12 Jun 2023

Cisco ASA IPsec setup

Cisco ASA has a different way of setting up the Phase1/Phase2 parameters for an IPsec tunnel. Where other vendors have specific menus or commands for entering the Phase1/Phase2 parameters, here we have groups of commands that accomplish basically the same thing.

PHASE 1

Enter your acceptable Phase1 parameters, which will be offered for negotiation with the other IPsec peer.

For IKEv1:

#crypto ikev1 policy 10
   encryption 3des
   hash sha
   group 2
   lifetime 28800
#crypto ikev1 policy 20
   authentication rsa-sig
   encryption aes-256
   hash sha
   group 5
   lifetime 86400
   authentication pre-share

or for IKEv2:

#crypto ikev2 policy 2
   encryption aes-256
   integrity sha
   group 14
   prf sha
   lifetime seconds 86400

Then you set up the "tunnel-group" for the peer's attributes and, most importantly, the pre-shared key (or certificate):

#tunnel-group 182.11.104.167 type ipsec-l2l
#tunnel-group 182.11.104.167 general-attributes
   default-group-policy Turkcell_GroupPolicy2
#tunnel-group 182.11.104.167 ipsec-attributes
   ikev1 pre-shared-key *****


PHASE 2

#crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
#crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
#crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

#crypto ipsec ikev2 ipsec-proposal STRONGPROPOSAL
   protocol esp encryption aes-256
   protocol esp integrity sha-1
#crypto ipsec ikev2 ipsec-proposal WEAKPROPOSAL 
   protocol esp encryption 3des
   protocol esp integrity sha-1

Here's where we define the interesting traffic and 

IKEv1 example cryptomap entry:

crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group5
crypto map outside_map1 1 set peer 182.11.104.167
crypto map outside_map1 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map1 1 set security-association lifetime seconds 28800

An IKEv2 example cryptomap entry:

crypto map internet_map0 1 match address internet_cryptomap
crypto map internet_map0 1 set peer 182.11.104.167
crypto map internet_map0 1 set ikev2 ipsec-proposal AES256-SHA1
crypto map internet_map0 interface internet
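Because the Phase1/Phase2 settings are spread over several command groups, it is easy to leave a legacy algorithm in one policy or to have a crypto map point at a transform-set or proposal that was never defined. The following audit script is an added example, not part of the original post or any Cisco tool; it parses a constructed ASA config fragment modelled on the snippets above (the names ESP-AES-128-MD5, WEAKPROPOSAL and outside_map1 are reused from the page, the sample itself is made up) and reports weak algorithms, weak DH groups and dangling crypto map references.

```python
import re

# Constructed sample, modelled on the page's snippets; not a real device dump.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
   encryption 3des
   hash sha
   group 2
crypto ikev2 policy 2
   encryption aes-256
   integrity sha
   group 14
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal WEAKPROPOSAL
   protocol esp encryption 3des
   protocol esp integrity sha-1
crypto map outside_map1 1 set pfs group5
crypto map outside_map1 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map internet_map0 1 set ikev2 ipsec-proposal WEAKPROPOSAL
"""

WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}                 # DH groups below 2048 bits
DH_RE = re.compile(r"\bgroup ?(\d+)$")    # matches "group 2" and "set pfs group5"

def audit_asa_crypto(config):
    """Return (findings, dangling): findings are (section, weak setting) pairs,
    dangling are crypto map entries naming an undefined transform-set/proposal."""
    findings, refs, defined, section = [], [], set(), None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["crypto", "map"]:
            section = " ".join(tok[:4])           # e.g. "crypto map outside_map1 1"
            for kw in ("transform-set", "ipsec-proposal"):
                if kw in tok:                     # names are listed after the keyword
                    refs += [(section, n) for n in tok[tok.index(kw) + 1:]]
        elif tok[0] == "crypto":                  # policy / transform-set / proposal header
            section = " ".join(tok[2:5] if tok[1] == "ipsec" else tok[1:4])
            if tok[1] == "ipsec" and len(tok) > 4:
                defined.add(tok[4])
        weak = [t for t in tok if t in WEAK_ALGS]
        m = DH_RE.search(" ".join(tok))
        if m and m.group(1) in WEAK_DH:
            weak.append("group " + m.group(1))
        findings += [(section, w) for w in weak]
    dangling = [(s, n) for s, n in refs if n not in defined]
    return findings, dangling
```

Run it against `show running-config` output saved to a file; each finding names the policy, transform-set, proposal or crypto map entry the weak setting sits in, so the fix can be applied to that command group.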