
Configuring the Cisco ASA IPSec VPN

Article Description

The security of data that is being transmitted over a network is one of the key responsibilities of a security engineer/administrator. One of the ways that this data can be secured is by using IP Security (IPsec). IPsec can be configured on the Cisco Adaptive Security Appliance (ASA) to secure data going between LAN devices (LAN-to-LAN) and between a LAN device and an IPsec client (e.g., Windows, Linux, or Mac clients). Sean Wilkins goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.

Basic ASA IPsec VPN Configuration

To keep this article clear (and easier on the reader), the configuration steps covered in this section stick to a static LAN-to-LAN IPsec VPN.

The commands that would be used to create a LAN-to-LAN IPsec (IKEv1) VPN between ASAs are shown in Table 1.

Table 1: ASA IKEv1 LAN-to-LAN IPsec Configuration Commands

Step 1. Create and enter IKEv1 policy configuration mode.
    Note: The lower the policy-priority value, the higher the policy's priority; the valid range is 1–65535.
    asa(config)#crypto ikev1 policy policy-priority

Step 2. Configure an authentication method (default: pre-share).
    asa(config-ikev1-policy)#authentication {pre-share | rsa-sig}

Step 3. Configure an encryption method (default: 3des).
    asa(config-ikev1-policy)#encryption {des | 3des | aes | aes-192 | aes-256}

Step 4. Configure a hash method (default: sha).
    asa(config-ikev1-policy)#hash {md5 | sha}

Step 5. Configure a Diffie-Hellman (DH) group (default: 2).
    asa(config-ikev1-policy)#group {1 | 2 | 5}

Step 6. Configure the IKE SA lifetime (default: 86400 seconds [24 hours]).
    asa(config-ikev1-policy)#lifetime lifetime

Step 7. Enable IKEv1 on an interface.
    Note: This is the interface that faces the IPsec peer.
    asa(config)#crypto ikev1 enable interface-name

Step 8. Create an IKEv1 transform set.
    Notes: encryption-method can be esp-des, esp-3des, esp-aes, esp-aes-192, esp-aes-256, or esp-null. authentication-method can be esp-md5-hmac, esp-sha-hmac, or esp-none.
    asa(config)#crypto ipsec ikev1 transform-set set-name encryption-method authentication-method

Step 9. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel.
    Note: This is a very simplified ACL; for further details on ACLs, see my "ASA Access Lists Concepts and Configuration" article.
    asa(config)#access-list acl-name extended {permit | deny} protocol source-network source-netmask destination-network destination-netmask

Step 10. Specify the tunnel group type.
    Notes: Because this example is a LAN-to-LAN IPsec tunnel, the ipsec-l2l tunnel type is used. The tunnel-group-name is almost always the peer IP address for LAN-to-LAN IPsec tunnels.
    asa(config)#tunnel-group tunnel-group-name type ipsec-l2l

Step 11. Enter IPsec tunnel attribute configuration mode.
    asa(config)#tunnel-group tunnel-group-name ipsec-attributes

Step 12. Configure the IPsec tunnel pre-shared key or certificate trustpoint.
    asa(config-tunnel-ipsec)#ikev1 {pre-shared-key pre-shared-key | trustpoint trustpoint}

Step 13. Create a crypto map entry and match traffic using the previously created ACL.
    asa(config)#crypto map map-name sequence-number match address acl-name

Step 14. Configure the peer IP address.
    asa(config)#crypto map map-name sequence-number set peer peer-ip-address

Step 15. Assign the previously created transform set.
    asa(config)#crypto map map-name sequence-number set ikev1 transform-set set-name

Step 16. Apply the crypto map to an interface.
    asa(config)#crypto map map-name interface interface-name
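The following is an added, complete walk-through of Table 1 for one side of an IKEv1 LAN-to-LAN tunnel; it is example configuration written for this article's steps, not a configuration taken from the article or from Cisco. All addresses (203.0.113.1 and 10.1.1.0/24 for ASA-A, 198.51.100.1 and 10.2.2.0/24 for ASA-B), the interface name "outside", and the object, ACL, transform-set and crypto-map names are constructed assumptions; the pre-shared key is a placeholder. The parameter values are chosen from the options listed in Table 1 (AES-256, SHA, DH group 5) rather than the 3DES/group 2 defaults, and the NAT exemption at the end goes beyond Table 1 (it assumes an ASA running 8.3+ object NAT).

```cisco
! ASA-A (constructed example): outside 203.0.113.1, inside LAN 10.1.1.0/24
! Peer ASA-B (constructed):    outside 198.51.100.1, inside LAN 10.2.2.0/24
!
! Steps 1-6: IKEv1 (phase 1) policy. Both peers must offer a matching policy.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Step 7: enable IKEv1 on the interface that faces the peer
crypto ikev1 enable outside
!
! Step 8: transform set (phase 2 / IPsec SA parameters)
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Step 9: interesting traffic. Only traffic matching this ACL is encrypted;
! the peer's ACL must be the mirror image (10.2.2.0/24 -> 10.1.1.0/24).
access-list VPN-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Steps 10-12: tunnel group named after the peer IP, carrying the pre-shared key
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Steps 13-16: crypto map entry tying ACL, peer and transform set together,
! then applied to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Not part of Table 1 (assumes ASA 8.3+ object NAT): exempt tunnel traffic from
! NAT so the packets still match the crypto ACL after translation. A tunnel
! that negotiates fine but carries no traffic is often missing this.
object network SITEA-LAN
 subnet 10.1.1.0 255.255.255.0
object network SITEB-LAN
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static SITEA-LAN SITEA-LAN destination static SITEB-LAN SITEB-LAN no-proxy-arp route-lookup
```

ASA-B gets the same configuration with the two networks swapped in the ACL and NAT objects, a tunnel group named 203.0.113.1, and the same pre-shared key; the IKEv1 policy and transform set must match on both sides. After sending traffic between the LANs, `show crypto ikev1 sa` should show the phase 1 SA and `show crypto ipsec sa` should show encapsulated and decapsulated packet counters rising for the ACL's networks.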

The commands that would be used to create a LAN-to-LAN IPsec (IKEv2) VPN between ASAs are shown in Table 2:

Table 2: ASA IKEv2 LAN-to-LAN IPsec Configuration Commands

Step 1. Create and enter IKEv2 policy configuration mode.
    Note: The lower the policy-priority value, the higher the policy's priority; the valid range is 1–65535.
    asa(config)#crypto ikev2 policy policy-priority

Step 2. Configure an encryption method (default: 3des).
    asa(config-ikev2-policy)#encryption {des | 3des | aes | aes-192 | aes-256 | null}

Step 3. Configure an integrity (hash) method (default: sha).
    asa(config-ikev2-policy)#integrity {md5 | sha | sha-256 | sha-384 | sha-512}

Step 4. Configure a Diffie-Hellman (DH) group (default: 2).
    asa(config-ikev2-policy)#group {1 | 2 | 5 | 14 | 19 | 20 | 21 | 24}

Step 5. Configure the pseudo-random function (PRF) (default: sha).
    asa(config-ikev2-policy)#prf {md5 | sha | sha256 | sha384 | sha512}

Step 6. Configure the IKE SA lifetime (default: 86400 seconds [24 hours]).
    asa(config-ikev2-policy)#lifetime seconds lifetime

Step 7. Enable IKEv2 on an interface.
    Note: This is the interface that faces the IPsec peer.
    asa(config)#crypto ikev2 enable interface-name

Step 8. Create an IKEv2 proposal and enter proposal configuration mode.
    asa(config)#crypto ipsec ikev2 ipsec-proposal proposal-name

Step 9. Configure the IKEv2 proposal encryption method (default: 3des).
    asa(config-ipsec-proposal)#protocol esp encryption {des | 3des | aes | aes-192 | aes-256 | null}

Step 10. Configure the IKEv2 proposal authentication method (default: sha-1).
    asa(config-ipsec-proposal)#protocol esp integrity {md5 | sha-1 | null}

Step 11. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel.
    Note: This is a very simplified ACL; for further details on ACLs, see my "ASA Access Lists Concepts and Configuration" article.
    asa(config)#access-list acl-name extended {permit | deny} protocol source-network source-netmask destination-network destination-netmask

Step 12. Specify the tunnel group type.
    Notes: Because this example is a LAN-to-LAN IPsec tunnel, the ipsec-l2l tunnel type is used. The tunnel-group-name is almost always the peer IP address for LAN-to-LAN IPsec tunnels.
    asa(config)#tunnel-group tunnel-group-name type ipsec-l2l

Step 13. Enter IPsec tunnel attribute configuration mode.
    asa(config)#tunnel-group tunnel-group-name ipsec-attributes

Step 14. Configure the local IPsec tunnel pre-shared key or certificate trustpoint.
    asa(config-tunnel-ipsec)#ikev2 local-authentication {pre-shared-key pre-shared-key | certificate trustpoint}

Step 15. Configure the remote IPsec tunnel pre-shared key or certificate trustpoint.
    asa(config-tunnel-ipsec)#ikev2 remote-authentication {pre-shared-key pre-shared-key | certificate trustpoint}

Step 16. Create a crypto map entry and match traffic using the previously created ACL.
    asa(config)#crypto map map-name sequence-number match address acl-name

Step 17. Configure the peer IP address.
    asa(config)#crypto map map-name sequence-number set peer peer-ip-address

Step 18. Assign the previously created proposal.
    asa(config)#crypto map map-name sequence-number set ikev2 ipsec-proposal proposal-name

Step 19. Apply the crypto map to an interface.
    asa(config)#crypto map map-name interface interface-name
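The following is an added, complete walk-through of Table 2 for one side of an IKEv2 LAN-to-LAN tunnel, written for this article's steps rather than taken from it or from Cisco. It exists mainly to show the part of IKEv2 that differs from IKEv1 in practice: the pre-shared keys are directional, so ASA-A's local key must equal ASA-B's remote key and vice versa. Addresses (203.0.113.1 and 10.1.1.0/24 for ASA-A, 198.51.100.1 and 10.2.2.0/24 for ASA-B), the interface name "outside", and the ACL, proposal and crypto-map names are constructed assumptions; the keys are placeholders. Parameter values are chosen from Table 2's options (AES-256, SHA-256, ECDH group 19, SHA-256 PRF, and the proposal's sha-1 integrity, the strongest option the table lists). The exact spelling of the integrity and prf keywords varies by ASA software release; the form below is an assumption, so confirm it with `?` on the device.

```cisco
! ASA-A (constructed example): outside 203.0.113.1, inside LAN 10.1.1.0/24
! Peer ASA-B (constructed):    outside 198.51.100.1, inside LAN 10.2.2.0/24
!
! Steps 1-6: IKEv2 policy. Keyword spelling (sha256 vs sha-256) is an
! assumption; check it against the running release.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
!
! Step 7: enable IKEv2 on the interface that faces the peer
crypto ikev2 enable outside
!
! Steps 8-10: IPsec proposal (child SA parameters)
crypto ipsec ikev2 ipsec-proposal PROP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Step 11: interesting traffic; the peer's ACL is the mirror image
access-list VPN-TO-SITEB extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Steps 12-15: tunnel group named after the peer IP. IKEv2 keys are directional:
!   local-authentication  = the key THIS ASA presents to the peer
!   remote-authentication = the key this ASA expects FROM the peer
! On ASA-B these two values must appear swapped.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key KEY-A-TO-B-REPLACE-ME
 ikev2 remote-authentication pre-shared-key KEY-B-TO-A-REPLACE-ME
!
! Steps 16-19: crypto map entry referencing the ACL, peer and proposal,
! applied to the outside interface
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal PROP-AES256-SHA1
crypto map OUTSIDE-MAP interface outside
```

On ASA-B the networks are swapped in the ACL, the tunnel group is named 203.0.113.1, and the keys are reversed: `ikev2 local-authentication pre-shared-key KEY-B-TO-A-REPLACE-ME` and `ikev2 remote-authentication pre-shared-key KEY-A-TO-B-REPLACE-ME`. Using two different keys lets each side be identified independently; using the same value for both on both peers also works and is what many deployments do. As with any LAN-to-LAN tunnel on an ASA doing NAT, the tunnel traffic must also be exempted from translation so it still matches the crypto ACL. `show crypto ikev2 sa` shows the IKE SA once the tunnel is up, and `show crypto ipsec sa` shows the child SA and its packet counters.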
