Site-to-Site VPN Setup Using Preshared Keys
To set up a site-to-site VPN tunnel, launch the VPN Wizard. The VPN Wizard guides you through an easy-to-follow set of configuration steps that results in a properly configured VPN tunnel.
Figure 21-2 illustrates a VPN topology between two sites, Chicago and London. The inside interface of Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while another inside network, 192.168.20.0/24, sits behind Router1. The public interface's IP address is 209.165.200.225/27, and the default route sends all traffic to the next-hop router toward the Internet. The ASDM client, with an IP address of 172.18.124.100, is connected to the mgmt interface of Cisco ASA, which has an IP address of 172.18.124.205.
Figure 21-2. Site-to-Site ASA Setup
Cisco ASA in London is set up in a similar way with two inside networks, 192.168.30.0/24 and 192.168.40.0/24. The public interface's IP address is 209.165.201.1/27.
Use the following configuration steps to set up Cisco ASA in Chicago for a site-to-site tunnel using the preshared keys for IKE authentication:
Step 1.
Launch the VPN Wizard by choosing Wizards > VPN Wizard, as shown in Figure 21-3.
Figure 21-3. Launching the VPN Wizard Through the Menu Bar
You can also launch the VPN Wizard by navigating to Configuration > Wizards > VPN.
ASDM launches the VPN Wizard with the option to choose a tunnel type. Click the Site-to-Site radio button, as shown in Figure 21-4.
Figure 21-4. Choosing the Site-to-Site Tunnel Type
Because the remote peer of the site-to-site VPN tunnel resides toward the outside interface of Cisco ASA, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move to the Remote Site Peer window.
Step 2.
Specify the peer's identity.
The VPN Wizard prompts you to specify peer information, such as its public IP address and ISAKMP authentication method. In the example, the public IP address of Cisco ASA in London is 209.165.201.1, as specified in the Peer IP Address field in Figure 21-5.
Figure 21-5. Site-to-Site ASA Setup
As mentioned in Chapter 15, "Site-to-Site IPSec VPNs," Cisco ASA supports two authentication methods: preshared keys and RSA signatures (PKI). In this topology, preshared keys are used to authenticate the VPN peer. The administrator has chosen to use cisco123 as the preshared secret key for peer authentication. Click Next to move to the IKE Policy window.
Step 3.
Select the IKE policy.
Cisco ASA allows you to choose the IKE parameters such as the encryption and authentication types and the Diffie-Hellman (DH) group. In Figure 21-6, the administrator has selected 3DES for encryption, SHA for authentication, and DH group 2 for key generation. Click Next to move to the IPSec Encryption and Authentication window.
Figure 21-6. Selecting the IKE Policy
Note: It is recommended to use AES-256 as the encryption algorithm. However, AES is a new standard and is not supported by all VPN devices. Check with the remote VPN device administrator to confirm whether it supports this standard.
Step 4.
Set up the IPSec transform set.
Configuring the IPSec transform set is accomplished by selecting an encryption and authentication algorithm. In Figure 21-7, the administrator has chosen 3DES for encryption and SHA for hash authentication. Click Next to move to the Local Hosts and Networks window.
Figure 21-7. Selecting the IPSec Transform Set
Step 5.
Identify local networks.
Select the hosts/subnets or networks to be used as the local proxy during the IPSec negotiation. Cisco ASA recognizes all the local networks whose routes are in the routing table. You can click the ... button to see a list of the local networks, as shown in Figure 21-8.
Figure 21-8. Selecting Networks from the List
Optionally, you may manually add an address in the IP Address field with the appropriate subnet mask. After you enter the IP address, click Add to move the address to the Selected Hosts/Networks pane, as illustrated in Figure 21-9. In this example, the administrator has added 192.168.10.0/24 and 192.168.20.0/24 as local networks.
Figure 21-9. Adding Selected Networks as the Local Proxy
Cisco ASA also allows you to specify an interface name or a tunnel group to identify the traffic. These options are rarely used in real-world site-to-site VPN deployments. Click Next to move to the next window.
Step 6.
Define remote networks.
The Remote Hosts and Networks window allows you to identify the remote private network. This window looks very similar to the one in Step 5. In Figure 21-10, the administrator has identified two remote private networks: 192.168.30.0/24 and 192.168.40.0/24. Click Next.
Figure 21-10. Adding Selected Networks as the Remote Proxy
Step 7.
Verify the site-to-site configuration.
The last step in setting up a site-to-site VPN tunnel is to verify that all the parameters are accurate. If they look correct, click Finish to complete the VPN Wizard.
If the Preview Command Before Sending to the Device option is enabled in ASDM, the entire site-to-site configuration is displayed before being sent to Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-1 shows the site-to-site configuration generated by ASDM. ASDM does not add comments, but they are added here for ease of understanding.
Example 21-1. Complete Site-to-Site Configuration Sent by ASDM
!Access-list to bypass Address Translation
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
!Access-list is linked to NAT 0
nat (inside) 0 access-list inside_nat0_outbound
!IPSec transform-set for data encryption
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!Access-list to define interesting traffic for the encryption process
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
!Crypto map configuration
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
!Crypto map is applied to the outside interface
crypto map outside_map interface outside
!ISAKMP Phase 1 policy
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!Tunnel-group configuration to set 209.165.201.1 as a site-to-site peer
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
pre-shared-key *
!Sysopt to bypass packet filtration
sysopt connection permit-ipsec
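The wizard output in Example 21-1 only works when its pieces agree: every interesting-traffic entry in the crypto ACL needs a matching NAT 0 exemption, the crypto map's peer needs an ipsec-l2l tunnel-group, and the transform set it references must exist. The following checker is an added example (not part of the book or of ASDM) that parses a constructed copy of the Example 21-1 commands, comments removed, and reports any of those mismatches; the function name check_l2l and the finding texts are this example's own.

```python
import re

# Constructed sample: the Chicago-side commands ASDM generates in Example 21-1, comments removed.
CHICAGO = """\
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 209.165.201.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
tunnel-group 209.165.201.1 type ipsec-l2l
"""

ACE = re.compile(r"access-list (\S+) extended permit ip (\S+ \S+ \S+ \S+)$")

def check_l2l(cfg):
    # Cross-check the objects ASDM ties together; an empty list means they agree.
    acls, nat0, tsets, l2l, cmap = {}, set(), set(), set(), {}
    for line in cfg.splitlines():
        w, m = line.split(), ACE.match(line)
        if m:                                        # collect ACEs per access-list name
            acls.setdefault(m[1], set()).add(m[2])
        elif w[:1] == ["nat"] and w[2:4] == ["0", "access-list"]:
            nat0.add(w[4])                           # NAT exemption list
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(w[3])
        elif w[:2] == ["crypto", "map"] and len(w) > 6:   # one crypto map entry, keyed by name and seq
            e = cmap.setdefault((w[2], w[3]), {})
            e[w[5] if w[4] == "set" else "acl"] = w[6]
        elif w[:1] == ["tunnel-group"] and w[2:4] == ["type", "ipsec-l2l"]:
            l2l.add(w[1])
    exempt, findings = set().union(*(acls.get(n, set()) for n in nat0)), []   # traffic excluded from NAT
    for (name, seq), e in cmap.items():
        tag = f"crypto map {name} {seq}"
        if e.get("peer") not in l2l:
            findings.append(f"{tag}: peer {e.get('peer')} has no tunnel-group of type ipsec-l2l")
        if e.get("transform-set") not in tsets:
            findings.append(f"{tag}: transform-set {e.get('transform-set')} is not defined")
        for ace in sorted(acls.get(e.get("acl"), set()) - exempt):   # would be NATed before encryption
            findings.append(f"{tag}: interesting traffic '{ace}' lacks a NAT 0 exemption")
    return findings
```

Running check_l2l on the constructed copy returns no findings; removing one of the inside_nat0_outbound entries reports the local/remote pair that would be translated instead of encrypted.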