hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more… To contact me, send an email to: myitmicroblog@gmail.com



GET VPN - part one

Today I would like to implement a GET VPN solution based on the following scenario:

getvpn-1.jpg

As you can see, there are many components: two key servers, a CA server, three group members and one firewall. I start the configuration with only one key server and without the CA server; later on I will add them to the design.

Key Server 1:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
!
crypto gdoi group GDOI-GROUP
 identity number 1
 server local
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 101
   replay counter window-size 64
  address ipv4 3.3.3.2
!
ip route 0.0.0.0 0.0.0.0 3.3.3.1
!
access-list 101 permit ip
...



ikev2 - ASA & IOS - part two

In this post I would like to analyze the most common mistakes and check how we can troubleshoot them. Please see my previous post to learn more about the scenario and the configuration:

http://myitmicroblog.svbtle.com/ikev2-asa-ios-part-one

1. Problem 1

I have changed the configuration and now try to establish the secure connection:

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

On the ASA and the router I enabled the debug command:

asa2# debug crypto ikev2 protocol 127
asa2# IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (6): Getting
...



ikev2 - ASA & IOS - part one

Today I would like to work with the new Internet Key Exchange protocol version 2 (IKEv2), which was introduced some time ago. It is a totally new protocol (https://tools.ietf.org/html/rfc7296) and cannot be considered an updated IKEv1. You cannot mix these versions because they are not compatible. In today’s scenario I need to build a secure connection between two LANs using an ASA and a Cisco router (IOS).

ikev2-asa-ios-1-1.jpg

Due to many limitations on the ASA (IPsec profiles, DVTI, GRE tunnels), the new protocol has totally different configuration steps on IOS and on the ASA. Let’s start with the ASA, as there the differences between IKEv1 and IKEv2 are very small.

a) phase 1

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

b) phase 2

crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1

c)...



Remote Access VPN clientless SSL - ASA

The next remote access VPN I would like to work with is clientless SSL VPN on the ASA. The biggest advantage of this variant is that no software is needed on the client machine; you only need a web browser.
The minimum configuration required is very simple:

webvpn
 port 444
 enable outside

username cisco password cisco
username cisco attributes
 service-type remote-access

And now we can test it:

asa-webvpn-1-1.jpg

asa-webvpn-1-2.jpg

On the ASA we can also monitor this session:

asa1# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : cisco                  Index        : 16
Public IP    : 192.168.202.237
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 7367                   Bytes Rx     : 12748
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:50:22 UTC Thu Dec 11 2014
Duration     : 0h:04m:55s
...



rfc1925

I think that every kickoff call or meeting should start with reading RFC 1925 (The Twelve Networking Truths), just to be sure no one will ask you to increase the speed of light…

source: https://tools.ietf.org/html/rfc1925

Strongly recommended!



Remote Access VPN (IPsec) - ASA - part two

In my previous post I configured the remote access IPsec VPN on the ASA, and today I’d like to change some settings. I added one more router, which will play the role of a www server.

asa-ra-ipsec2-1.jpg

In my last scenario all traffic was sent over the tunnel:

asa-ra-ipsec6.jpg

and today I need to separate the traffic into two categories: the first is protected and should be sent over the tunnel; the second can be sent over the Internet directly. On my updated network diagram you can see R16 (192.168.202.222). Assume it is a www server that we should be able to reach without going through the VPN tunnel. The traffic to servers behind the ASA has to be protected.

First I add a new access list:

asa1(config)# access-list SPLIT-TUN standard permit host 192.168.202.222

Next, I need to change the group policy settings:

group-policy VPN-GP attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value SPLIT-TUN

I try now to...



Remote Access VPN (IPsec) - ASA - part one

Today I implement an IPsec remote access VPN on the ASA. Please review the diagram below:

asa-ra-ipsec1.jpg

In the first step I implement a solution where all traffic is sent over the tunnel. Later on I will add more requirements.

As for every VPN configuration, I need to implement the following elements:

a) Isakmp

crypto isakmp policy 10
 auth pre
 encr 3des
 hash md5
 gr 2

crypto isakmp enable outside

b) Ipsec

crypto ipsec ikev1 transform TS esp-3des esp-sha

c) IP pool

ip local pool VPN-POOL 8.8.8.1-8.8.8.8

d) Group policy

group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-prot IPSec
 address-pools value VPN-POOL

e) Tunnel group

tunnel-group VPN-ASA type remote-access

tunnel-group VPN-ASA ipsec-attributes
 pre-share cisco123

tunnel-group VPN-ASA general-attributes
 default-group-policy VPN-GP

f) Crypto map

crypto dynamic-map DMAPA 10 set ikev1 transform TS
crypto dynamic-map
...



Remote Access VPN (IPsec) - IOS - radius (ISE)

Today I change the configuration from my previous post: instead of ACS I will use ISE (version 1.1).

First modification:

!
radius-server host 192.168.202.152 key cisco123
!

Next I add a new network device on ISE:

ra-ipsec4-1.jpg

ra-ipsec4-2.jpg

In the next step I add a new user group and then a new user, “ezvpn”:

ra-ipsec4-3.jpg

ra-ipsec4-4.jpg

And now the new user:

ra-ipsec4-5.jpg

Now it’s time to add a new authorization profile with RADIUS attributes:

ra-ipsec4-6.jpg

ra-ipsec4-7.jpg

And then a new Authorization Profile:

ra-ipsec4-8.jpg

When I try to connect, I see the following log messages:

*Nov 24 20:17:04.534: RADIUS/ENCODE(00000086):Orig. component type = VPN IPSEC
*Nov 24 20:17:04.538: RADIUS:  AAA Unsupported Attr: interface         [221] 8   1767295532
*Nov 24 20:17:04.538: RADIUS(00000086): Config NAS IP: 0.0.0.0
*Nov 24 20:17:04.542: RADIUS(00000086): Config NAS IPv6: ::
*Nov 24 20:17:04.542: RADIUS/ENCODE(00000086): acct_session_id: 123
*Nov 24 20:17:04.546: RADIUS(00000086):
...



Encryption Algorithm and Hash Functions Cheat Sheet

I decided to gather some information about encryption algorithms and hash functions in one place. I will try to update this post regularly.

algorithm_cheat1.jpg



Remote Access VPN (IPsec) - IOS - radius (ACS)

Two posts earlier I mentioned another way to control traffic in the VPN tunnel: a downloadable access list. This is the most flexible approach because we can define different policies per user or group. The static control I implemented together with the ISAKMP and IPsec policies allows only one access list. Today I add a RADIUS server to the existing configuration, which you can find here.
I start with a new AAA configuration:

!
radius-server host 192.168.202.151 key cisco123
!
aaa authentication login USERS group radius
aaa authorization network AUTH-LIST group radius
!

On ACS I need to add a Network Device:

ra-ipsec3-1.jpg

Next I need to add a new user, ezvpn:

ra-ipsec3-2.jpg

My ezVPN configuration:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local POOL
!
crypto isakmp client configuration group ezvpn
 key cisco
 pool POOL
 acl 101
...
