
Cisco IPSEC

IKEv2 Site to Site VPN lab


EVE-NG Pro Lab guide

_____________________________________________
Author Uldis Dzerkals
EVE-NG Pro, 2020
S2S IPSEC VPN IKEv2 Lab
EVE-PRO, 2020
__________________________________________________________________________________

Contents
I. Lab nodes
II. Lab objective
III. Solution
  1. Configure ASAv1 and ASAv2 Interfaces and default route
  2. Creating ASAv objects
  3. Configure DHCP Pools for inside network
  4. Create Access lists
  5. Permit intra and inter security traffic
  6. Configure NAT
  7. Configure IPSEC IKEv2
IV. Verification
  1. Ping from Host-PC1 to Host-PC2
  2. Verify traffic encryption

__________________________________________________________________________________
Created by Uldis Dzerkals, EVE-NG Ltd, 2020

Preface: a Site-to-Site IPSec IKEv2 VPN tunnel is used to allow the secure transmission of data, voice
and video between two sites (e.g. offices or branches). The VPN tunnel is created over the public
Internet and encrypted using a number of advanced encryption algorithms to provide
confidentiality of the data transmitted between the two sites.

I. Lab nodes
1. Image versions used in lab.

• ASAv 9.14.2
• Router: i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018
• Switches: i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20190423.bin
• VPCS Node as host

2. Initial configurations

Router, switch and host configurations are preloaded in the lab (startup configuration).

NOTE: before starting the lab, make sure all your nodes have the proper IOL image set. Use the side bar More
Options/Wipe all nodes.

II. Lab objective


Configure an IPSec IKEv2 Site-to-Site tunnel from Site 1 to Site 2. Host-PC1 must be able to ping Host-PC2
and vice versa.


III. Solution
1. Configure ASAv1 and ASAv2 Interfaces and default route
ASAv1
hostname ASAv1
enable password cisco

interface GigabitEthernet0/0
no shut
nameif outside
security-level 0
ip address 20.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
no shut
nameif inside
security-level 100
ip address 192.168.101.254 255.255.255.0

route outside 0.0.0.0 0.0.0.0 20.1.1.254 1

ASAv2
hostname ASAv2
enable password cisco

!
interface GigabitEthernet0/0
no shut
nameif outside
security-level 0
ip address 30.1.1.1 255.255.255.0
!
interface GigabitEthernet0/1
no shut
nameif inside
security-level 100
ip address 192.168.102.254 255.255.255.0

route outside 0.0.0.0 0.0.0.0 30.1.1.254 1

2. Creating ASAv objects


Create extended ASAv objects

ASAv1
object network default-gw
host 20.1.1.254
object network remote-network
subnet 192.168.102.0 255.255.255.0
object network inside-network
subnet 192.168.101.0 255.255.255.0

ASAv2
object network default-gw
host 30.1.1.254
object network remote-network
subnet 192.168.101.0 255.255.255.0
object network inside-network
subnet 192.168.102.0 255.255.255.0

3. Configure DHCP Pools for inside network


ASAv1
dhcpd address 192.168.101.10-192.168.101.20 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd domain eve.lab interface inside
dhcpd enable inside

ASAv2
dhcpd address 192.168.102.10-192.168.102.20 inside
dhcpd dns 8.8.8.8 interface inside
dhcpd domain eve.lab interface inside
dhcpd enable inside

4. Create Access lists


ASAv1
access-list outside_cryptomap extended permit ip 192.168.101.0 255.255.255.0 object remote-network

ASAv2
access-list outside_cryptomap extended permit ip 192.168.102.0 255.255.255.0 object remote-network

5. Permit intra and inter security traffic


ASAv1 and ASAv2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

6. Configure NAT
ASAv1
nat (inside,outside) source static inside-network inside-network destination static remote-network remote-network no-proxy-arp route-lookup

ASAv2
nat (inside,outside) source static inside-network inside-network destination static remote-network remote-network no-proxy-arp route-lookup

7. Configure IPSEC IKEv2.


ASAv1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec security-association pmtu-aging infinite


crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 30.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

crypto ikev2 enable outside

group-policy GroupPolicy_30.1.1.1 internal
group-policy GroupPolicy_30.1.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy

tunnel-group 30.1.1.1 type ipsec-l2l
tunnel-group 30.1.1.1 general-attributes
default-group-policy GroupPolicy_30.1.1.1
tunnel-group 30.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key eve
ikev2 local-authentication pre-shared-key eve

ASAv2
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec security-association pmtu-aging infinite


crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 20.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400

crypto ikev2 enable outside

group-policy GroupPolicy_20.1.1.1 internal
group-policy GroupPolicy_20.1.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy

tunnel-group 20.1.1.1 type ipsec-l2l
tunnel-group 20.1.1.1 general-attributes
default-group-policy GroupPolicy_20.1.1.1
tunnel-group 20.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key eve
ikev2 local-authentication pre-shared-key eve
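The seven steps above are mirrored on the two firewalls, and most site-to-site tunnels that refuse to come up do so because one side has drifted from the other. As an added example (not part of the lab guide or of EVE-NG's tooling), the Python below rebuilds both configurations from the lab's values with a constructed template and cross-checks them: the crypto map peer must be the other side's outside address, an ipsec-l2l tunnel-group must be named after that peer, the local pre-shared key must equal the peer's remote key, each crypto ACL must be the mirror image of the other side's, the identity NAT must cover the same pair of networks, and the two IKEv2 policies must share an encryption/integrity pair and at least one DH group. `SITE_TEMPLATE`, `parse_asa`, `check_pair` and the wording of the findings are this example's own names, not ASA commands.

```python
# Added example, not the lab's own tooling: cross-check the two ASA configurations
# above for the mismatches that most often leave an IKEv2 L2L tunnel down. The config
# template is constructed from the lab's values so the check runs offline.
SITE_TEMPLATE = """\
interface GigabitEthernet0/0
 nameif outside
 ip address {outside} 255.255.255.0
object network remote-network
 subnet {remote} 255.255.255.0
object network inside-network
 subnet {inside} 255.255.255.0
access-list outside_cryptomap extended permit ip {inside} 255.255.255.0 object remote-network
nat (inside,outside) source static inside-network inside-network destination static remote-network remote-network no-proxy-arp route-lookup
crypto map outside_map 1 set peer {peer}
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 ikev2 remote-authentication pre-shared-key {psk}
 ikev2 local-authentication pre-shared-key {psk}
"""
ASAV1_CFG = SITE_TEMPLATE.format(outside="20.1.1.1", inside="192.168.101.0",
                                 remote="192.168.102.0", peer="30.1.1.1", psk="eve")
ASAV2_CFG = SITE_TEMPLATE.format(outside="30.1.1.1", inside="192.168.102.0",
                                 remote="192.168.101.0", peer="20.1.1.1", psk="eve")

def _addr(w, i):
    """ACL address at w[i] as ('object', NAME) or (IP, MASK), plus the next token index."""
    return (("object", w[i + 1]) if w[i] == "object" else (w[i], w[i + 1])), i + 2

def parse_asa(text):
    """Extract the tunnel-relevant facts from one ASA configuration (flat or indented)."""
    cfg = {"outside_ip": None, "objects": {}, "acl": [], "nat": set(), "peer": None,
           "ikev2": {"encryption": None, "integrity": None, "groups": []}, "tunnel_groups": {}}
    block = nameif = None  # block: (kind, ref) of the command whose sub-commands follow
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        cmd = w[0]
        if cmd == "nameif":
            nameif = w[1]
        elif cmd == "ip" and nameif == "outside":
            cfg["outside_ip"] = w[2]
        elif cmd == "object" and w[1] == "network":
            block = ("object", w[2])
        elif cmd == "tunnel-group":
            tg = cfg["tunnel_groups"].setdefault(w[1], {})
            if w[2] == "type":
                tg["type"] = w[3]
            block = ("tg", w[1])
        elif cmd == "crypto" and w[1:3] == ["ikev2", "policy"]:
            block = ("ikev2", None)
        elif cmd == "crypto" and w[1] == "map" and "peer" in w:
            cfg["peer"] = w[w.index("peer") + 1]
        elif cmd == "access-list" and "ip" in w:
            src, i = _addr(w, w.index("ip") + 1)
            cfg["acl"].append((w[1], src, _addr(w, i)[0]))
        elif cmd == "nat" and "static" in w:
            s, d = w.index("source"), w.index("destination")
            cfg["nat"].add((w[s + 2], w[s + 3], w[d + 2], w[d + 3]))
        elif block is not None:
            kind, ref = block
            if kind == "object" and cmd == "subnet":
                cfg["objects"][ref] = (w[1], w[2])
            elif kind == "tg" and cmd == "ikev2" and w[2] == "pre-shared-key":
                cfg["tunnel_groups"][ref][w[1]] = w[3]  # remote-/local-authentication
            elif kind == "ikev2" and cmd == "group":
                cfg["ikev2"]["groups"] = [int(g) for g in w[1:]]
            elif kind == "ikev2" and cmd in ("encryption", "integrity"):
                cfg["ikev2"][cmd] = w[1]
    return cfg

def resolve(cfg, addr):
    """Replace an ('object', NAME) reference by that object's (IP, MASK)."""
    return cfg["objects"].get(addr[1], addr) if addr[0] == "object" else addr

def check_pair(a, b):
    """Findings for two peers; an empty list means the two sides mirror each other."""
    f = []
    for me, other, tag in ((a, b, "A"), (b, a, "B")):
        if me["peer"] != other["outside_ip"]:
            f.append(f"{tag}: crypto map peer {me['peer']} is not the other side's outside address")
        tg = me["tunnel_groups"].get(me["peer"], {})
        if tg.get("type") != "ipsec-l2l":
            f.append(f"{tag}: no ipsec-l2l tunnel-group named after peer {me['peer']}")
        their_remote = other["tunnel_groups"].get(other["peer"], {}).get("remote-authentication")
        if tg.get("local-authentication") is None or tg["local-authentication"] != their_remote:
            f.append(f"{tag}: local pre-shared key does not match the peer's remote key")
        # identity NAT (X->X, Y->Y) must cover each crypto-ACL pair, or the traffic gets translated
        exempt = {(resolve(me, ("object", s)), resolve(me, ("object", d)))
                  for s, s2, d, d2 in me["nat"] if s == s2 and d == d2}
        for name, src, dst in me["acl"]:
            if (resolve(me, src), resolve(me, dst)) not in exempt:
                f.append(f"{tag}: crypto ACL {name} has no matching identity NAT")
    # interesting traffic must be the mirror image on both sides, or the child SA selectors differ
    if ({(resolve(a, s), resolve(a, d)) for _, s, d in a["acl"]}
            != {(resolve(b, d), resolve(b, s)) for _, s, d in b["acl"]}):
        f.append("crypto ACLs are not mirror images of each other")
    pa, pb = a["ikev2"], b["ikev2"]
    if ((pa["encryption"], pa["integrity"]) != (pb["encryption"], pb["integrity"])
            or not set(pa["groups"]) & set(pb["groups"])):
        f.append("IKEv2 policies share no proposal (algorithms or DH group)")
    return f
```

Run it against the two running configurations pulled from the firewalls (the parser accepts the indented form of `show running-config` as well as the flat form used in this guide). With the lab's values `check_pair` returns an empty list; change the peer address, drop the NAT exemption or edit one remote-network object and the corresponding finding appears.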

IV. Verification
1. Ping from Host-PC1 to Host-PC2

From Host-PC2 to Host-PC1

2. Verify traffic encryption


ASAv1
ASAv1# show crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  2236767          20.1.1.1/500         30.1.1.1/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/406 sec
Child sa: local selector  192.168.101.0/0 - 192.168.101.255/65535
          remote selector 192.168.102.0/0 - 192.168.102.255/65535
          ESP spi in/out: 0x5b0a309c/0x4b01f3a7

ASAv1# show ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 20.1.1.1

      access-list outside_cryptomap extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      current_peer: 30.1.1.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 20.1.1.1/500, remote crypto endpt.: 30.1.1.1/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4B01F3A7
      current inbound spi : 5B0A309C

    inbound esp sas:
      spi: 0x5B0A309C (1527394460)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3916799/28557)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x4B01F3A7 (1258419111)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4331519/28557)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASAv2
ASAv2# show crypto ikev2 sa

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  3569047          30.1.1.1/500         20.1.1.1/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/454 sec
Child sa: local selector  192.168.102.0/0 - 192.168.102.255/65535
          remote selector 192.168.101.0/0 - 192.168.101.255/65535
          ESP spi in/out: 0x4b01f3a7/0x5b0a309c

ASAv2# show ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 30.1.1.1

      access-list outside_cryptomap extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.102.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      current_peer: 20.1.1.1

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 30.1.1.1/500, remote crypto endpt.: 20.1.1.1/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5B0A309C
      current inbound spi : 4B01F3A7

    inbound esp sas:
      spi: 0x4B01F3A7 (1258419111)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4008959/28494)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x5B0A309C (1527394460)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 1, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4239359/28494)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
