the tunnel. Let’s add new ACE to
VPN ACL:

ASA1:
 
access-list VPN extended permit ospf interface outside host 7.7.7.2 

and ASA2:
 
access-list VPN extended permit ospf interface outside host 7.7.7.1

Now we have to change way how OSPF sends packets:
 
interface Ethernet0/0
  ospf network point-to-point non-broadcast
!

because we disabled broadcast for OSPF I have to specify where the neighbor is located:

ASA1:
 
router ospf 150
 neighbor 7.7.7.2 interface outside

ASA2:
 
router ospf 250
 neighbor 7.7.7.1 interface outside

Now I clear the OSPF process and then I check what is the OSPF status:
 
asa1# clear ospf process 

ASA1:
 
asa1# sh ospf neighbor 


Neighbor ID     Pri   State           Dead Time   Address         Interface
7.7.7.2           1   FULL/  -        0:00:37     7.7.7.2         outside
4.4.4.1           1   FULL/DR         0:00:37     4.4.4.1         inside
asa1# 

As we see ASA1 has a relationship with ASA2 but let’s confirm the packets are sent over the tunnel:
 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ospf interface outside host 7.7.7.2 
      local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
      current_peer: 7.7.7.2

      #pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
      #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 80, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E6E0B851
      current inbound spi : 0C02D13A

    inbound esp sas:
      spi: 0x0C02D13A (201511226)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914994/28103)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE6E0B851 (3873486929)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914994/28103)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

Let’s test once again ping from R1 to R2:
 
r1#ping 5.5.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
r1#

asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ip 4.4.4.0 255.255.255.0 5.5.5.0 255.255.255.0 
      local ident (addr/mask/prot/port): (4.4.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (5.5.5.0/255.255.255.0/0/0)
      current_peer: 7.7.7.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 77D43B99
      current inbound spi : 8B7F07B0

    inbound esp sas:
      spi: 0x8B7F07B0 (2340358064)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28752)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x77D43B99 (2010397593)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914999/28752)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

    Crypto map tag: MAPA, seq num: 10, local addr: 7.7.7.1

      access-list VPN extended permit ospf interface outside host 7.7.7.2 
      local ident (addr/mask/prot/port): (7.7.7.1/255.255.255.255/89/0)
      remote ident (addr/mask/prot/port): (7.7.7.2/255.255.255.255/89/0)
      current_peer: 7.7.7.2

      #pkts encaps: 90, #pkts encrypt: 91, #pkts digest: 91
      #pkts decaps: 90, #pkts decrypt: 90, #pkts verify: 90
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 91, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 7.7.7.1/0, remote crypto endpt.: 7.7.7.2/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: E6E0B851
      current inbound spi : 0C02D13A

    inbound esp sas:
      spi: 0x0C02D13A (201511226)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914993/28005)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE6E0B851 (3873486929)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (3914993/28003)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

We see two SAs: the first for IP traffic and second for OSPF (one per each access-list entry).

No comments:

Post a Comment