ASA-5505 IPSEC VPN


Preface

  • Phase 1 creates the first tunnel, which protects later ISAKMP negotiation messages.
  • Phase 2 creates the tunnel that protects data.

Network Diagram:

192.168.1.0/24(lan) -- 10.0.1.1 <---> 10.0.2.1 -- 192.168.2.0/24(lan)

IPSEC Protocol Architecture

 

Firewall: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP 500) must be allowed between the peers

  • Authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP)
  • Integrity: Encapsulating Security Payload (ESP)
  • Confidentiality: Encapsulating Security Payload (ESP)
  • Bringing it all together: Internet Key Exchange (IKE)

Configuration

 

The security appliance functions as a bidirectional tunnel endpoint.

 

Step 1: Create an access list that defines the traffic to protect

# access-list access-list-name {deny | permit} ip source source-netmask destination destination-netmask

# permit => traffic that matches the specified conditions is protected by crypto

access-list 101 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0

Step 2: Configure a transform set that defines how to protect the traffic (IKE Phase 2)

# crypto ipsec transform-set transform-set-name encryption [authentication]

# this example uses DES for encryption and SHA-1 HMAC for authentication

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

Step 3: Create a crypto map

a) Bind the access list to a crypto map entry:

# crypto map map-name seq-num match address access-list-name

crypto map mymap 10 match address 101

b) Specify the peer to which the IPsec protected traffic can be forwarded:

# crypto map map-name seq-num set peer ip-address

# sets up an SA with the peer assigned the IP address 192.168.1.100

crypto map mymap 10 set peer 192.168.1.100

c) Specify which transform set(s) to use:

# crypto map map-name seq-num set transform-set transform-set-name1  [transform-set-name2, ...transform-set-name6]

crypto map mymap 10 set transform-set myset1

d) (Optional) Specify an SA lifetime

# crypto map map-name seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}

e) (Optional) Specify that IPsec requires perfect forward secrecy

crypto map mymap 10 set pfs group2

Step 4: Apply a crypto map set to an interface for evaluating IPsec traffic:

# crypto map map-name interface interface-name

crypto map mymap interface outside
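The four steps above, assembled for both endpoints of the network diagram, as an added example (not configuration from the original page or from any real device): the addresses come from the diagram, while the ACL number, transform-set and crypto-map names are the page's example names. The second function checks a requirement the steps rely on but do not state: the crypto ACL on one peer must be the mirror image of the ACL on the other, otherwise the Phase 2 proxy identities do not match and the IPsec SA is never built.

```python
"""Render the Step 1-4 crypto-map configuration for both tunnel endpoints and
verify that their crypto ACLs mirror each other.  Constructed example; the
site names and outside addresses are taken from the page's network diagram."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: str         # protected LAN network address
    mask: str        # protected LAN netmask
    outside_ip: str  # this endpoint's tunnel (outside) address


def crypto_acl(acl_name: str, local: Site, remote: Site) -> str:
    """Step 1: the access list that selects traffic to protect (local -> remote)."""
    return (f"access-list {acl_name} permit ip "
            f"{local.lan} {local.mask} {remote.lan} {remote.mask}")


def render_site_config(local: Site, remote: Site, acl_name: str = "101",
                       tset: str = "myset1", cmap: str = "mymap", seq: int = 10,
                       pfs: bool = True, interface: str = "outside") -> list:
    """Steps 1-4 for one endpoint, in the order the page gives them."""
    lines = [crypto_acl(acl_name, local, remote)]
    # Step 2: transform set (DES/SHA-1, exactly as on the page; both are weak by today's standards)
    lines.append(f"crypto ipsec transform-set {tset} esp-des esp-sha-hmac")
    # Step 3a-c: crypto map entry referencing the ACL, the peer and the transform set
    lines.append(f"crypto map {cmap} {seq} match address {acl_name}")
    lines.append(f"crypto map {cmap} {seq} set peer {remote.outside_ip}")
    lines.append(f"crypto map {cmap} {seq} set transform-set {tset}")
    if pfs:  # Step 3e: optional PFS
        lines.append(f"crypto map {cmap} {seq} set pfs group2")
    # Step 4: apply the crypto map set to the outside interface
    lines.append(f"crypto map {cmap} interface {interface}")
    return lines


def parse_acl(line: str):
    """Split 'access-list NAME permit ip SRC SMASK DST DMASK' into (src, dst) pairs."""
    p = line.split()
    return (p[4], p[5]), (p[6], p[7])


def acls_are_mirrored(acl_a: str, acl_b: str) -> bool:
    """True when peer B's ACL protects exactly the reverse of peer A's."""
    src_a, dst_a = parse_acl(acl_a)
    src_b, dst_b = parse_acl(acl_b)
    return src_a == dst_b and dst_a == src_b


SITE_A = Site("A", "192.168.1.0", "255.255.255.0", "10.0.1.1")
SITE_B = Site("B", "192.168.2.0", "255.255.255.0", "10.0.2.1")

if __name__ == "__main__":
    cfg_a = render_site_config(SITE_A, SITE_B)
    cfg_b = render_site_config(SITE_B, SITE_A)
    print("\n".join(cfg_a), "\n---\n", "\n".join(cfg_b), sep="")
    print("mirrored:", acls_are_mirrored(cfg_a[0], cfg_b[0]))
```

Run it as a script to print both configurations; the mirror check is the thing to keep when the ACLs are edited by hand on two different boxes.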

Remark

[1] PFS

During the initial IKE Phase 1 negotiation, public DH key values are exchanged to derive the shared secret DH value.  
These public and private DH values are used to generate the session key that encrypts the 5th and 6th main mode exchanges.  
If you do not specify PFS, the same public and private DH values derived in Phase 1 are used to generate the subsequent keying material that protects IPsec traffic.

When PFS is used, an additional DH key exchange is performed in IKE Phase 2.  
These new public/private DH values are then used to generate the keying material for the encrypted IPsec traffic.
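A toy Diffie-Hellman walk-through of the remark above, added here as an example and not part of the original page: it derives IPsec keying material once from the Phase 1 DH value alone (no PFS) and once with a fresh Phase 2 DH value mixed in (PFS), then checks whether someone who later obtains the Phase 1 DH private value can reproduce the IPsec keys. The group parameters and the SHA-256 "kdf" are constructed stand-ins for IKE's MODP groups and PRF-based derivation; the real protocol is more involved, but the dependency shown is the same.

```python
"""Why PFS matters: keying material derived only from the Phase 1 DH value is
recoverable from that value; with PFS a fresh Phase 2 DH value is mixed in.
Constructed example with a tiny group; not for real use."""

import hashlib
import secrets
from typing import Optional

# Toy group (constructed). Real IKE uses MODP groups; the page's "group2" is the
# 1024-bit MODP group. This 31-bit prime is only for readability.
P = 2_147_483_647  # 2^31 - 1
G = 7


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def kdf(label: str, *secrets_in: int) -> str:
    """Stand-in for IKE's PRF-based key derivation (simplified)."""
    h = hashlib.sha256(label.encode())
    for s in secrets_in:
        h.update(s.to_bytes(8, "big"))
    return h.hexdigest()


def phase1_secret(init_priv: int, resp_priv: int) -> int:
    """Shared DH value agreed in IKE Phase 1; both sides compute the same number."""
    s_init = dh_shared(init_priv, dh_public(resp_priv))
    s_resp = dh_shared(resp_priv, dh_public(init_priv))
    assert s_init == s_resp
    return s_init


def ipsec_keys(p1_secret: int, p2_secret: Optional[int] = None) -> str:
    """Keying material for the IPsec SA.
    Without PFS (p2_secret is None) it depends only on the Phase 1 DH value;
    with PFS the fresh Phase 2 DH value is mixed in as well."""
    if p2_secret is None:
        return kdf("ipsec-sa", p1_secret)
    return kdf("ipsec-sa", p1_secret, p2_secret)


def keys_recoverable_from_phase1(init_priv: int, resp_pub: int, observed_keys: str) -> bool:
    """Can a party holding the initiator's Phase 1 DH private value (and the
    responder's public value seen on the wire) reproduce the IPsec keys?
    This is exactly the case PFS is meant to close."""
    return ipsec_keys(dh_shared(init_priv, resp_pub)) == observed_keys


def demo(pfs: bool) -> bool:
    """Run one negotiation and report whether the IPsec keys follow from Phase 1 alone."""
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    p1 = phase1_secret(a, b)
    p2 = None
    if pfs:  # Phase 2 performs its own DH exchange with new private values
        p2 = phase1_secret(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1)
    keys = ipsec_keys(p1, p2)
    return keys_recoverable_from_phase1(a, dh_public(b), keys)


if __name__ == "__main__":
    print("no PFS, keys recoverable from Phase 1 value:", demo(pfs=False))
    print("PFS,    keys recoverable from Phase 1 value:", demo(pfs=True))
```

The first call prints True and the second False: with `set pfs group2` configured, each IPsec SA gets keying material that a Phase 1 compromise does not reveal.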

[2] ISAKMP identity

# Determining an ID Method for ISAKMP Peers

# During Phase I ISAKMP negotiations the peers must identify themselves to each other.

# The default setting is hostname.

crypto isakmp identity address

Verify

 

P1 info.

show crypto isakmp sa

Normal state:

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: w.w.w.w
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

When there is no SA:

There are no isakmp sas

Errors the initiator may show:

  1. MM_WAIT_MSG2
  2. MM_WAIT_MSG4
  3. MM_WAIT_MSG6

MM_WAIT_MSG2

Initiator: initial DH public key sent to the responder.

Awaiting the initial contact reply from the other side.

The initiator stays in MM_WAIT_MSG2 for one of two reasons:

1. an issue with the Phase 1 policies on the remote end, or

2. UDP 500 is not reaching the remote end, or
    the remote end is sending the UDP 500 reply but it is not reaching the local ASA.

# detail

show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.0.2.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85286
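A small parser for `show crypto isakmp sa` output that turns the state column into a verdict, added here as an example (not code from the page): it reads the peer, role and state of each IKE SA, treats MM_ACTIVE as healthy and any MM_WAIT_* state as stuck, and attaches the page's two explanations for MM_WAIT_MSG2. The first sample is the page's normal output; the stuck sample and the generic hint for the other wait states are constructed assumptions.

```python
"""Classify IKE Phase 1 SAs from `show crypto isakmp sa` output.
Added example; NORMAL is the page's sample, STUCK is constructed."""

import re

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")  # "Type : L2L  Role : initiator" pairs

# MM_WAIT_MSG2 text follows the page; the generic hint is an assumption.
STUCK_HINTS = {
    "MM_WAIT_MSG2": ("sent MSG1 and never received MSG2: check the Phase 1 policies "
                     "on the remote end, or UDP 500 is not reaching the remote end / "
                     "its reply is not reaching this ASA"),
}
GENERIC_WAIT = "waiting for the peer's next main-mode message"

NORMAL = """\
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: w.w.w.w
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
"""

STUCK = """\
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 10.0.2.1
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
"""

NONE = "There are no isakmp sas\n"


def parse_isakmp_sa(text: str) -> list:
    """Return one dict per IKE SA with keys peer, type, role, rekey, state."""
    if "There are no isakmp sas" in text:
        return []
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:  # a new SA block starts at every "IKE Peer:" line
            current = {"peer": m.group(1)}
            sas.append(current)
            continue
        if current is not None:
            for key, val in FIELD_RE.findall(line):
                current[key.lower()] = val
    return sas


def assess(sa: dict) -> str:
    state = sa.get("state", "?")
    if state == "MM_ACTIVE":
        return "ok"
    if state.startswith("MM_WAIT_"):
        return f"stuck in {state}: " + STUCK_HINTS.get(state, GENERIC_WAIT)
    return f"unexpected state {state}"


def report(text: str) -> list:
    """One human-readable line per SA, or a single line when none exists."""
    sas = parse_isakmp_sa(text)
    if not sas:
        return ["no Phase 1 SA: negotiation has not started or the SA was cleared"]
    return [f"{sa['peer']} ({sa.get('role', '?')}): {assess(sa)}" for sa in sas]


if __name__ == "__main__":
    for sample in (NORMAL, STUCK, NONE):
        print("\n".join(report(sample)))
```

Feed it the raw output of the command (for example captured over SSH by a monitoring job) and alert on any line that does not end in `ok`.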

P2 info.

show crypto ipsec sa [detail]

Normal state:

interface: outside
    Crypto map tag: map1, seq num: 30, local addr: 10.0.1.1

      access-list crypto_30_al extended permit ip host 192.168.1.254 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.0.2.1

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.1.1, remote crypto endpt.: 10.0.2.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3EEB1391
      current inbound spi : CC665787

    inbound esp sas:
      spi: 0xCC665787 (3429259143)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6467584, crypto-map: map1
         sa timing: remaining key lifetime (kB/sec): (4373999/3324)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000007FF
    outbound esp sas:
      spi: 0x3EEB1391 (1055593361)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6467584, crypto-map: map1
         sa timing: remaining key lifetime (kB/sec): (4373999/3322)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

When there is no connection:

There are no ipsec sas
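The Phase 2 counterpart, added as an example and not code from the page: it parses the packet counters and the per-SA details from `show crypto ipsec sa` and reports the conditions a practitioner checks first. Encapsulated packets with zero decapsulated packets means traffic is leaving but nothing is coming back; non-zero send/recv errors, imminent rekeys (threshold assumed) and the deprecated esp-des/esp-md5-hmac transforms the sample output uses are also flagged. The embedded sample is the page's own output, shortened.

```python
"""Sanity-check `show crypto ipsec sa` output. Added example; SAMPLE is the
page's output shortened, ONE_WAY is a constructed variant with no return traffic."""

import re

COUNTER_RE = re.compile(r"#([\w -]+?):\s*(\d+)")        # "#pkts encaps: 12"
SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")         # per-SA "spi: 0x..." lines
TRANSFORM_RE = re.compile(r"transform:\s*(.+)")
LIFETIME_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")

WEAK_TRANSFORMS = ("esp-des", "esp-md5-hmac")  # deprecated algorithms
REKEY_WARN_SECONDS = 120                       # assumed alerting threshold

SAMPLE = """\
interface: outside
    Crypto map tag: map1, seq num: 30, local addr: 10.0.1.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.0.2.1

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #send errors: 0, #recv errors: 0

      current outbound spi: 3EEB1391
      current inbound spi : CC665787

    inbound esp sas:
      spi: 0xCC665787 (3429259143)
         transform: esp-des esp-md5-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373999/3324)
    outbound esp sas:
      spi: 0x3EEB1391 (1055593361)
         transform: esp-des esp-md5-hmac no compression
         sa timing: remaining key lifetime (kB/sec): (4373999/3322)
"""

ONE_WAY = SAMPLE.replace("#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10",
                         "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_ipsec_sa(text: str):
    """Return {'counters': {...}, 'sas': [...]} or None when no IPsec SA exists."""
    if "There are no ipsec sas" in text:
        return None
    counters = {k.strip(): int(v) for k, v in COUNTER_RE.findall(text)}
    sas, direction, current = [], None, None
    for line in text.splitlines():
        if "inbound esp sas" in line:
            direction = "inbound"
        elif "outbound esp sas" in line:
            direction = "outbound"
        m = SPI_RE.search(line)
        if m:  # each "spi: 0x..." line opens a new SA record
            current = {"direction": direction, "spi": m.group(1)}
            sas.append(current)
            continue
        if current is None:
            continue
        m = TRANSFORM_RE.search(line)
        if m:
            current["transform"] = m.group(1).strip()
        m = LIFETIME_RE.search(line)
        if m:
            current["life_kb"], current["life_sec"] = int(m.group(1)), int(m.group(2))
    return {"counters": counters, "sas": sas}


def findings(parsed) -> list:
    """Conditions worth alerting on, as short strings."""
    if parsed is None:
        return ["no IPsec SA: Phase 2 has not completed"]
    c, out = parsed["counters"], []
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        out.append("one-way traffic: packets encapsulated but none decapsulated "
                   "(remote side not returning traffic, or its traffic is not reaching us)")
    for key in ("send errors", "recv errors"):
        if c.get(key, 0):
            out.append(f"{key}: {c[key]}")
    for sa in parsed["sas"]:
        for weak in WEAK_TRANSFORMS:
            if weak in sa.get("transform", ""):
                out.append(f"{sa['direction']} SA {sa['spi']} uses deprecated {weak}")
        if sa.get("life_sec", REKEY_WARN_SECONDS) < REKEY_WARN_SECONDS:
            out.append(f"{sa['direction']} SA {sa['spi']} rekeys in {sa['life_sec']}s")
    return out


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("one-way", ONE_WAY)):
        print(name, findings(parse_ipsec_sa(text)), sep=": ")
```

On the page's own output the only findings are the DES/MD5 transforms; on the constructed one-way variant the first finding is the missing return traffic, which is the usual symptom when the remote crypto ACL or routing does not send the reply back through the tunnel.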

Statistics

 

# Show ISAKMP statistics

show crypto isakmp stats

    Global IKE Statistics
    Active Tunnels: 0
    Previous Tunnels: 1545
    In Octets: 3915864
    In Packets: 20219
    ...............
    Out Octets: 2695472
    Out Packets: 22221
    ...............

# Show IPsec global statistics

show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 0
Previous tunnels: 4166
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 577500
    Dropped packets: 0
    Replay failures: 0
    Authentications: 577500
    Authentication failures: 0
    Decryptions: 577500
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 0
    Uncompressed bytes: 0
    Packets: 655748
    Dropped packets: 0
    Authentications: 655748
    Authentication failures: 0
    Encryptions: 655748
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

VPN

 

show vpn-sessiondb [opts]

Active Session Summary

Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN               :       0 :          0 :               0
    Clientless only     :       0 :          0 :               0
    With client         :       0 :          0 :               0 :        0
  Email Proxy           :       0 :          0 :               0
  IPsec LAN-to-LAN      :       1 :       1546 :               2
  IPsec Remote Access   :       0 :          0 :               0
  Totals                :       1 :       1546

License Information:
  IPsec   :     25    Configured :     25    Active :      1    Load :   4%
  SSL VPN :      2    Configured :      2    Active :      0    Load :   0%
                            Active : Cumulative : Peak Concurrent
  IPsec               :          1 :       1546 :               2
  SSL VPN             :          0 :          0 :               0
    AnyConnect Mobile :          0 :          0 :               0
    Linksys Phone     :          0 :          0 :               0
  Totals              :          1 :       1546

Tunnels:
               Active : Cumulative : Peak Concurrent
  IKE    :          1 :       1546 :               2
  IPsec  :          1 :       1548 :               3
  Totals :          2 :       3094

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display

Options (opts):

  • l2l          IPsec LAN-to-LAN sessions
  • summary      Show VPN Session summary
  • ...........

show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 10.0.2.1
Index        : 1579                   IP Addr      : 10.0.2.1
Protocol     : IKE IPsec
Encryption   : DES                    Hashing      : MD5
Bytes Tx     : 1270                   Bytes Rx     : 1242
Login Time   : 11:00:32 HKST Wed Jun 25 2014
Duration     : 0h:23m:10s

Disconnect active VPN tunnels

 

# Phase 1 (deletes the active IKE security associations for the specified peer)

clear crypto isakmp sa <peer ip address>

# Phase 2 (deletes the active IPSec security associations for the specified peer)

clear crypto ipsec sa peer <peer IP address>

Debug

 

# default debug level 1

debug crypto isakmp <debug level>

debug crypto ipsec <debug level>
