Date created: Friday, December 14, 2012 1:31:44 PM. Last modified: Sunday, January 20, 2013 4:24:36 PM

ASA 8.3 - IPSEC Tunnel (IKEv1)

As of 8.3 Cisco have changed the way tunnels are configured on ASAs; Additionally, they have introduced a new kind of tunnel called an "IKEv2" tunnel, which has various additional features. A "typical" IPSEC tunnel is therefore now called an "IKEv1" tunnel. This is the configuration for an IKEv1 tunnel below between two ASAs on 8.4.3. This local device config below is only tunneling one local subnet (192.168.100.0/24) but the remote device has multiple remote subnets (192.168.1.0/24, 10.0/24, 20.0/24 and 30.0/24). The configuration is essentially the same for tunnel one subnet or many when using "network" objects, as they are nested into "object-groups". An object-group can contain one network object or many. The same configuration below can be used for many-to-many subnet tunnels or one-to-one subnet tunnels (or in this case, one-to-many), by adding or removing network objects from the appropriate object-group ("RemoteSubnets" or "LocalSubnets").

!
! Define some remote subnets as network objects
!
object network Management
 subnet 192.168.1.0 255.255.255.0
object network Production
 subnet 192.168.10.0 255.255.255.0
object network UAT
 subnet 192.168.20.0 255.255.255.0
object network VPN_Users
 subnet 192.168.30.0 255.255.255.0
!
!
! Group these all up as one object-group
!
object-group network RemoteSubnets
 network-object object Management
 network-object object Production
 network-object object UAT
 network-object object VPN_Users
!
!
! Define the local LAN subnet
!
object network LocalLAN
 subnet 192.168.100.0 255.255.255.0
!
!
! Group this up into an object-group for better flexibility
!
object-group network LocalSubnets
 network-object object LocalLAN
!
!
! Next we must add a rule to not NAT traffic between the local and remote subnets ("No NAT" rules of previous ASA versions are gone, this is how its done now)
! This is required if you have a default NAT rule, but even without, its good practice to have it!
!
nat (inside,outside) source static LocalSubnets LocalSubnets destination static RemoteSubnets RemoteSubnets
!
!
! Start the IPSEC configuration by defining the ISAKMP phase 1 tunnel settings for IKE
!
crypto ikev1 policy 1001
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable inside
crypto ikev1 enable outside
!
!
! Configure the phase 1 tunnel attributes and policy setting this to an IKEv1 tunnel and configuring the PSK
!
tunnel-group 1.1.123.123 type ipsec-l2l
tunnel-group 1.1.123.123 general-attributes
 default-group-policy 1001_LocalSubs-RemoteSubs_GrpPolicy
tunnel-group 1.1.123.123 ipsec-attributes
 ikev1 pre-shared-key woefeagphgpweuhgpe
!
group-policy 1001_LocalSubs-RemoteSubs_GrpPolicy internal
group-policy 1001_LocalSubs-RemoteSubs_GrpPolicy attributes
 vpn-tunnel-protocol ikev1 
!
!
! Create a transform set for the phase 2 tunnel
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
! Now we need an access list that matches all IP traffic between the local subnets and remote subnets
!
access-list outside_1001_cryptomap extended permit ip object-group LocalSubnets object-group RemoteSubnets
!
!
! Create the crypto map for the phase 2 tunnel with our previous transform set and access list (If there is an existing crypto map
! that is configured on the same interface this tunnel with run to/from, extend that crypto map, you can't have multiple different maps
! on the same interface)
!
crypto map outside_map 1001 match address outside_1001_cryptomap
crypto map outside_map 1001 set pfs 
crypto map outside_map 1001 set peer 1.1.123.123
crypto map outside_map 1001 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1001 set security-association lifetime seconds 86400
!
!
! Finally we must enable the crypto map on the outside interface (facing the other VPN endpoint device)
!
crypto map outside_map interface outside