Configuration of Site to Site VPN with ASAv using CLI


Steps to perform configuration of Site to Site VPN with ASAv using CLI

  1. Enable IKEv2
crypto ikev2 enable outside
  2. Create a network object for the DR site (the Site-PROD object for the local 10.10.8.0/24 subnet is assumed to exist already, since the ACL and NAT rule below reference it)
object network Site-DR
    subnet 20.20.8.0 255.255.255.0
  3. Create an ACL that defines the interesting traffic from PROD to the DR site
access-list ACL_S2S_DR extended permit ip object Site-PROD object Site-DR
  4. Create an identity NAT rule so that traffic from PROD to the DR site is not translated before it enters the tunnel
nat (inside,outside) source static Site-PROD Site-PROD destination static Site-DR Site-DR no-proxy-arp route-lookup
  5. Create a tunnel group keyed on the IP address of the remote ASAv, with pre-shared-key authentication
tunnel-group 20.20.20.254 type ipsec-l2l
tunnel-group 20.20.20.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
  6. Create an IKEv2 policy (must match on both ASAv)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
  7. Create an IPsec proposal (must match on both ASAv; sha-1 is used here for ESP integrity, and the proposal also accepts sha-256)
crypto ipsec ikev2 ipsec-proposal IKEv2-SET
    protocol esp encryption aes-256
    protocol esp integrity sha-1
  8. Create a crypto map (IKEv2-MAP) that ties together the ACL, the peer IP and the IPsec proposal created above, and apply it to the outside interface
crypto map IKEv2-MAP 10 match address ACL_S2S_DR
crypto map IKEv2-MAP 10 set peer 20.20.20.254
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-SET
crypto map IKEv2-MAP interface outside
  9. Configure the ASAv in DR with the mirrored configuration below (the Site-DR object for 20.20.8.0/24 is assumed to exist already on this ASAv)
crypto ikev2 enable outside

object network Site-PROD
    subnet 10.10.8.0 255.255.255.0

access-list ACL_S2S_DR extended permit ip object Site-DR object Site-PROD

nat (inside,outside) source static Site-DR Site-DR destination static Site-PROD Site-PROD no-proxy-arp route-lookup

tunnel-group 10.10.10.254 type ipsec-l2l
tunnel-group 10.10.10.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal IKEv2-SET
    protocol esp encryption aes-256
    protocol esp integrity sha-1

crypto map IKEv2-MAP 10 match address ACL_S2S_DR
crypto map IKEv2-MAP 10 set peer 10.10.10.254
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-SET
crypto map IKEv2-MAP interface outside
  10. The tunnel should now be up, and workstations in Site-PROD and Site-DR should be able to ping each other
  11. Verify that the IKEv2 IPsec tunnel is running with show isakmp sa and show ipsec sa
ASAv# sh isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:31, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 81109503 10.10.10.254/500                                    20.20.20.254/500                                         READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/685 sec
Child sa: local selector  10.10.8.0/0 - 10.10.8.255/65535
          remote selector 20.20.8.0/0 - 20.20.8.255/65535
          ESP spi in/out: 0xb6f15e63/0xe1443dc8
ASAv# sh ipsec sa
interface: outside
    Crypto map tag: IKEv2-MAP, seq num: 10, local addr: 10.10.10.254

      access-list ACL_S2S_DR extended permit ip 10.10.8.0 255.255.255.0 20.20.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (20.20.8.0/255.255.255.0/0/0)
      current_peer: 20.20.20.254


      #pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
      #pkts decaps: 1368, #pkts decrypt: 1368, #pkts verify: 1368
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.254/500, remote crypto endpt.: 20.20.20.254/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: E1443DC8
      current inbound spi : B6F15E63

    inbound esp sas:
      spi: 0xB6F15E63 (3069271651)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 203300864, crypto-map: IKEv2-MAP
         sa timing: remaining key lifetime (kB/sec): (4054941/28092)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE1443DC8 (3779345864)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 203300864, crypto-map: IKEv2-MAP
         sa timing: remaining key lifetime (kB/sec): (4101021/28092)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

B. Site to Site VPN with Certificate

  1. Convert the Let's Encrypt wildcard PFX certificate to Base64 with openssl
openssl base64 -in AventisLab.pfx > AventisLab.base64
  2. View the file and copy its entire contents
cat AventisLab.base64
  3. Import the certificate into the Cisco ASAv as trustpoint star.aventistech.info, where XXXXX is the password that protects the PFX file
crypto ca import star.aventistech.info pkcs12 XXXXX

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

<paste the full contents of AventisLab.base64 here>

quit

The CA cert is not self-signed.

Do you also want to create trustpoints for CAs higher in the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
  4. Modify the tunnel group on the Cisco ASAv (10.10.10.254) in PROD to authenticate with the certificate and remove the pre-shared key (the trustpoint name must match the one created in step 3)
tunnel-group 20.20.20.254 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate star.aventistech.info
 no ikev2 remote-authentication pre-shared-key
 no ikev2 local-authentication pre-shared-key
  5. Repeat steps 1 to 3 on the Cisco ASAv (20.20.20.254) in DR
  6. Modify the tunnel group there in the same way, so that it authenticates with the certificate and no longer uses the pre-shared key
tunnel-group 10.10.10.254 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate star.aventistech.info
 no ikev2 remote-authentication pre-shared-key
 no ikev2 local-authentication pre-shared-key
  7. Verify that the tunnel is up and running and now shows Auth sign: RSA and Auth verify: RSA
ASAv(config)# sh isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:33, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
383951229 10.10.10.254/500                                    20.20.20.254/500                                         READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1127 sec
Child sa: local selector  10.10.8.0/0 - 10.10.8.255/65535
          remote selector 20.20.8.0/0 - 20.20.8.255/65535
          ESP spi in/out: 0xfda3d0dd/0x646fb86c