Friday 26 April 2013

ASA IPsec ezVPN server


Scenario:


  • IKE config
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
  • Tunnel-Group and Tunnel Group Policies
tunnel-group ezVPN type remote-access
tunnel-group ezVPN general-attributes
 default-group-policy ezVPN
tunnel-group ezVPN ipsec-attributes
 ikev1 pre-shared-key TEST

group-policy ezVPN internal
group-policy ezVPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 address-pools value EZVPN
where
  • SPLIT_TUNNEL is:
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
  • address-pool EZVPN is (ASA names are case-sensitive, so the group-policy must reference the pool exactly as it is defined):
ip local pool EZVPN 20.0.0.1-20.0.0.254


  • IPsec config

crypto ipsec ikev1 transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 10 set ikev1 transform-set 3DES
crypto dynamic-map DYNAMIC 10 set reverse-route
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN interface outside
  • Authentication config
username VPN_USER password CISCO
username VPN_USER attributes
 group-lock value ezVPN
Verification:

ciscoasa# show crypto ikev1 sa detail
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 172.20.1.6
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : MD5      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85154

ciscoasa# show crypto ipsec sa detail
interface: outside
    Crypto map tag: DYNAMIC, seq num: 10, local addr: 172.20.1.2
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      current_peer: 172.20.1.6, username: CISCO
      dynamic allocated peer ip: 20.0.0.1
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 172.20.1.2/0, remote crypto endpt.: 172.20.1.6/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 308A930C
      current inbound spi : 776D8DD3

ciscoasa# show ip local pool EZVPN
Begin           End             Mask            Free     Held     In use
20.0.0.1        20.0.0.254      0.0.0.0           253        0        1
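As an added check that is not part of the original post: a small Python script that parses the "show crypto ikev1 sa detail" output above and flags the IKEv1 settings a defender would want to revisit on this ASA (aggressive mode, 3DES, MD5, a group pre-shared key for remote-access users). The sample text is a constructed copy of the output shown above, and the list of what counts as weak is an assumption of local policy, not an ASA default.

```python
import re

# Constructed excerpt of the "show crypto ikev1 sa detail" output shown above.
SAMPLE_IKEV1_SA = """\
1   IKE Peer: 172.20.1.6
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85154
"""

# Assumption: local policy treats these IKEv1 choices as weak (DES/3DES, MD5).
WEAK_ENCRYPT = {"des", "3des"}
WEAK_HASH = {"md5"}


def parse_ikev1_sas(text):
    """Parse 'show crypto ikev1 sa detail' into one dict per IKE peer."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            sas.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first peer
        # Each detail line carries up to two "Key : value" pairs.
        for key, val in re.findall(r"([A-Za-z ]+?)\s*:\s*(\S+)", line):
            cur[key.strip().lower()] = val
    return sas


def audit_ikev1_sa(sa):
    """Return the findings for one parsed IKEv1 SA (empty list = nothing flagged)."""
    findings = []
    if sa.get("state", "").startswith("AM_"):
        findings.append("aggressive mode (AM_*) negotiated with a pre-shared key")
    if sa.get("encrypt", "").lower() in WEAK_ENCRYPT:
        findings.append("weak encryption: " + sa["encrypt"])
    if sa.get("hash", "").lower() in WEAK_HASH:
        findings.append("weak hash: " + sa["hash"])
    if sa.get("auth") == "preshared" and sa.get("type") == "user":
        findings.append("group PSK used for remote-access (user) peers")
    return findings


if __name__ == "__main__":
    for sa in parse_ikev1_sas(SAMPLE_IKEV1_SA):
        print(sa["peer"], audit_ikev1_sa(sa))
```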
