
Configuring the Cisco ASA IPSec VPN

Article Description

The security of data that is being transmitted over a network is one of the key responsibilities of a security engineer/administrator. One of the ways that this data can be secured is by using IP Security (IPsec). IPsec can be configured on the Cisco Adaptive Security Appliance (ASA) to secure data going between LAN devices (LAN-to-LAN) and between a LAN device and an IPsec client (e.g., Windows, Linux, or Mac clients). Sean Wilkins goes over the high-level basics of how IPsec operates and how it can be configured on a Cisco ASA.

IPsec IKEv1 Example

An IKEv1 LAN-to-LAN configuration looks similar to the example shown in Table 4 (ASA1, outside address 10.10.10.1, protecting 192.168.1.0/24) and Table 5 (ASA2, outside address 10.10.10.2, protecting 172.16.1.0/24). The two sides must agree on the IKEv1 policy (authentication, encryption, hash and DH group), the transform set and the pre-shared key; the tunnel-group name must be the peer's IP address; and the two crypto ACLs must be mirror images of each other. A mismatch in any of these is a common reason a tunnel never comes up. The values used here are for illustration only: AES with SHA-1 and Diffie-Hellman group 2 (1024-bit MODP) is a legacy combination, so use a larger DH group where both peers support it, and replace this_is_a_key with a long random secret (or use certificate authentication instead of a pre-shared key).

Table 4: IPsec IKEv1 Example—ASA1

1. Create and enter IKEv1 policy configuration mode.
   asa1(config)#crypto ikev1 policy 1

2. Configure an authentication method.
   asa1(config-ikev1-policy)#authentication pre-share

3. Configure an encryption method.
   asa1(config-ikev1-policy)#encryption aes

4. Configure a hash method.
   asa1(config-ikev1-policy)#hash sha

5. Configure a Diffie-Hellman (DH) group.
   asa1(config-ikev1-policy)#group 2

6. Configure the IKE SA lifetime (in seconds).
   asa1(config-ikev1-policy)#lifetime 86400

7. Enable IKEv1 on an interface.
   asa1(config)#crypto ikev1 enable outside

8. Create an IKEv1 transform set.
   asa1(config)#crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac

9. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel.
   asa1(config)#access-list ikev1-list extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

10. Specify the tunnel group type; for a LAN-to-LAN tunnel the tunnel group is named after the peer's IP address.
    asa1(config)#tunnel-group 10.10.10.2 type ipsec-l2l

11. Enter IPsec tunnel attribute configuration mode.
    asa1(config)#tunnel-group 10.10.10.2 ipsec-attributes

12. Configure the IPsec tunnel pre-shared key (or a certificate trustpoint).
    asa1(config-tunnel-ipsec)#ikev1 pre-shared-key this_is_a_key

13. Create a crypto map entry and match based on the previously created ACL.
    asa1(config)#crypto map ikev1-map 1 match address ikev1-list

14. Configure the peer IP address.
    asa1(config)#crypto map ikev1-map 1 set peer 10.10.10.2

15. Assign the previously created transform set.
    asa1(config)#crypto map ikev1-map 1 set ikev1 transform-set ikev1-set

16. Apply the crypto map to an interface.
    asa1(config)#crypto map ikev1-map interface outside

Table 5: IPsec IKEv1 Example—ASA2

1. Create and enter IKEv1 policy configuration mode.
   asa2(config)#crypto ikev1 policy 1

2. Configure an authentication method.
   asa2(config-ikev1-policy)#authentication pre-share

3. Configure an encryption method.
   asa2(config-ikev1-policy)#encryption aes

4. Configure a hash method.
   asa2(config-ikev1-policy)#hash sha

5. Configure a Diffie-Hellman (DH) group.
   asa2(config-ikev1-policy)#group 2

6. Configure the IKE SA lifetime (in seconds).
   asa2(config-ikev1-policy)#lifetime 86400

7. Enable IKEv1 on an interface.
   asa2(config)#crypto ikev1 enable outside

8. Create an IKEv1 transform set.
   asa2(config)#crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac

9. Create an access list that specifies the interesting traffic to be encrypted within the IPsec tunnel; it is the mirror image of the ACL on ASA1.
   asa2(config)#access-list ikev1-list extended permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0

10. Specify the tunnel group type; for a LAN-to-LAN tunnel the tunnel group is named after the peer's IP address.
    asa2(config)#tunnel-group 10.10.10.1 type ipsec-l2l

11. Enter IPsec tunnel attribute configuration mode.
    asa2(config)#tunnel-group 10.10.10.1 ipsec-attributes

12. Configure the IPsec tunnel pre-shared key (or a certificate trustpoint); it must match the key on ASA1.
    asa2(config-tunnel-ipsec)#ikev1 pre-shared-key this_is_a_key

13. Create a crypto map entry and match based on the previously created ACL.
    asa2(config)#crypto map ikev1-map 1 match address ikev1-list

14. Configure the peer IP address.
    asa2(config)#crypto map ikev1-map 1 set peer 10.10.10.1

15. Assign the previously created transform set.
    asa2(config)#crypto map ikev1-map 1 set ikev1 transform-set ikev1-set

16. Apply the crypto map to an interface.
    asa2(config)#crypto map ikev1-map interface outside
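The settings in Tables 4 and 5 have to line up across the two appliances, and that is where most first-attempt tunnels fail. The following Python script is an added example, not part of the original article or of Cisco's tooling: it parses the relevant lines of the two running-configs (constructed here as strings transcribed from the tables, not captured from a device), reports parameters that do not match, crypto ACLs that are not mirror images, a tunnel-group name that differs from the crypto map peer, and legacy choices such as DH group 2 or a short pre-shared key. The 20-character key threshold and the MISMATCH/WEAK labels are assumptions of the example, not ASA limits.

```python
"""Cross-check a pair of Cisco ASA IKEv1 LAN-to-LAN configurations.

MISMATCH findings are settings the two peers must agree on for the tunnel
to establish; WEAK findings are legacy choices that still work but should
be revisited. Run stand-alone with: python3 check_l2l.py
"""
import ipaddress
import re

# Constructed sample transcribed from Table 4 (ASA1); not captured from a device.
ASA1 = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ikev1-set esp-aes esp-sha-hmac
access-list ikev1-list extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key this_is_a_key
crypto map ikev1-map 1 match address ikev1-list
crypto map ikev1-map 1 set peer 10.10.10.2
crypto map ikev1-map 1 set ikev1 transform-set ikev1-set
crypto map ikev1-map interface outside
"""
# ASA2 (Table 5) is the mirror image: ACL networks swapped, peer 10.10.10.1.
ASA2 = (ASA1.replace("192.168.1.0 255.255.255.0 172.16.1.0",
                     "172.16.1.0 255.255.255.0 192.168.1.0")
            .replace("10.10.10.2", "10.10.10.1"))
# Constructed fault for demonstration: ASA2 with a non-mirrored ACL and a mistyped key.
ASA2_FAULTY = (ASA2.replace("172.16.1.0 255.255.255.0 192.168.1.0",
                            "172.16.2.0 255.255.255.0 192.168.1.0")
                   .replace("this_is_a_key", "this_is_a_kEy"))

LEGACY_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP
MIN_PSK_LEN = 20                    # assumed local policy, not an ASA limit


def parse_asa(text):
    """Extract the IKEv1/IPsec settings that must agree between two L2L peers."""
    cfg = {"policy": {}, "transform": None, "acl": None,
           "tunnel_group": None, "peer": None, "psk": None}
    section = None  # which indented sub-mode block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level command ends any sub-mode
            section = None
            if line.startswith("crypto ikev1 policy "):
                section = "policy"
            elif line.startswith("tunnel-group ") and line.endswith(" ipsec-attributes"):
                section = "ipsec-attributes"
            elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line):
                cfg["transform"] = tuple(m[1].split())
            elif m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
                cfg["acl"] = (ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                              ipaddress.ip_network(f"{m[3]}/{m[4]}"))
            elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
                cfg["tunnel_group"] = m[1]
            elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
                cfg["peer"] = m[1]
        elif section == "policy":
            key, _, value = line.partition(" ")
            cfg["policy"][key] = value
        elif section == "ipsec-attributes":
            if m := re.match(r"ikev1 pre-shared-key (\S+)", line):
                cfg["psk"] = m[1]
    return cfg


def check_pair(a, b, names=("ASA1", "ASA2")):
    """Return a list of findings for two parsed peers (empty list = nothing to report)."""
    findings = []
    # Lifetime is excluded: when lifetimes differ the peers negotiate the shorter one.
    strict = [{k: v for k, v in p["policy"].items() if k != "lifetime"} for p in (a, b)]
    if strict[0] != strict[1]:
        findings.append("MISMATCH: IKEv1 policy (authentication/encryption/hash/group) differs")
    if a["transform"] != b["transform"]:
        findings.append("MISMATCH: IPsec transform sets differ")
    if a["psk"] != b["psk"]:
        findings.append("MISMATCH: pre-shared key differs between peers")
    # Each side's ACL must be the other side's with source and destination swapped.
    if None in (a["acl"], b["acl"]) or a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append("MISMATCH: crypto ACLs are not mirror images of each other")
    for name, cfg in zip(names, (a, b)):
        # An L2L tunnel-group using a PSK must be named after the peer address.
        if cfg["tunnel_group"] != cfg["peer"]:
            findings.append(f"MISMATCH: {name} tunnel-group {cfg['tunnel_group']} "
                            f"does not equal crypto map peer {cfg['peer']}")
        if cfg["policy"].get("group") in LEGACY_DH_GROUPS:
            findings.append(f"WEAK: {name} uses DH group {cfg['policy']['group']}; "
                            "prefer group 14 or higher where both peers support it")
        if not cfg["psk"] or len(cfg["psk"]) < MIN_PSK_LEN:
            findings.append(f"WEAK: {name} pre-shared key is shorter than {MIN_PSK_LEN} characters")
    return findings


if __name__ == "__main__":
    for label, peer_b in (("Tables 4 and 5 as written", ASA2), ("faults injected on ASA2", ASA2_FAULTY)):
        print(f"--- {label} ---")
        for finding in check_pair(parse_asa(ASA1), parse_asa(peer_b)):
            print(finding)
```

Against the tables as written the script reports only WEAK findings (DH group 2 and the short key on both sides); against the faulted ASA2 it adds the two MISMATCH findings that would keep the tunnel down. When feeding it output from real appliances, remember that `show running-config` masks pre-shared keys as asterisks; `more system:running-config` shows them in clear, so the key comparison only works against that output.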
