VPNs are among the most annoying topics for me. While the theory and concepts are easy, the number of moving parts required to make one work means something is easily misplaced. It doesn’t help that Cisco hasn’t found a smooth way to bring these moving parts into one section, the way address-families do in routing protocols or C3PL does in QoS. Instead the configuration is spread about, with a piece of phase 1 over here and phase 2 over there. Nor does it help that ASAs and routers use different naming conventions, and that IKEv1 and IKEv2 parameters have different names.
Anyway, I present the minimum configuration required to allow an IKEv2 site-to-site (L2L / LAN-to-LAN) VPN on an ASA to work.
Reading this article is recommended before getting started. http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
1. Defining interesting traffic – the traffic matched by this ACL is what brings the VPN session up and is sent through the tunnel

access-list VPNACL extended permit ip 10.131.1.0 255.255.255.0 10.131.2.0 255.255.255.0

2. IKE phase 1 – Authenticate the peers and set up the security association in preparation for the phase 2 data transfer

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 20
 prf sha256
 lifetime seconds 3600
! encryption [select] - cipher that protects the IKE negotiation itself
! integrity [select] - hash that authenticates each IKE message, so it can be trusted to come from the peer
! group [select] - Diffie-Hellman group used for the key exchange
! prf [select] - pseudo-random function used to derive the session keys
! lifetime seconds [select] - lifetime of the IKE SA before it is renegotiated

3. IKE phase 2 – Add encryption and integrity to the data being transferred

crypto ipsec ikev2 ipsec-proposal PROPOSAL1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! protocol esp encryption [select] - cipher applied to the tunnelled data
! protocol esp integrity [select] - hash that authenticates the tunnelled data

4. IKE phase 2 – Authentication method and keys

tunnel-group 10.131.255.10 type ipsec-l2l
tunnel-group 10.131.255.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco

5. Tie it all together with a crypto map

crypto map CMAP 2 match address VPNACL
crypto map CMAP 2 set peer 10.131.255.10
crypto map CMAP 2 set ikev2 ipsec-proposal PROPOSAL1

6. Enable IKEv2 and CMAP on the outside interface

crypto map CMAP interface outside
crypto ikev2 enable outside

How to verify it all works:

show crypto isakmp sa
show crypto ikev2 sa
show crypto ipsec sa
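Because the pieces above are scattered, the usual failure is a crypto map that points at an ACL, peer, proposal or interface that was never finished. Here is an added Python checker (my own example, not Cisco tooling or code from this post) that reads saved running-config text and reports any crypto map entry whose ACL, ipsec-l2l tunnel-group (with both IKEv2 pre-shared keys), ipsec-proposal or interface (with ikev2 enabled) does not resolve. The sample text is constructed from this post's values; the ikev2 policy is global rather than referenced by name, so it is not cross-checked.

```python
import re
# Constructed sample of this post's phase-2 pieces; ASA indents sub-mode lines by one space.
SAMPLE_CONFIG = """
access-list VPNACL extended permit ip 10.131.1.0 255.255.255.0 10.131.2.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal PROPOSAL1
 protocol esp encryption aes-256
 protocol esp integrity sha-256
tunnel-group 10.131.255.10 type ipsec-l2l
tunnel-group 10.131.255.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
crypto map CMAP 2 match address VPNACL
crypto map CMAP 2 set peer 10.131.255.10
crypto map CMAP 2 set ikev2 ipsec-proposal PROPOSAL1
crypto map CMAP interface outside
crypto ikev2 enable outside
"""
def check_l2l_config(config):  # returns a list of findings; empty means every reference resolves
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    def names(pattern):  # first capture group of every line matching pattern
        return {m.group(1) for l in lines if (m := re.match(pattern, l))}
    acls = names(r"access-list (\S+) ")
    proposals = names(r"crypto ipsec ikev2 ipsec-proposal (\S+)")
    l2l_groups = names(r"tunnel-group (\S+) type ipsec-l2l")
    ikev2_ifaces = names(r"crypto ikev2 enable (\S+)")
    applied = {m.group(1): m.group(2) for l in lines if (m := re.match(r"crypto map (\S+) interface (\S+)", l))}
    maps, psk, ctx = {}, {}, None  # crypto map entries, PSK directions per tunnel-group, current sub-mode
    for l in lines:
        if m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)", l):
            maps.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", l):
            ctx = m.group(1)
        elif ctx and (m := re.match(r"ikev2 (local|remote)-authentication pre-shared-key \S+", l)):
            psk.setdefault(ctx, set()).add(m.group(1))
        elif not l.startswith("ikev2 "):
            ctx = None  # any other top-level line leaves the ipsec-attributes sub-mode
    findings = []
    for (name, seq), entry in maps.items():
        acl, peer, prop = entry.get("match address"), entry.get("set peer"), entry.get("set ikev2 ipsec-proposal")
        for label, value, known in (("ACL", acl, acls), ("ipsec-proposal", prop, proposals)):
            if value not in known:
                findings.append(f"{name} {seq}: {label} {value} not defined")
        if peer not in l2l_groups:
            findings.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {peer}")
        elif psk.get(peer) != {"local", "remote"}:
            findings.append(f"{name} {seq}: tunnel-group {peer} lacks ikev2 local and remote pre-shared keys")
        if applied.get(name) not in ikev2_ifaces:  # map must be bound to an interface that has ikev2 enabled
            findings.append(f"{name}: not applied to an interface with ikev2 enabled")
    return findings
```

Run it against the output of show running-config before bringing the tunnel up; an empty list means the show commands above are the next step, a non-empty one names the piece that was left out.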