hzw -

My notes about IT, security, CCIE Security journey, routers, firewalls and many more…To contact me, send an email to: myitmicroblog@gmail.com



ASA ikev2 VPN s-2-s (PKI) - part three

Today I would like to implement NAT based on the configuration presented in one of my last posts: “ASA ikev2 VPN s-2-s (PKI) - part one”. Assume that LAN networks have the same addresses on both sides:

       11.11.11.0/24      10.0.0.0/24       11.11.0.0/24

  /----\ .11     .1 -----  .1      .2 -----  .1      .11/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----      |.100  -----             \----/
  Loop0                     /----\                       Loop0
11.11.12.12                |  R3  |                     11.11.12.12
  Loop1                     \----/                       Loop1
11.11.13.13               PKI SERVER                    11.11.13.13

This happens, for example, when two companies merge. For this post only, I simplify the design: instead of identical subnets I have six hosts, where three have the...



ASA ikev2 VPN s-2-s (PKI) - part two

I’d like to continue the ikev2 topic (ASA ikev2 VPN s-2-s (PKI) - part one) and introduce new features which allow me to achieve the same result. I strongly recommend reading the previous post first to have a clear picture of what I’m going to do. I will work on the same network diagram.

 11.11.11.0/24    10.0.0.0/24         20.0.0.0/24

  /----\ .11     .1 -----  .1      .2 -----  .2       .1/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----      |.100  -----             \----/
  Loop0                     /----\                       Loop0
11.11.12.12                |  R3  |                     20.0.2.2
  Loop1                     \----/                       Loop1
11.11.13.13               PKI SERVER                    20.0.3.3

Let’s remove the group-policy IKEV2-GROUP-POLICY from the tunnel-group.

asa1# conf t
asa1(config)# tunnel-group
...



ASA ikev2 VPN s-2-s (PKI) - part one

Today I’d like to test ikev2 on ASA (PKI) and check some settings of the tunnel. I have two ASAs as per the diagram below. I use terminal enrollment to show how to install a certificate manually without SCEP (Simple Certificate Enrollment Protocol). I have to set up the tunnel to allow the following servers to communicate:

a) 11.11.11.11 <-> 20.0.0.1

b) 11.11.12.12 <-> 20.0.2.2

c) 11.11.13.13 <-> 20.0.3.3

I’m not allowed to accept traffic between any other hosts.

        11.11.11.0/24    10.0.0.0/24         20.0.0.0/24

  /----\ .11     .1 -----  .1      .2 -----  .2       .1/----\
 |  R1  |----------| ASA1 |----------| ASA2 |----------|  R2  |
  \----/            -----      |.100  -----             \----/
  Loop0                     /----\                       Loop0
11.11.12.12                |  R3  |                     20.0.2.2
  Loop1                     \----/                       Loop1
...



ikev2 VPN s-2-s - IOS and ASA - certificate (completed)

As I promised in one of my last posts, I’m going to implement an s-2-s VPN with certificates, which is a more secure and scalable solution. The tunnel will be set up between an IOS router and an ASA.

                    |<-VPN->|

               /----\         -----                /----\ 
  Loop0 ----  |  R1  |-------| ASA1 |------Gig0/0-|  R2  |
11.11.11.11    \----/    |    -----       20.0.0.1 \----/ 
                      /----\ 
                     |  R3  | 
                      \----/ 
                     PKI SERVER

Let’s start from the PKI Server:

!
hostname R3
!
crypto pki server PKI-SERVER
 grant auto
 no shut
!
!
interface GigabitEthernet0/0
 ip address 10.0.0.100 255.255.255.0
 no sh
!
ip http server
!

We should check the server status to be sure it has started:

R3# sh crypto pki server
Certificate Server PKI-SERVER:
    Status: enabled
    State: enabled
    Server's
...



L2L-VPN - ikev2 - troubleshooting

I would like to review the common mistakes in L2L VPN (ikev2) configuration on IOS routers and Cisco ASAs.

1) ikev2 pre-shared-key mismatch:

asa1# debug crypto ikev2 protocol 127

IKEv2-PROTO-4: Next payload: ENCR, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x1, length: 68

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

Decrypted packet:Data: 68 bytes
IKEv2-PROTO-5: (29): SM Trace-> SA: I_SPI=84F7CA31A3A18FA7 R_SPI=C6233B5952724D83 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (29): Action: Action_Null

R1# debug crypto ikev2 event

May  4 17:45:46.382: IKEv2:(1): Stopping timer to wait
...



