
IKEv2 Site to Site VPN Tunnel on ASA

Network Diagram

Site-A ASA Configuration

object-group network Site-A-Subnets
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0

object-group network Site-B-Subnets
   network-object 10.1.1.0 255.255.255.0
   network-object 10.1.2.0 255.255.255.0


access-list S2S-VPN-ACL extended permit ip object-group Site-A-Subnets object-group Site-B-Subnets

nat (inside,outside) source static Site-A-Subnets Site-A-Subnets destination static Site-B-Subnets Site-B-Subnets no-proxy-arp route-lookup description VPN NAT EXEMPTION

group-policy GroupPolicy_ikev2 internal
group-policy GroupPolicy_ikev2 attributes
   vpn-tunnel-protocol ikev2

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
   default-group-policy GroupPolicy_ikev2
tunnel-group 2.2.2.2 ipsec-attributes
   pre-shared-key 123456
   ikev2 remote-authentication pre-shared-key abcd
   ikev2 local-authentication pre-shared-key efgh

crypto ikev2 policy 50
   encryption aes-256
   integrity sha256
   group 14
   prf sha256
   lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal S2S-VPN-TRANSFORM
   protocol esp encryption aes-256
   protocol esp integrity sha-256

crypto map OUTSIDE_CMAP 80 match address S2S-VPN-ACL
crypto map OUTSIDE_CMAP 80 set peer 2.2.2.2
crypto map OUTSIDE_CMAP 80 set ikev2 ipsec-proposal S2S-VPN-TRANSFORM
crypto map OUTSIDE_CMAP interface outside
crypto isakmp identity address

crypto ikev2 enable outside

IMPORTANT TIPS

  • Don’t introduce a new crypto map name (such as “OUTSIDE_CMAP” here) if this firewall already has a crypto map applied to the outside interface and VPN tunnels running on it. Applying a differently named crypto map to the interface replaces the existing one, and all the existing VPN tunnels will go down. Instead, reuse the existing crypto map name with a different sequence number (like the 80 I used here)
  • Configure routes on the firewall for the internal subnets (if not already done)
  • Configure routes for Site-B subnets on Site-A internal network (all the way up to the firewall)
  • Replicate the configuration on Site-B (S2S, routes on the firewall and the internal network) – the configuration above is for the Site-A firewall. On the Site-B firewall, invert the source and destination subnets in the ACL and NAT, use the 1.1.1.1 IP address for the tunnel-group and peer, and swap the ikev2 local/remote pre-shared keys (Site-A’s local key is Site-B’s remote key, and vice versa)
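The mirrored Site-B configuration produced by following the tips above, written out as an added example (it is not part of the original post). It assumes the Site-A outside address is 1.1.1.1, that the Site-B subnets are /24 networks, and that Site-B has no crypto map on its outside interface yet.

```cisco
! Site-B ASA: same objects, ACL and NAT exemption with source/destination swapped
object-group network Site-B-Subnets
   network-object 10.1.1.0 255.255.255.0
   network-object 10.1.2.0 255.255.255.0

object-group network Site-A-Subnets
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0

access-list S2S-VPN-ACL extended permit ip object-group Site-B-Subnets object-group Site-A-Subnets

nat (inside,outside) source static Site-B-Subnets Site-B-Subnets destination static Site-A-Subnets Site-A-Subnets no-proxy-arp route-lookup description VPN NAT EXEMPTION

group-policy GroupPolicy_ikev2 internal
group-policy GroupPolicy_ikev2 attributes
   vpn-tunnel-protocol ikev2

! Peer is now Site-A (1.1.1.1); the IKEv2 keys are the Site-A keys swapped:
! Site-A local (efgh) -> Site-B remote, Site-A remote (abcd) -> Site-B local.
! The IKEv1 "pre-shared-key" line is omitted because only IKEv2 is enabled.
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
   default-group-policy GroupPolicy_ikev2
tunnel-group 1.1.1.1 ipsec-attributes
   ikev2 remote-authentication pre-shared-key efgh
   ikev2 local-authentication pre-shared-key abcd

! IKEv2 policy and IPsec proposal must match Site-A exactly
crypto ikev2 policy 50
   encryption aes-256
   integrity sha256
   group 14
   prf sha256
   lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal S2S-VPN-TRANSFORM
   protocol esp encryption aes-256
   protocol esp integrity sha-256

crypto map OUTSIDE_CMAP 80 match address S2S-VPN-ACL
crypto map OUTSIDE_CMAP 80 set peer 1.1.1.1
crypto map OUTSIDE_CMAP 80 set ikev2 ipsec-proposal S2S-VPN-TRANSFORM
crypto map OUTSIDE_CMAP interface outside
crypto isakmp identity address

crypto ikev2 enable outside
```

After both sides are applied, the tunnel comes up on the first interesting traffic that matches S2S-VPN-ACL; a proposal, key or ACL mismatch shows up as a failed IKE_SA_INIT/IKE_AUTH or a missing child SA rather than a tunnel that passes traffic.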
