
Configuring Site-to-Site VPN on Cisco ASA

After covering the theory of IPsec VPN in the articles Overview of VPN technology and Overview of IPsec VPN, this article moves on to deployment: configuring a site-to-site IPsec VPN on Cisco ASA.
We will use the following topology:

In this topology, the requirement is to build a VPN tunnel that protects the traffic between PC1 and PC2.


Before the VPN can be configured, the following information must be agreed with the other end:
1) IKE Phase 1 policy: encryption, hash, authentication method, DH group, lifetime, and the pre-shared key.
2) IKE Phase 2 policy (transform set): encryption, hash, lifetime, and whether PFS is used.
3) The public IP addresses of the two VPN peers that terminate the tunnel.
4) The networks to be protected by the tunnel.
In this article the tunnel uses the following values:

1) IKE Phase 1 policy:
+ Encryption: 3DES
+ Hash: MD5
+ Authentication: pre-shared key
+ DH group: 2
+ Pre-shared key: cisco123
+ Lifetime: 3600s
2) IKE Phase 2 policy:
+ Encryption: AES-256
+ Hash: SHA-1
+ PFS: group 5
+ Lifetime: 1800s
3) The public IP address of ASA1 is 100.0.0.1 (interface outside1); the public IP address of ASA2 is 220.0.0.1 (interface outside).
4) The two networks protected by the tunnel are 192.168.2.0/24 (behind ASA1) and 172.16.2.0/24 (behind ASA2).
The Phase 1 values are lab settings kept from the original article: 3DES, MD5 and DH group 2 (and the PFS group 5 used in Phase 2) are deprecated for new deployments, as is a guessable pre-shared key such as cisco123. In production prefer AES, SHA-2, DH group 14 or higher and a long random key; the configuration steps are identical.
First, enable IKE on interface outside1 and configure the IKE Phase 1 policy. IKE has two versions, IKEv1 and IKEv2; this article uses IKEv1. The policy sequence number (2 here) only sets the priority among several policies: the peers need one policy whose attributes match, not the same number:

ASA1(config)# crypto ikev1 enable outside1
ASA1(config)# crypto ikev1 policy 2
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# hash md5
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

Next, configure the pre-shared key that authenticates the VPN peer in Phase 1. For an ipsec-l2l tunnel-group with pre-shared-key authentication, the tunnel-group name is the peer's public IP address:

ASA1(config)# tunnel-group 220.0.0.1 type ipsec-l2l


ASA1(config)# tunnel-group 220.0.0.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
The next step is the crypto ACL (the ACL that defines which traffic the tunnel protects) and the transform set. Both are referenced later from the crypto map. On the remote peer the crypto ACL must be the mirror image of this one (source and destination swapped); otherwise Phase 2 fails with a proxy-identity mismatch:

ASA1(config)# object network INSIDE_NETWORK
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config)# object network REMOTE_NETWORK
ASA1(config-network-object)# subnet 172.16.2.0 255.255.255.0
ASA1(config)# access-list VPN_TRAFFIC extended permit ip object INSIDE_NETWORK object REMOTE_NETWORK
ASA1(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Next, configure the crypto map, which references the crypto ACL and the transform set and sets the peer's IP address, the PFS group and the IPsec SA lifetime:

ASA1(config)# crypto map TO_BRANCH 1 match address VPN_TRAFFIC
ASA1(config)# crypto map TO_BRANCH 1 set pfs group5
ASA1(config)# crypto map TO_BRANCH 1 set peer 220.0.0.1
ASA1(config)# crypto map TO_BRANCH 1 set ikev1 transform-set ESP-AES-256-SHA
ASA1(config)# crypto map TO_BRANCH 1 set security-association lifetime seconds 1800

The last step is to apply the crypto map to interface outside1. ASA1 must have a route to 172.16.2.0/24 out interface outside1; only then does the crypto map match the traffic, and only then is it encrypted and sent through the tunnel:

ASA1(config)# crypto map TO_BRANCH interface outside1


The configuration on ASA2 is almost identical to ASA1. ASA2 likewise needs a route to 192.168.2.0/24 out interface outside, the interface the crypto map is applied to:

ASA2(config)# crypto ikev1 enable outside


ASA2(config)# crypto ikev1 policy 11
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# encryption 3des
ASA2(config-ikev1-policy)# hash md5
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config)# tunnel-group 100.0.0.1 type ipsec-l2l
ASA2(config)# tunnel-group 100.0.0.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ASA2(config)# object network INSIDE_NETWORK
ASA2(config-network-object)# subnet 172.16.2.0 255.255.255.0
ASA2(config)# object network REMOTE_NETWORK
ASA2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA2(config)# access-list VPN_TRAFFIC extended permit ip object INSIDE_NETWORK object REMOTE_NETWORK
ASA2(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
ASA2(config)# crypto map TO_CENTRAL 1 match address VPN_TRAFFIC
ASA2(config)# crypto map TO_CENTRAL 1 set pfs group5
ASA2(config)# crypto map TO_CENTRAL 1 set peer 100.0.0.1
ASA2(config)# crypto map TO_CENTRAL 1 set ikev1 transform-set ESP-AES-256-SHA
ASA2(config)# crypto map TO_CENTRAL 1 set security-association lifetime seconds 1800
ASA2(config)# crypto map TO_CENTRAL interface outside

Note that neither the Phase 1 nor the Phase 2 lifetime has to match between the two peers; they negotiate and use the smaller value. ASA2, however, already has a translation rule that NATs traffic leaving inside for outside, the interface carrying the crypto map, so an identity NAT (NAT exemption) rule is needed so that traffic bound for the tunnel is not translated. Without it the packets reach the crypto map with a translated source address, no longer match the crypto ACL, and leave toward the Internet unencrypted. (ASA1 needs no such rule, because it has no translation rule for traffic from inside to outside1.) The manual nat statement below lands in section 1 of the NAT table, ahead of object (auto) NAT rules; if the existing rule is itself a manual rule, insert this one before it:

ASA2(config)# nat (inside,outside) source static INSIDE_NETWORK INSIDE_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
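Because every Phase 1 and Phase 2 value has to agree between the two ends, a pre-deployment check saves a debugging session. The Python script below is an added example written for this article, not Cisco tooling: parse_asa extracts the IKEv1 policies, pre-shared key, network objects, crypto ACL, transform set and crypto-map entry from a configuration in the form shown above (the prompts are stripped), and check_pair verifies that the two ends hold the same pre-shared key, share a Phase 1 policy, use the same transform set and PFS group, and have mirror-image crypto ACLs, while treating lifetime differences as notes rather than errors. ASA1_CFG is the article's ASA1 configuration; ASA2_CFG is produced from it by swapping the two ends, the same substitution the article makes by hand (the policy sequence number is kept, since only its attributes matter). The parser covers only the commands used in this article.

```python
"""Pre-deployment check that two ASA site-to-site configs mirror each other.
Added example for this article, not Cisco tooling; the parser covers only the
commands used above.  ASA1_CFG holds the article's ASA1 commands (prompts are
stripped) and ASA2_CFG is derived by swapping the two ends, as the article does."""
import ipaddress
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
P1_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

def parse_asa(text):
    """Return the crypto-relevant pieces of one ASA configuration."""
    c = {"policies": {}, "psk": {}, "objects": {}, "acls": {}, "tsets": {}, "maps": {}}
    ctx = None   # sub-mode being filled: ("policy", seq), ("tg", peer) or ("obj", name)
    for raw in text.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if not w: continue
        if w[:3] == ["crypto", "ikev1", "policy"]:
            ctx = ("policy", w[3]); c["policies"][w[3]] = {}
        elif w[0] == "tunnel-group":                      # name is the peer IP for ipsec-l2l
            ctx = ("tg", w[1]) if w[2] == "ipsec-attributes" else None
        elif w[:2] == ["object", "network"]:
            ctx = ("obj", w[2])
        elif w[0] == "access-list":                       # ... permit ip object SRC object DST
            c["acls"].setdefault(w[1], []).append((w[6], w[8])); ctx = None
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            c["tsets"][w[4]] = tuple(w[5:]); ctx = None
        elif w[:2] == ["crypto", "map"] and w[3] != "interface":
            m, r = c["maps"].setdefault((w[2], w[3]), {}), w[4:]
            if r[0] == "match": m["acl"] = r[2]
            elif r[1] == "security-association": m["sa_life"] = r[4]
            else: m[r[1]] = r[-1]                         # set peer / set pfs / set ikev1 transform-set
            ctx = None
        elif ctx and ctx[0] == "policy" and w[0] in P1_ATTRS:
            c["policies"][ctx[1]][w[0]] = w[1]
        elif ctx and ctx[0] == "tg" and w[:2] == ["ikev1", "pre-shared-key"]:
            c["psk"][ctx[1]] = w[2]
        elif ctx and ctx[0] == "obj" and w[0] == "subnet":
            c["objects"][ctx[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        else:
            ctx = None   # ikev1 enable, type ipsec-l2l, nat, map-to-interface: not checked here
    return c

def check_pair(a, b):
    """Errors would keep the tunnel from coming up; notes are non-fatal but worth knowing."""
    err, note = [], []
    ma, mb = next(iter(a["maps"].values())), next(iter(b["maps"].values()))
    if ma["peer"] not in a["psk"] or a["psk"][ma["peer"]] != b["psk"].get(mb["peer"]):
        err.append("pre-shared key missing or different on the two peers")
    k = lambda p: (p.get("authentication"), p.get("encryption"), p.get("hash"), p.get("group"))
    if not {k(p) for p in a["policies"].values()} & {k(p) for p in b["policies"].values()}:
        err.append("no IKEv1 policy agrees on authentication/encryption/hash/group")
    if {p.get("lifetime") for p in a["policies"].values()} != {p.get("lifetime") for p in b["policies"].values()}:
        note.append("IKE lifetimes differ; the peers negotiate the lower value")
    if a["tsets"][ma["ikev1"]] != b["tsets"][mb["ikev1"]]:
        err.append("transform sets differ")
    if ma.get("pfs") != mb.get("pfs"):
        err.append("PFS group differs")
    if ma.get("sa_life") != mb.get("sa_life"):
        note.append("IPsec SA lifetimes differ; the peers negotiate the lower value")
    nets = lambda c, m: {(c["objects"][s], c["objects"][d]) for s, d in c["acls"][m["acl"]]}
    if nets(a, ma) != {(d, s) for s, d in nets(b, mb)}:  # B's ACL must be A's with src/dst swapped
        err.append("crypto ACLs are not mirror images of each other")
    for side, c in (("A", a), ("B", b)):
        for seq, p in c["policies"].items():
            if {p.get("encryption"), p.get("hash"), p.get("group")} & {"des", "3des", "md5", "1", "2", "5"}:
                note.append(f"{side}: policy {seq} uses 3DES/MD5/DH group 2-class algorithms (lab values; prefer AES, SHA-2 and DH group 14 or higher)")
    return {"errors": err, "notes": note}

ASA1_CFG = """
ASA1(config)# crypto ikev1 enable outside1
ASA1(config)# crypto ikev1 policy 2
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption 3des
ASA1(config-ikev1-policy)# hash md5
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600
ASA1(config)# tunnel-group 220.0.0.1 type ipsec-l2l
ASA1(config)# tunnel-group 220.0.0.1 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ASA1(config)# object network INSIDE_NETWORK
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config)# object network REMOTE_NETWORK
ASA1(config-network-object)# subnet 172.16.2.0 255.255.255.0
ASA1(config)# access-list VPN_TRAFFIC extended permit ip object INSIDE_NETWORK object REMOTE_NETWORK
ASA1(config)# crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
ASA1(config)# crypto map TO_BRANCH 1 match address VPN_TRAFFIC
ASA1(config)# crypto map TO_BRANCH 1 set pfs group5
ASA1(config)# crypto map TO_BRANCH 1 set peer 220.0.0.1
ASA1(config)# crypto map TO_BRANCH 1 set ikev1 transform-set ESP-AES-256-SHA
ASA1(config)# crypto map TO_BRANCH 1 set security-association lifetime seconds 1800
ASA1(config)# crypto map TO_BRANCH interface outside1
"""
# ASA2 = ASA1 with the two ends swapped; the policy sequence number is kept (only attributes matter)
SWAP = {"ASA1": "ASA2", "outside1": "outside", "TO_BRANCH": "TO_CENTRAL", "220.0.0.1": "100.0.0.1",
        "192.168.2.0": "172.16.2.0", "172.16.2.0": "192.168.2.0"}
ASA2_CFG = re.sub(r"[\w.]+", lambda m: SWAP.get(m.group(), m.group()), ASA1_CFG)
```

On the article's configuration the check reports no errors, only the note that the Phase 1 algorithms are lab-grade; changing ASA2's hash to sha, or one of its subnets, turns that into an error before anything is pushed, and raising only one side's IKE lifetime produces a note rather than an error, matching the behaviour described in the text.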
Verify the tunnel by pinging from PC1 to PC2. Because the tunnel takes a moment to come up, the first ping packets are lost:

Capturing with Wireshark shows 6 packets to complete the Phase 1 Main Mode negotiation, followed by 3 more packets for the Phase 2 Quick Mode negotiation. The packets after that (ESP) are PC1's traffic to PC2, encrypted by the tunnel:
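As an added example that is not part of the original article, the Python script below recognises that sequence programmatically. It decodes the fixed ISAKMP header of each UDP/500 datagram (cookies, exchange type, encryption flag, message ID) and the SPI and sequence number of each ESP packet, counts Main Mode and Quick Mode messages, and reports anything out of order: Quick Mode before six Main Mode messages, ESP before Quick Mode has finished, MM5/MM6 sent without the encryption flag, or a non-increasing ESP sequence number. The capture it runs on is constructed inside the script to mimic the Wireshark view described above; the cookie, message-ID and SPI values are arbitrary, and a real capture would need a pcap reader to extract the same payloads.

```python
"""Recognise the IKEv1 tunnel bring-up described above (6 Main Mode, 3 Quick
Mode, then ESP) from packet payloads.  Added example, not part of the article;
the capture below is constructed, and cookies/SPIs are arbitrary values."""
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408 s3.1): I-cookie, R-cookie, next payload,
# version, exchange type, flags, message ID, total length = 28 bytes
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main_mode", 4: "aggressive", 5: "informational", 32: "quick_mode"}
FLAG_ENCRYPTED = 0x01   # payloads after the header are encrypted under the Phase 1 SA

def parse_isakmp(payload):
    """Decode the ISAKMP header of one UDP/500 datagram; ValueError if malformed."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, _next, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(payload)
    if ver >> 4 != 1:
        raise ValueError(f"major version {ver >> 4}, not IKEv1")
    if length != len(payload):
        raise ValueError("ISAKMP length field disagrees with datagram size")
    return {"icookie": icookie, "rcookie": rcookie, "msgid": msgid,
            "exchange": EXCHANGE.get(exch, f"type_{exch}"),
            "encrypted": bool(flags & FLAG_ENCRYPTED)}

def parse_esp(payload):
    """ESP (RFC 4303) starts with a 4-byte SPI and a 4-byte sequence number."""
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack_from("!II", payload)
    return {"spi": spi, "seq": seq}

def summarize(capture):
    """Count exchanges in order and report anything that breaks the expected sequence."""
    counts, problems, esp_seq, icookie = Counter(), [], {}, None
    for n, pkt in enumerate(capture, 1):
        if pkt["proto"] == "udp" and pkt["sport"] == pkt["dport"] == 500:
            h = parse_isakmp(pkt["payload"])
            counts[h["exchange"]] += 1
            if h["exchange"] == "main_mode":
                if icookie is None:            # MM1: responder cookie is still zero
                    icookie = h["icookie"]
                    if h["rcookie"] != bytes(8):
                        problems.append(f"pkt {n}: first Main Mode packet has a responder cookie")
                elif h["icookie"] != icookie:
                    problems.append(f"pkt {n}: initiator cookie changed mid-exchange")
                if counts["main_mode"] >= 5 and not h["encrypted"]:   # MM5/MM6 carry IDs + hashes
                    problems.append(f"pkt {n}: MM{counts['main_mode']} sent unencrypted")
            elif h["exchange"] == "quick_mode":
                if counts["main_mode"] < 6:
                    problems.append(f"pkt {n}: Quick Mode started before Main Mode finished")
                if not h["encrypted"] or h["msgid"] == 0:
                    problems.append(f"pkt {n}: Quick Mode packet not protected by the Phase 1 SA")
        elif pkt["proto"] == "esp":
            if counts["quick_mode"] < 3:
                problems.append(f"pkt {n}: ESP before Quick Mode completed")
            e = parse_esp(pkt["payload"])
            counts["esp"] += 1
            if esp_seq.get(e["spi"], 0) >= e["seq"]:     # anti-replay expects an increasing sequence
                problems.append(f"pkt {n}: ESP sequence did not increase for SPI {e['spi']:#x}")
            esp_seq[e["spi"]] = e["seq"]
    return {"counts": dict(counts), "problems": problems, "esp_spis": sorted(esp_seq)}

# --- constructed capture mimicking the article's Wireshark view (not real traffic) ---
def isakmp(icookie, rcookie, exch, flags, msgid, body=bytes(40)):
    hdr = ISAKMP_HDR.pack(icookie, rcookie, 1, 0x10, exch, flags, msgid, ISAKMP_HDR.size + len(body))
    return {"proto": "udp", "sport": 500, "dport": 500, "payload": hdr + body}

def esp(spi, seq, body=bytes(64)):
    return {"proto": "esp", "payload": struct.pack("!II", spi, seq) + body}

ICK, RCK = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
CAPTURE = (
    [isakmp(ICK, bytes(8), 2, 0, 0)]                                  # MM1: SA proposal
    + [isakmp(ICK, RCK, 2, 0, 0) for _ in range(3)]                   # MM2-MM4: SA accept, KE, nonces
    + [isakmp(ICK, RCK, 2, FLAG_ENCRYPTED, 0) for _ in range(2)]      # MM5-MM6: identities, encrypted
    + [isakmp(ICK, RCK, 32, FLAG_ENCRYPTED, 0x5A5A5A5A) for _ in range(3)]  # QM1-QM3
    + [esp(0xC0FFEE01, s) for s in range(1, 5)]                       # PC1 -> PC2 data under the IPsec SA
)

if __name__ == "__main__":
    print(summarize(CAPTURE))
```

Run as is, it reports 6 Main Mode, 3 Quick Mode and 4 ESP packets with an empty problem list; feed it a capture in which ESP shows up before Quick Mode has completed and the offending packet number is reported instead, which is the first thing to look at when the ping works in one direction only.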

Show the Phase 1 SA with show crypto ikev1 sa detail

Show the Phase 2 SAs with show crypto ipsec sa detail (the encaps/decaps packet counters should increase while the ping runs)

Show a summary of both phases with show vpn-sessiondb l2l

If you are configuring the site-to-site VPN on a Cisco router instead, proceed as follows (assume ASA2 in the topology above is replaced by router R2, whose interface f0/0 connects to ISP2). NAT_TRAFFIC is the ACL used by the router's NAT rule; its deny entry plays the same role as the identity NAT on ASA2:

R2(config)# crypto isakmp enable
R2(config)# crypto isakmp policy 11
R2(config-isakmp)# encryption 3des
R2(config-isakmp)# hash md5
R2(config-isakmp)# authentication pre-share
R2(config-isakmp)# group 2
R2(config-isakmp)# lifetime 3600
R2(config)# crypto isakmp key cisco123 address 100.0.0.1
R2(config)# ip access-list extended VPN_TRAFFIC
R2(config-ext-nacl)# permit ip 172.16.2.0 0.0.0.255 192.168.2.0 0.0.0.255
R2(config)# ip access-list extended NAT_TRAFFIC
R2(config-ext-nacl)# remark do not NAT traffic that will go through the VPN tunnel
R2(config-ext-nacl)# deny ip 172.16.2.0 0.0.0.255 192.168.2.0 0.0.0.255
R2(config-ext-nacl)# remark everything else (Internet access) is NATed
R2(config-ext-nacl)# permit ip 172.16.2.0 0.0.0.255 any
R2(config)# crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
R2(config)# crypto map TO_CENTRAL 1 ipsec-isakmp
R2(config-crypto-map)# set peer 100.0.0.1
R2(config-crypto-map)# set security-association lifetime seconds 1800
R2(config-crypto-map)# set transform-set ESP-AES-256-SHA
R2(config-crypto-map)# set pfs group5
R2(config-crypto-map)# match address VPN_TRAFFIC
R2(config)# interface f0/0
R2(config-if)# crypto map TO_CENTRAL
Verification commands on the router: show crypto isakmp sa detail for the Phase 1 SA, and show crypto ipsec sa detail for the Phase 2 (IPsec) SAs.
