EdgeRouter - Site-to-Site IPsec VPN to Cisco ASA
Overview
Readers will learn how to configure a Policy-Based Site-to-Site IPsec VPN between an EdgeRouter and a Cisco ASA.
- EdgeRouter-4 (ER-4)
- Cisco ASA
FAQ
1. What Site-to-Site IPsec VPN types can be configured on EdgeOS?
The following IPsec VPN types can be configured on EdgeOS:
2. What are the available encryption and hashing options for IKE and ESP?
Encryption
Hashing
Setting up a Policy-Based VPN
The 192.168.1.0/24 network (EdgeRouter side) and the 172.16.1.0/24 network (Cisco ASA side) will be allowed to communicate with each other over the Policy-Based Site-to-Site VPN. The EdgeRouter is configured first, followed by the Cisco ASA.
EdgeRouter
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs).
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
4. Create the ESP / Phase 2 (P2) SAs and disable Perfect Forward Secrecy (PFS). PFS is disabled here to match the Cisco ASA crypto map, which does not use PFS unless it is explicitly configured; a PFS mismatch between the two peers prevents the Phase 2 SA from being established.
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the remote peering address (replace <secret> with your desired passphrase).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the remote peer and define the local and remote subnets.
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 192.0.2.1 tunnel 1 remote prefix 172.16.1.0/24
7. Commit the changes and save the configuration.
commit ; save
Cisco ASA
1. Enter configuration mode.
configure terminal
2. Define Network Objects for the remote and local subnets.
object network obj-local
subnet 172.16.1.0 255.255.255.0
object network obj-remote
subnet 192.168.1.0 255.255.255.0
3. Create an Access List that links to the Network Objects.
access-list ipsec-acl extended permit ip object obj-local object obj-remote
4. Create an IKE policy.
crypto ikev1 policy 100
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
5. Configure a Transform Set for IPsec.
crypto ipsec ikev1 transform-set ipsec-ts esp-aes esp-sha-hmac
6. Create a crypto map and link it to the previously created transform-set and access-list.
crypto map ipsec-cm 100 set peer 203.0.113.1
crypto map ipsec-cm 100 set ikev1 transform-set ipsec-ts
crypto map ipsec-cm 100 set security-association lifetime seconds 3600
crypto map ipsec-cm 100 match address ipsec-acl
crypto map ipsec-cm interface outside
7. Create a tunnel group (replace <secret> with your desired passphrase).
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key <secret>
8. Enable the IKE process.
crypto ikev1 enable outside
9. Exclude the IPsec traffic from being translated by NAT. The first line is an identity NAT rule for the VPN traffic between the two subnets, and the second line is the dynamic PAT rule for all other traffic from the local subnet.
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp route-lookup
nat (inside,outside) source dynamic obj-local interface
10. Write the changes to the startup configuration.
copy running-config startup-config
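Both peers must offer the same Phase 1 and Phase 2 parameters, and mismatches between the EdgeOS and ASA syntax are the usual reason a tunnel configured from these steps does not come up. The following Python is an added example, not part of this article or of either vendor's tooling: it parses the IKE/ESP lines of the two configurations above (the constructed inputs reproduce the page's values), maps the vendor-specific names onto common keys, and lists any parameter that differs. The key names and the ALG normalisation table are the example's own.

```python
ALG = {"aes128": "aes", "sha1": "sha"}  # EdgeOS algorithm names -> the ASA's names
# Constructed input: the IKE/ESP lines of the two configurations above (auth, subnet and NAT lines omitted).
EDGEOS = """set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 5
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1"""
ASA = """crypto ikev1 policy 100
 encryption aes
 hash sha
 group 5
 lifetime 28800
crypto ipsec ikev1 transform-set ipsec-ts esp-aes esp-sha-hmac
crypto map ipsec-cm 100 set peer 203.0.113.1
crypto map ipsec-cm 100 set security-association lifetime seconds 3600"""

def parse_edgeos(text):
    """EdgeOS settings keyed the way the ASA must mirror them (ASA 'set peer' = our local-address)."""
    v = {}
    for w in (line.split() for line in text.splitlines()):
        if w[3:4] in (["ike-group"], ["esp-group"]) and len(w) > 6:   # '... proposal 1 dh-group 5'
            v[w[3][:3] + "_" + w[-2]] = ALG.get(w[-1], w[-1])       # -> v['ike_dh-group'] = '5'
        elif w[6:7] == ["local-address"]:
            v["peer"] = w[7]
    return v

def parse_asa(text):
    """The same keys from ASA syntax; PFS is off on the ASA unless the crypto map sets it."""
    v = {"esp_pfs": "disable"}
    for w in (line.split() for line in text.splitlines()):
        if w[:1] and w[0] in ("encryption", "hash", "group", "lifetime"):   # inside 'crypto ikev1 policy'
            v["ike_" + ("dh-group" if w[0] == "group" else w[0])] = w[1]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:        # strip 'esp-' / '-hmac'
            v["esp_encryption"], v["esp_hash"] = w[5][4:], w[6][4:].removesuffix("-hmac")
        elif w[:2] == ["crypto", "map"] and "set" in w:
            s = w[w.index("set") + 1:]                    # e.g. ['peer', '203.0.113.1']
            if s[0] == "peer": v["peer"] = s[1]
            elif s[0] == "security-association": v["esp_lifetime"] = s[-1]
            elif s[0] == "pfs": v["esp_pfs"] = s[-1]      # DH group name, or 'pfs' when the ASA default applies
    return v

def mismatches(edgeos_text, asa_text):
    """Keys whose values differ between the two sides; an empty list means the proposals line up."""
    a, b = parse_edgeos(edgeos_text), parse_asa(asa_text)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

if __name__ == "__main__":
    print(mismatches(EDGEOS, ASA))  # [] for the article's values
```

Changing `pfs disable` to `pfs enable` on the EdgeRouter, or adding `set pfs` to the ASA crypto map, makes `esp_pfs` appear in the output, which is the mismatch step 4 of the EdgeRouter section avoids.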
Related Articles
EdgeRouter - Site-to-Site IPsec VPN to Cisco ISR
EdgeRouter - Policy-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH