Skip to main content

ikev2 VPN s-2-s - IOS and ASA - pre-shared-key

Today I would like to test a new version of s-2-s VPN - ikev2. This is improved and more secure version of ikev1. I will configure the tunnel working on the below case scenario:

                     |<-VPN->|

               /----\         -----                /----\ 
  Loop0 ----  |  R1  |-------| ASA1 |------Gig0/0-|  R2  |
11.11.11.11    \----/         -----       20.0.0.1 \----/ 

Let’s start to define an ACL to match interesting traffic:
 
R1(config)#access-list 101 permit ip host 11.11.11.11 host 20.0.0.1

asa1(config)# access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11

Now I configure ikev2 proposals on R1:
 
R1(config)#crypto ikev2 proposal IKEV2-PROPOSAL
R1(config-ikev2-proposal)#encryption 3des
R1(config-ikev2-proposal)#group 5
R1(config-ikev2-proposal)#integrity md5
R1(config-ikev2-proposal)#exit

and then policy:
 
R1(config)#crypto ikev2 policy IKEV2-POLICY
R1(config-ikev2-policy)#proposal IKEV2-PROPOSAL
R1(config-ikev2-policy)#exit

On ASA I configure the policy:
 
asa1(config)# crypto ikev2 policy 10
asa1(config-ikev2-policy)# group 5
asa1(config-ikev2-policy)# integrity md5
asa1(config-ikev2-policy)# encryption 3des
asa1(config-ikev2-policy)# exit

and enable it on the outside interface:
 
asa1(config)# crypto ikev2 enable outside

Now on R1 I add key for ISAKMP:
 
R1(config)#crypto ikev2 keyring KEYRING
R1(config-ikev2-keyring)#peer 10.0.0.2
R1(config-ikev2-keyring-peer)#pre-shared-key local cisco123
R1(config-ikev2-keyring-peer)#pre-shared-key remote cisco123
R1(config-ikev2-keyring-peer)#address 10.0.0.2
R1(config-ikev2-keyring-peer)#exit
R1(config-ikev2-keyring)#

and ikev2 profile:
 
R1(config)#crypto ikev2 profile IKEV2-PROFILE
R1(config-ikev2-profile)#match identity remote address 10.0.0.2
R1(config-ikev2-profile)#authentication remote pre-share
R1(config-ikev2-profile)#authentication local pre-share

R1(config-ikev2-profile)#keyring local KEYRING

or (depends on your IOS version)

R1(config-ikev2-profile)#keyring KEYRING

and on ASA1 tunnel group:
 
asa1(config)# tunnel-group 10.0.0.1 type ipsec-l2l
asa1(config)# tunnel-group 10.0.0.1 ipsec-attributes
asa1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0 cisco123
INFO: You must configure ikev2 remote-authentication pre-shared-key
      and/or certificate to complete authentication.
asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 0 cisco123
asa1(config-tunnel-ipsec)# exit
asa1(config)#

Ok, the first part is completed. Let’s start with transform set on asa1:
 
asa1(config)# crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config-ipsec-proposal)# protocol esp integrity md5 
asa1(config-ipsec-proposal)# protocol esp encryption 3des 
asa1(config-ipsec-proposal)# exit
asa1(config)#

and r1:
 
R1(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac  
R1(cfg-crypto-trans)#exit
R1(config)#

Last step is to add crypto map and then apply on the interface:
 
R1(config)#crypto map MAPA 10 ipsec-isakmp
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set peer 10.0.0.2
R1(config-crypto-map)#set transform-set TS
R1(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
R1(config-crypto-map)#exit
R1(config)#

R1(config)#int gig0/0
R1(config-if)#crypto map MAPA
R1(config-if)#
*May  3 16:08:12.759: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#

asa1(config)# crypto map MAPA 10 match address VPN
asa1(config)# crypto map MAPA 10 set peer 10.0.0.1
asa1(config)# crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
asa1(config)# crypto map MAPA interface outside
asa1(config)#

Ok, we are ready to test the tunnel. Let’s ping R2 (20.0.0.1) from R1 (from loopback interface):
 
R1#ping 20.0.0.1 source loo0 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#

 Let’s check the ASA tunnel:
 
asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:9, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
418992871          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/795 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0xefc2b8b/0x4098633c  
asa1# 
asa1# 
asa1# 

asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11 
      local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4098633C
      current inbound spi : 0EFC2B8B

    inbound esp sas:
      spi: 0x0EFC2B8B (251407243)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 200704, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4101119/27991)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x4098633C (1083728700)
         transform: esp-3des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 200704, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4331519/27991)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1# 

and then r1:
 
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.0.0.1/500          10.0.0.2/500          none/none            READY  
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/946 sec

 IPv6 Crypto IKEv2  SA 


R1#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: MAPA, local addr 10.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
   current_peer 10.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xEFC2B8B(251407243)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4098633C(1083728700)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: Onboard VPN:2, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4325061/2483)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEFC2B8B(251407243)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: Onboard VPN:1, sibling_flags 80000040, crypto map: MAPA
        sa timing: remaining key lifetime (k/sec): (4325061/2483)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
R1#

Ok, the tunnel is working fine, the traffic is passing through as we see by checking packets encapsulated and decapsulated:

  #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
  #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

In case we need to troubleshoot on the router we have new commands:

R1#debug crypto ikev2 ?
  client  Client
  detail  debug level 5 - all other details, including state transition
  error   debug level 1 - debug messages signalling an error
  event   debug level 3 - description of packet, contents and policy matching
  packet  debug level 4 - packet dump debugging
  terse   debug level 2 - message exchange debugs
  <cr>

R1#debug crypto ikev2 

and depends on the problem we can set different level of debug.
On the ASA the command for ikev2 is different:

asa1# debug crypto ikev2 ?

  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers
asa1# debug crypto ikev2 pr
asa1# debug crypto ikev2 protocol ?

  <1-255>  Specify an optional debug level (default is 1)
  <cr>
asa1# debug crypto ikev2 protocol 127

In one of my next posts, instead of pre-share-key, I will configure the tunnel using certificates.


Full configurations:
--
ASA1:
--
hostname asa1
!
interface Eth0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
 no sh
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.0.0.2 255.255.255.0
 no sh
!
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
!
route outside 11.11.11.11 255.255.255.255 10.0.0.1 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp integrity md5 
 protocol esp encryption 3des
!
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 10.0.0.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA interface outside
!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
!
crypto ikev2 enable outside
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!
--
R1:
--
hostname R1
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption 3des
 integrity md5
 group 5
!
crypto ikev2 policy IKEV2-POLICY 
 proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring KEYRING
 peer 10.0.0.2
  address 10.0.0.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
 !
!
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 10.0.0.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map MAPA 10 ipsec-isakmp 
 set peer 10.0.0.2
 set transform-set TS 
 set ikev2-profile IKEV2-PROFILE
 match address 101
!
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map MAPA
 no sh
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 101 permit ip host 11.11.11.11 host 20.0.0.1
!
--
 
 
 
!!!! ATTENTION !!!!
I found one missing parameter on ASA1:

crypto ikev2 policy 10 
prf md5

The default one doesn’t work. More details in my next post.
 
 

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an ...

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis...

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze ...