Configure a Site-to-Site IPSec IKEv1 Tunnel Between an ASA and a Cisco IOS Router

Introduction

This document describes how to configure a site-to-site (LAN-to-LAN) IPSec Internet Key Exchange Version 1 (IKEv1) tunnel via the CLI between a Cisco Adaptive Security Appliance (ASA) and a router that runs Cisco IOS^® software.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco IOS
  
  
• Cisco ASA
  
  
• General IPSec concepts

Components Used

The information in this document is based on these software and hardware versions:

• Cisco 5512-X Series ASA  that runs software Version 9.4(1)
  
  
• Cisco 1941 Series Integrated Services Router (ISR) that runs Cisco IOS software Version 15.4(3)M2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

This section describes how to complete the ASA and IOS router CLI configurations.

Network Diagram

The information in this document uses this network setup:

 

ASA Configuration

Configure the ASA Interfaces

If the ASA interfaces are not configured, ensure that you configure at least the IP addresses, interface names, and security-levels:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

Note: Ensure that there is connectivity to both the internal and external networks, and especially to the remote peer that will be used in order to establish a site-to-site VPN tunnel. You can use a ping in order to verify basic connectivity.

Configure the IKEv1 Policy and Enable IKEv1 on the Outside Interface

In order to configure the Internet Security Association and Key Management Protocol (ISAKMP) policies for the IKEv1 connections, enter the crypto ikev1 policy <priority> command:

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Note: An IKEv1 policy match exists when both of the policies from the two peers contain the same authentication, encryption, hash, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy that the initiator sends. If the lifetimes are not identical, then the ASA uses the shorter lifetime. 

Note: If you do not specify a value for a given policy parameter, the default value is applied.

You must enable IKEv1 on the interface that terminates the VPN tunnel. Typically, this is the outside (or public) interface. In order to enable IKEv1, enter the crypto ikev1 enable <interface-name> command in global configuration mode:

crypto ikev1 enable outside

Configure the Tunnel Group (LAN-to-LAN Connection Profile)

For a LAN-to-LAN tunnel, the connection profile type is ipsec-l2l. In order to configure the IKEv1 preshared key, enter the tunnel-group ipsec-attributes configuration mode:

tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123

Configure the ACL for the VPN Traffic of Interest

The ASA uses Access Control Lists (ACLs) in order to differentiate the traffic that should be protected with IPSec encryption from the traffic that does not require protection. It protects the outbound packets that match a permit Application Control Engine (ACE) and ensures that the inbound packets that match a permit ACE have protection.

object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0

access-list asa-router-vpn extended permit ip object-group local-network 
 object-group remote-network

Note: An ACL for VPN traffic uses the source and destination IP addresses after Network Address Translation (NAT).

Note: An ACL for VPN traffic must be mirrored on both of the VPN peers.

Note: If there is a need to add a new subnet to the protected traffic, simply add a subnet/host to the respective object-group and complete a mirror change on the remote VPN peer.

Configure a NAT Exemption

Note: The configuration that is described in this section is optional.

Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.

nat (inside,outside) source static local-network local-network destination static
 remote-network remote-network no-proxy-arp route-lookup

Configure the IKEv1 Transform Set

An IKEv1 transform set is a combination of security protocols and algorithms that define the way that the ASA protects data. During IPSec Security Association (SA) negotiations, the peers must identify a transform set or proposal that is the same for both of the peers. The ASA then applies the matched transform set or proposal in order to create an SA that protects data flows in the access list for that crypto map.

In order to configure the IKEv1 transform set, enter the crypto ipsec ikev1 transform-set command:

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Configure a Crypto Map and Apply it to an Interface

A crypto map defines an IPSec policy to be negotiated in the IPSec SA and includes:

• An access list in order to identify the packets that the IPSec connection permits and protects
  
  
• Peer identification
  
  
• A local address for the IPSec traffic
  
  
• The IKEv1 transform sets

Here is an example:

crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA

You can then apply the crypto map to the interface:

crypto map outside_map interface outside

ASA Final Configuration

Here is the final configuration on the ASA:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
!
access-list asa-router-vpn extended permit ip object-group local-network
 object-group remote-network
!
nat (inside,outside) source static local-network local-network destination
 static remote-network remote-network no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

IOS Router CLI Configuration

Configure the Interfaces

If the IOS router interfaces are not yet configured, then at least the LAN and WAN interfaces should be configured. Here is an example:

interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 10.20.10.1 255.255.255.0
 no shutdown

Ensure that there is connectivity to both the internal and external networks, and especially to the remote peer that will be used in order to establish a site-to-site VPN tunnel. You can use a ping in order to verify basic connectivity.

