\ntunnel-group VPN_F14-F16<\/span> type ipsec-l2l<\/span>
\ntunnel-group VPN_F14-F16<\/span> ipsec-attributes
\nikev1 pre-shared-key 123456
\n(The tunnel name for dynamic address end point is similar with Cisco remote access)
\n<\/span><\/td>\n | tunnel-group 10.50.2.10<\/span> type ipsec-l2l
\ntunnel-group 10.50.2.10<\/span> ipsec-attributes
\nikev1 pre-shared-key 123456
\n(The tunnel configuration in ASA-F16 does not have anything special)
\n<\/span><\/td>\n<\/tr>\n\ntunnel-group testgroup type remote-access<\/span>
\ntunnel-group testgroup general-attributes
\naddress-pool ciscovpn_pool
\ndefault-group-policy testgroup
\ntunnel-group testgroup ipsec-attributes
\nikev1 pre-shared-key cisco123<\/span><\/td>\n | <\/td>\n<\/tr>\n | \ncrypto dynamic-map cisco_remote_vpn 5 set ikev1 transform-set ESP-3DES-MD5
\ncrypto dynamic-map cisco_remote_vpn 5 set reverse-route
\n<\/span><\/td>\n |
\n<\/span><\/td>\n<\/tr>\n\ncrypto dynamic-map L2L-dynamic_IP 5 match address vpn-F14_to_F16
\ncrypto dynamic-map L2L-dynamic_IP 5 set ikev1 transform-set ESP-3DES-MD5
\n<\/span><\/td>\n |
\n<\/span><\/td>\n<\/tr>\n\ncrypto map vpn 65530 ipsec-isakmp dynamic L2L-dynamic_IP
\n(The L2L vpn is slightly higher than the Cisco VPN client profile)
\n<\/span><\/td>\n | crypto map vpn 50 match address vpn-F16_to_F14
\ncrypto map vpn 50 set peer 10.50.2.10
\ncrypto map vpn 50 set ikev1 phase1-mode aggressive
\ncrypto map vpn 50 set ikev1 transform-set ESP-3DES-MD5<\/span><\/span><\/td>\n<\/tr>\n\ncrypto map vpn 65535 ipsec-isakmp dynamic cisco_remote_vpn
\n<\/span><\/td>\n |
\n<\/span><\/td>\n<\/tr>\n\ncrypto map vpn interface untrust
\ncrypto ikev1 enable untrust
\n<\/span><\/td>\n | crypto map vpn interface untrust
\ncrypto ikev1 enable untrust
\n<\/span><\/td>\n<\/tr>\n\ncrypto ikev1 policy 1
\nauthentication pre-share
\nencryption 3des
\nhash sha
\ngroup 2
\nlifetime 86400
\ncrypto ikev1 policy 10
\nauthentication pre-share
\nencryption des
\nhash sha
\ngroup 2
\nlifetime 86400<\/span><\/td>\n | crypto ikev1 policy 1
\nauthentication pre-share
\nencryption 3des
\nhash sha
\ngroup 2
\nlifetime 86400
\ncrypto ikev1 policy 10
\nauthentication pre-share
\nencryption des
\nhash sha
\ngroup 2
\nlifetime 86400<\/span><\/td>\n<\/tr>\n\naccess-list vpn-F14_to_F16 extended permit ip 192.168.104.0 255.255.255.0 192.168.106.0 255.255.255.128
\n<\/span><\/td>\n | access-list vpn-F16_to_F14 extended permit ip 192.168.106.0 255.255.255.128 192.168.104.0 255.255.255.0
\n<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nThe testing result:
\nThe ikev1 sa:
\nSince ASA-F16 does not have static IP address, the tunnel will be always initial right from F16 to F14, which is similar with the Cisco vpn client.<\/p>\n
\n\n\n| net-vASA-AS5052-F14# show crypto ikev1 sa<\/span><\/td>\n | net-vASA-AS5052-F16# show crypto ikev1 sa<\/span><\/td>\n<\/tr>\n\nIKEv1 SAs:<\/span>
\nActive SA: 2
\nRekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
\nTotal IKE SA: 2<\/span>
\n1\u00a0\u00a0 IKE Peer: 10.50.2.18
\nType\u00a0\u00a0\u00a0 : L2L<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Role\u00a0\u00a0\u00a0 : responder<\/span><\/strong>
\nRekey\u00a0\u00a0 : no\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 State\u00a0\u00a0 : AM_ACTIVE
\n2\u00a0\u00a0 IKE Peer: 192.168.109.10
\nType\u00a0\u00a0\u00a0 : user<\/span>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Role\u00a0\u00a0\u00a0 : responder
\nRekey\u00a0\u00a0 : no\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 State\u00a0\u00a0 : AM_ACTIVE<\/span><\/td>\nIKEv1 SAs:<\/span>
\nActive SA: 1
\nRekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
\nTotal IKE SA: 1<\/span>
\n1\u00a0\u00a0 IKE Peer: 10.50.2.10
\nType\u00a0\u00a0\u00a0 : L2L\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Role\u00a0\u00a0\u00a0 : initiator<\/span><\/strong>
\nRekey\u00a0\u00a0 : no\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 State\u00a0\u00a0 : AM_ACTIVE<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nThe ipsec sa from both ASA.<\/p>\n
