Cisco Labs – Network Security (6) – Site to site VPN tunnel using pre-shared keys ASA,Router

Posted on by

NS2 – Modul4 4.5.5b ASA – IOS task definition

Site to site VPN tunnel using pre-shared keys ASA,Router

Goal

  • Site to site VPN tunnel using pre-share keys will be inicialized.
  • Router3 will only pass traffic to site routers. It simulates internet.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Static routes or rip routing protocol.
  • This task demonstrates ASA to IOS tunneling.
  • Clear and reinitialize VPN tunnel.
  • Do not forget to have configuration erased before startup and check if IOS is compatible with needed features.

Required time

3 hours

Theoretical background

Here will be short theoretical background for solving this task.

Topology

NS2-4.5.5b_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Asa1, Router2, Router3

1) interface settings + static routes + NAT:

ASA1(config)#domain-name test									;set domain name
ASA1(config)#interface INT1									;on interface set following
ASA1(conf-if)#switchport mode access								;set port on a switch to access mode
ASA1(conf-if)#switchport access vlan 10								;access to vlan 10
ASA1(conf-if)#no shutdown									;turn on switchport
ASA1(config)#interface vlan 10									;on vlan interface set following
ASA1(conf-if)#ip address 192.168.0.1 255.255.255.0						;set ip address and mask
ASA1(conf-if)#nameif inside									;name interface and security level will be set by default
ASA1(conf-if)#no shutdown

ASA1(config)#interface INT2									;on interface set following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address 172.16.1.1 255.255.255.0
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
	
ASA1(config)#access-list CRYPTOACL permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0	;access list to define which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host 172.16.1.1				;access list to permit icmp traffic for test reasons
ASA1(config)#access-group outsidein in interface outside					;apply access list to an interface
ASA1(config)#route outside 10.0.0.0 255.255.255.0 172.16.1.2					;static route instead of dynamic routing protocols
ASA1(config)#route outside 172.16.0.0 255.255.255.0 172.16.1.2		

ASA1(config)#nat (inside) 1 0 0									;nat all traffic
ASA1(config)#global (outside) 1 interface							;and using PAT

ASA1(config)#nat (inside) 0 access-list CRYPTOACL						;do not translate ip addresses for traffic to be encrypted

Router2(config)#interface INT3
Router2(conf-if)#ip address 172.16.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#interface INT4
Router2(conf-if)#ip address 10.0.0.1 255.255.255.0
Router2(conf-if)#no shutdown
Router2(conf-if)#exit
Router2(config)#ip route 172.16.1.0 255.255.255.0 172.16.0.2
Router2(config)#ip route 192.168.0.0 255.255.255.0 172.16.0.2
Router3(config)#interface INT5
Router3(conf-if)#ip address 172.16.1.2 255.255.255.0
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address 172.16.0.2 255.255.255.0
Router3(conf-if)#no shutdown
  
Router3(config)#ip route 192.168.0.0 255.255.255.0 172.16.1.1
Router3(config)#ip route 10.0.0.0 255.255.255.0 172.16.0.1

2a) VPN tunnel settings phase 1 IKE/ISAKMP:

Policy must be the same on both ends of tunnel (priority could be different)

ASA1(config)#sysopt connection permit-vpn 							;permit ipsec and isakmp traffic in system. Otherwise access list must be defined
ASA1(config)#isakmp policy 10 									;set up policy section
ASA1(isakmp)#authentication pre-share 								;authenticated using pre-shared keys
ASA1(isakmp)#group 2										;Diffie-Hellman group 2
ASA1(isakmp)#hash sha										;hashing type
ASA1(isakmp)#encryption 3des									;encryption algorithm
    
Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des 
Router2(isakmp)#hash sha 
Router2(isakmp)#group 2
Router2(isakmp)#authentication pre-share 
Router2(isakmp)#lifetime 200

2b) VPN tunnel settings phase 2 IPSEC:

ASA1(config)#isakmp identity address								;to send phase 2 id to the peer
ASA1(config)#tunnel-group 172.16.0.1 type ipsec-l2l 						;set peer address and tunnel type (use ? to get more options)
ASA1(config)#tunnel-group 172.16.0.1 ipsec-attributes 						;set tunneling protocol attributes
ASA1(config)#pre-shared-key Cisco								;define pre-shared key
ASA1(config)#isakmp enable outside								;enable isakmp on outside interface

ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des				;Define a transform set - acceptable combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL					;define local policy, used within crypto map, which we defined
ASA1(config)#crypto map CRMAPASA1 10 set peer 172.16.0.1					;remote peer setting
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1				;apply transform set in a map section
ASA1(config)#crypto map CRMAPASA1 interface outside						;apply crypto map on interface

Apply analogical settings to other side of the tunnel.

Router2(config)#crypto ipsec transform-set TRSETR2 esp-md5-hmac esp-des
Router2(config)#access-list 122 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Router2(config)#crypto isakmp key Cisco address 172.16.1.1
Router2(config)#crypto map LOKALNIMAPAR2 10 ipsec-isakmp 
Router2(cr-m)#set peer 172.16.1.1
Router2(cr-m)#match address 122
Router2(cr-m)#set transform-set TRSETR2
Router2(config)#interface INT3
Router2(conf-if)# crypto map LOKALNIMAPAR2

3) Access list on Router3 to enable only needed traffic:

Router3(config)#access-list 101 permit esp host 172.16.1.1 host 172.16.0.1			;enable tunnel inicialisation thru ESP
Router3(config)#access-list 101 permit udp host 172.16.1.1 host 172.16.0.1 eq isakmp		;enable tunnel traffic thru UDP
Router3(config)#interface INT5			
Router3(conf-if)#ip access-group 101 in								;apply access list to an interface

Function test

F1) check IKE/IPSEC ASA configuration

Diagnose of this task is already performed during exercises 4.4.7 and 4.5.5a. Please use same one.

ASA1#sh crypto isakmp sa 									;display first part of tunnel configuration. 
ASA1#sh crypto ipsec sa										;display send/receive packet statistics

Ping from LAN 1 to LAN 2 should inicialize VPN tunnel and hosts on LAN2 should be accessible.

F2) clear tunnels

ASA1#clear crypto isakmp sa  									;clear tunnel inicialisation configuration
ASA1#clear crypto ipsec sa									;clear existing tunnels

Optional tasks

  • Define more transform sets to be able to select which could be fit to the other site of the tunnel.
  • Define different encryption and hashing algorithms – see point 2a.
  • Add one more router(asa) to topology and create another tunnel to this router(asa).

Two or more tunnels to different locations and peers:

This will be accomplished by adding:

  • New policy section with definition of needed settings.
  • New access list.
  • New or existing transform set must be added to new crypto map.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s