This document describes how to configure a site-to-site Internet Key Exchange Version 2 (IKEv2) VPN tunnel between two Adaptive Security Appliances (ASAs) where one ASA has a dynamic IP address and the other has a static IP address.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
ASA Version 5505
ASA Version 9.1(5)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
There are two ways that this configuration can be set up:
With the DefaultL2LGroup tunnel group
With a named tunnel group
The biggest configuration difference between the two scenarios is the Internet Security Association and Key Management Protocol (ISAKMP) ID used by the remote ASA. When the DefaultL2LGroup is used on the static ASA, the peer's ISAKMP ID has to be the address. However if a named tunnel group is used, the peer's ISAKMP ID has to be the same the tunnel group name using this command:
crypto isakmp identity key-id <tunnel-group_name>
The advantage of using named tunnel groups on the static ASA is that when the DefaultL2LGroup is used, the configuration on the remote dynamic ASAs, which includes the pre-shared keys, has to be identical and it does not allow for much granularity with the setup of policies.
This section describes the configuration on each ASA depending on which solution you decide to use.
Solution 1 - Use of the DefaultL2LGroup
This is the simplest way to configure a LAN-to-LAN (L2L) tunnel betwen two ASAs when one ASA gets its address dynamically. The DefaultL2L Group is a preconfigured tunnel group on the ASA and all connections that do not explicitly match any particular tunnel group fall on this connection. Since the Dynamic ASA does not have a constant predetermined IP address, it means the admin cannot configure the Statis ASA in order to allow the connection on a specific tunnel group. In this situation, the DefaultL2L Group can be used in order to allow the dynamic connections.
Tip: With this method, the downside is that all peers will have the same pre-shared key since only one pre-shared key can be defined per tunnel-group and all of the peers will connect to the same DefaultL2LGroup tunnel-group.
On the ASDM, you can use the standard wizard in order to set up the appropriate connection profile or you can simply add a new connection and follow the standard procedure.
Solution 2 - Create a User-Defined Tunnel-Group
This method requires slighly more configuration, but it allows for more granularity. Each peer can have its own separate policy and pre-shared key. However here it is important to change the ISAKMP ID on the dynamic peer so that it uses a name instead of an IP address. This allows the static ASA to match the incoming ISAKMP initialisation request to the right tunnel group and to use the right policies.
On the ASDM, the connection profile name is an IP address by default. So when you create it, you must change it in order to give it a name as shown in the screenshot here:
Dynamic ASA Configuration
The Dynamic ASA is configured almost the same way in both solutions with the addition of one command as shown here:
crypto isakmp identity key-id DynamicSite2Site1
As described previously, by default the ASA uses the IP address of the interface that the VPN tunnel is mapped to as the ISAKMP key-ID. However in this case, the key-ID on the dynamic ASA is the same as the name of the tunnel-group on the Static ASA. So on every dynamic peer, the key-id will be different and a corresponding tunnel-group must be created on the Static ASA with the right name.
On the ASDM, this can be configured as shown in this screenshot:
Use this section in order to confirm that your configuration works properly.
On the Static ASA
Here is the result of the show crypto IKEv2 sa det command:
Session-id:132, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role 1574208993 198.51.100.1/4500 203.0.113.134/4500 READY RESPONDER Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK Life/Active Time: 86400/352 sec Session-id: 132 Status Description: Negotiation done Local spi: 4FDFF215BDEC73EC Remote spi: 2414BEA1E10E3F70 Local id: 198.51.100.1 Remote id: DynamicSite2Site1 Local req mess id: 13 Remote req mess id: 17 Local next mess id: 13 Remote next mess id: 17 Local req queued: 13 Remote req queued: 17 Local window: 1 Remote window: 1 DPD configured for 10 seconds, retry 2 NAT-T is detected outside Child sa: local selector 18.104.22.168/0 - 22.214.171.124/65535 remote selector 172.16.1.0/0 - 172.16.1.255/65535 ESP spi in/out: 0x9fd5c736/0x6c5b3cc9 AH spi in/out: 0x0/0x0 CPI in/out: 0x0/0x0 Encr: AES-CBC, keysize: 256, esp_hmac: SHA96 ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
Here is the result of the show crypto ipsec sa command: