IKEv1 Site to Site VPN configuration on the ASA

The aim here is to provide a breakdown of what happens when initiating an IPSEC tunnel on the ASA using IKEv1. We will first look at the components of IPSEC before moving on to explain how this is implemented over a VPN using IKE.
IPSEC

IPSEC is a layer 3 protocol used to provide secure communication at layer 3. It can be broken down into providing the following services:

Confidentiality – Provided via encryption algorithms such as DES, 3DES and AES.
Data Integrity – Hashing algorithms are used to validate that data has not been altered. Popular hashing algorithms include MD5 and SHA.
Authentication – Authentication of peers in IPSEC is provided by IKE (Internet Key Exchange), which can use pre-shared keys or digital certificates.
Key Management – Allows for safe exchange of the generated keys used for encryption; this is done via DH or ECDH.

There are two primary framework protocols for IPSEC: AH (Authentication Header) and ESP (Encapsulating Security Payload). AH is generally used less than ESP because AH does not provide data encryption. IPSEC can run in two different modes, known as transport mode and tunnel mode.

Transport Mode:

In transport mode security is only provided for the data payload of the original packet, and the original IP header (including the source and destination addresses) is left in clear text. A typical use of ESP transport mode is between hosts within a network.

Tunnel Mode:

Tunnel mode secures the entire original packet: the original packet is encrypted and encapsulated within a new IP packet. ESP tunnel mode is generally used between hosts and security gateways, such as between VPN peers.
Establishing an IPSEC VPN using IKEv1

So how does this all tie into VPNs? Tunnel mode packets are how the data is transmitted across the IPSEC tunnel, but before this takes place both endpoints of a site to site VPN need to authenticate each other and agree on the methods of confidentiality, data integrity, authentication and key management. This is achieved using IKE. Internet Key Exchange can be broken down into two phases. The first phase negotiates the security policy to be used for the ISAKMP (Internet Security Association and Key Management Protocol) SA, exchanges keys through Diffie-Hellman and authenticates the remote peer. The second phase establishes the IPSEC SAs for the identified interesting traffic between the peers by agreeing the transform set to use and establishing the shared secret keying material; this is done over the secure channel that was set up in phase 1. Below is an explanation of each phase and code examples of how this is set up on the ASA:
Phase 1

The first step in IKEv1 is negotiating the security policy that will be used for the ISAKMP security association. An easy way to remember the contents of this policy is the acronym H.A.G.L.E:

H- Hashing algorithm
A- Authentication method (pre-shared key or digital signature)
G- Group, i.e. the Diffie-Hellman group number to use
L- Lifetime of the tunnel (the ISAKMP SA)
E- Encryption algorithm to use

Security policies on the ASA, sometimes referred to as policy maps, are specified using the command crypto ikev1 policy <number>, where the number is the priority. The ASA tries to match IKEv1 policies with the peer from the lowest number up, so you should give stronger policies a lower policy number.
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

Once the security policies have been exchanged, the second step of phase 1 is the Diffie-Hellman key exchange. This establishes a shared secret between the peers that is used to encrypt communication between them, resulting in the ISAKMP SA.
Diffie-Hellman Key exchange

Diffie-Hellman key exchange is a method for sharing keying information over an insecure channel to arrive at a shared secret between the peers that can be used for encryption. Each peer generates a private and a public key (the public key is derived from the private key and two known values, p and g, which are specified by the Diffie-Hellman group). The peers then exchange public keys over the insecure medium. Once each peer has the other's public key, the received public key is combined with the local private key, which results in each peer computing the same shared secret key. Please see below for the differences between the Diffie-Hellman groups and a visual representation of the exchange:

DH Group 1: 768-bit group
DH Group 2: 1024-bit group
DH Group 5: 1536-bit group
DH Group 14: 2048-bit group
DH Group 15: 3072-bit group
DH Group 19: 256-bit elliptic curve group
DH Group 20: 384-bit elliptic curve group
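
The exchange described above, worked through in code as an added example (not part of the original post). It uses a constructed toy group, a 2039-bit-free safe prime of only 11 bits with generator 2, purely to show the mechanics; the real groups listed above use 768-bit to 3072-bit primes.

```python
import secrets

# Constructed toy group for illustration only: a small safe prime p = 2q + 1 with
# generator g = 2, the same shape as the IKE MODP groups in the table above but far
# too small for real use (the real groups use 768-bit to 3072-bit primes).
P = 2039
G = 2

def generate_keypair(p=P, g=G):
    """A peer picks a random private value and derives its public value g^private mod p."""
    private = secrets.randbelow(p - 2) + 1     # 1 <= private <= p - 2
    public = pow(g, private, p)
    return private, public

def shared_secret(own_private, peer_public, p=P):
    """Combine the peer's public value with the local private value: (g^b)^a mod p."""
    return pow(peer_public, own_private, p)

def dh_exchange(p=P, g=G):
    """Run the exchange between peer A and peer B; only the public values cross the wire."""
    a_private, a_public = generate_keypair(p, g)
    b_private, b_public = generate_keypair(p, g)
    secret_at_a = shared_secret(a_private, b_public, p)   # A uses B's public value
    secret_at_b = shared_secret(b_private, a_public, p)   # B uses A's public value
    # Both sides now hold the same value g^(a*b) mod p without ever sending it.
    # The exchange itself does not authenticate the peers; IKE does that afterwards
    # with the pre-shared key or certificate, as the next paragraph describes.
    return secret_at_a, secret_at_b

if __name__ == "__main__":
    s_a, s_b = dh_exchange()
    print("peer A secret:", s_a, "peer B secret:", s_b, "match:", s_a == s_b)
```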


After the Diffie-Hellman exchange the initial ISAKMP SA is set up and authenticated using the authentication method defined in the agreed policy. Once authenticated, phase 1 of IKEv1 is complete. The steps listed above can be carried out in IKEv1 in one of two modes: main mode and aggressive mode. Main mode exchanges a total of 6 messages (3 message pairs) to achieve the ISAKMP SA, whereas aggressive mode completes this in a total of 3 messages. Below details the message exchanges in both main and aggressive mode.

Main Mode

Aggressive Mode

In aggressive mode fewer exchanges are made, as almost all the information is placed into the first packet, resulting in a faster exchange; however, it is vulnerable to packet sniffing. Once phase 1 is complete a secure connection exists between the peers over which the IPSEC SAs and keying information for phase 2 are communicated. You can check this on the ASA by using the following command:

show isakmp sa detail | b <peer address or name>

1 IKE Peer: 1.2.3.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 30668
Phase 2

In phase 2 the IPSEC SAs are negotiated (or renegotiated) for the identified interesting network traffic that will traverse the VPN tunnel. As the SAs that IPSEC uses are unidirectional, a separate SA is set up for each direction of each data flow. On the ASA the IPSEC policies are defined using crypto maps. A crypto map is made up of the following elements:

Transform Set – Contains the payload encryption and authentication methods to be used by the tunnel.
IPSEC Peer – Specifies the peer address to which the IPSEC protected packets are sent.
Crypto ACL – Defines the interesting traffic, i.e. the local and remote encryption domains identifying the traffic to be protected by IPSEC.
Lifetime (optional) – Specifies the lifetime of the IPSEC SA before it is rekeyed; if this is not specified the tunnel uses the default.
PFS (optional) – Perfect Forward Secrecy is an additional option where a separate DH agreement is performed for each phase 2 negotiation; by default phase 2 keys are derived from the phase 1 keys.

Example:

Crypto ACL (the ASA takes subnet masks here, not wildcard masks):
access-list 150 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Transform set:
crypto ipsec ikev1 transform-set EXAMPLE-TRANSFORM esp-aes-256 esp-sha-hmac

Crypto map:
crypto map EXAMPLE 10 match address 150
crypto map EXAMPLE 10 set pfs
crypto map EXAMPLE 10 set peer 1.2.3.4
crypto map EXAMPLE 10 set ikev1 transform-set EXAMPLE-TRANSFORM
crypto map EXAMPLE 10 set security-association lifetime seconds 3600
crypto map EXAMPLE interface OUTSIDE

Phase 2 negotiations in IKEv1 take place using quick mode, which consists of a 3 packet exchange carried over the ISAKMP tunnel already established in phase 1. Below details the messages exchanged in quick mode:

Quick mode:

Once this is complete the IPSEC VPN is formed between peer A and peer B. To check the status of the VPN on the ASA you can use the command show vpn-sessiondb detail l2l filter name <peer>. Please see below for example output of this command:

Connection : 1.2.3.4
Index : 248 IP Addr : 1.1.99.80
Protocol : IKE IPsec
Encryption : AES128 Hashing : MD5
Bytes Tx : 173280 Bytes Rx : 173280
Login Time : 19:02:57 UTC Mon May 19 2014
Duration : 16h:46m:22s
IKE Tunnels: 1
IPsec Tunnels: 1

IKE:
Tunnel ID : 248.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES128 Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 26018 Seconds
D/H Group : 2
Filter Name :

IPsec:
Tunnel ID : 248.2
Local Addr : 192.168.101.0/255.255.255.0/0/0
Remote Addr : 192.168.108.0/255.255.255.0/0/0
Encryption : AES128 Hashing : MD5
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 17378 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607968 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 173280 Bytes Rx : 173280
Pkts Tx : 1805 Pkts Rx : 1805
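
As an added example (not from the original post), a small parser that reads the IKE section of the output format shown above and flags phase 1 settings a defender would want to tighten, using the DH group sizes from the table earlier on this page. The sample text is constructed from that format, and the 2048-bit minimum is an assumed audit threshold, not a value from the page.

```python
import re

# Constructed sample, following the format of the show vpn-sessiondb output above.
SAMPLE = """\
IKE:
Tunnel ID : 248.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES128 Hashing : MD5
Rekey Int (T): 86400 Seconds Rekey Left(T): 26018 Seconds
D/H Group : 2
Filter Name :

IPsec:
Tunnel ID : 248.2
Encryption : AES128 Hashing : MD5
Rekey Int (T): 28800 Seconds Rekey Left(T): 17378 Seconds
"""

# Bit strengths of the DH groups from the table earlier on this page.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 19: 256, 20: 384}
ECP_GROUPS = {19, 20}   # elliptic-curve groups, whose bit sizes are not comparable to MODP
MIN_MODP_BITS = 2048    # assumed audit threshold, not a value from the page

def parse_ike_section(text):
    """Extract the phase 1 (IKE) parameters from 'show vpn-sessiondb detail l2l' output."""
    ike = text.split("IPsec:")[0]   # the IKE block precedes the IPsec block
    fields = {}
    m = re.search(r"IKE Neg Mode\s*:\s*(\w+)\s+Auth Mode\s*:\s*(\w+)", ike)
    fields["neg_mode"], fields["auth_mode"] = m.group(1), m.group(2)
    m = re.search(r"Encryption\s*:\s*(\w+)\s+Hashing\s*:\s*(\w+)", ike)
    fields["encryption"], fields["hashing"] = m.group(1), m.group(2)
    fields["dh_group"] = int(re.search(r"D/H Group\s*:\s*(\d+)", ike).group(1))
    m = re.search(r"Rekey Int \(T\):\s*(\d+) Seconds Rekey Left\(T\):\s*(\d+)", ike)
    fields["rekey_int"], fields["rekey_left"] = int(m.group(1)), int(m.group(2))
    return fields

def audit_phase1(fields):
    """Return the findings a defender would raise against the negotiated phase 1 parameters."""
    findings = []
    if fields["hashing"].upper() == "MD5":
        findings.append("hashing MD5 is deprecated; negotiate SHA instead")
    g, bits = fields["dh_group"], DH_GROUP_BITS.get(fields["dh_group"])
    if g not in ECP_GROUPS and bits is not None and bits < MIN_MODP_BITS:
        findings.append(f"DH group {g} is only {bits}-bit; use group 14 or higher")
    if fields["neg_mode"].lower() == "aggressive":
        findings.append("aggressive mode is vulnerable to packet sniffing; use main mode")
    return findings
```

Run against the sample it reports the MD5 hash and the 1024-bit group 2 that the output above shows negotiated.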
Configuration of IKEv1 tunnel

Now that we have had a look at how an IKEv1 tunnel is formed, we can see how to configure it on an ASA firewall. Below is a breakdown of a VPN configuration, split between global policies that can be used for multiple tunnels and per tunnel configuration.

Global Configuration

Optional:

Per Tunnel Configuration

This concludes the outline of IKEv1 VPN tunnels. Stick around for more fun in future posts covering IKEv2 and other VPN fundamentals.
