IKEv2 site-to-site VPN between ASA and IOS using a crypto map


lo0 2.2.2.2 R2---------------ASA-4---------------sw3 vlan33 192.168.0.33

R2:
crypto ikev2 proposal IKEv2-PROP
 encryption aes-cbc-128 3des
 integrity sha1
 group 2 5
!
crypto ikev2 policy IKEv2-POL
 match address local 172.24.24.1
 proposal IKEv2-PROP
!
crypto ikev2 keyring KR
 peer ASA-4
  address 172.24.24.4
  pre-shared-key local 0 cisco123
  pre-shared-key remote 0 cisco123
!
crypto ikev2 profile IKEv2-PROF
 match identity remote address 172.24.24.4 255.255.255.255
 identity local address 172.24.24.1
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
crypto ipsec transform-set TSET-ASA-4 esp-3des esp-sha-hmac
! tunnel mode is the default for a transform set, so no "mode tunnel" line is needed
!
ip access-list extended CRYPTO-ACL
 permit ip host 2.2.2.2 host 192.168.0.33
!
crypto map CMAP-IKEv2 10 ipsec-isakmp
 set peer 172.24.24.4
 set transform-set TSET-ASA-4
 set ikev2-profile IKEv2-PROF
 match address CRYPTO-ACL
!
interface GigabitEthernet0/1
 ip address 172.24.24.1 255.255.255.0
 crypto map CMAP-IKEv2

ASA-4:
crypto ikev2 policy 10
 encryption aes 3des
 integrity sha
 group 5 2
 prf sha
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal IKEv2-PROP
 protocol esp encryption aes 3des
 protocol esp integrity sha-1
!
access-list CRYPTO-ACL extended permit ip host 192.168.0.33 host 2.2.2.2
!
crypto map CMAP-IKEv2 10 match address CRYPTO-ACL
crypto map CMAP-IKEv2 10 set peer 172.24.24.1
crypto map CMAP-IKEv2 10 set ikev2 ipsec-proposal IKEv2-PROP
crypto map CMAP-IKEv2 interface outside
!
tunnel-group 172.24.24.1 type ipsec-l2l
tunnel-group 172.24.24.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 0 cisco123
 ikev2 local-authentication pre-shared-key 0 cisco123
!
interface Vlan13
 nameif outside
 security-level 0
 ip address 172.24.24.4 255.255.255.0
!
route outside 2.2.2.2 255.255.255.255 172.24.24.1

Verification:

R2#ping 192.168.0.33 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.33, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

R2#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 172.24.24.1/500 172.24.24.4/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/38 sec
CE id: 1022, Session-id: 7
Status Description: Negotiation done
Local spi: E8CD52B49258D592 Remote spi: E3B183B4B991283D
Local id: 172.24.24.1
Remote id: 172.24.24.4
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
IPv6 Crypto IKEv2 SA

R2#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: CMAP-IKEv2, local addr 172.24.24.1
protected vrf: (none)
local ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.0.33/255.255.255.255/0/0)
current_peer 172.24.24.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 73, #pkts encrypt: 73, #pkts digest: 73
#pkts decaps: 69, #pkts decrypt: 69, #pkts verify: 69
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.24.24.1, remote crypto endpt.: 172.24.24.4
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x74F360E4(1962107108)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB81AC94F(3088763215)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2014, flow_id: Onboard VPN:14, sibling_flags 80000040, crypto map: CMAP-IKEv2
sa timing: remaining key lifetime (k/sec): (4240126/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x74F360E4(1962107108)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2013, flow_id: Onboard VPN:13, sibling_flags 80000040, crypto map: CMAP-IKEv2
sa timing: remaining key lifetime (k/sec): (4240126/3499)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:

sw3#ping 2.2.2.2 source vlan 33 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.33
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/9 ms

asa-4# sh crypto ipsec sa detail
interface: outside
Crypto map tag: CMAP-IKEv2, seq num: 10, local addr: 172.24.24.4
access-list CRYPTO-ACL extended permit ip host 192.168.0.33 host 2.2.2.2
local ident (addr/mask/prot/port): (192.168.0.33/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 172.24.24.1
#pkts encaps: 104, #pkts encrypt: 104, #pkts digest: 104
#pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 104, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 172.24.24.4/500, remote crypto endpt.: 172.24.24.1/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B81AC94F
current inbound spi : 74F360E4
inbound esp sas:
spi: 0x74F360E4 (1962107108)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: CMAP-IKEv2
sa timing: remaining key lifetime (kB/sec): (3916789/28564)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB81AC94F (3088763215)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: CMAP-IKEv2
sa timing: remaining key lifetime (kB/sec): (3962869/28564)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

asa-4# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
493044183 172.24.24.4/500 172.24.24.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/297 sec
Session-id: 7
Status Description: Negotiation done
Local spi: E3B183B4B991283D Remote spi: E8CD52B49258D592
Local id: 172.24.24.4
Remote id: 172.24.24.1
Local req mess id: 22 Remote req mess id: 2
Local next mess id: 22 Remote next mess id: 2
Local req queued: 22 Remote req queued: 2
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 192.168.0.33/0 - 192.168.0.33/65535
remote selector 2.2.2.2/0 - 2.2.2.2/65535
ESP spi in/out: 0x74f360e4/0xb81ac94f
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: 3DES, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

asa-4# sh vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 172.24.24.1
Index : 7 IP Addr : 172.24.24.1
Protocol : IKEv2 IPsec
Encryption : AES128 3DES Hashing : SHA1 SHA1
Bytes Tx : 10400 Bytes Rx : 10400
Login Time : 10:32:09 UTC Tue Apr 8 2014
Duration : 0h:05m:43s
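As an added example (not part of these lab notes), a small Python audit that parses the R2 "show crypto ikev2 sa detailed" and "show crypto ipsec sa" output above and flags negotiated settings below current guidance: the IKE SA landed on AES-128 (both peers offer AES and 3DES), while the child SA is 3DES because TSET-ASA-4 offers only esp-3des, and both layers use SHA1-based integrity with DH group 2. The sample text is constructed from the output lines above; the weak-algorithm thresholds are this example's own assumptions.

```python
import re

# Constructed sample: key lines copied from the R2 verification output above.
IKEV2_SA = """\
Tunnel-id Local Remote fvrf/ivrf Status
1 172.24.24.1/500 172.24.24.4/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/38 sec
"""
IPSEC_SA = """\
inbound esp sas:
spi: 0xB81AC94F(3088763215)
transform: esp-3des esp-sha-hmac ,
outbound esp sas:
spi: 0x74F360E4(1962107108)
transform: esp-3des esp-sha-hmac ,
"""

def parse_ikev2_sa(text):
    """Extract the negotiated IKE SA algorithms from 'show crypto ikev2 sa detailed'."""
    m = re.search(r"Encr: (\S+), keysize: (\d+), Hash: (\S+), DH Grp:(\d+)", text)
    if not m:
        raise ValueError("no IKEv2 SA algorithm line found")
    return {"encr": m.group(1), "keysize": int(m.group(2)),
            "hash": m.group(3), "dh_group": int(m.group(4))}

def parse_esp_transforms(text):
    """Return the distinct (encryption, integrity) pairs of the ESP SAs."""
    return sorted(set(re.findall(r"transform: (esp-\S+) (esp-\S+)", text)))

def audit(ike, transforms):
    """List (layer, issue) findings for algorithms below current guidance (assumed
    thresholds). SHA96 in the IOS output is HMAC-SHA1-96; esp-sha-hmac is HMAC-SHA1."""
    findings = []
    if ike["dh_group"] < 14:
        findings.append(("ike", f"DH group {ike['dh_group']} (prefer 14 or higher)"))
    if ike["encr"] == "3DES" or ike["keysize"] < 128:
        findings.append(("ike", f"encryption {ike['encr']}-{ike['keysize']}"))
    if ike["hash"] == "SHA96":
        findings.append(("ike", f"integrity {ike['hash']} (SHA1 based)"))
    for enc, auth in transforms:
        if enc in ("esp-des", "esp-3des"):
            findings.append(("ipsec", f"encryption {enc}"))
        if auth in ("esp-md5-hmac", "esp-sha-hmac"):
            findings.append(("ipsec", f"integrity {auth} (SHA1/MD5 based)"))
    return findings

if __name__ == "__main__":
    for layer, issue in audit(parse_ikev2_sa(IKEV2_SA), parse_esp_transforms(IPSEC_SA)):
        print(f"{layer}: {issue}")
```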