\n\n\nnet-vASA-AS5052-F14# sho crypto ipsec sa
\n<\/span><\/td>\n | net-AS5052-vASA-F16# sho crypto ipsec sa<\/span><\/td>\n<\/tr>\n\ninterface: untrust
\nCrypto map tag: L2L-dynamic_IP, seq num: 5, local addr: 10.50.2.10<\/span><\/span><\/span>access-list vpn-F14_to_F16 extended permit ip 192.168.104.0 255.255.255.0 192.168.106.0 255.255.255.128
\nlocal ident (addr\/mask\/prot\/port): (192.168.104.0\/255.255.255.0\/0\/0)
\nremote ident (addr\/mask\/prot\/port): (192.168.106.0\/255.255.255.128\/0\/0)
\ncurrent_peer: 10.50.2.18<\/span>#pkts encaps: 36168, #pkts encrypt: 36168, #pkts digest: 36168
\n#pkts decaps: 36168, #pkts decrypt: 36168, #pkts verify: 36168
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 36168, #pkts comp failed: 0, #pkts decomp failed: 0
\n#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
\n#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
\n#TFC rcvd: 0, #TFC sent: 0
\n#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
\n#send errors: 0, #recv errors: 0<\/span>local crypto endpt.: 10.50.2.10\/0, remote crypto endpt.: 10.50.2.18\/0
\npath mtu 1500, ipsec overhead 58(36), media mtu 1500
\nPMTU time remaining (sec): 0, DF policy: copy-df
\nICMP error validation: disabled, TFC packets: disabled
\ncurrent outbound spi: 19C913BD
\ncurrent inbound spi : B6018C1C<\/span>inbound esp sas:
\nspi: 0xB6018C1C (3053554716)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={L2L, Tunnel, IKEv1, }
\nslot: 0, conn_id: 540672, crypto-map: L2L-dynamic_IP
\nsa timing: remaining key lifetime (kB\/sec): (3912880\/10092)
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0xFFFFFFFF 0xFFFFFFFF
\noutbound esp sas:
\nspi: 0x19C913BD (432608189)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={L2L, Tunnel, IKEv1, }
\nslot: 0, conn_id: 540672, crypto-map: L2L-dynamic_IP
\nsa timing: remaining key lifetime (kB\/sec): (3912880\/10092)
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0x00000000 0x00000001<\/span><\/td>\n | interface: untrust
\nCrypto map tag: vpn, seq num: 50, local addr: 10.50.2.18<\/span>access-list vpn-F16_to_F14 extended permit ip 192.168.106.0 255.255.255.128 192.168.104.0 255.255.255.0
\nlocal ident (addr\/mask\/prot\/port): (192.168.106.0\/255.255.255.128\/0\/0)
\nremote ident (addr\/mask\/prot\/port): (192.168.104.0\/255.255.255.0\/0\/0)
\ncurrent_peer: 10.50.2.10<\/span>#pkts encaps: 36041, #pkts encrypt: 36041, #pkts digest: 36041
\n#pkts decaps: 36041, #pkts decrypt: 36041, #pkts verify: 36041
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 36041, #pkts comp failed: 0, #pkts decomp failed: 0
\n#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
\n#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
\n#TFC rcvd: 0, #TFC sent: 0
\n#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
\n#send errors: 0, #recv errors: 0<\/span>local crypto endpt.: 10.50.2.18\/0, remote crypto endpt.: 10.50.2.10\/0
\npath mtu 1500, ipsec overhead 58(36), media mtu 1500
\nPMTU time remaining (sec): 0, DF policy: copy-df
\nICMP error validation: disabled, TFC packets: disabled
\ncurrent outbound spi: B6018C1C
\ncurrent inbound spi : 19C913BD<\/span>inbound esp sas:
\nspi: 0x19C913BD (432608189)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={L2L, Tunnel, IKEv1, }
\nslot: 0, conn_id: 503808, crypto-map: vpn
\nsa timing: remaining key lifetime (kB\/sec): (4371888\/10156)
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0xFFFFFFFF 0xFFFFFFFF
\noutbound esp sas:
\nspi: 0xB6018C1C (3053554716)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={L2L, Tunnel, IKEv1, }
\nslot: 0, conn_id: 503808, crypto-map: vpn
\nsa timing: remaining key lifetime (kB\/sec): (4371888\/10156)
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0x00000000 0x00000001<\/span><\/td>\n<\/tr>\n\nCrypto map tag: cisco_remote_vpn, seq num: 5, local addr: 10.50.2.10<\/span>
\nlocal ident (addr\/mask\/prot\/port): (0.0.0.0\/0.0.0.0\/0\/0)
