When we talk about network security, we cannot avoid mentioning VPN. A VPN (Virtual Private Network) is a secure private tunnel over an insecure network (for example the Internet). It can be thought of as a secure tunnel that connects two networks together. Data that travels through it is encrypted, so if some "outsider" somehow gets to see the data, he or she will not be able to make much use of it. A site-to-site VPN, or LAN-to-LAN (L2L) tunnel, can therefore be used to securely connect distant LAN networks together.
On a Cisco ASA this is done with the IPsec protocol suite, which provides encrypted and authenticated communication. After the two distant sites are successfully connected over the VPN, hosts on site 1 can communicate directly with hosts on site 2 as if they were on the same LAN.
After the VPN is established, every packet that flows from one VPN concentrator (often referred to as a peer) to the other, in our example from the ASA-A firewall to the ASA-B firewall and back, is authenticated and encrypted by the IPsec protocol suite. Protocols and standards used in the IPsec protocol suite:
- ESP (Encapsulating Security Payload)
- AH (Authentication Header)
- IKE (Internet Key Exchange)
- encryption algorithms (DES, 3DES, AES)
- DH (Diffie-Hellman groups)
- hash algorithms (MD5, SHA-1)
- SA (Security Association)
To define the traffic that will go through the VPN when it leaves the ASA firewall, we need to set up an ACL (the "crypto ACL") that tells the firewall which source and destination addresses are to be encrypted:
ASA-A#conf t
ASA-A(config)#access-list crypto_acl_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
(notice that on ASA-B this ACL must be mirrored, which means we use the same address ranges but with source and destination swapped) IPsec does not work well with NAT, because translating the addresses would make the packets no longer match the crypto ACL, so we need to exclude VPN traffic from NAT. For that purpose we use nat 0 (identity NAT) in combination with an ACL that defines the traffic which will not be NAT-ed; the ACL name given to nat 0 must be exactly the name of the ACL we define:
ASA-A(config)#access-list nat_0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-A(config)#nat (inside) 0 access-list nat_0
We also have to define the Phase 1 (ISAKMP/IKE) parameters, which specify the encryption algorithm, hash algorithm, authentication method, Diffie-Hellman (DH) group and SA lifetime. We also have to enable the ISAKMP framework on the "outside" interface and set the peer address as the identity used for the tunnel. More than one ISAKMP policy can be defined. The policy number defines the priority: policies with a lower number are tried first. In this example we use policy number 10 (although we could use any other number). Note that 3DES, MD5 and DH group 2 are the legacy choices of this example; on current software you should prefer AES, SHA-256 and DH group 14 or higher, configured identically on both peers:
ASA-A(config)#crypto isakmp policy 10
ASA-A(config-isakmp-policy)#authentication pre-share
ASA-A(config-isakmp-policy)#encryption 3des
ASA-A(config-isakmp-policy)#hash md5
ASA-A(config-isakmp-policy)#group 2
ASA-A(config-isakmp-policy)#lifetime 86400
ASA-A(config)#isakmp enable outside
ASA-A(config)#isakmp identity address
(notice that for successful tunnel establishment these parameters must match exactly on the other peer, the ASA-B firewall) Next, define the pre-shared key and the type of VPN:
ASA-A(config)#tunnel-group 20.1.1.20 type ipsec-l2l
ASA-A(config)#tunnel-group 20.1.1.20 ipsec-attributes
ASA-A(config-tunnel-ipsec)#pre-shared-key s0meKey4TEST!!!
(the pre-shared key is a passphrase and must also match exactly on the other VPN peer; treat it as a secret and use a long random value in production) After defining Phase 1, we need to set up the Phase 2 parameters: the IPsec transform set that defines the encryption and authentication protocols, the key lifetime and so on. The transform set is given a name that the crypto map refers to later, so the name must match exactly:
ASA-A(config)#crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA-A(config)#crypto ipsec security-association lifetime seconds 86400
ASA-A(config)#crypto ipsec security-association lifetime kilobytes 4608000
Next, define the crypto map, which is the container that ties the Phase 2 parameters together (the crypto ACL, the peer, PFS and the transform set). At the end, the crypto map is attached to the "outside" interface:
ASA-A(config)#crypto map my_crypto_map 10 match address crypto_acl_1
ASA-A(config)#crypto map my_crypto_map 10 set pfs
ASA-A(config)#crypto map my_crypto_map 10 set peer 20.1.1.20
ASA-A(config)#crypto map my_crypto_map 10 set transform-set ESP-3DES-MD5
ASA-A(config)#crypto map my_crypto_map interface outside
(every crypto map entry is identified by a sequence number. Lower numbers have higher priority, so those entries are evaluated first. In this example the crypto map entry has sequence number 10) Complete configuration example of ASA-A on site A:
ASA-A>enable
ASA-A#configure terminal
ASA-A(config)#crypto isakmp policy 10
ASA-A(config-isakmp-policy)#authentication pre-share
ASA-A(config-isakmp-policy)#encryption 3des
ASA-A(config-isakmp-policy)#hash md5
ASA-A(config-isakmp-policy)#group 2
ASA-A(config-isakmp-policy)#lifetime 86400
ASA-A(config)#crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA-A(config)#crypto ipsec security-association lifetime seconds 86400
ASA-A(config)#crypto ipsec security-association lifetime kilobytes 4608000
ASA-A(config)#access-list crypto_acl_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-A(config)#access-list nat_0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA-A(config)#nat (inside) 0 access-list nat_0
ASA-A(config)#crypto map my_crypto_map 10 match address crypto_acl_1
ASA-A(config)#crypto map my_crypto_map 10 set pfs
ASA-A(config)#crypto map my_crypto_map 10 set peer 20.1.1.20
ASA-A(config)#crypto map my_crypto_map 10 set transform-set ESP-3DES-MD5
ASA-A(config)#crypto map my_crypto_map interface outside
ASA-A(config)#isakmp enable outside
ASA-A(config)#isakmp identity address
ASA-A(config)#tunnel-group 20.1.1.20 type ipsec-l2l
ASA-A(config)#tunnel-group 20.1.1.20 ipsec-attributes
ASA-A(config-tunnel-ipsec)#pre-shared-key s0meKey4TEST!!!
Configuration example of ASA-B on site B:
ASA-B>enable
ASA-B#configure terminal
ASA-B(config)#crypto isakmp policy 10
ASA-B(config-isakmp-policy)#authentication pre-share
ASA-B(config-isakmp-policy)#encryption 3des
ASA-B(config-isakmp-policy)#hash md5
ASA-B(config-isakmp-policy)#group 2
ASA-B(config-isakmp-policy)#lifetime 86400
ASA-B(config)#crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
ASA-B(config)#crypto ipsec security-association lifetime seconds 86400
ASA-B(config)#crypto ipsec security-association lifetime kilobytes 4608000
ASA-B(config)#access-list crypto_acl_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-B(config)#access-list nat_0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA-B(config)#nat (inside) 0 access-list nat_0
ASA-B(config)#crypto map my_crypto_map 10 match address crypto_acl_1
ASA-B(config)#crypto map my_crypto_map 10 set pfs
ASA-B(config)#crypto map my_crypto_map 10 set peer 20.1.1.10
ASA-B(config)#crypto map my_crypto_map 10 set transform-set ESP-3DES-MD5
ASA-B(config)#crypto map my_crypto_map interface outside
ASA-B(config)#isakmp enable outside
ASA-B(config)#isakmp identity address
ASA-B(config)#tunnel-group 20.1.1.10 type ipsec-l2l
ASA-B(config)#tunnel-group 20.1.1.10 ipsec-attributes
ASA-B(config-tunnel-ipsec)#pre-shared-key s0meKey4TEST!!!
After completing the configuration on both ASAs you should have a working VPN: all data from network A destined for network B, and from network B destined for network A, will be encrypted and go through the configured tunnel. The tunnel is brought up by interesting traffic, so send a ping from a host in 192.168.1.0/24 to a host in 192.168.2.0/24 and then check show crypto isakmp sa (Phase 1 should show state MM_ACTIVE) and show crypto ipsec sa (the pkts encaps/decaps counters should increase). If Phase 1 never comes up, re-check that the ISAKMP policy and pre-shared key are identical on both peers; if Phase 1 is up but no traffic flows, re-check that the crypto ACLs mirror each other and that every name referenced by the crypto map and by nat 0 actually exists.
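The two mistakes that most often break a tunnel that "looks" configured are a dangling name (a crypto map or nat 0 statement that references an ACL or transform set spelled differently from where it was defined) and a crypto ACL that was not mirrored on the peer. The following Python script is an added example, not part of the original post or of any Cisco tool: it lints a pasted ASA configuration for dangling references and derives the mirrored crypto ACL for the remote peer. The sample configuration embedded in it is constructed for the demo and deliberately contains both kinds of name mismatch (a nat 0 line pointing at identity_nat_ACL while the ACL is named nat_0, and a crypto map pointing at ESP-3DES-MD5 while the transform set is named ESP-DES-MD5), so the linter has something to find.

```python
"""Lint a Cisco ASA site-to-site IPsec config for dangling cross-references
and derive the mirrored crypto ACL the remote peer needs.
Added example, not the original post's code; the config below is constructed."""
import re

# Constructed sample: an ASA-A config with two deliberate name mismatches.
SAMPLE_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
access-list crypto_acl_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list identity_nat_ACL
access-list nat_0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map my_crypto_map 10 match address crypto_acl_1
crypto map my_crypto_map 10 set pfs
crypto map my_crypto_map 10 set peer 20.1.1.20
crypto map my_crypto_map 10 set transform-set ESP-3DES-MD5
crypto map my_crypto_map interface outside
tunnel-group 20.1.1.20 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
# (regex, kind of object the captured name refers to)
REF_PATTERNS = [
    (re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"), "acl"),
    (re.compile(r"^crypto map \S+ \d+ match address (\S+)$"), "acl"),
    (re.compile(r"^crypto map \S+ \d+ set transform-set (\S+)$"), "transform-set"),
    (re.compile(r"^crypto map \S+ \d+ set peer (\S+)$"), "tunnel-group"),
]


def parse(config):
    """Collect defined objects (ACLs, transform sets, tunnel groups) and
    every line that references one of them by name."""
    defined = {"acl": {}, "transform-set": set(), "tunnel-group": set()}
    refs = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            defined["acl"].setdefault(name, []).append((src, smask, dst, dmask))
            continue
        m = re.match(r"^crypto ipsec transform-set (\S+) ", line)
        if m:
            defined["transform-set"].add(m.group(1))
            continue
        m = re.match(r"^tunnel-group (\S+) type ipsec-l2l$", line)
        if m:
            defined["tunnel-group"].add(m.group(1))
            continue
        for pattern, kind in REF_PATTERNS:
            m = pattern.match(line)
            if m:
                refs.append((kind, m.group(1), line))
                break
    return defined, refs


def lint(config):
    """Return one message per reference to an undefined name; [] means clean."""
    defined, refs = parse(config)
    return [
        f"{line!r} references unknown {kind} '{name}'"
        for kind, name, line in refs
        if name not in defined[kind]
    ]


def mirror_acl(config, acl_name):
    """Produce the crypto ACL the peer needs: same prefixes, src/dst swapped."""
    defined, _ = parse(config)
    return [
        f"access-list {acl_name} extended permit ip {dst} {dmask} {src} {smask}"
        for src, smask, dst, dmask in defined["acl"][acl_name]
    ]


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
    print("Mirrored ACL for the peer:")
    print("\n".join(mirror_acl(SAMPLE_CONFIG, "crypto_acl_1")))
```

Run it against a config pasted from show running-config on ASA-A; once lint() returns an empty list, paste the lines from mirror_acl() into ASA-B. Because the parser only understands the plain "permit ip net mask net mask" form used in this post, ACLs written with object-groups or host keywords are ignored rather than mis-mirrored.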