Configure the ISAKMP (IKEv1) Policy

In order to configure the ISAKMP policies for the IKEv1 connections, enter the crypto isakmp policy <priority> command in global configuration mode. Here is an example:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

Note: You can configure multiple IKE policies on each peer that participates in IPSec. When the IKE negotiation begins, it attempts to find a common policy that is configured on both of the peers, and it starts with the highest priority policies that are specified on the remote peer.

Configure a Crypto ISAKMP Key

In order to configure a preshared authentication key, enter the crypto isakmp key command in global configuration mode:

crypto isakmp key cisco123 address 172.16.1.1

Configure an ACL for VPN Traffic of Interest

Use the extended or named access list in order to specify the traffic that should be protected by encryption. Here is an example:

access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255 

Note: An ACL for VPN traffic uses the source and destination IP addresses after NAT.

Note: An ACL for VPN traffic must be mirrored on both of the VPN peers.

Configure a NAT Exemption

Note: The configuration that is described in this section is optional.

Typically, there should be no NAT performed on the VPN traffic. If the NAT overload is used, then a route-map should be used in order to exempt the VPN traffic of interest from translation. Notice that in the access-list that is used in the route-map, the VPN traffic of interest should be denied.

access-list 111 remark NAT exemption access-list
access-list 111 deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.20.10.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 111

ip nat inside source route-map nonat interface GigabitEthernet0/0 overload

Configure a Transform Set

In order to define an IPSec transform set (an acceptable combination of security protocols and algorithms), enter the crypto ipsec transform-set command in global configuration mode. Here is an example:

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

Configure a Crypto Map and Apply it to an Interface

In order to create or modify a crypto map entry and enter the crypto map configuration mode, enter the crypto map global configuration command. In order for the crypto map entry to be complete, there are some aspects that must be defined at a minimum:

• The IPsec peers to which the protected traffic can be forwarded must be defined. These are the peers with which an SA can be established. In order to specify an IPSec peer in a crypto map entry, enter the set peer command.
  
  
• The transform sets that are acceptable for use with the protected traffic must be defined. In order to specify the transform sets that can be used with the crypto map entry, enter the set transform-set command.
  
  
• The traffic that should be protected must be defined. In order to specify an extended access list for a crypto map entry, enter the match address command.

Here is an example:

crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110

The final step is to apply the previously defined crypto map set to an interface. In order to apply this, enter the crypto map interface configuration command:

interface GigabitEthernet0/0
 crypto map outside_map

IOS Final Configuration

Here is the final IOS router CLI configuration:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110
!
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface GigabitEthernet0/1
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
route-map nonat permit 10
 match ip address 111
!
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 remark NAT exemption access-list
access-list 111 deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.20.10.0 0.0.0.255 any

Verify

Before you verify whether the tunnel is up and that it passes the traffic, you must ensure that the traffic of interest is sent towards either the ASA or the IOS router.

Note: On the ASA, the packet-tracer tool that matches the traffic of interest can be used in order to initiate the IPSec tunnel (such as packet-tracer input inside tcp 10.10.10.10 12345 10.20.10.10 80 detailed for example).

Phase 1 Verification

In order to verify whether IKEv1 Phase 1 is up on the ASA, enter the show crypto isakmp sa command. The expected output is to see the MM_ACTIVE state:

ciscoasa# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
ciscoasa#

In order to verify whether the IKEv1 Phase 1 is up on the IOS, enter the show crypto isakmp sa command. The expected output is to see the ACTIVE state:

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.1      172.17.1.1      QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA

Router#

Phase 2 Verification

In order to verify whether IKEv1 Phase 2 is up on the ASA, enter the show crypto ipsec sa command. The expected output is to see both the inbound and outbound Security Parameter Index (SPI). If the traffic passes through the tunnel, you should see the encaps/decaps counters increment.

Note: For each ACL entry there is a separate inbound/outbound SA created, which might result in a long show crypto ipsec sa command output (dependent upon the number of ACE entries in the crypto ACL).

Here is an example:

ciscoasa# show crypto ipsec sa peer 172.17.1.1
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      access-list asa-router-vpn extended permit ip 10.10.10.0 255.255.255.0
       10.20.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1


      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1005, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.17.1.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0

    inbound esp sas:
      spi: 0xD8639BD0 (3630406608)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914900/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8A9FE619 (2325734937)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914901/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa# 

In order to verify whether IKEv1 Phase 2 is up on the IOS, enter the show crypto ipsec sa command. The expected output is to see both the inbound and outbound SPI. If the traffic passes through the tunnel, you should see the encaps/decaps counters increment.