\nremote ident (addr\/mask\/prot\/port): (192.168.0.10\/255.255.255.255\/0\/0)
\ncurrent_peer: 192.168.109.10, username: netuser
\ndynamic allocated peer ip: 192.168.0.10
\ndynamic allocated peer ip(ipv6): 0.0.0.0<\/span>
\n#pkts encaps: 25946, #pkts encrypt: 25946, #pkts digest: 25946
\n#pkts decaps: 25946, #pkts decrypt: 25946, #pkts verify: 25946
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 25946, #pkts comp failed: 0, #pkts decomp failed: 0
\n#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
\n#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
\n#TFC rcvd: 0, #TFC sent: 0
\n#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
\n#send errors: 0, #recv errors: 0<\/span>
\nlocal crypto endpt.: 10.50.2.10\/0, remote crypto endpt.: 192.168.109.10\/0
\npath mtu 1500, ipsec overhead 58(36), media mtu 1500
\nPMTU time remaining (sec): 0, DF policy: copy-df
\nICMP error validation: disabled, TFC packets: disabled
\ncurrent outbound spi: 8C8BE792
\ncurrent inbound spi : 64FABA97<\/span>
\ninbound esp sas:
\nspi: 0x64FABA97 (1694153367)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={RA, Tunnel, IKEv1, }
\nslot: 0, conn_id: 532480, crypto-map: cisco_remote_vpn
\nsa timing: remaining key lifetime (sec): 25858
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0xFFFFFFFF 0xFFFFFFFF
\noutbound esp sas:
\nspi: 0x8C8BE792 (2357979026)
\ntransform: esp-3des esp-md5-hmac no compression
\nin use settings ={RA, Tunnel, IKEv1, }
\nslot: 0, conn_id: 532480, crypto-map: cisco_remote_vpn
\nsa timing: remaining key lifetime (sec): 25858
\nIV size: 8 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0x00000000 0x00000001<\/span><\/td>\n | <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\nPing test:
\nThe ASA-F16 shows the 192.168.106.10 can ping to 192.168.104.10.
\nThe ASA-F14 shows the both L2L VPN and remote vpn can ping to 192.168.104.10.<\/p>\n
\n\n\nnet-AS5052-vASA-F16# sho conn | in ICMP
\nICMP untrust 192.168.104.10:0 trust\u00a0 192.168.106.10:512, idle 0:00:00, bytes 72736, flags
\nICMP untrust 192.168.104.10:512 trust\u00a0 192.168.106.10:0, idle 0:00:00, bytes 72896, flags
\n<\/span><\/td>\n<\/tr>\n\nnet-vASA-AS5052-F14# sho conn | in ICMP
\nICMP untrust 192.168.0.10<\/span>:768 trust\u00a0 192.168.104.10:0, idle 0:00:00, bytes 916384, flags
\nICMP untrust 192.168.106.10<\/span>:512 trust\u00a0 192.168.104.10:0, idle 0:00:00, bytes 92672, flags
\n<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nFrom the lab above, it shows the ASA to run the IPSec VPN with dynamic IP address does not have any issue. Plus, it can co-operate with the Cisco vpn client.<\/p>\n","protected":false},"excerpt":{"rendered":" Setting up a policy based site to site IPSec VPN tunnel with static IP address is quite stright forward in Cisco ASA, but what if one of the end point is using dymanic IP address? In this lab, I will be using 2 virtual ASA (9.6(2)) to create a site to site IPSec VPN tunnel, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,3],"tags":[14,26,28,71,84,96,136,163,195,207],"class_list":["post-1371","post","type-post","status-publish","format-standard","hentry","category-networking","category-virtualization","tag-asa-en","tag-cisco-en","tag-cisco-vpn-client-en","tag-ikev1-en","tag-ipsec-en","tag-l2l-en","tag-remote-vpn-en","tag-site-to-site-en","tag-virtual-asa-en","tag-vpn-en"],"_links":{"self":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/1371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1371"}],"version-history":[{"count":0,"href":"http:\/\/notes4it.com\/index.php?rest_route=\/wp\/v2\/posts\/1371\/revisions"}],"wp:attachment":[{"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1371"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/notes4it.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} | | | | | | | | | | | | | | | |
![\"20161221-mpls-2vrfs\"](\"https:\/\/networkingnotesblog.files.wordpress.com\/2016\/12\/20161221-mpls-2vrfs.png\")