Home » Security » [solved] How to setup IPSEC vpn tunnel in Cisco ASA step by step

[solved] How to setup IPSEC vpn tunnel in Cisco ASA step by step

IPsec VPN tunnels are used to connect to two network over internet and making it secure with Ipsec 1 or 2.

First we will need to configure the ISAKMP policies

Authentication method is used to enure the identity of the Ipsec  peers

Encryption method is used to encrypt the data

Hash message authentications codes are used to ensure the identity of the sender

A Diffie-Hellman group to determine the strength of the encryption-key-determination algorithm

Example of the ISAKMP policy and you can have maximum of 20 policies per device

2016-11-22-00_32_37-greenshot-capture-form

Once the ISAKMP policy is created then it needs to be enabled on the outside interface by the following command

crypto isakmp enable interface-name”

TRANSFORM SETS

IPsec transforms sets are for authentication and encryption for the Ipsec  tunnels – you can have multiple transforms sets configured

below is one example

crypto ipsec transform-set “Name” esp-3des esp-md5-hmac – this has to match on both sides of the VPN appliances

ACCESS LIST

You will need to create an access list to match the interesting traffic on both sides

If your local side is 172.16.1.0/24 and the remote side is 172.16.2.0/24 then you access should look something like this

access-list VPN1 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0

You can also create network object-group, if you have more than one subnet

TUNNEL GROUPS

Tunnel groups are set of records that define the VPN policies and authentication servers

below are the steps to create the tunnel group.

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key myvpnkey1234

CRYPTO MAP

Crypto map ties all the policies together like your access-list and other policies – below is the command to tie a VPN peer to the access-list

crypto map map-name seq-num match address access-list-name 

In the below example "VPN" is the name of the Crypto Map,  1 is sequnce number and
VPN1 is the name of the ACL

2016-11-22-22_50_40-edit-post-aws_cloud_netwroking-articles_tutorials_certifications-wordpress

This will setup the point to point IPsec tunnel on your end

you can now test the the new tunnel by initiaing traffic to the other side using ICMP pings and this should bring the tunnel up. 

Thanks for reading the article

Regards

H
Post Views: 4,007
Security No Comment , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

*
*