Breaking down a VPN tunnel into easier to understand terms?

I’ve set up many VPN tunnels using the ASDM wizard, but I’m starting to want to know the inner nuts and bolts of how and why things are happening. Does anyone have a good explanation of what the components of a VPN are and, if possible, the accompanying syntax?

I realize this may be a very broad question so keeping it to the core fundamentals is fine.

Thanks in advance.

IPSec VPN can be broken into two main phases:

Phase 1 - aka IKE settings in ASDM

Phase 1 is used to agree upon how the two VPN devices will negotiate all other communication between each other.

Phase 2 - aka IPSec settings in ASDM

Phase 2 is used to secure the actual traffic going through the VPN.


Phase 1 is used to determine how your peer (your ASA firewall) talks securely to the remote peer (the Peer IP in the connection profile.) Phase 1 includes these main components:

Peer - the IP of their VPN peer (something you are)

PSK - the preshared key or cert (something you have/know)

IKE policy - the encryption and authentication settings to secure the phase 1 communication - such as AES256 encryption and SHA authentication

IKE Mode - aggressive or main, basically how much effort goes into the initial handshakes. Not exactly correct, but the general idea.


Phase 2 is used to actually build the SAs (security associations) to say you are going to protect traffic from your networks to their networks. The main settings here are:

Local encryption network/domain - the networks on your side that will talk to the other side

Remote encryption network/domain - the networks on the other side that will talk to your side

IPSec proposal - the encryption and authentication settings to secure the actual traffic - such as AES256 encryption and SHA authentication

Other settings such as lifetimes (amount of time or data before re-securing the VPN), perfect forward secrecy/PFS, and NAT-T are just options that need to match; they just add to how the VPN negotiates or allow the VPN to operate in slightly different ways (like through NATs, which normally break VPNs). There’s other nomenclature such as ISAKMP and a bunch of other acronyms - p1 and p2 basics are 95% of what all VPNs are composed of.

You can’t have Phase 2 come up without Phase 1 already being up. You can also have multiple Phase 2 SAs; each network-to-network combination will basically establish a new SA pair.

Are you looking for an ELI5-type step-by-step answer, or a deep illustration going into the nitty-gritty details of each part of the protocol? VPNs are a bit of a specialty of mine, so I can go into some hideous detail if desired.

Well I’ve read several articles that describe the parts but I’m really interested in what happens step by step and the commands that make each step happen. I’m familiar with many of the terms and what they mean but not enough that I could describe them well enough to suit me.

So the idiots guide to VPN way should help me tie things together.

These are all fantastic posts, please feel free to keep contributing, everything I read helps me understand it just a little better.

Encrypted packets in regular packets.

FYI, lifetimes do not have to match according to the RFCs (endpoints are supposed to use the lower of the two proposed lifetimes) and NAT-T only needs to match on each endpoint if it’s actually needed.

Other than that, the above info is mostly correct for IKE version 1. IKE version 2 does not have aggressive or main modes. IKEv2 introduces EAP as an alternative authentication mechanism to PSKs and certs (also, different PSKs can be used on different endpoints as opposed to the PSK having to match on both/all endpoints in IKEv1).

You can’t have Phase 2 come up without Phase 1 already being up.

I’m not sure I’d say this is true when it comes to GDOI (although it’s certainly open to interpretation), but correct for the common-or-garden flavour of IKE that’s used in the majority of VPNs.

/u/bornar’s post is awesome, I’ll supplement with the CLI. I have a templated config that I use for CLI (I think/hope I’ve stripped the sensitive bits), so I can just paste parts of it with explanations. Note that we don’t use EZVPN or anything with dynamic IPs, so I can’t help there.

ISAKMP Policies - You can use variations of this - AES(128/192/256)/DES/3DES, SHA/MD5, Diffie-Hellman groups. The two sides have to match on the crypto policy.

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside

Similar to ISAKMP policies are the IPSec transform-sets:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Here’s where we define the PSK for the tunnel:

tunnel-group IP.OF.PE.ER type ipsec-l2l
tunnel-group IP.OF.PE.ER ipsec-attributes
 pre-shared-key (whatever you want here)

We define the crypto map using an ACL, I use the same ACL for NAT-exemption and tunneling (because we don’t NAT back to our headend, we just NAT to the internet). The ACLs on each end should match, and you should make sure your ordering is correct. Naturally, the headend has a similar ACL with the order reversed.

object-group network Main-Location
 network-object 172.20.0.0 255.255.0.0
 network-object 172.21.0.0 255.255.0.0

object-group network Local-Users
 network-object [ip] [mask]

access-list Tunnel-ACL extended permit ip object-group Local-Users object-group Main-Location

Define the crypto map for phase 2, which uses the specified ACL and transform-set:

crypto map outside_map 1 match address Tunnel-ACL
crypto map outside_map 1 set peer IP.OF.PE.ER
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside

Reference materials I’ve found helpful are these:
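As an added example (not code from any poster in this thread), here is a small Python script that parses the `crypto isakmp policy` blocks from the CLI post above, runs the phase-1 proposal match that bornar’s answer describes (the first policy pair, in priority order, agreeing on authentication, encryption, hash and DH group forms the phase-1 SA, with the shorter lifetime taken as noted in the RFC reply), and lists settings an auditor would want re-examined. `REMOTE_CFG` is a constructed peer config; the `WEAK` table is this example’s own audit list.

```python
import re
# Phase-1 policies from the CLI post (local ASA) and a constructed remote peer config.
LOCAL_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""
REMOTE_CFG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 28800
"""
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}  # DH groups < 2048-bit

def parse_isakmp_policies(cfg):
    """Return {priority: {attribute: value}} for each 'crypto isakmp policy N' block."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return policies

def negotiate(local, remote):
    """First pair (priority order) agreeing on MATCH_KEYS wins; lifetime is not matched, the shorter is used."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if all(local[lp].get(k) == remote[rp].get(k) for k in MATCH_KEYS):
                lifetime = min(int(local[lp]["lifetime"]), int(remote[rp]["lifetime"]))
                return {"local": lp, "remote": rp, "lifetime": lifetime}
    return None  # no common policy: phase 1 never comes up, so neither does phase 2

def weak_settings(policy):
    """Attribute=value pairs in a policy that appear in the WEAK audit table."""
    return sorted(f"{k}={v}" for k, v in policy.items() if v in WEAK.get(k, ()))
```

With these inputs, local policy 10 is rejected (hash and group differ) and policy 20 matches the peer’s policy 5 with a 28800-second lifetime; the audit list flags the md5 hash and the sub-2048-bit DH groups.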