Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs will exchange secret keys, they authenticate each other and will negotiate about the IKE security policies. This is what happens in phase 1:

Authenticate and protect the identities of the IPsec peers.
Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
Setup a secure tunnel for IKE phase 2.

ASA1(config)# crypto ikev1 policy 10 
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l

The IP address above is the IP address of the OUTSIDE interface on ASA2. The type “ipsec-l2l” means lan-to-lan. Let’s configure the pre-shared key now:

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

we’ll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share 
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600

ASA2(config)# crypto ikev1 enable outside
ASA2(config)# crypto isakmp identity address 

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l

ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes 
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

Phase 2 configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls will negotiate about the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

Negotiate IPsec security parameters through the secure tunnel from phase 1.
Establish IPsec security associations.
Periodically renegotiates IPsec security associations for security.

Here’s what the configuration looks like, we’ll start with ASA1:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1   
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600                             
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

This takes care of phase 1 and phase on both ASA firewalls. Last but not least, make sure that the firewalls know how to reach each others subnets, I will use a static route for this:

ASA1(config)# 
route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

IPsec VPN

Phase 1 Configuration

Phase 2 configuration

results matching ""

No results matching ""