Sunday, October 2, 2016

Configuring Site-to-Site IPsec VPN Using CCP and ASDM

I was troubleshooting a site-to-site IPsec VPN connection with a client who's using a Palo Alto (PA) firewall on their network. There's a great link which helped me understand and troubleshoot a PA firewall. We were exchanging our IKE Phase 1 and Phase 2 policies configured between our VPN router and their PA firewall and after a couple of sleepless nights (damn that PFS!), we were able to establish the VPN tunnel. Maybe I should take up Palo Alto PCNSE cert next year.

Router##show crypto isakmp sa   
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
17.8.17.44   202.7.2.2     QM_IDLE           1010 ACTIVE

IPv6 Crypto ISAKMP SA


Router#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: CMAP, local addr 202.7.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.27.193.162/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.5.202.0/255.255.255.0/0/0)

   current_peer 17.8.17.44 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 380030, #pkts encrypt: 380030, #pkts digest: 380030
    #pkts decaps: 366102, #pkts decrypt: 366102, #pkts verify: 366102

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 202.7.2.2, remote crypto endpt.: 17.8.17.44
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x826B1D60(2188057952)
     PFS (Y/N): Y, DH group: group2


It's challenging to configure and to troubleshoot VPNs but you won't get lost once you've built a foundation of the basic IKE policies and IPsec framework. I was able to review my CCNA Security and ASA basics last year but forgot about to post this lab for a site-to-site IPsec VPN between an IOS router and ASA firewall.


Router(config)#hostname R1
R1(config)#interface fastethernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#
*Jul  7 12:24:32.875: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#
*Jul  7 12:24:59.615: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/0


Router(config)#hostname R2
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jul  7 12:23:52.779: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jul  7 12:23:53.779: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R2(config-if)#do ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#clock rate 64000
R2(config-if)#
*Jul  7 12:24:14.411: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to down
R2(config-if)#exit
R2(config)#ip route 209.165.200.224 255.255.255.248 serial0/0/0
R2(config)#ip route 172.16.3.0 255.255.255.0 serial0/0/1


Router(config)#hostname R3
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 172.16.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#exit
*Jul  7 12:31:11.111: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jul  7 12:31:12.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R3(config)#ip route 0.0.0.0 0.0.0.0 serial0/0/1


R3(config)#enable secret cisco
R3(config)#line vty 0 4
R3(config-line)#password cisco
R3(config-line)#login
R3(config-line)#line console 0
R3(config-line)#password cisco
R3(config-line)#login


R3(config)#ip http server
R3(config)#username admin privilege 15 secret cisco123
R3(config)#ip http authentication local


ciscoasa> enable
Password: <ENTER>
ciscoasa# conf t
ciscoasa(config)#

***************************** NOTICE *****************************

Help to improve the ASA platform by enabling anonymous reporting,
which allows Cisco to securely receive minimal error and health
information from the device. To learn more about this feature,
please visit: http://www.cisco.com/go/smartcall

Would you like to enable anonymous error reporting to help improve
the product? [Y]es, [N]o, [A]sk later: n

In the future, if you would like to enable this feature,
issue the command "call-home reporting anonymous".

Please remember to save your configuration.

ciscoasa(config)# hostname CCNAS-ASA
CCNAS-ASA(config)# enable password class
CCNAS-ASA(config)# domain-name ccnasecurity.com
CCNAS-ASA(config)# passwd cisco
CCNAS-ASA(config)# interface ethernet0/0
CCNAS-ASA(config-if)# switchport access vlan 2
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/1
CCNAS-ASA(config-if)# switchport access vlan 1
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface ethernet0/2
CCNAS-ASA(config-if)# switchport access vlan 3
CCNAS-ASA(config-if)# no shutdown
CCNAS-ASA(config-if)# interface vlan 1
CCNAS-ASA(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
CCNAS-ASA(config-if)# security-level 100
CCNAS-ASA(config-if)# ip address 192.168.1.1 255.255.255.0
CCNAS-ASA(config-if)# interface vlan 2
CCNAS-ASA(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
CCNAS-ASA(config-if)# security-level 0
CCNAS-ASA(config-if)# ip address 209.165.200.226 255.255.255.248
CCNAS-ASA(config-if)# interface vlan 3
CCNAS-ASA(config-if)# no forward interface vlan 1
CCNAS-ASA(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
CCNAS-ASA(config-if)# security-level 70
CCNAS-ASA(config-if)# ip address 192.168.2.1 255.255.255.0
CCNAS-ASA(config-if)# object network inside-net
CCNAS-ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
CCNAS-ASA(config-network-object)# nat (inside,outside) dynamic interface
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# object network dmz-server
CCNAS-ASA(config-network-object)# host 192.168.2.3
CCNAS-ASA(config-network-object)# nat (dmz,outside) static 209.165.200.227
CCNAS-ASA(config-network-object)# exit
CCNAS-ASA(config)# access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
CCNAS-ASA(config)# access-group OUTSIDE-DMZ in interface outside
CCNAS-ASA(config)# route outside 0 0 209.165.200.225
CCNAS-ASA(config)# username admin password cisco123
CCNAS-ASA(config)# aaa authentication telnet console LOCAL
CCNAS-ASA(config)# aaa authentication ssh console LOCAL
CCNAS-ASA(config)# aaa authentication http console LOCAL
CCNAS-ASA(config)# http server enable
CCNAS-ASA(config)# http 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# ssh 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet 192.168.1.0 255.255.255.0 inside
CCNAS-ASA(config)# telnet timeout 10
CCNAS-ASA(config)# ssh timeout 10
CCNAS-ASA(config)# policy-map global_policy
CCNAS-ASA(config-pmap)# class inspection_default
CCNAS-ASA(config-pmap-c)# inspect icmp
CCNAS-ASA(config-pmap-c)# exit
CCNAS-ASA(config-pmap)# exit
CCNAS-ASA(config)# crypto key generate rsa modulus 1024
WARNING: You have a RSA keypair already defined named <Default-RSA-Key>.

Do you really want to replace them? [yes/no]: y
Keypair generation process begin. Please wait...
CCNAS-ASA(config)#


R3(config)#crypto isakmp policy 1    // JAVA DOWNGRADED FOR ASDM; CONFIGURE R3 S2S IPSEC VPN VIA CLI
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption 3des
R3(config-isakmp)#hash sha
R3(config-isakmp)#group 2
R3(config-isakmp)#lifetime 86400
R3(config-isakmp)#exit
R3(config)#crypto isakmp key cisco12345 address 209.165.200.226
R3(config)#crypto ipsec transform-set TSET esp-3des esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#access-list 100 permit ip 172.16.3.0 0.0.0.255 192.168.1.0 0.0.0.255
R3(config)#crypto map CMAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#set peer 209.165.200.226
R3(config-crypto-map)#set transform-set TSET
R3(config-crypto-map)#match address 100
R3(config-crypto-map)#exit
R3(config)#interface serial0/0/1
R3(config-if)#crypto map CMAP
R3(config-if)#
*Jul  7 13:12:27.235: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


CCNAS-ASA# debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  ss-api      Set Crypto Secure Socket API debug levels
  vpnclient   Set EasyVPN client debug levels
CCNAS-ASA# debug crypto ikev1 ?

  <1-255>  Specify an optional debug level (default is 1)
  timers   debug the ikev1 timers
  <cr>
CCNAS-ASA# debug crypto ikev1


R3#ping 192.168.1.3 source 172.16.3.3


CCNAS-ASA# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.2.2.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE   // IPSEC ESTABLISHED IN ASA

There are no IKEv2 SAs

CCNAS-ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.226

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.3.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      current_peer: 10.2.2.1


      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4   // DUE TO GENERATED ICMP
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.165.200.226/0, remote crypto endpt.: 10.2.2.1/0  
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: D933E94D
      current inbound spi : 6A6DC4E8

    inbound esp sas:
      spi: 0x6A6DC4E8 (1785578728)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/3517)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xD933E94D (3644057933)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/3517)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
209.165.200.226 10.2.2.1        QM_IDLE           1001    0 ACTIVE   // IPSEC ESTABLISHED IN ASA

IPv6 Crypto ISAKMP SA


R3#show crypto ipsec sa

interface: Serial0/0/1
    Crypto map tag: CMAP, local addr 10.2.2.1   

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)  
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) 
   current_peer 209.165.200.226 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4 
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 0

     local crypto endpt.: 10.2.2.1, remote crypto endpt.: 209.165.200.226  
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/1
     current outbound spi: 0x6A6DC4E8(1785578728)

     inbound esp sas:
      spi: 0xD933E94D(3644057933)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: FPGA:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4456786/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6A6DC4E8(1785578728)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: FPGA:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4456786/3543)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


R3#ping 192.168.1.3 source 172.16.3.3 repeat 10    // TO GENERATE MORE IPSEC VPN TRAFFIC STATS

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.1.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 84/90/124 ms

No comments:

Post a Comment