FlexVPN ASA-IOS
R2
int Loopback10
ip address 12.12.12.12 255.255.255.0
!
int g0/1
ip address 172.24.24.1 255.255.255.0
!
crypto ikev2 proposal IKEv2-PROP
encryption 3des
integrity sha1 md5
group 5 2
!
crypto pki certificate map CERT-MAP 10
subject-name co ou = cisco
!
crypto ikev2 policy IKEv2-POL
proposal IKEv2-PROP
!
crypto ikev2 keyring KR
peer ASA-4
address 172.24.24.4
pre-shared-key local cisco123
pre-shared-key remote cisco123
// to store the pre-shared keys above encrypted (type 6) instead of in clear text:
R2(config)#password encryption aes
R2(config)#key config-key password-encrypt
!
crypto ikev2 profile IKEv2-PROF
match certificate CERT-MAP
authentication local pre-share
authentication remote rsa-sig
keyring local KR
pki trustpoint IOS-CA
!
crypto ipsec transform-set TSET-ASA-4 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-PROF
set transform-set TSET-ASA-4
set ikev2-profile IKEv2-PROF
!
int Tunnel12
ip unnumbered g0/1
tunnel source g0/1
tunnel mode ipsec ipv4
tunnel destination 172.24.24.4
tunnel protection ipsec profile IPSEC-PROF
!
ip route 172.44.44.1 255.255.255.255 Tunnel12
ASA-4
int e0/0
switchport access vlan 13
!
int e0/1
switchport access vlan 50
int Vlan13
nameif outside
security-level 0
ip address 172.24.24.4 255.255.255.0
!
int Vlan50
nameif inside
security-level 100
ip address 172.44.44.1 255.255.255.0
!
crypto ikev2 policy 10
encryption 3des
integrity sha
group 5
prf sha
lifetime seconds 86400
!
access-list 150 extended permit ip host 172.44.44.1 host 12.12.12.12
!
crypto ipsec ikev2 ipsec-proposal PROP-IPSEC
protocol esp encryption 3des
protocol esp integrity sha-1 md5
!
crypto map CMAP 10 match address 150
crypto map CMAP 10 set peer 172.24.24.1
crypto map CMAP 10 set ikev2 ipsec-proposal PROP-IPSEC
crypto map CMAP 10 set trustpoint IOS-CA
crypto map CMAP interface outside
!
crypto ikev2 enable outside
!
tunnel-group 172.24.24.1 type ipsec-l2l
tunnel-group 172.24.24.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication certificate IOS-CA
// to see the pre-shared key above in clear text in the config:
asa-4# more system:running-config
!
route outside 0.0.0.0 0.0.0.0 172.24.24.1
Let's test it from R2:
R2#ping 172.44.44.1 source loopback 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.44.44.1, timeout is 2 seconds:
Packet sent with a source address of 12.12.12.12
.....
Success rate is 0 percent (0/5)
Checking routing:
R2#sh ip route 172.44.44.1
% Network not in table
// there is no route because the line protocol of Tunnel12 is down, so the static route pointing at Tunnel12 is not installed
R2#sh ip int brief tunnel 12
Interface IP-Address OK? Method Status Protocol
Tunnel12 172.24.24.1 YES TFTP up down
Let's test it from ASA-4.
// but how do we ping from the inside interface? Enable management-access on it:
asa-4(config)# management-access inside
asa-4# ping inside 12.12.12.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
?!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
asa-4# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:25, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
692128737 172.24.24.4/500 172.24.24.1/500 READY INITIATOR
Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: RSA, Auth verify: PSK
Life/Active Time: 86400/9 sec
Session-id: 25
Status Description: Negotiation done
Local spi: CF7C5BE1864EEAD6 Remote spi: 09B78DAFBA000A9F
Local id: hostname=asa-4.lab.com,cn=asa-4.lab.com,ou=CISCO,c=PL
Remote id: 172.24.24.1
Local req mess id: 2 Remote req mess id: 0
Local next mess id: 2 Remote next mess id: 0
Local req queued: 2 Remote req queued: 0
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 172.44.44.1/0 - 172.44.44.1/65535
remote selector 12.12.12.12/0 - 12.12.12.12/65535
ESP spi in/out: 0x636ba399/0x1af7b884
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: 3DES, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
A larger ping to check that traffic is actually encrypted:
asa-4# ping inside 12.12.12.12 repeat 500
Type escape sequence to abort.
Sending 500, 100-byte ICMP Echos to 12.12.12.12, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!
Success rate is 100 percent (500/500), round-trip min/avg/max = 1/1/10 ms
and the IPsec SA counters:
asa-4# sh crypto ipsec sa detail
interface: outside
Crypto map tag: CMAP, seq num: 10, local addr: 172.24.24.4
access-list 100 extended permit ip host 172.44.44.1 host 12.12.12.12
local ident (addr/mask/prot/port): (172.44.44.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (12.12.12.12/255.255.255.255/0/0)
current_peer: 172.24.24.1
#pkts encaps: 504, #pkts encrypt: 504, #pkts digest: 504
#pkts decaps: 504, #pkts decrypt: 504, #pkts verify: 504
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 504, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.24.24.4/500, remote crypto endpt.: 172.24.24.1/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: F135F870
current inbound spi : 944C0BE9
inbound esp sas:
spi: 0x944C0BE9 (2488011753)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 434176, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4054990/28783)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF135F870 (4046846064)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 434176, crypto-map: CMAP
sa timing: remaining key lifetime (kB/sec): (4101070/28783)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Check on R2:
R2#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 172.24.24.1/500 172.24.24.4/500 none/none READY
Encr: 3DES, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: RSA
Life/Active Time: 86400/17 sec
CE id: 1832, Session-id: 26
Status Description: Negotiation done
Local spi: 07E2BAC60790AC55 Remote spi: 77C2A53023C6CCBA
Local id: 172.24.24.1
Remote id: hostname=asa-4.lab.com,cn=asa-4.lab.com,ou=CISCO,c=PL
Local req msg id: 1 Remote req msg id: 2
Local next msg id: 1 Remote next msg id: 2
Local req queued: 1 Remote req queued: 2
Local window: 5 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Cisco Trust Security SGT is disabled