
ASA 9.x: VPN/IPsec with OSPF Configuration Example

Document ID: 63882

Updated: Jul 21, 2015

Contributed by Dinkar Sharma and Amandeep Singh, Cisco TAC Engineers.


Introduction

This document provides a sample configuration for a VPN/IPsec with Open Shortest Path First (OSPF) on a Cisco Adaptive Security Appliance (ASA). The ASA allows OSPF unicast to run over an existing VPN connection. You no longer need to configure a Generic Routing Encapsulation (GRE) tunnel.

Prerequisites

Requirements

Cisco recommends that you have a basic understanding of an IPsec site-to-site VPN tunnel configuration on ASA.

Components Used

The information in this document is based on these software and hardware versions:

  • ASA 5500-x Security Appliance that runs Software Version 9.x and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

Command Line Configurations

The configuration examples in this document include both IKEv1 and IKEv2 policies, but the IPsec tunnel shown in the Verify section was negotiated with IKEv2 only.

Local ASA

ASA Version 9.1(5)
!
hostname LOCAL-ASA
!

!--- Configure the Inside and Outside interface.

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.1 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.20.1 255.255.255.0
!

!--- Configure a manual Network Address Translation (NAT) rule (NAT exemption) so that
!--- traffic between the two LANs is not translated before it enters the tunnel.

object network NETWORK_OBJ_172.16.20.0_24
subnet 172.16.20.0 255.255.255.0
object network NETWORK_OBJ_172.16.30.0_24
subnet 172.16.30.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_172.16.20.0_24 NETWORK_OBJ_172.16.20.0_24 destination static NETWORK_OBJ_172.16.30.0_24 NETWORK_OBJ_172.16.30.0_24 no-proxy-arp route-lookup

!--- The traffic specified by this Access Control List (ACL) is traffic that is
!--- to be encrypted and sent across the VPN tunnel.


access-list outside_cryptomap extended permit ip 172.16.20.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list outside_cryptomap extended permit ospf interface outside host 198.51.100.1

!--- Add this ARP entry in the ASA.


arp outside 198.51.100.1 c84c.7522.1a32

!--- Configure the OSPF router process.

router ospf 100
network 172.16.20.0 255.255.255.0 area 0
network 203.0.113.0 255.255.255.0 area 0
area 0 neighbor 198.51.100.1 interface outside
log-adj-changes
!
route outside 198.51.100.0 255.255.255.0 203.0.113.2 1


!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses ISAKMP policy 30 for IKEv1 and policy 1 for IKEv2.
!--- The configuration commands here define the Phase 1 policy parameters that are used.

crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

!--- In order to create and manage the database of connection-specific records for
!--- ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the tunnel-group command in global
!--- configuration mode. For L2L connections the name of the tunnel group MUST be the
!--- IP address of the IPsec peer.


tunnel-group 198.51.100.1 type ipsec-l2l

!--- Enter the preshared key in order to configure the authentication method.

tunnel-group 198.51.100.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5

!--- Define which traffic should be sent to the IPsec peer.

crypto map outside_map 1 match address outside_cryptomap

!--- Sets the IPsec peer.

crypto map outside_map 1 set peer 198.51.100.1

!--- Sets the IPsec transform set "ESP-AES-128-SHA" to be used with the crypto map
!--- entry "outside_map".

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal DES

!--- Specifies the interface to be used with the settings defined in this
!--- configuration.

crypto map outside_map interface outside

!--- Enable IKEv1/IKEv2 on the outside interface.

crypto ikev2 enable outside
crypto ikev1 enable outside

Remote ASA

ASA Version 9.1(5)
!
hostname REMOTE-ASA
!

!--- Configure the Inside and Outside interface.


interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 198.51.100.1 255.255.255.0
ospf cost 10
ospf network point-to-point non-broadcast
!

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.0
!

!--- Configure a manual NAT rule (NAT exemption) so that traffic between the two LANs
!--- is not translated before it enters the tunnel.

object network NETWORK_OBJ_172.16.20.0_24
subnet 172.16.20.0 255.255.255.0
object network NETWORK_OBJ_172.16.30.0_24
subnet 172.16.30.0 255.255.255.0

nat (inside,outside) source static NETWORK_OBJ_172.16.30.0_24 NETWORK_OBJ_172.16.30.0_24 destination static NETWORK_OBJ_172.16.20.0_24 NETWORK_OBJ_172.16.20.0_24 no-proxy-arp route-lookup

!--- The traffic specified by this ACL is traffic that is to be encrypted and sent
!--- across the VPN tunnel.


access-list outside_cryptomap extended permit ip 172.16.30.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_cryptomap extended permit ospf interface outside host 203.0.113.1 log disable

!--- Add this ARP entry in the ASA.


arp outside 203.0.113.1 c84c.7522.1a33

!--- Configure the OSPF router process.


router ospf 100
network 172.16.30.0 255.255.255.0 area 0
network 198.51.100.0 255.255.255.0 area 0
area 0 neighbor 203.0.113.1 interface outside
log-adj-changes
!

route management 10.24.21.126 255.255.255.255 10.105.130.1 1
route outside 203.0.113.0 255.255.255.0 198.51.100.2 1

!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses ISAKMP policy 30 for IKEv1 and policy 1 for IKEv2.
!--- The configuration commands here define the Phase 1 policy parameters that are used.



crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

!--- In order to create and manage the database of connection-specific records for
!--- ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the tunnel-group command in global
!--- configuration mode. For L2L connections the name of the tunnel group MUST be the
!--- IP address of the IPsec peer.


tunnel-group 203.0.113.1 type ipsec-l2l

!--- Enter the preshared key in order to configure the authentication method.

tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
!--- Define the transform set for Phase 2.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5

!--- Define which traffic should be sent to the IPsec peer.

crypto map outside_map 1 match address outside_cryptomap

!--- Sets the IPsec peer.

crypto map outside_map 1 set peer 203.0.113.1

!--- Sets the IPsec transform set "ESP-AES-128-SHA" to be used with the crypto map
!--- entry "outside_map".

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal DES

!--- Specifies the interface to be used with the settings defined in this
!--- configuration.

crypto map outside_map interface outside

!--- Enable IKEv1/IKEv2 on the outside interface.

crypto ikev2 enable outside
crypto ikev1 enable outside

Note: You should bind the crypto-map to the interface before you specify the OSPF neighbor in order to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after you specify the OSPF neighbor, enter the clear local-host command in order to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

ASA Device Manager Configuration

  1. Choose Wizards > VPN Wizard in order to create the site-to-site VPN tunnel. In the VPN Wizard window as shown here, click Next in order to begin the VPN configuration.

  2. Enter the peer IP address and the interface from where the peer is reachable and click Next.

    Note: It is assumed that the peer device is reachable from local device, that is, the required routing for peer reachability is already present.

  3. Enter the local and remote subnets between which you wish to secure the communication and click Next.

  4. Since you are building a site-to-site VPN with preshared key authentication, enter the preshared key to be used and click Next.

  5. Check the option to configure NAT exemption for the local and remote subnets and select the source interface, that is, the interface connected to the local subnet. Click Next.

  6. Review the configuration summary for accuracy and then click Finish.

  7. You need to specify the OSPF traffic in the crypto ACL so that OSPF traffic is encrypted and sent via the VPN tunnel. In order to do this, choose Configuration > Site-to-Site VPN > Advanced > ACL Manager. Choose the crypto ACL that you configured in step 3 and choose Add > Add ACE on the top. Choose the source as the outside interface, destination as the remote peer IP address, and the service as OSPF and click OK. Click Apply in order to push the changes to the ASA.

  8. In order to configure the OSPF, choose Configuration > Device Setup > Routing > OSPF > Setup. Click the Process Instances tab, enable the OSPF process, and enter the OSPF process ID.

  9. Click the Area/Networks tab and click Add in order to configure the area ID (0 in this case) and add the networks on which you run the OSPF process. Add the inside and the outside subnet and then click OK.

  10. Click Apply in order to push the configuration changes to the ASA.

  11. Configure the outside interface so that it can form a point-to-point neighborship with the remote peer over the VPN. Choose Configuration > Device Setup > Routing > OSPF > Interface. Click the Properties tab and choose the outside interface. Click Edit. In the edit box, uncheck the broadcast check box and click OK. Click Apply in order to push the changes.

  12. Specify the remote peer as a static OSPF neighbor. Choose Configuration > Device Setup > Routing > OSPF > Static Neighbor and click Add. In the Add Ospf Neighbor Entry window, for the OSPF Process ID defined in step 8, specify the remote peer IP as the neighbor and the interface as outside. Click OK and then click Apply.

  13. Configure a static Address Resolution Protocol (ARP) entry on the Local-ASA for the remote peer IP address. The routes that this ASA learns via OSPF have the peer IP address 198.51.100.1 as the next hop. Reaching 198.51.100.1 would require a second route lookup, which the ASA does not perform because it does not support recursive route lookup. In order to forward packets to the remote destinations, the ASA therefore needs a Layer 2 address that corresponds to the peer IP address. Add a static ARP entry that maps the MAC address of the next-hop IP address to the VPN peer IP address. In order to do this, choose Configuration > Device Management > Advanced > ARP > ARP Static Table and click Add in order to configure the static ARP entry as shown here. A similar static ARP entry is required on the remote end as well.

  14. For testing purposes, enable management access on the inside interface via the VPN tunnel. In order to do this, choose Configuration > Device Management > Management Access > Management Interface and specify the Management Access Interface as inside.
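Whether the two configurations are typed at the CLI as in the Command Line Configurations section or generated by the ASDM wizard as in the steps above, they must agree on a handful of details before OSPF will run through the tunnel: the crypto map peer is the other end's outside address, the ipsec-l2l tunnel-group is named after that address, the crypto ACL carries the OSPF ACE to the peer and mirrors the peer's interesting traffic, the peer is a static OSPF neighbor, and a static ARP entry exists for it. The following Python script is an added example, not Cisco's code and not part of this document; it cross-checks a pair of configurations for exactly those points. The embedded configurations are cut-down copies of the LOCAL-ASA and REMOTE-ASA configurations from this document (constructed samples), and the names `AsaVpn`, `parse_asa`, `check_pair` and `check_configs` are this example's own.

```python
import re
from dataclasses import dataclass, field

# Both configs are this document's LOCAL-ASA / REMOTE-ASA, reduced to the lines the checks read
# (constructed sample; on a real pair, paste the full "show running-config" of each box instead).
LOCAL_CFG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.1 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.20.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list outside_cryptomap extended permit ospf interface outside host 198.51.100.1
arp outside 198.51.100.1 c84c.7522.1a32
router ospf 100
 area 0 neighbor 198.51.100.1 interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 198.51.100.1
crypto map outside_map interface outside
"""
REMOTE_CFG = """
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.30.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list outside_cryptomap extended permit ospf interface outside host 203.0.113.1 log disable
arp outside 203.0.113.1 c84c.7522.1a33
router ospf 100
 area 0 neighbor 203.0.113.1 interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map interface outside
"""

@dataclass
class AsaVpn:
    """The VPN/OSPF facts of one ASA that the cross-check needs (example structure, not ASA's)."""
    outside_ip: str = ""
    acl_ip: dict = field(default_factory=dict)     # ACL name -> [((src, mask), (dst, mask))]
    acl_ospf: dict = field(default_factory=dict)   # ACL name -> {peer hosts with a permit ospf ACE}
    match_acl: dict = field(default_factory=dict)  # (map, seq) -> ACL name
    peers: dict = field(default_factory=dict)      # (map, seq) -> peer address
    bound: set = field(default_factory=set)        # crypto maps applied to an interface
    tunnel_groups: set = field(default_factory=set)
    ospf_neighbors: set = field(default_factory=set)
    arp: set = field(default_factory=set)

# One regex per config line of interest, with the action that records its fields.
PATTERNS = [
    (r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)",
     lambda c, m: c.acl_ip.setdefault(m[1], []).append(((m[2], m[3]), (m[4], m[5])))),
    (r"access-list (\S+) extended permit ospf interface outside host (\S+)",
     lambda c, m: c.acl_ospf.setdefault(m[1], set()).add(m[2])),
    (r"crypto map (\S+) (\d+) match address (\S+)", lambda c, m: c.match_acl.__setitem__((m[1], m[2]), m[3])),
    (r"crypto map (\S+) (\d+) set peer (\S+)", lambda c, m: c.peers.__setitem__((m[1], m[2]), m[3])),
    (r"crypto map (\S+) interface \S+", lambda c, m: c.bound.add(m[1])),
    (r"tunnel-group (\S+) type ipsec-l2l", lambda c, m: c.tunnel_groups.add(m[1])),
    (r"area \d+ neighbor (\S+) interface outside", lambda c, m: c.ospf_neighbors.add(m[1])),
    (r"arp outside (\S+) ", lambda c, m: c.arp.add(m[1])),
]

def parse_asa(cfg):
    c, in_outside = AsaVpn(), False
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):          # track which interface block we are in
            in_outside = False
        elif line == "nameif outside":
            in_outside = True
        elif in_outside and line.startswith("ip address "):
            c.outside_ip = line.split()[2]
        for pat, action in PATTERNS:
            m = re.match(pat, line)
            if m:
                action(c, m)
    return c

def check_pair(local, remote):
    """Return the mismatches between the two ends; an empty list means they agree."""
    problems = []
    for side, me, peer in (("LOCAL", local, remote), ("REMOTE", remote, local)):
        for key, peer_ip in me.peers.items():
            cmap, acl = key[0], me.match_acl.get(key)
            if peer_ip != peer.outside_ip:
                problems.append(f"{side}: crypto map peer {peer_ip} is not the other end's outside address {peer.outside_ip}")
            if peer_ip not in me.tunnel_groups:
                problems.append(f"{side}: no 'tunnel-group {peer_ip} type ipsec-l2l' (the name must be the peer address)")
            if cmap not in me.bound:
                problems.append(f"{side}: crypto map {cmap} is not applied to an interface")
            if peer_ip not in me.acl_ospf.get(acl, set()):
                problems.append(f"{side}: crypto ACL {acl} lacks 'permit ospf interface outside host {peer_ip}', so OSPF to the peer is not sent through the tunnel")
            # The peer's interesting traffic must be ours with source and destination swapped.
            peer_key = next((k for k, v in peer.peers.items() if v == me.outside_ip), None)
            theirs = {(d, s) for s, d in peer.acl_ip.get(peer.match_acl.get(peer_key), [])}
            if set(me.acl_ip.get(acl, [])) != theirs:
                problems.append(f"{side}: crypto ACL {acl} does not mirror the peer's interesting traffic")
        if peer.outside_ip not in me.ospf_neighbors:
            problems.append(f"{side}: peer {peer.outside_ip} is not configured as a static OSPF neighbor")
        if peer.outside_ip not in me.arp:
            problems.append(f"{side}: no static ARP entry for {peer.outside_ip}; routes learned with it as next hop cannot be forwarded")
    return problems

def check_configs(local_cfg, remote_cfg):
    return check_pair(parse_asa(local_cfg), parse_asa(remote_cfg))
```

`check_configs(LOCAL_CFG, REMOTE_CFG)` returns an empty list for the two configurations in this document; delete the `permit ospf` ACE from either side and it reports that OSPF to the peer is no longer carried by the tunnel, which is the failure the Note above the ASDM section is guarding against.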

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.

show crypto isakmp sa - Shows the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA) that is built between peers.

LOCAL-ASA# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:6, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
5924753 203.0.113.1/500 198.51.100.1/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7922 sec
Child sa: local selector 203.0.113.1/0 - 203.0.113.1/0
remote selector 198.51.100.1/0 - 198.51.100.1/0
ESP spi in/out: 0x28b5cd3d/0xb785cc6d


REMOTE-ASA# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:

Session-id:6, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1760437 198.51.100.1/500 203.0.113.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7934 sec
Child sa: local selector 198.51.100.1/0 - 198.51.100.1/0
remote selector 203.0.113.1/0 - 203.0.113.1/0
ESP spi in/out: 0xb785cc6d/0x28b5cd3d

show crypto ipsec sa - Shows each Phase 2 SA that is built and the amount of traffic that is sent.

LOCAL-ASA# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

access-list outside_cryptomap extended permit ospf interface outside host
198.51.100.1 log disable
local ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/89/0)
current_peer: 198.51.100.1


#pkts encaps: 828, #pkts encrypt: 828, #pkts digest: 828
#pkts decaps: 814, #pkts decrypt: 814, #pkts verify: 814
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 828, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 203.0.113.1/500, remote crypto endpt.: 198.51.100.1/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B785CC6D
current inbound spi : 28B5CD3D

inbound esp sas:
spi: 0x28B5CD3D (683003197)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239306/20803)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB785CC6D (3078999149)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193224/20803)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


REMOTE-ASA# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1

access-list outside_cryptomap extended permit ospf interface outside host
203.0.113.1 log disable
local ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/89/0)
current_peer: 203.0.113.1


#pkts encaps: 814, #pkts encrypt: 814, #pkts digest: 814
#pkts decaps: 829, #pkts decrypt: 829, #pkts verify: 829
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 814, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 198.51.100.1/500, remote crypto endpt.: 203.0.113.1/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 28B5CD3D
current inbound spi : B785CC6D

inbound esp sas:
spi: 0xB785CC6D (3078999149)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 61440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008904/20796)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x28B5CD3D (683003197)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 61440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4054986/20796)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

show ospf neighbor - Shows the OSPF neighbor relationship status.

LOCAL-ASA# show ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
198.51.100.1 1 FULL/ - 0:00:32 198.51.100.1 outside

REMOTE-ASA# show ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
203.0.113.1 1 FULL/ - 0:00:39 203.0.113.1 outside
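The two pieces of output above can be checked mechanically rather than by eye. The following Python script is an added example, not part of this document and not an ASA feature; it parses trimmed copies of the `show crypto ipsec sa` and `show ospf neighbor` output shown above (constructed samples) and reports anything that would mean OSPF is not really running inside the tunnel: SPIs that do not pair up between the two ends, a child SA whose selector is not protocol 89, an SA not negotiated by IKEv2, anti-replay off, traffic flowing in only one direction, send/receive errors, a legacy transform, or an adjacency that is not FULL. The names `parse_ipsec_sa`, `parse_ospf_neighbors` and `verify_tunnel` are this example's own.

```python
import re

# Trimmed copies of this document's LOCAL-ASA / REMOTE-ASA output (constructed samples for the
# example; on a live pair, feed in the full output of both commands from both ends).
LOCAL_IPSEC = """\
local ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/89/0)
current_peer: 198.51.100.1
#pkts encaps: 828, #pkts encrypt: 828, #pkts digest: 828
#pkts decaps: 814, #pkts decrypt: 814, #pkts verify: 814
#send errors: 0, #recv errors: 0
current outbound spi: B785CC6D
current inbound spi : 28B5CD3D
inbound esp sas:
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
replay detection support: Y
outbound esp sas:
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
replay detection support: Y
"""
REMOTE_IPSEC = """\
local ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/89/0)
remote ident (addr/mask/prot/port): (203.0.113.1/255.255.255.255/89/0)
current_peer: 203.0.113.1
#pkts encaps: 814, #pkts encrypt: 814, #pkts digest: 814
#pkts decaps: 829, #pkts decrypt: 829, #pkts verify: 829
#send errors: 0, #recv errors: 0
current outbound spi: 28B5CD3D
current inbound spi : B785CC6D
inbound esp sas:
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
replay detection support: Y
outbound esp sas:
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
replay detection support: Y
"""
LOCAL_OSPF = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
198.51.100.1      1   FULL/  -        0:00:32     198.51.100.1    outside
"""
REMOTE_OSPF = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
203.0.113.1       1   FULL/  -        0:00:39     203.0.113.1     outside
"""

def parse_ipsec_sa(text):
    """Extract the fields a tunnel health check needs from 'show crypto ipsec sa'."""
    def grab(pat):
        return re.search(pat, text)[1]
    ident = re.search(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/[\d.]+/(\d+)/", text)
    return {
        "local": ident[1], "proto": int(ident[2]), "peer": grab(r"current_peer: ([\d.]+)"),
        "encaps": int(grab(r"#pkts encaps: (\d+)")), "decaps": int(grab(r"#pkts decaps: (\d+)")),
        "errors": int(grab(r"#send errors: (\d+)")) + int(grab(r"#recv errors: (\d+)")),
        "spi_out": grab(r"current outbound spi: ([0-9A-Fa-f]+)").upper(),
        "spi_in": grab(r"current inbound spi\s*: ([0-9A-Fa-f]+)").upper(),
        "transforms": set(re.findall(r"transform: (.+?) no compression", text)),
        "ikev2": all("IKEv2" in s for s in re.findall(r"in use settings =\{(.*?)\}", text)),
        "replay": all(v == "Y" for v in re.findall(r"replay detection support: (\w)", text)),
    }

def parse_ospf_neighbors(text):
    """Map neighbor address -> adjacency state (FULL, INIT, ...) from 'show ospf neighbor'."""
    rows = re.finditer(r"^([\d.]+)\s+\d+\s+([A-Z0-9]+)\S*\s+(?:-\s+)?\S+\s+([\d.]+)\s+\S+", text, re.M)
    return {m[3]: m[2] for m in rows}

def verify_tunnel(local_sa, remote_sa, local_ospf, remote_ospf):
    """Return findings; an empty list means both ends agree and OSPF is FULL through the tunnel."""
    a, b = parse_ipsec_sa(local_sa), parse_ipsec_sa(remote_sa)
    found = []
    if (a["spi_in"], a["spi_out"]) != (b["spi_out"], b["spi_in"]):   # inbound here == outbound there
        found.append("SPIs do not pair up: the two outputs are not the same child SA")
    if (a["peer"], b["peer"]) != (b["local"], a["local"]):
        found.append("peer/local addresses do not correspond between the two ends")
    for side, sa, ospf in (("LOCAL", a, local_ospf), ("REMOTE", b, remote_ospf)):
        if sa["proto"] != 89:
            found.append(f"{side}: child SA selector is not protocol 89, so OSPF is not inside the tunnel")
        if not sa["ikev2"]:
            found.append(f"{side}: SA was not negotiated by IKEv2")
        if not sa["replay"]:
            found.append(f"{side}: anti-replay is disabled")
        if sa["encaps"] == 0 or sa["decaps"] == 0:
            found.append(f"{side}: no traffic in one direction (encaps {sa['encaps']}, decaps {sa['decaps']})")
        if sa["errors"]:
            found.append(f"{side}: {sa['errors']} send/recv errors on the SA")
        weak = sorted(t for t in sa["transforms"] if re.search(r"\bdes\b|3des|md5|null", t))
        if weak:
            found.append(f"{side}: legacy transform in use: {weak}")
        state = parse_ospf_neighbors(ospf).get(sa["peer"])
        if state != "FULL":
            found.append(f"{side}: OSPF neighbor {sa['peer']} is {state}, not FULL")
    return found
```

`verify_tunnel(LOCAL_IPSEC, REMOTE_IPSEC, LOCAL_OSPF, REMOTE_OSPF)` returns an empty list for the output in this document: the inbound SPI on each ASA is the outbound SPI on the other, both selectors are protocol 89, and both neighbors are FULL. Run against a live pair it gives a single yes/no answer for the check the Verify section walks through by hand.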

show route - Displays the IP routing table entries.

LOCAL-ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

C 203.0.113.0 255.255.255.0 is directly connected, outside
O 172.16.30.0 255.255.255.0 [110/20] via 198.51.100.1, 1:45:52, outside
C 172.16.20.0 255.255.255.0 is directly connected, inside
S 198.51.100.0 255.255.255.0 [1/0] via 203.0.113.2, outside
S 10.24.21.126 255.255.255.255 [1/0] via 10.105.130.1, management
C 10.105.130.0 255.255.255.0 is directly connected, management


REMOTE-ASA# show route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

S 203.0.113.0 255.255.255.0 [1/0] via 198.51.100.2, outside
C 172.16.30.0 255.255.255.0 is directly connected, inside
O 172.16.20.0 255.255.255.0 [110/20] via 203.0.113.1, 1:45:57, outside
C 198.51.100.0 255.255.255.0 is directly connected, outside
S 10.24.21.126 255.255.255.255 [1/0] via 10.105.130.1, management
C 10.105.130.0 255.255.255.0 is directly connected, management

Ping the inside interfaces of the peer device from each device in order to verify the connectivity.

LOCAL-ASA# ping inside 172.16.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms


REMOTE-ASA# ping inside 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