VPN and Amazon AWS

Recently I have worked on a few VPN projects where my customers requested VPN connections to their Amazon VPCs (Virtual Private Cloud). As you probably know, today’s companies are very complex, and in the same building there can be many organizations, contractors, etc. In my project I had to set up VPN tunnels for three different organizations located behind the same VPN concentrator. One of them had their VPC in the US, the second one in Europe. That part of the project was completed without any issues. The problems appeared when a third organization, located behind the same VPN concentrator, requested a new tunnel to their VPC located in Europe. Let’s sum up all the requirements:

  • Customer “A” has a tunnel to the VPC “A” in US DC
  • Customer “B” has a tunnel to the VPC “B” in Europe DC

The above two tunnels are already configured and both are working fine.

  • Customer “C” requires a new tunnel to the VPC “C” in Europe...



ikev2 VPN s-2-s - IOS and ASA - pre-shared-key - update

In my last post I tested ikev2 on ASA and IOS, and when I tried to work with the configs I posted there I found one missing parameter. The tunnel didn’t come up and I tried to find out why.

R1: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
ASA1: Cisco Adaptive Security Appliance Software Version 8.4(2)

ISAKMP settings for ASA1 and R1:

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
!

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 5
!

When I try to ping, I see the tunnel can’t come up:

R1#
*May  4 17:28:52.815: IKEv2:(SA ID = 1):Initial exchange failed
R1#
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:28:54.791: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 MD596
...



ikev2 VPN s-2-s - IOS and ASA - pre-shared-key

Today I would like to test the new version of s-2-s VPN: ikev2. This is an improved and more secure version of ikev1. I will configure the tunnel for the scenario below:

                     |<-VPN->|

               /----\         -----                /----\ 
  Loop0 ----  |  R1  |-------| ASA1 |------Gig0/0-|  R2  |
11.11.11.11    \----/         -----       20.0.0.1 \----/ 

Let’s start to define an ACL to match interesting traffic:

R1(config)# access-list 101 permit ip host 11.11.11.11 host 20.0.0.1
asa1(config)# access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11

Now I configure ikev2 proposals on R1:

R1(config)# crypto ikev2 proposal IKEV2-PROPOSAL
R1(config-ikev2-proposal)# encryption 3des
R1(config-ikev2-proposal)# group 5
R1(config-ikev2-proposal)# integrity md5
R1(config-ikev2-proposal)# exit

and then policy:

R1(config)# crypto ikev2 policy IKEV2-POLICY
...



IPv6 security – IPv6 First Hop Security – IPv6 SeND (Secure Neighbor Discovery) – part five.

The SeND protocol can protect our network against unauthorized routers that send RA messages. To mitigate the risk you can enable the IPv6 SeND protocol: RA messages will then be accepted only from devices with a valid certificate and from a source IP that is a CGA (Cryptographically Generated Address). Let’s test this feature in the following scenario:

    PKI SERVER                     ROUTER
      /----\         -----         /----\ 
     |  R1  |-------| sw1 |-------|  R2  |
      \----/         -----         \----/ 
                       |      
                       |         
                    /----\   
                   |  R3  |
                    \----/  
                SPOOFED ROUTER 

Configure r1 as a PKI server:

crypto key generate rsa general-keys modulus 1024 label KEY1024
!
interface FastEthernet0/0
 ipv6 cga rsakeypair KEY1024
 ipv6 address FE80::
...



PKI Server and IPv6.

I wanted to configure a PKI server over IPv6 and I found one problem. According to the Cisco documentation you should enclose IPv6 addresses in ‘[]’:

Router(ca-trustpoint)# enrollment url http://[2001:DB8:1:1::1]:80

When I wanted to do the same I found one bug:

Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(3)T2, RELEASE SOFTWARE (fc1)
r2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2(config)# crypto pki trustpoint PKI-TRUSTPOINT
r2(ca-trustpoint)# enrollment url http://[2001:100::1]:80
r2(ca-trustpoint)# revocation-check crl
r2(ca-trustpoint)# end
r2#
May  1 23:18:26.699: %SYS-5-CONFIG_I: Configured from console by console
r2# sh run | b PKI-TRUSTPOINT
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://[2001:100
 revocation-check crl
!
!

As you can see, the address is truncated right after ‘::’.

I also tested IOS 15.2(3)T3 and it...
