In our next blog post, we will focus on configuring an IKEv2 VPN between the ASA and IOS.
Is there anything special about that configuration? Yes and no. It is still “just” IKEv2 that takes care of negotiating our tunnels, but there will definitely be a difference in how we configure one platform versus the other. Remember – tunnel interfaces are not supported on the ASA, at least as of 8.6, and this generally means that we will not be able to use tunnel interfaces (FlexVPN) on IOS either (there is actually one small exception to this rule, but it will not be discussed in this article).
Let’s take a look at our simple network:
We’ll try to build a VPN tunnel between R10 and ASA3 that we will then use to protect traffic flowing between VLANs 10 and 8. I am going to start with the ASA configuration.
First and foremost – the policy. Note that the PRF must generally be the same as what you have selected for integrity/hashing:
crypto ikev2 policy 10
encryption aes-256
integrity sha384
prf sha384
group 14
We will authenticate the tunnel using pre-shared keys, and since the authentication method is no longer negotiated in IKEv2, we have to configure it under the tunnel group:
tunnel-group 8.9.2.10 type ipsec-l2l
tunnel-group 8.9.2.10 ipsec-attributes
ikev2 remote-authentication pre-shared-key ipexpert
ikev2 local-authentication pre-shared-key ipexpert
This covers the IKE_SA_INIT exchange and part of IKE_AUTH. What else do we need for IKE_AUTH? The encryption domain is defined by an ACL:
access-list PROXY6 extended permit ip 192.168.8.0 255.255.255.0 10.100.100.0 255.255.255.0
And the security algorithms are now configured in an IPsec proposal:
crypto ipsec ikev2 ipsec-proposal SET2
protocol esp encryption aes
protocol esp integrity sha-1
Finally, we need to bind our ACL, proposal and the peer’s IP in a crypto map, which is then applied to the interface. I also enabled PFS, but this is optional:
crypto map MAP2 10 match address PROXY6
crypto map MAP2 10 set peer 8.9.2.10
crypto map MAP2 10 set ikev2 ipsec-proposal SET2
crypto map MAP2 10 set pfs group14
crypto map MAP2 interface outside
Don’t forget to enable IKEv2 on the interface where the map was applied:
crypto ikev2 enable outside
All right, we are done with the firewall. The remaining configuration is for the IOS device. There is actually a nice document that shows you a few examples for the “legacy” (crypto-map based) implementations. It can be found under: IOS Configuration Guides -> Secure Connectivity -> Appendix: IKEv2 and Legacy VPNs
OK, so what do we have to do on R10? Remember that on IOS the algorithms are defined in a proposal, which is then referenced by a policy:
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha384
group 14
crypto ikev2 policy IKE_POL
proposal IKE_PROP
We definitely want to build a keyring, which is then referenced in our profile. This is needed for pre-shared-key authentication:
crypto ikev2 keyring IKE_KRING
peer ASA3
address 8.9.2.30
pre-shared-key local ipexpert
pre-shared-key remote ipexpert
An IKEv2 profile is used to distinguish between multiple VPN peers – this is also the place where we configure our authentication and can potentially change our own IKE ID:
crypto ikev2 profile IKE_PROF
match identity remote address 8.9.2.30 255.255.255.255
identity local address 8.9.2.10
authentication remote pre-share
authentication local pre-share
keyring local IKE_KRING
The access list will be a mirror image of the ASA’s (note that IOS uses wildcard masks here, whereas the ASA uses subnet masks):
access-list 120 permit ip 10.100.100.0 0.0.0.255 192.168.8.0 0.0.0.255
A crypto map serves the same purpose as on the ASA – just note that the IKEv2 profile must be attached to it, which is needed to allow R10 to act as the session initiator (and not responder only). The transform set SET1 referenced below must use the same ESP algorithms as the ASA’s proposal SET2:
crypto map MAP1 10 ipsec-isakmp
set peer 8.9.2.30
set transform-set SET1
set pfs group14
set ikev2-profile IKE_PROF
match address 120
int g0/0
crypto map MAP1
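Before bringing the tunnel up, it is worth checking that the two sides really are mirror images. The Python script below is an added example written for this post, not Cisco tooling and not the author's code: it parses the ASA and IOS snippets above (embedded as strings, trimmed to the lines the checks read) and verifies the rules stated in the post: PRF equal to integrity on the ASA, matching IKE algorithms and PFS group, pre-shared keys swapped (ASA local equals IOS remote and vice versa), the ASA tunnel-group name equal to R10's local identity, and proxy ACLs that are exact mirrors once IOS wildcard masks and ASA subnet masks are normalised.

```python
"""Cross-check the ASA IKEv2 crypto-map config against its IOS mirror.

Added example, not Cisco tooling.  ASA_CONFIG and IOS_CONFIG are the
snippets from the post, embedded so the script runs offline; the checks
encode what the post requires of a working pair of configs.
"""
import ipaddress
import re

ASA_CONFIG = """
crypto ikev2 policy 10
encryption aes-256
integrity sha384
prf sha384
group 14
tunnel-group 8.9.2.10 type ipsec-l2l
ikev2 remote-authentication pre-shared-key ipexpert
ikev2 local-authentication pre-shared-key ipexpert
access-list PROXY6 extended permit ip 192.168.8.0 255.255.255.0 10.100.100.0 255.255.255.0
crypto map MAP2 10 set pfs group14
"""

IOS_CONFIG = """
crypto ikev2 proposal IKE_PROP
encryption aes-cbc-256
integrity sha384
group 14
crypto ikev2 keyring IKE_KRING
pre-shared-key local ipexpert
pre-shared-key remote ipexpert
crypto ikev2 profile IKE_PROF
identity local address 8.9.2.10
access-list 120 permit ip 10.100.100.0 0.0.0.255 192.168.8.0 0.0.0.255
crypto map MAP1 10 ipsec-isakmp
set pfs group14
"""

def norm_alg(word):
    """Map both platforms' spellings onto one vocabulary: ASA 'aes-256' and
    IOS 'aes-cbc-256' are the same cipher, 'group14' and '14' the same DH group."""
    return word.replace("-cbc", "").replace("group", "")

def _grab(pattern, text):
    """First capture group of `pattern` (multiline search) in `text`, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def _acl(text):
    """(src, dst) networks from the first 'permit ip' line.  ASA writes subnet
    masks and IOS wildcard masks; ipaddress accepts either form after the slash."""
    src, smask, dst, dmask = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", text).groups()
    return ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")

def parse_asa(text):
    return {
        "encryption": norm_alg(_grab(r"^encryption (\S+)", text)),
        "integrity": _grab(r"^integrity (\S+)", text),
        "prf": _grab(r"^prf (\S+)", text),
        "group": _grab(r"^group (\S+)", text),
        "pfs": norm_alg(_grab(r"set pfs (\S+)", text)),
        "psk_local": _grab(r"local-authentication pre-shared-key (\S+)", text),
        "psk_remote": _grab(r"remote-authentication pre-shared-key (\S+)", text),
        "peer": _grab(r"^tunnel-group (\S+) type ipsec-l2l", text),
        "acl": _acl(text),
    }

def parse_ios(text):
    return {
        "encryption": norm_alg(_grab(r"^encryption (\S+)", text)),
        "integrity": _grab(r"^integrity (\S+)", text),
        "group": _grab(r"^group (\S+)", text),
        "pfs": norm_alg(_grab(r"set pfs (\S+)", text)),
        "psk_local": _grab(r"pre-shared-key local (\S+)", text),
        "psk_remote": _grab(r"pre-shared-key remote (\S+)", text),
        "local_id": _grab(r"identity local address (\S+)", text),
        "acl": _acl(text),
    }

def check_mirror(asa, ios):
    """Return a list of mismatches; an empty list means the two sides agree."""
    findings = []
    if asa["prf"] != asa["integrity"]:
        findings.append(f"ASA prf {asa['prf']} differs from integrity {asa['integrity']}")
    for key in ("encryption", "integrity", "group", "pfs"):
        if asa[key] != ios[key]:
            findings.append(f"{key}: ASA {asa[key]} vs IOS {ios[key]}")
    if asa["psk_local"] != ios["psk_remote"] or asa["psk_remote"] != ios["psk_local"]:
        findings.append("pre-shared keys are not mirrored (ASA local must equal IOS remote)")
    if asa["peer"] != ios["local_id"]:
        findings.append(f"ASA tunnel-group {asa['peer']} vs IOS local identity {ios['local_id']}")
    if asa["acl"] != ios["acl"][::-1]:
        findings.append(f"proxy ACLs are not mirror images: {asa['acl']} vs {ios['acl']}")
    return findings

if __name__ == "__main__":
    for line in check_mirror(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG)) or ["configs agree"]:
        print(line)
```

With the post's configs the script reports no findings; editing one side (for example a PRF that differs from the integrity algorithm, or a mistyped pre-shared key) produces a one-line finding naming the mismatch, which is far quicker than reading it out of a failed IKE_AUTH debug.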
Assuming that you have all the needed routes in place, you should now be able to test it and obtain results similar to mine:
R8#ping 10.100.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.100.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
R10#sh crypto ikev2 session
IPv4 Crypto IKEv2 Session
Session-id:42, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 8.9.2.10/500 8.9.2.30/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/57 sec
Child sa: local selector 10.100.100.0/0 - 10.100.100.255/65535
remote selector 192.168.8.0/0 - 192.168.8.255/65535
ESP spi in/out: 0x6D1B5D64/0xACA66EA5
IPv6 Crypto IKEv2 Session
R10#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Uptime: 00:01:02
Session status: UP-ACTIVE
Peer: 8.9.2.30 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 8.9.2.30
Desc: (none)
IKEv2 SA: local 8.9.2.10/500 remote 8.9.2.30/500 Active
Capabilities:(none) connid:1 lifetime:23:58:58
IPSEC FLOW: permit ip 10.100.100.0/255.255.255.0 192.168.8.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 4185109/3537
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4185109/3537
ASA3(config)# sh vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 8.9.2.10
Index : 48 IP Addr : 8.9.2.10
Protocol : IKEv2 IPsec
Encryption : AES256 AES128 Hashing : SHA384 SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 17:53:24 UTC Tue Dec 9 2014
Duration : 0h:02m:28s
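The show output above is what you inspect after the tunnel comes up, and on a box with many peers it pays to automate that inspection. The following Python script is an added example (not part of the original post and not Cisco software): it parses R10's "show crypto ikev2 session" output, embedded below as the constructed sample, and flags any deviation from an assumed baseline derived from the configuration in this post: SA not UP-ACTIVE/READY, an unexpected peer, a cipher weaker than AES-256, integrity other than SHA384, a DH group below 14, authentication that is not PSK in both directions, or child selectors that are not exactly the two protected LANs. The BASELINE values are assumptions for this example, not something Cisco ships.

```python
"""Parse 'show crypto ikev2 session' output and verify the negotiated SA.

Added example, not Cisco code.  SHOW_OUTPUT is R10's output from the post;
BASELINE is an assumed local policy matching the post's configuration.
"""
import ipaddress
import re

SHOW_OUTPUT = """\
IPv4 Crypto IKEv2 Session
Session-id:42, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote fvrf/ivrf Status
1 8.9.2.10/500 8.9.2.30/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/57 sec
Child sa: local selector 10.100.100.0/0 - 10.100.100.255/65535
remote selector 192.168.8.0/0 - 192.168.8.255/65535
ESP spi in/out: 0x6D1B5D64/0xACA66EA5
IPv6 Crypto IKEv2 Session
"""

BASELINE = {  # assumed policy; mirrors the crypto config in the post
    "peer": "8.9.2.30",
    "encr": "AES-CBC", "min_keysize": 256, "hash": "SHA384", "min_dh": 14,
    "local_net": ipaddress.ip_network("10.100.100.0/24"),
    "remote_net": ipaddress.ip_network("192.168.8.0/24"),
}

def _range_to_net(first, last):
    """Collapse a selector address range into one network, or None if the
    range is not a single aligned block (a sign of an unexpected selector)."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets[0] if len(nets) == 1 else None

def parse_ikev2_session(text):
    """Pull the fields worth checking out of 'show crypto ikev2 session'."""
    sa = {}
    m = re.search(r"Status:(\S+),", text)
    sa["status"] = m.group(1) if m else None
    # Tunnel line: "<id> <local>/<port> <remote>/<port> <fvrf>/<ivrf> <status>"
    m = re.search(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)\s*$", text, re.M)
    if m:
        sa["local"], sa["remote"], sa["tunnel_status"] = m.groups()
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                  r"Auth sign: (\S+), Auth verify: (\S+)", text)
    if m:
        sa["encr"], ks, sa["hash"], dh, sa["auth_sign"], sa["auth_verify"] = m.groups()
        sa["keysize"], sa["dh"] = int(ks), int(dh)
    # Child SA selectors are printed as address ranges with port ranges.
    for side in ("local", "remote"):
        m = re.search(rf"{side} selector (\S+)/\d+ - (\S+)/\d+", text)
        if m:
            sa[f"{side}_net"] = _range_to_net(*m.groups())
    m = re.search(r"ESP spi in/out: (0x[0-9A-Fa-f]+)/(0x[0-9A-Fa-f]+)", text)
    if m:
        sa["spi_in"], sa["spi_out"] = m.groups()
    return sa

def check_session(sa, baseline=BASELINE):
    """Return a list of deviations from the baseline; empty means healthy."""
    findings = []
    if sa.get("status") != "UP-ACTIVE" or sa.get("tunnel_status") != "READY":
        findings.append(f"SA not up: {sa.get('status')}/{sa.get('tunnel_status')}")
    if sa.get("remote") != baseline["peer"]:
        findings.append(f"unexpected peer {sa.get('remote')}")
    if sa.get("encr") != baseline["encr"] or sa.get("keysize", 0) < baseline["min_keysize"]:
        findings.append(f"weak cipher {sa.get('encr')}-{sa.get('keysize')}")
    if sa.get("hash") != baseline["hash"]:
        findings.append(f"unexpected integrity {sa.get('hash')}")
    if sa.get("dh", 0) < baseline["min_dh"]:
        findings.append(f"DH group {sa.get('dh')} below minimum {baseline['min_dh']}")
    if (sa.get("auth_sign"), sa.get("auth_verify")) != ("PSK", "PSK"):
        findings.append("authentication is not PSK in both directions")
    if (sa.get("local_net"), sa.get("remote_net")) != (baseline["local_net"], baseline["remote_net"]):
        findings.append(f"child selectors {sa.get('local_net')} <-> {sa.get('remote_net')} differ from baseline")
    return findings

if __name__ == "__main__":
    for line in check_session(parse_ikev2_session(SHOW_OUTPUT)) or ["SA matches baseline"]:
        print(line)
```

Run against the post's output the check passes; feed it the same output with a downgraded cipher or DH group and it reports each deviation, which is the kind of check you want scheduled rather than done by eye once at deployment time.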
Last but not least – know your weapons in case something goes wrong. The debug command I recommend for IOS is “debug crypto ikev2”. On the ASA, you may want to try these two: “debug crypto platform 10” or “debug crypto protocol 255”.