Jun 8, 2012

Route-based IPsec VPN on ASA

IOS (and some appliances from other vendors) has a feature called VTI (virtual tunnel interface) that can be used to set up route-based IPsec VPNs: to reach a new remote network we just add a static route pointing at the tunnel interface, without updating the encryption domain (the crypto ACL, also called the proxy ACL).

The ASA doesn't support tunnel interfaces, but we can still set up route-based IPsec VPNs, and that is what I am going to show.

Since we don't have tunnel interfaces available, we have to dedicate a physical interface, or create a logical subinterface, to this role. We then have one outside interface for general Internet access and another outside interface used only for route-based VPN tunnels. I'm going to explain how to set up route-based VPNs on the ASA using the following topology:


Interface settings on local-asa:

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 172.16.100.2 255.255.255.0
!
interface Ethernet0/0.200
 vlan 200
 nameif vpn
 security-level 0
 ip address 172.16.200.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
 no shutdown


The ACL used to select traffic for encryption must match any packet sent through the vpn interface. That is the only difference between a policy-based VPN and a route-based one:

access-list enc-domain extended permit ip any any
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 172.31.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.31.200.2 type ipsec-l2l
tunnel-group 172.31.200.2 ipsec-attributes
 pre-shared-key cisco


We need a static route to the remote peer via the vpn interface; otherwise the tunnel would be established on the outside interface. We also add static routes for every remote subnet that we need to reach through the VPN tunnel:

route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1
route vpn 10.20.0.0 255.255.255.0 172.31.200.2 1


Interface settings on remote-asa:

interface Ethernet0/0
 no shutdown
!
interface Ethernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 172.31.100.2 255.255.255.0
!
interface Ethernet0/0.200
 vlan 200
 nameif vpn
 security-level 0
 ip address 172.31.200.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.0.1 255.255.255.0
 no shutdown


VPN policy on remote-asa:

access-list enc-domain extended permit ip any any
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 172.16.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN interface vpn
crypto isakmp enable vpn
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 172.16.200.2 type ipsec-l2l
tunnel-group 172.16.200.2 ipsec-attributes
 pre-shared-key cisco


Static routes on remote-asa:

route outside 0.0.0.0 0.0.0.0 172.31.100.1 1
route vpn 172.16.200.2 255.255.255.255 172.31.200.1 1
route vpn 10.1.0.0 255.255.255.0 172.16.200.2 1
route inside 10.20.0.0 255.255.255.0 10.2.0.2 1



IPsec SA on local-asa:

local-asa(config)# sh ipsec sa
interface: vpn
 Crypto map tag: VPN, seq num: 1, local addr: 172.16.200.2

  access-list enc-domain permit ip any any
  local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
  current_peer: 172.31.200.2

  #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
  #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: 172.16.200.2, remote crypto endpt.: 172.31.200.2
...

Routing table on local-asa:

local-asa(config)# sh route

Gateway of last resort is 172.16.100.1 to network 0.0.0.0

C    172.16.200.0 255.255.255.0 is directly connected, vpn
C    172.16.100.0 255.255.255.0 is directly connected, outside
S    172.31.200.2 255.255.255.255 [1/0] via 172.16.200.1, vpn
S    10.2.0.0 255.255.255.0 [1/0] via 172.31.200.2, vpn
C    10.1.0.0 255.255.255.0 is directly connected, inside
S    10.20.0.0 255.255.255.0 [1/0] via 172.31.200.2, vpn
S*   0.0.0.0 0.0.0.0 [1/0] via 172.16.100.1, outside

If you want to reach an additional remote subnet, you just need to add a static route on the local-asa. You don't need to change anything on the remote-asa.


asa(config)# end
asa# wr mem
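
The configuration above has four properties that must all hold for the route-based tunnel to come up on the vpn interface: the crypto map is bound to vpn, ISAKMP is enabled there, the encryption domain is "permit ip any any", and both the /32 route to the peer and the routes to the remote subnets leave through vpn. The Python script below is an added example, not part of the original post and not a Cisco tool: it is a hypothetical, minimal parser that recognises only the statement forms used on this page and checks those four properties. The first sample input is condensed from the local-asa configuration above; the second is a constructed variant in which the peer host route is pointed out the outside interface, the condition the post warns about.

```python
"""Static checker for an ASA route-based IPsec VPN configuration (added example)."""
import re
from collections import defaultdict

# Constructed sample: the local-asa configuration from the post, condensed to
# the statements this checker understands.
LOCAL_ASA_CONFIG = """\
interface Ethernet0/0.200
 nameif vpn
 ip address 172.16.200.2 255.255.255.0
!
access-list enc-domain extended permit ip any any
crypto map VPN 1 match address enc-domain
crypto map VPN 1 set peer 172.31.200.2
crypto map VPN 1 set transform-set esp-3des-sha
crypto map VPN interface vpn
crypto isakmp enable vpn
route outside 0.0.0.0 0.0.0.0 172.16.100.1 1
route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1
route vpn 10.20.0.0 255.255.255.0 172.31.200.2 1
"""

# Constructed variant: the peer host route points out 'outside', so IKE would
# leave through the wrong interface and the tunnel never comes up on 'vpn'.
MISROUTED_PEER_CONFIG = LOCAL_ASA_CONFIG.replace(
    "route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1",
    "route outside 172.31.200.2 255.255.255.255 172.16.100.1 1",
)

# Hypothetical parser: only the statement forms used on this page are recognised.
_PATTERNS = {
    "acl": re.compile(r"access-list (\S+) extended (.+)"),
    "cmap_if": re.compile(r"crypto map (\S+) interface (\S+)"),
    "cmap_acl": re.compile(r"crypto map (\S+) (\d+) match address (\S+)"),
    "cmap_peer": re.compile(r"crypto map (\S+) (\d+) set peer (\S+)"),
    "isakmp": re.compile(r"crypto isakmp enable (\S+)"),
    "route": re.compile(r"route (\S+) (\S+) (\S+) (\S+)"),
}


def parse_asa_config(text):
    """Collect ACLs, crypto-map bindings and entries, ISAKMP interfaces and static routes."""
    cfg = {"acls": defaultdict(list), "cmap_if": {}, "cmap": defaultdict(dict),
           "isakmp": set(), "routes": []}
    for raw in text.splitlines():
        line = raw.strip()
        for kind, pat in _PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "acl":
                cfg["acls"][g[0]].append(g[1])
            elif kind == "cmap_if":
                cfg["cmap_if"][g[0]] = g[1]
            elif kind == "cmap_acl":
                cfg["cmap"][(g[0], int(g[1]))]["acl"] = g[2]
            elif kind == "cmap_peer":
                cfg["cmap"][(g[0], int(g[1]))]["peer"] = g[2]
            elif kind == "isakmp":
                cfg["isakmp"].add(g[0])
            else:  # static route: interface, network, mask, gateway (metric ignored)
                cfg["routes"].append(dict(zip(("iface", "net", "mask", "gw"), g)))
            break
    return cfg


def check_route_based_vpn(cfg, vpn_if="vpn"):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    bound = {name for name, iface in cfg["cmap_if"].items() if iface == vpn_if}
    if not bound:
        findings.append(f"no crypto map is bound to interface '{vpn_if}'")
    if vpn_if not in cfg["isakmp"]:
        findings.append(f"ISAKMP is not enabled on interface '{vpn_if}'")
    for (name, seq), entry in sorted(cfg["cmap"].items()):
        if name not in bound:
            continue
        # Route-based operation needs an encryption domain that matches everything.
        if cfg["acls"].get(entry.get("acl"), []) != ["permit ip any any"]:
            findings.append(f"crypto map {name} {seq}: ACL must be 'permit ip any any'")
        peer = entry.get("peer")
        if not peer:
            findings.append(f"crypto map {name} {seq}: no peer configured")
            continue
        # The peer must be reached through the vpn interface; without a host route
        # there, IKE follows the default route out the outside interface.
        host = [r for r in cfg["routes"] if r["net"] == peer and r["mask"] == "255.255.255.255"]
        if not host:
            findings.append(f"peer {peer}: no host route via '{vpn_if}'")
        findings += [f"peer {peer}: host route points out '{r['iface']}' instead of '{vpn_if}'"
                     for r in host if r["iface"] != vpn_if]
        # Remote subnets are routed to the peer address; those routes must also sit on vpn.
        findings += [f"route to {r['net']} {r['mask']} via {peer} is on '{r['iface']}', not '{vpn_if}'"
                     for r in cfg["routes"] if r["gw"] == peer and r["iface"] != vpn_if]
    return findings


if __name__ == "__main__":
    for label, text in (("local-asa", LOCAL_ASA_CONFIG), ("misrouted", MISROUTED_PEER_CONFIG)):
        problems = check_route_based_vpn(parse_asa_config(text))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run against a saved "show running-config", the first sample passes cleanly and the second reports that the host route for 172.31.200.2 leaves through outside; the same check flags a configuration where the crypto map was never bound to vpn, which is the first thing to verify when IKE requests are seen leaving the wrong interface.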

37 comments:

  1. Interesting thought process. I was curious if you'd ever tried pairing an ASA with an IOS based configuration. Something tells me there would be some issue with the proxy IP. I truly wished we would get VTI on the ASA.

  2. Replies
    1. The IP assigned to the sub-interface of the ISP router. This is used as the gateway for the VPN interface.

  3. This is only static routes, am I correct in assuming that this would not work if you wanted to run dynamic routing (which is what every piece of documentation I've ever found says)?

    Replies
    1. Yes, it is possible. I will post an article explaining how it works with OSPF

    2. http://packetsneverlie.blogspot.com.br/2013/03/route-based-ipsec-vpn-with-ospf.html

    3. How would I configure it for multiple IPSec tunnels?
      Something like that?

      access-list enc-domainX extended permit ip any subnetX
      access-list enc-domainY extended permit ip any subnetY
      crypto map VPN 1 match address enc-domainX
      crypto map VPN 1 set peer 172.16.200.2
      crypto map VPN 1 set transform-set esp-3des-sha
      crypto map VPN 2 match address enc-domainY
      crypto map VPN 2 set peer z.z.z.z
      crypto map VPN 2 set transform-set esp-3des-sha
      route vpn 172.16.200.2 255.255.255.255 172.31.200.1 1
      route vpn z.z.z.z 255.255.255.255 172.31.200.1 1
      route vpn y.y.y.y 255.255.255.0 z.z.z.z 1

    4. You have to create one sub-interface for each peer and use the same "permit ip any any" encryption domain. The other steps are the same.

  4. So would the "vpn" subIF have to be an actual public ip or would I get away with just a public IP on the outside interface and then using an internal subnet dedicated for the endpoints?

    The idea is, if I have 5 offices, I don't want to (or can't) have 6 public IPs to use for vpn endpoints.

    Replies
    1. You need a public IP assigned to each sub-interface, because it is the peer IP address that will be configured on the remote side. And you need one subif per tunnel.

      Although we can setup route-based VPNs on ASAs, it's not a scalable solution. For multiple offices, the best options are L2L IPsec (on ASAs), and DMVPN or GETVPN (on IOS routers).

  5. Thanks Rentao, that's what I kind of figured, I just wanted to be sure! We were hoping to leverage some existing hardware to connect to some offices that use policy based vpn devices instead (and allow for a single 0.0.0.0/0 encryption).

  6. This comment has been removed by the author.

  7. It looks like it's trying to build the request to the outside interface and not the vpn interface. Any ideas?

    Sep 09 2013 16:38:08: %ASA-7-710005: UDP request discarded from 192.168.100.2/500 to outside:192.168.255.2/500


    Replies
    1. Make sure you have the crypto map bound to the 'vpn' interface. Show me your config if the crypto map is correctly applied.

    2. Thanks again. It was a route on my end. The only odd thing I noticed about doing it this way is that I can't ping the "vpn" interface gateway or the actual remote peer external IP. I'm assuming this is because of the 0.0.0.0/0 crypto ACL.

      otherwise I can ping through the tunnel just fine.

  8. interface Ethernet0/0.100
    vlan 100
    nameif outside
    security-level 0
    ip address 192.168.200.2 255.255.255.252
    !
    interface Ethernet0/0.200
    vlan 200
    nameif vpn
    security-level 0
    ip address 192.168.255.2 255.255.255.252

    crypto ipsec transform-set TEST esp-3des esp-md5-hmac
    crypto map VPN 1 match address enc-domain
    crypto map VPN 1 set peer 192.168.100.2
    crypto map VPN 1 set transform-set TEST
    crypto map VPN interface vpn
    crypto isakmp enable vpn

    tunnel-group 192.168.100.2 type ipsec-l2l
    tunnel-group 192.168.100.2 ipsec-attributes
    pre-shared-key *

    route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
    route vpn 192.168.1.0 255.255.255.0 192.168.100.2 1
    route vpn 192.168.100.2 255.255.255.255 192.168.200.1 1

  9. I think I see. I have the vpn 192.168.100.2 going to the outside gw instead of the "vpn" gw. Sorry to bother you! I'm going to assume that's it. Sometimes it's the simple things.

  10. An advantage of VTI is that the output interface that is used can be made independent of the virtual interface. This allows routing to select the appropriate interface to get to the tunnel destination (ie selecting between a WAN and internet interface). Is there a means of achieving this with your technique?

    Replies
    1. If you enable the crypto map on more than one interface, the ASA will use the routing table to find the best path to the remote peer and establish the tunnel.

  11. Can we do this if we want to have route based VPN between Cisco ASA and Cisco 2921 Router ?

  12. I was just looking at this as an option for connecting to a VPN. Looking at your config, my ISP would have to allow me to have two different subnets and 2 different VLANs to make this work, correct?

  13. Is it possible to achieve this without a router sitting between your ASA and the internet? I have my ISP plugged directly into my ASA. The problem with this method is that the entire IP subnet block from my ISP must be assigned to my outside interface, so I can't pick out one public IP for another interface since it overlaps. I would REALLY love to make this work so that I can connect to an Azure dynamic gateway using my ASA.

    Replies
    1. You don't need a router if you have an ethernet link with the ISP. Can't you split the range into small subnets?

    2. I have the same problem
      I am connected directly to my ISP and only have a limited number of IP addresses (Less than the number of remote sites)
      Is there any other way than to have one IP per remote site?

    3. In your case, you will need to use standard policy based VPN or replace the ASA with a device that supports route-based (e.g. IOS router).

  14. Hello,

    I have followed the same IP addressing as above, except I am using a physical interface for vpn instead of a sub-interface; however, I am facing an issue.

    interface Ethernet0/2
    nameif vpn
    security-level 0
    ip address 172.16.200.2 255.255.255.0

    route vpn 172.31.200.2 255.255.255.255 172.16.200.1 1
    route vpn 10.2.0.0 255.255.255.0 172.31.200.2 1

    I can see traffic coming in from the inside interface, and the firewall, as per the routes above, is sending ARPs for 172.16.200.1 on the interface vpn. However, I can see phase-1 being attempted but stuck in MM_WAIT_MSG2. I have checked on the remote firewall and am not seeing any connection attempts.

    Please advise.

    Regards,

    Abid Ghufran

    Replies
    1. It sounds like a routing problem between the peers. Do you see IKE traffic on the local gateway?

  15. Hello,

    I cannot ping the inside of the ASA (10.1.0.1 255.255.255.0) from hosts within the 10.2.0.0/24 network, nor ping hosts within 10.2.0.0/24 directly from the ASA (10.1.0.1 255.255.255.0).
    What's wrong?

    Replies
    1. Have you enabled "management access" command and added icmp rules?
      http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_management.html#wp1064497

    2. I found it (management-access inside) and this does not help.

    3. Check the logs. You must find something useful there, otherwise you will need to troubleshoot using debugs and ASP type captures.

    4. I think that ICMP ACLs for interfaces are unnecessary, because all the traffic is tunnelled (thanks to the crypto map). ICMP traffic between the LANs of the sites is working correctly.

    5. Do you have NAT rules? Check this bug report: CSCtr16184

  16. No, I do not use NAT rules, because it is a "route-based VPN".

  17. But I created NAT statements for a test:

    object network any-network
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup
    nat (outside,inside) source static any-network any-network destination static any-network any-network no-proxy-arp route-lookup

    The problem still exists. Can you test such communication in your lab environment?
