• Cisco Site-to-Site IPSec VPN Tunnel (Pix/ASA) *Tutorial*

    Posted on June 12, 2012 by in Latest News, Tutorials


    Regardless of what you work as (network engineer, technical architect, 1st/2nd/3rd line support engineer, field engineer, etc.), no doubt you will at some point have had to build, or at least have heard of someone “needing a site to site VPN”.

    This can be between your client and another 3rd party client, or if the client has multiple sites then between the head office and branch offices.

    I’m going to show you how to create a simple VPN tunnel. In this example I will be using Cisco PIXes, but the commands are the same on other Cisco devices as well (e.g. ASAs).

    For my example I’ve got Site 1 (which is my head office) and Site 2 (which is a new branch office):

    Site 1 (head office):
    WAN IP: 5.5.5.5
    LAN: 192.168.5.0/24

    Site 2 (branch office):
    WAN IP: 10.10.10.10
    LAN: 192.168.10.0/24


    We will be using the following encryption for the tunnel:

    Phase 1: Encryption DES, authentication SHA, proposal group 2, life time 86400

    Phase 2: Encryption DES, authentication SHA, proposal group 2

    Pre-shared key: password


    Firstly, before we start configuring the VPN tunnels we need to specify that we will not be NATing traffic between the local LAN and the remote LAN.

    To do this, we will create a named access list called nonat:

    •  access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0

    We then need to apply this using the following:

    •  nat (inside) 0 access-list nonat

    By doing it this way, it ensures that if we need to add future VPN tunnels we can just add additional entries without needing to play about with the config too much. I.e. if we wanted to add an additional VPN tunnel where the remote network was 192.168.40.0/24 we could add:

    •  access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.40.0 255.255.255.0

    We don’t need to touch the original NAT statement as it already references the “nonat” ACL.

    Next we need to create an ACL that matches the traffic to pass between the sites. I will use a named ACL called SITE2 just to make it easy to see what it’s doing when we look at the config.

    •  access-list SITE2 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0


    We could also issue the remark command to add a comment to make it easier to read. If we wish to add a comment we could do the below:

    • access-list SITE2 remark — Allow SITE2 LAN Traffic —
    • access-list SITE2 permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0


    We now need to permit IPsec as a VPN method (the same applies if you are using PPTP; we just need to change the syntax).

    •  sysopt connection permit-ipsec

    We can now move on to the Phase 1 settings of the VPN tunnel. As mentioned above we will be using the following:

    Phase 1: Encryption DES, authentication SHA, proposal group 2, life time 86400

    Below is how you define the phase 1 settings. I’ve included additional information next to each line of config.

    • isakmp enable outside (Enables phase 1 on the outside interface)
    • isakmp policy 1 authentication pre-share (defines which method this phase 1 policy will be using, in this case pre-shared key)
    • isakmp policy 1 encryption des (encryption des)
    • isakmp policy 1 hash sha (authentication sha)
    • isakmp policy 1 group 2 (Group 2)
    • isakmp policy 1 lifetime 86400 (Lifetime)


    Once this is done we can move on to the phase 2 proposal settings. To start with we need to create the transform set which is going to be used.

    • crypto ipsec transform-set SITE2 esp-des esp-sha-hmac

    Continuing with the phase 2 process I’ve created the following: (In this example, “SITE1MAP” is the name of the crypto map set. The map set’s sequence number is 10, which is used to rank multiple entries within one crypto map set. The lower the sequence number, the higher the priority)

    • crypto map SITE1MAP 10 ipsec-isakmp
    • crypto map SITE1MAP 10 match address SITE2 (ACL to match)
    • crypto map SITE1MAP 10 set pfs group2 (IF PFS is required – which it is not in this instance)
    • crypto map SITE1MAP 10 set peer 10.10.10.10 (Primary peer to dial)
    • crypto map SITE1MAP 10 set peer 10.10.10.11 (Failover peer to dial – IF required which in this instance is not)
    • crypto map SITE1MAP 10 set transform-set SITE2 (transformation set to use – which we created earlier)
    • crypto map SITE1MAP 10 set security-association lifetime seconds 86400 kilobytes 4608000 (Life time of the tunnel)
    • crypto map SITE1MAP interface outside (enables phase 2 on the outside interface)


    Should we require to add an additional VPN tunnel at a later date we could do the following:

    • crypto map SITE1MAP 15 ipsec-isakmp
    • crypto map SITE1MAP 15 match address NEWVPNTUNNEL
    • crypto map SITE1MAP 15 set peer 30.30.30.30
    • crypto map SITE1MAP 15 set transform-set SITE2 (we can either use the existing SITE2 transform set, as here, or create a new one if required)
    • crypto map SITE1MAP 15 set security-association lifetime seconds 86400 kilobytes 4608000

    Finally we specify the peers and their pre-shared keys:

    •  isakmp key password address 10.10.10.10 netmask 255.255.255.255 no-xauth (xauth is extended authentication and allows IKE to authenticate using TACACS+ or RADIUS; no-config-mode is used with the IKE mode configuration feature. This associates a given pre-shared key with a gateway and allows an exception to the Xauth feature.)


    To configure this on the branch office PIX we would simply do the following (the ACL, transform set and crypto map names are from the branch’s point of view, so the ACL that the crypto map matches is now called SITE1):

    • access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
    • nat (inside) 0 access-list nonat
    • access-list SITE1 permit ip 192.168.10.0 255.255.255.0 192.168.5.0 255.255.255.0
    • sysopt connection permit-ipsec
    • isakmp enable outside
    • isakmp policy 1 authentication pre-share
    • isakmp policy 1 encryption des
    • isakmp policy 1 hash sha
    • isakmp policy 1 group 2
    • isakmp policy 1 lifetime 86400
    • crypto ipsec transform-set SITE1 esp-des esp-sha-hmac
    • crypto map SITE2MAP 10 ipsec-isakmp
    • crypto map SITE2MAP 10 match address SITE1
    • crypto map SITE2MAP 10 set peer 5.5.5.5
    • crypto map SITE2MAP 10 set transform-set SITE1
    • crypto map SITE2MAP 10 set security-association lifetime seconds 86400 kilobytes 4608000
    • crypto map SITE2MAP interface outside
    • isakmp key password address 5.5.5.5 netmask 255.255.255.255 no-xauth

    And that’s it! You’ve successfully created your first, albeit basic, site-to-site VPN tunnel, which will suffice for a lot of clients/connections between offices.
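    Because the two halves of the tunnel are mirror images of each other (local and remote networks swapped, peer address swapped, same pre-shared key), the whole procedure above can be generated from the site parameters and then checked mechanically. The script below is an added example of my own, not code from the tutorial or from Cisco: build_config emits one side of the configuration with the commands shown above, and lint_config flags the two slips that most often leave a tunnel that never negotiates, a crypto map that references an ACL or transform set which was never defined, and a crypto ACL entry that is missing from the nonat exemption (so the traffic is translated before it can match the tunnel). The Site class, both function names and the two constructed “slip” configurations are assumptions of this example. DES is emitted because the tutorial uses it; on current software you would pick AES.

```python
"""Generate both halves of a PIX/ASA site-to-site IPsec config and lint them.

Added example, not code from the tutorial or from Cisco. Site, build_config,
lint_config and the sample values are this example's own assumptions; the
emitted strings follow the commands shown in the tutorial.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Site:
    name: str    # label reused for the ACL, transform-set and crypto-map names
    wan_ip: str
    lan: str     # LAN network address
    mask: str    # dotted subnet mask, PIX/ASA style


# Sample values taken from the tutorial (constructed test data).
SITE1 = Site("SITE1", "5.5.5.5", "192.168.5.0", "255.255.255.0")
SITE2 = Site("SITE2", "10.10.10.10", "192.168.10.0", "255.255.255.0")
PSK = "password"


def build_config(local: Site, remote: Site, psk: str) -> list[str]:
    """Emit one side of the tunnel; swapping local/remote gives the mirror image.

    The ACL and transform set are named after the remote site and the crypto map
    after the local one, so each side only references objects it defines itself.
    """
    acl = ts = remote.name
    cmap = f"{local.name}MAP"
    pair = f"{local.lan} {local.mask} {remote.lan} {remote.mask}"
    return [
        f"access-list nonat permit ip {pair}",            # exempt VPN traffic from NAT
        "nat (inside) 0 access-list nonat",
        f"access-list {acl} permit ip {pair}",            # interesting traffic for the SA
        "sysopt connection permit-ipsec",
        "isakmp enable outside",                           # phase 1
        "isakmp policy 1 authentication pre-share",
        "isakmp policy 1 encryption des",                  # DES as in the tutorial; AES today
        "isakmp policy 1 hash sha",
        "isakmp policy 1 group 2",
        "isakmp policy 1 lifetime 86400",
        f"crypto ipsec transform-set {ts} esp-des esp-sha-hmac",   # phase 2
        f"crypto map {cmap} 10 ipsec-isakmp",
        f"crypto map {cmap} 10 match address {acl}",
        f"crypto map {cmap} 10 set peer {remote.wan_ip}",
        f"crypto map {cmap} 10 set transform-set {ts}",
        f"crypto map {cmap} 10 set security-association lifetime seconds 86400 kilobytes 4608000",
        f"crypto map {cmap} interface outside",
        f"isakmp key {psk} address {remote.wan_ip} netmask 255.255.255.255 no-xauth",
    ]


ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def lint_config(lines: list[str]) -> list[str]:
    """Return readable problems: dangling names and crypto ACL entries missing from nonat."""
    acls: dict[str, set[tuple[str, ...]]] = {}
    transform_sets: set[str] = set()
    for line in lines:                       # pass 1: collect definitions
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), set()).add(m.groups()[1:])
        elif line.startswith("crypto ipsec transform-set "):
            transform_sets.add(line.split()[3])

    problems: list[str] = []
    matched: list[str] = []                  # ACLs actually selected by a crypto map
    for line in lines:                       # pass 2: check every reference
        parts = line.split()
        if parts[:2] == ["nat", "(inside)"] and "access-list" in parts:
            name = parts[parts.index("access-list") + 1]
            if name not in acls:
                problems.append(f"nat exemption references undefined ACL {name}")
        elif parts[:2] == ["crypto", "map"] and parts[4:6] == ["match", "address"]:
            name = parts[6]
            if name in acls:
                matched.append(name)
            else:
                problems.append(f"crypto map {parts[2]} {parts[3]} references undefined ACL {name}")
        elif parts[:2] == ["crypto", "map"] and parts[4:6] == ["set", "transform-set"]:
            name = parts[6]
            if name not in transform_sets:
                problems.append(f"crypto map {parts[2]} {parts[3]} references undefined transform-set {name}")

    # Every network pair a crypto map selects must also be exempted from NAT, or the
    # packets are translated first and never match the crypto ACL.
    nonat = acls.get("nonat", set())
    for name in matched:
        for entry in sorted(acls[name]):
            if entry not in nonat:
                problems.append(f"ACL {name} entry '{' '.join(entry)}' is not exempted in nonat")
    return problems


# Constructed slip 1: the branch ACL is created as SITE2 but the crypto map matches SITE1.
BAD_BRANCH = [l.replace("access-list SITE1 permit", "access-list SITE2 permit")
              for l in build_config(SITE2, SITE1, PSK)]

# Constructed slip 2: a third tunnel added to the hub whose nonat line was copy-pasted
# from the first tunnel and still names 192.168.10.0 instead of 192.168.40.0.
SITE3 = Site("SITE3", "30.30.30.30", "192.168.40.0", "255.255.255.0")
HUB_WITH_SLIP = build_config(SITE1, SITE2, PSK) + [
    "access-list nonat permit ip 192.168.5.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "access-list SITE3 permit ip 192.168.5.0 255.255.255.0 192.168.40.0 255.255.255.0",
    "crypto map SITE1MAP 15 ipsec-isakmp",
    "crypto map SITE1MAP 15 match address SITE3",
    f"crypto map SITE1MAP 15 set peer {SITE3.wan_ip}",
    "crypto map SITE1MAP 15 set transform-set SITE2",
    f"isakmp key {PSK} address {SITE3.wan_ip} netmask 255.255.255.255 no-xauth",
]

if __name__ == "__main__":
    print("\n".join(build_config(SITE1, SITE2, PSK)))
    for label, cfg in (("branch", BAD_BRANCH), ("hub", HUB_WITH_SLIP)):
        print(label, lint_config(cfg) or "ok")
```

    Running the script prints the head-office side and then the lint findings for the two constructed slips; generating the branch side is just `build_config(SITE2, SITE1, PSK)`. The linter only parses the handful of commands this tutorial uses, so it is a sanity check for configs written in this style, not a general PIX/ASA parser.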


2 comments on “Cisco Site-to-Site IPSec VPN Tunnel (Pix/ASA) *Tutorial*”

  1. R.Groopy on said:

    You made some clear points there. I did a search on the topic and found most guys will go along with with your blog.

  2. Chris Dean on said:

    Wonderful page, Cheers