Here is an example:

Router#show crypto ipsec sa peer 172.16.1.1

interface: GigabitEthernet0/0
    Crypto map tag: outside_map, local addr 172.17.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 172.16.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2024, #pkts encrypt: 2024, #pkts digest: 2024
    #pkts decaps: 2015, #pkts decrypt: 2015, #pkts verify: 2015
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 26, #recv errors 0

     local crypto endpt.: 172.17.1.1, remote crypto endpt.: 172.16.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0xD8639BD0(3630406608)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8A9FE619(2325734937)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: Onboard VPN:3, sibling_flags 80000046,
         crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4449870/3455)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD8639BD0(3630406608)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: Onboard VPN:4, sibling_flags 80000046,
         crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4449868/3455)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Router#

Phase 1 and 2 Verification

This section describes the commands that you can use on the ASA or IOS in order to verify the details for both Phases 1 and 2.

Enter the show vpn-sessiondb command on the ASA for verification:

ciscoasa# show vpn-sessiondb detail l2l filter ipaddress 172.17.1.1

Session Type: LAN-to-LAN Detailed

Connection   : 172.17.1.1
Index        : 2                      IP Addr      : 172.17.1.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES128  IPsec: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 100500                 Bytes Rx     : 101400
Login Time   : 18:06:02 UTC Wed Jul 22 2015
Duration     : 0h:05m:07s
IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 2.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES128                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86093 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 2.2
  Local Addr   : 10.10.10.0/255.255.255.0/0/0
  Remote Addr  : 10.20.10.0/255.255.255.0/0/0
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3293 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607901 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 26 Minutes
  Bytes Tx     : 100500                 Bytes Rx     : 101400
  Pkts Tx      : 1005                   Pkts Rx      : 1014

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 309 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

ciscoasa#

Enter the show crypto session command on the IOS for verification:

Router#show crypto session remote 172.16.1.1 detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: GigabitEthernet0/0
Uptime: 00:03:36
Session status: UP-ACTIVE
Peer: 172.16.1.1 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 172.16.1.1
      Desc: (none)
  IKE SA: local 172.17.1.1/500 remote 172.16.1.1/500 Active
          Capabilities:(none) connid:1005 lifetime:23:56:23
  IPSEC FLOW: permit ip 10.20.10.0/255.255.255.0 10.10.10.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 2015 drop 0 life (KB/Sec) 4449870/3383
        Outbound: #pkts enc'ed 2024 drop 26 life (KB/Sec) 4449868/3383

Router#

Troubleshoot

This section provides information that you can use in order to troubleshoot your configuration.

Note: Refer to the Important Information on Debug Commands and IP Security Troubleshooting - Understanding and Using debug Commands Cisco documents before you use debug commands.

IPSec LAN-to-LAN Checker Tool

In order to automatically verify whether the IPSec LAN-to-LAN configuration between the ASA and IOS is valid, you can use the IPSec LAN-to-LAN Checker tool. The tool is designed so that it accepts a show tech or show running-config command from either an ASA or IOS router. It examines the configuration and attempts to detect whether a crypto map based LAN-to-LAN IPSec tunnel is configured. If configured, it performs a multi-point check of the configuration and highlights any configuration errors and settings for the tunnel that would be negotiated.

ASA Debugs

In order to troubleshoot IPSec IKEv1 tunnel negotiation on an ASA firewall, you can use these debug commands:

debug crypto ipsec 127
debug crypto isakmp 127
debug ike-common 10

Note: If the number of VPN tunnels on the ASA is significant, the debug crypto condition peer A.B.C.D command should be used before you enable the debugs in order to limit the debug outputs to include only the specified peer.

IOS Router Debugs

In order to troubleshoot IPSec IKEv1 tunnel negotiation on an IOS router, you can use these debug commands:

debug crypto ipsec
debug crypto isakmp

Note: If the number of VPN tunnels on the IOS is significant, the debug crypto condition peer ipv4 A.B.C.D should be used before you enable the debugs in order to limit the debug outputs to include only the specified peer.

Tip: Refer to the Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions Cisco document for more information about how to troubleshoot a site-to-site VPN.

References

• Important Information on Debug Commands
  
  
• IP Security Troubleshooting - Understanding and Using debug Commands
  
  
• Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
  
  
• IPSec LAN-to-LAN Checker
  
  
• Technical Support & Documentation - Cisco Systems