How often do you get a chance to create new IPsec VPN tunnels? Well today, I got a chance to create 3 customer site to site VPNs at once!
Speaking of VPN tunnels, how many know the commands for creating an IPSEC site to site VPN without referring to documents? In my job, everything has to go through a documented procedure in creating change requests, so CLI has become the only method we use in making Firewall or Router changes as it is the most straight forward to document. However, I must say using the ASDM in creating VPNs is much easier and much less error prone.
Today, I’m going to write down what my brain went through creating these IPSec VPNs and what sort of things I want to remember when I come to read this again.
First of all, we need a bunch of info and prerequisites when creating a VPN. It is critical that we communicate clearly so both ends have the correct information especially when working with a network admin on the other end of the pipe.
So what do we need to decide first?
– We should NAT to a public IP that we own for them to filter our traffic. There are two advantages:
1) We are not tying up our Outside interface IP incase we move it.
2) We are more flexible in moving that natted IP onto another FW if we want to in the future!
– Obtain the Outside IPs on both ends to establish the tunnel. This would be the outside interface IPs on the connecting devices.
– The Source and destination domains for the VPN. This would be the source IP we are encrypting our traffic to (As explained we should NAT this to a range or one IP depending on customers, unless we are making an internal site to site VPN in which case we may not want to NAT) and destination IPs – the hosts we want to connect to on the other end
– Phase 1 IKE exchange information
authentication method (usually pre-share)
encryption algorithm (des,3des,aes, etc)
hashing algorithm (md5,sha)
DF group (2,5…)
SA lifetime (86400)
– Phase 2 IPsec tunnel information
There are two types of Cisco devices we can terminate our VPNs to; Router or Firewall. Both have advantages and disadvantages. I prefer creating site to site VPNs on routers because on routers VPN tunnels can be created as VTI – Virtual Tunnel interfaces. These interfaces are just like router interfaces and are much more flexible in nature. If you are interested on how to set that up you can check out my post here.
ASA/PIX are good with creating Remote Access VPNs as you can slap on and define the access policies much better. However in my scenario, I only had an ASA and creating a VPN tunnel on that is what I want to record down today.
Step by Step approach:
1) ALWAYS Backup your config!
2) Define and configure your PHASE 1 ISAKMP policy
crypto isakmp policy 30 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400
*note: the policy number can be any number, it’s just a priority number . The IKE exchange will go through all the policies you have and hit on the first one it matches on the other end.
3) Define the PHASE 1 ISAKMP attributes by creating a tunnel group
tunnel-group x.x.x.x ipsec-attributes pre-shared-key *
Note: The x.x.x.x here MUST be the peer IP address.
4) Define the PHASE 2 transform set
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
In this case, I gave the tunnel name: TUNNEL_ESP_3DES_MD5 which closely describes what it uses: ESP + 3DES + MD5 + HMAC
5) Create the policy NAT statement and create the NAT
access-list acl permit ip source mask destination mask global (outside) 3 ip nat (inside) 3 access-list acl-name
Here we defined the traffic we want to be NAT using a combination of access-list for and the IP to nat to. Note that the 3 here is the ‘id’ I’m using to match the corresponding NAT statement. FYI, you can’t assign more than one acl to a nat statement (I tried it)
6) Define the Encrypted traffic using an access-list
access-list acl extended permit ip host natted dest mask
Note: We are encrypting the traffic AFTER it’s been natted so the access-list would fail if it is referring the source internal IPs.
7) Lastly Define the crypto map
crypto isakmp enable Outside crypto map map-name id match address crypto map map-name id set pfs group2 <---if DH G is required crypto map map-name id set peer 220.127.116.11 crypto map map-name id set transform-set TUNNEL_ESP_3DES_MD5
Make sure that you enable the isakmp for the interface used for establishing the connection. There can only be one crypto map per interface and hence the ‘id’ comes into place. When you create more than one vpn on an interface you will need to specify a different ‘id’ for each tunnel.
I guess that’s all there is to configuring a site to site IPSec VPN tunnel. If you are still having troubles, make sure you check out my post on how to troubleshoot a Cisco ASA/PIX site to site VPN tunnel.