Configuration of Site to Site VPN with ASAv using CLI

A. Site to Site VPN with Pre-Shared Key

  1. Enable IKEv2 on the outside interface
crypto ikev2 enable outside
  1. Create a network object for the DR site (the local object Site-PROD for 10.10.8.0/24 is assumed to exist already; its definition appears in the DR configuration below)
object network Site-DR
    subnet 20.20.8.0 255.255.255.0
  1. Create an ACL to permit traffic from the PROD site to the DR site; this ACL also becomes the tunnel's traffic selector once it is referenced by the crypto map
access-list ACL_S2S_DR extended permit ip object Site-PROD object Site-DR
  1. Create a NAT exemption (identity twice NAT) so traffic from PROD to the DR site is not translated before it enters the tunnel
nat (inside,outside) source static Site-PROD Site-PROD destination static Site-DR Site-DR no-proxy-arp route-lookup
  1. Create a tunnel group named after the IP address of the remote ASAv, with pre-shared-key authentication
tunnel-group 20.20.20.254 type ipsec-l2l
tunnel-group 20.20.20.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
  1. Create an IKEv2 policy – MUST MATCH on both ASAv
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
  1. Create an IPsec proposal – MUST MATCH on both ASAv
crypto ipsec ikev2 ipsec-proposal IKEv2-SET
    protocol esp encryption aes-256
    protocol esp integrity sha-1
  1. Create a crypto map IKEv2-MAP that ties together the ACL, the peer IP and the IPsec proposal created above, and activate it on the outside interface
crypto map IKEv2-MAP 10 match address ACL_S2S_DR
crypto map IKEv2-MAP 10 set peer 20.20.20.254
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-SET
crypto map IKEv2-MAP interface outside
  1. Configure the DR ASAv (outside address 20.20.20.254) with the mirror image of the above: the local object Site-DR is assumed to exist already, and the ACL, NAT exemption and peer address point back to PROD
crypto ikev2 enable outside

object network Site-PROD
    subnet 10.10.8.0 255.255.255.0

access-list ACL_S2S_DR extended permit ip object Site-DR object Site-PROD

nat (inside,outside) source static Site-DR Site-DR destination static Site-PROD Site-PROD no-proxy-arp route-lookup

tunnel-group 10.10.10.254 type ipsec-l2l
tunnel-group 10.10.10.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal IKEv2-SET
    protocol esp encryption aes-256
    protocol esp integrity sha-1

crypto map IKEv2-MAP 10 match address ACL_S2S_DR
crypto map IKEv2-MAP 10 set peer 10.10.10.254
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-SET
crypto map IKEv2-MAP interface outside
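Added example, not part of the original post: before bringing the tunnel up, a small Python lint of one side's configuration for the dangling name references that the ASA CLI accepts without complaint (an object misspelled in the ACL, a crypto map pointing at an ACL or proposal that does not exist, a peer address with no matching tunnel-group). The sample is a constructed copy of the PROD-side commands above; the local object Site-PROD is assumed to exist.

```python
import re

# Constructed sample: the PROD-side site-to-site commands from this page (the
# local object Site-PROD is assumed to exist already; the PSK is elided as on the page).
PROD_CFG = """\
object network Site-PROD
 subnet 10.10.8.0 255.255.255.0
object network Site-DR
 subnet 20.20.8.0 255.255.255.0
access-list ACL_S2S_DR extended permit ip object Site-PROD object Site-DR
tunnel-group 20.20.20.254 type ipsec-l2l
tunnel-group 20.20.20.254 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ipsec ikev2 ipsec-proposal IKEv2-SET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map IKEv2-MAP 10 match address ACL_S2S_DR
crypto map IKEv2-MAP 10 set peer 20.20.20.254
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-SET
"""

def _names(pattern, cfg):
    return {m.group(1) for m in re.finditer(pattern, cfg, re.M)}

def lint_s2s(cfg):
    """Return dangling name references in one ASA site-to-site config.
    The ASA accepts a misspelled object, ACL or peer without error; the result is
    a crypto map that never matches traffic or a peer lacking ipsec-attributes."""
    objects = _names(r"^object network (\S+)", cfg)
    acls = _names(r"^access-list (\S+) ", cfg)
    l2l_groups = _names(r"^tunnel-group (\S+) type ipsec-l2l", cfg)
    attr_groups = _names(r"^tunnel-group (\S+) ipsec-attributes", cfg)
    proposals = _names(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", cfg)
    problems = []
    for line in re.findall(r"^access-list .*", cfg, re.M):
        for obj in re.findall(r"\bobject (\S+)", line):
            if obj not in objects:
                problems.append(f"ACL refers to undefined object {obj}")
    for acl in _names(r"^crypto map \S+ \d+ match address (\S+)", cfg):
        if acl not in acls:
            problems.append(f"crypto map refers to undefined ACL {acl}")
    for peer in _names(r"^crypto map \S+ \d+ set peer (\S+)", cfg):
        if peer not in l2l_groups or peer not in attr_groups:
            problems.append(f"peer {peer} has no ipsec-l2l tunnel-group with ipsec-attributes")
    for prop in _names(r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (\S+)", cfg):
        if prop not in proposals:
            problems.append(f"crypto map refers to undefined ipsec-proposal {prop}")
    return problems
```

Run `lint_s2s()` over the DR side as well; an empty list on both sides means every reference resolves, which is the precondition for the `show isakmp sa` checks in the next step to mean anything.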
  1. The tunnel should now be up, and workstations in Site-PROD and Site-DR should be able to ping each other

  2. Verify that the IKEv2 IPsec tunnel is running with show isakmp sa and show ipsec sa

ASAv# sh isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:31, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 81109503 10.10.10.254/500                                    20.20.20.254/500                                         READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/685 sec
Child sa: local selector  10.10.8.0/0 - 10.10.8.255/65535
          remote selector 20.20.8.0/0 - 20.20.8.255/65535
          ESP spi in/out: 0xb6f15e63/0xe1443dc8
ASAv# sh ipsec sa
interface: outside
    Crypto map tag: IKEv2-MAP, seq num: 10, local addr: 10.10.10.254

      access-list ACL_S2S_DR extended permit ip 10.10.8.0 255.255.255.0 20.20.8.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.8.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (20.20.8.0/255.255.255.0/0/0)
      current_peer: 20.20.20.254


      #pkts encaps: 1368, #pkts encrypt: 1368, #pkts digest: 1368
      #pkts decaps: 1368, #pkts decrypt: 1368, #pkts verify: 1368
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1368, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.254/500, remote crypto endpt.: 20.20.20.254/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: E1443DC8
      current inbound spi : B6F15E63

    inbound esp sas:
      spi: 0xB6F15E63 (3069271651)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 203300864, crypto-map: IKEv2-MAP
         sa timing: remaining key lifetime (kB/sec): (4054941/28092)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE1443DC8 (3779345864)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 203300864, crypto-map: IKEv2-MAP
         sa timing: remaining key lifetime (kB/sec): (4101021/28092)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

B. Site to Site VPN with Certificate

  1. Convert the Let’s Encrypt Wildcard PFX Certificate to BASE64 with openssl
openssl base64 -in AventisLab.pfx > AventisLab.base64
  1. Display the file and copy its entire contents
cat AventisLab.base64
  1. Import the certificate into the Cisco ASAv as a PKCS12 trustpoint (XXXXX is the password that protects the PFX file)
crypto ca import star.aventistech.info pkcs12 XXXXX

Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:

PASTE ALL CONTENT FROM THE OUTPUT OF cat AventisLab.base64

quit

The CA cert is not self-signed.

Do you also want to create trustpoints for CAs higher in the hierarchy? [yes/no]: yes
INFO: Import PKCS12 operation completed successfully
  1. Modify the tunnel-group on the PROD Cisco ASAv (10.10.10.254) to use certificate authentication and remove the pre-shared-key; the trustpoint name must match the one given to crypto ca import above
tunnel-group 20.20.20.254 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate star.aventistech.info
 no ikev2 remote-authentication pre-shared-key
 no ikev2 local-authentication pre-shared-key
  1. Repeat steps 1 to 3 on the DR Cisco ASAv (20.20.20.254)

  2. Modify the tunnel-group to use certificate authentication and remove the pre-shared-key, again referencing the imported trustpoint

tunnel-group 10.10.10.254 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate star.aventistech.info
 no ikev2 remote-authentication pre-shared-key
 no ikev2 local-authentication pre-shared-key
  1. Verify that the tunnel is up and that authentication now shows Auth sign: RSA and Auth verify: RSA
ASAv(config)# sh isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:33, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
383951229 10.10.10.254/500                                    20.20.20.254/500                                         READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1127 sec
Child sa: local selector  10.10.8.0/0 - 10.10.8.255/65535
          remote selector 20.20.8.0/0 - 20.20.8.255/65535
          ESP spi in/out: 0xfda3d0dd/0x646fb86c
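Added example, not part of the original post: parsing the `show isakmp sa` output above in Python so the post-migration check (session UP-ACTIVE and READY, Auth sign/verify RSA rather than PSK, negotiated algorithms equal to the configured policy) can be scripted instead of eyeballed. The sample output is a condensed copy of the one shown above; `EXPECTED` restates the aes-256 / sha256 / group 19 policy from section A.

```python
import re

# Constructed sample: the `show isakmp sa` output shown on this page after the
# move to certificate authentication (blank lines and column spacing condensed).
SHOW_ISAKMP_SA = """\
IKEv2 SAs:
Session-id:33, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local                Remote               Status    Role
383951229 10.10.10.254/500     20.20.20.254/500     READY     RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/1127 sec
Child sa: local selector  10.10.8.0/0 - 10.10.8.255/65535
          remote selector 20.20.8.0/0 - 20.20.8.255/65535
          ESP spi in/out: 0xfda3d0dd/0x646fb86c
"""

# What the configured IKEv2 policy (aes-256 / sha256 / group 19) should negotiate.
EXPECTED = {"encr": "AES-CBC", "keysize": 256, "hash": "SHA256", "dh_group": 19}

def parse_ikev2_sa(output):
    """Return the first IKEv2 SA in `show isakmp sa` output as a dict, or None."""
    session = re.search(r"Session-id:(\d+), Status:([\w-]+)", output)
    head = re.search(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$", output, re.M)
    crypto = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+), "
                       r"Auth sign: (\S+), Auth verify: (\S+)", output)
    if not (session and head and crypto):
        return None
    sa = {"session_id": int(session[1]), "session_status": session[2], "tunnel_id": int(head[1]),
          "local": head[2], "remote": head[3], "status": head[4], "role": head[5],
          "encr": crypto[1], "keysize": int(crypto[2]), "hash": crypto[3],
          "dh_group": int(crypto[4]), "auth_sign": crypto[5], "auth_verify": crypto[6]}
    # Child SA traffic selectors: (first address, last address) per side.
    sa["selectors"] = {side: (lo, hi) for side, lo, hi in
                       re.findall(r"(local|remote) selector\s+(\S+)/\d+ - (\S+)/\d+", output)}
    return sa

def check_tunnel(sa, expect_auth="RSA", expected=EXPECTED):
    """List every way the live SA deviates from the intended state (empty = good)."""
    if sa is None:
        return ["no IKEv2 SA found"]
    issues = []
    if sa["session_status"] != "UP-ACTIVE" or sa["status"] != "READY":
        issues.append(f"SA not established: {sa['session_status']}/{sa['status']}")
    if (sa["auth_sign"], sa["auth_verify"]) != (expect_auth, expect_auth):
        issues.append(f"authentication is {sa['auth_sign']}/{sa['auth_verify']}, expected {expect_auth}")
    for key, want in expected.items():
        if sa[key] != want:
            issues.append(f"{key} is {sa[key]}, expected {want}")
    return issues
```

Feeding the earlier PSK-era output from section A into `check_tunnel()` reports the PSK authentication as a deviation, which is exactly the regression a scheduled check should catch after the cut-over to certificates.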
