I’d like to continue the ikev2 topic (ASA ikev2 VPN s-2-s (PKI) -
part one) and introduce new features which allow me to achieve the same
result. I strongly recommend to read the previous post first to have a
clear picture what I’m going to do. I will work on the same network
diagram.
Let’s remove the group-policy IKEV2-GROUP-POLICY from the tunnel-group.
Repeat the same for ASA2. Now I check if the traffic between hosts is allowed:
As we see, even the traffic which we want to block is now allowed. Let’s remind the IP address list with permitted traffic:
a) 11.11.11.11 <-> 20.0.0.1
b) 11.11.12.12 <-> 20.0.2.2
c) 11.11.13.13 <-> 20.0.3.3
There is one global parameter which we can use to control the traffic in another way:
By default the command is active what means that ASA permits all traffic inside the VPN tunnel. You don’t need any access list to specify what is sent inside the tunnel. When you disable this feature “no sysopt connection permit-ipsec”, ASA requires access-list for all traffic which you want to send over the tunnel. Let’s disable the feature on both ASAs:
Let’s try if it works:
As we see we can’t reach the destination but when we check the VPN connection we see it is active.
As you see the four packets were sent but they were dropped on the ASA2 outside interface:
I will add now a new access-list on the outside interface.
Remember that the access list should permit traffic coming from your peer:
ASA1:
ASA2:
and now check if we can ping:
As we see all servers (from my list) can communicate each other. The last thing is to check ‘non-allowed’ traffic:
As we expected we can’t ping host from other group.
11.11.11.0/24 10.0.0.0/24 20.0.0.0/24
/----\ .11 .1 ----- .1 .2 ----- .2 .1/----\
| R1 |----------| ASA1 |----------| ASA2 |----------| R2 |
\----/ ----- |.100 ----- \----/
Loop0 /----\ Loop0
11.11.12.12 | R3 | 20.0.2.2
Loop1 \----/ Loop1
11.11.13.13 PKI SERVER 20.0.3.3
Let’s remove the group-policy IKEV2-GROUP-POLICY from the tunnel-group.
asa1# conf t
asa1(config)# tunnel-group 10.0.0.2 general-attributes
asa1(config-tunnel-general)# no default-group-policy IKEV2-GROUP-POLICY
asa1(config-tunnel-general)#
asa1(config-tunnel-general)# end
asa1#
Repeat the same for ASA2. Now I check if the traffic between hosts is allowed:
r1#ping 20.0.0.1 source 11.11.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.13.13
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/76/108 ms
r1#ping 20.0.0.1 source 11.11.12.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.12.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/64/76 ms
r1#ping 20.0.3.3 source 11.11.12.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.12.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/63/72 ms
r1#
As we see, even the traffic which we want to block is now allowed. Let’s remind the IP address list with permitted traffic:
a) 11.11.11.11 <-> 20.0.0.1
b) 11.11.12.12 <-> 20.0.2.2
c) 11.11.13.13 <-> 20.0.3.3
There is one global parameter which we can use to control the traffic in another way:
sysopt connection permit-ipsec
By default the command is active what means that ASA permits all traffic inside the VPN tunnel. You don’t need any access list to specify what is sent inside the tunnel. When you disable this feature “no sysopt connection permit-ipsec”, ASA requires access-list for all traffic which you want to send over the tunnel. Let’s disable the feature on both ASAs:
asa1(config)# no sysopt connection permit-vpn
asa2(config)# no sysopt connection permit-vpn
Let’s try if it works:
r1#ping 20.0.0.1 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#
As we see we can’t reach the destination but when we check the VPN connection we see it is active.
asa1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:23, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
413441935 10.0.0.1/500 10.0.0.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/1 sec
Child sa: local selector 11.11.0.0/0 - 11.11.255.255/65535
remote selector 20.0.0.0/0 - 20.0.255.255/65535
ESP spi in/out: 0x7680f345/0x48bb9d26
asa1#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.1
access-list VPN extended permit ip 11.11.0.0 255.255.0.0 20.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (11.11.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.0.0/0/0)
current_peer: 10.0.0.2
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.1/500, remote crypto endpt.: 10.0.0.2/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 48BB9D26
current inbound spi : 7680F345
inbound esp sas:
spi: 0x7680F345 (1988162373)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200704, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (3916800/28580)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x48BB9D26 (1220255014)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200704, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4147199/28580)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
As you see the four packets were sent but they were dropped on the ASA2 outside interface:
asa1# sh crypto ipsec sa | i encrypt|decrypt
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
asa1#
I will add now a new access-list on the outside interface.
Remember that the access list should permit traffic coming from your peer:
ASA1:
access-list OUT extended permit icmp host 20.0.0.1 host 11.11.11.11
access-list OUT extended permit icmp host 20.0.2.2 host 11.11.12.12
access-list OUT extended permit icmp host 20.0.3.3 host 11.11.13.13
access-group OUT in interface outside
ASA2:
access-list OUT extended permit icmp host 11.11.11.11 host 20.0.0.1
access-list OUT extended permit icmp host 11.11.12.12 host 20.0.2.2
access-list OUT extended permit icmp host 11.11.13.13 host 20.0.3.3
access-group OUT in interface outside
and now check if we can ping:
r1#ping 20.0.0.1 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/71/80 ms
r1#ping 20.0.2.2 source 11.11.12.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.2.2, timeout is 2 seconds:
Packet sent with a source address of 11.11.12.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/89/136 ms
r1#ping 20.0.3.3 source 11.11.13.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.13.13
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/79/128 ms
As we see all servers (from my list) can communicate each other. The last thing is to check ‘non-allowed’ traffic:
r1#ping 20.0.3.3 source 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.3.3, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#
As we expected we can’t ping host from other group.
Comments
Post a Comment