LAN-to-LAN IPSec VPN between PIX/ASA 7.2 hub and IOS spokes with dynamic IP addresses
From Internetworkpro
Contents |
[edit] Overview
The PIX/ASA 7.2 can terminate IPSec LAN-to-LAN tunnels from spokes with dynamic IP addresses.
Normally, everything that will do plain IPSec L2L with preshared keys (so no EzVPN/xauth or certificates) with dynamic IP addresses goes into the predefined tunnel-group DefaultL2LGroup, because you do not know the IP address of the spoke that usually defines as the name of your self-defined tunnel-group.
If you want to assign your spokes into different tunnel-groups with their own group-policies, the spoke needs to deliver a hint to the appliance during Phase 1, allowing the security appliance to put the spoke into the correct group. This must be done via Aggressive Mode Exchange (thanks, danshtr) by defining a FQDN and the preshared key.
This has also been tested on the following versions of ASA: 7.0(8)
For the reverse config see LAN-to-LAN_IPSec_VPN_between_IOS_hub_and_PIX/ASA_7.2_spokes_with_dynamic_IP_addresses
[edit] Configurations
The PIX/ASA hub config:
! tunnel group definition tunnel-group TGNAME type ipsec-l2l tunnel-group TGNAME general-attributes default-group-policy GPNAME tunnel-group TGNAME ipsec-attributes pre-shared-key <preshared key> ! group-policy definition group-policy GPNAME internal group-policy GPNAME attributes ! we filter traffic from/to the spoke with an ACL vpn-filter value ACLNAMEfilter ! we allow IPSec as tunnel protocol only vpn-tunnel-protocol IPSec ! the ACL describes traffic in the form <src: spoke networks> <dst: hub networks> access-list ACLNAMEfilter extended permit ... ! make sure you have a dynamic crypto map and generic IKE and IPSec policies defined crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400
The IOS spoke config:
crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp peer address XXX.XXX.XXX.XXX set aggressive-mode password <preshared key> set aggressive-mode client-endpoint fqdn <ASA tunnel group name, TGNAME in the example above> ! ! crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac crypto map mymap 1 ipsec-isakmp set peer XXX.XXX.XXX.XXX set transform-set myset set pfs group2 match address CMAP-ACL ! ip access-list extended CMAP-ACL permit ip <spoke nw> <hub nw> ! interface <external interface> crypto-map mymap
[edit] traffic flow considerations
The PIX/ASA vpn-filter describes only spoke-initiated traffic.
If you want to permit ASA-inside initiated traffic destined to the spoke, you have to include this traffic definition in your inside access-list.
In addition, make sure that you route the spoke LAN network via the ASA outside interface (default route or specific prefix) or turn on reverse-route-injection. This is not needed if you want to permit spoke-initiated traffic only.
The ASA will *not* allow spoke-spoke communication relayed through the security appliance by default (opposite to IOS routers). Each VPN tunnel is considered to be on the outside interface, so traffic between two tunnels flows in the outside interface and gets relayed out of the outside interface. Traffic coming in and then forwarded out of the same interface is denied by the security appliance by default; you have to enable this behavior with
same-security-traffic permit intra-interface
on the appliance. Also ensure that your vpn-filter definition permits the flow.
[edit] References
Initiate Aggressive Mode in IOS
--84.183.120.146 05:01, 29 April 2007 (CDT)
