High Availability VPN can be achieved on a Cisco ASA firewall using a multi-peer crypto map. Previously this feature was only supported on the ASA when using IKEv1/ISAKMP, not IKEv2; as of ASA version 9.14 it is also supported on IKEv2.

A multi-peer crypto map allows up to a maximum of 10 peer addresses to be configured for establishing a VPN. When a peer fails and the tunnel goes down, IKEv2 attempts to establish a VPN tunnel to the next peer in the list. The VPNs are Active/Standby: only one tunnel per crypto map sequence will be active at a time.

To detect tunnel failure, when a peer VPN tunnel goes down the ASA transmits 5 x SA_INIT packets to the peer. If the peer is still unreachable after the final retransmit, the ASA attempts to establish a connection to the next peer by sending an SA_INIT. Refer to the Cisco ASA 9.14 documentation for more information.

Figure 1 – IKEv2 Multi-peer failover process

In total this takes approximately 2 minutes to failover.

The diagram below represents the topology used in this guide. There are two sites (DC and Branch1): the DC has two ASA firewalls with two different ISP connections, and Branch1 has one ASA and one ISP connection. Branch1 ASA will be configured with two peer IP addresses in its crypto map configuration: DC-1 ASA (1.1.1.90) will be the primary peer and DC-2 ASA (1.1.2.90) will be the backup/secondary peer.

Under normal operations Branch1 ASA will establish a VPN tunnel to the primary peer (DC-1 ASA). Once bi-directional IPsec SAs have been established, DC-1 ASA installs the Branch1 networks into its routing table by means of reverse route injection (RRI). These routes are then redistributed into the DC LAN, so that the DC core switch routes the Branch1 VPN traffic to the correct ASA.

In the event the primary peer (DC-1 ASA) fails, a VPN will be established to DC-2 ASA (1.1.2.90). DC-2 ASA then advertises the Branch1 networks from its routing table and redistributes them to the core switch, so that the DC LAN routes traffic destined to Branch1 via DC-2 ASA instead of via DC-1 ASA.

The ASAs in this scenario use IKEv2, therefore the ASA version 9.14 software image must be utilised.

The following configuration is common amongst all ASAs used in this scenario.

Configure the IPsec proposal:

    crypto ipsec ikev2 ipsec-proposal AES-GCM
     protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm

Configure the IKEv2 policy and enable IKEv2 on the OUTSIDE interface:

    crypto ikev2 policy 10
    crypto ikev2 enable OUTSIDE

Ensure the IKEv2 protocol is enabled in the default group policy (add ikev2 to the existing vpn-tunnel-protocol list rather than replacing protocols that other tunnels still need):

    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev2

Create objects to reflect the DC and Branch1 sites (the DC LAN subnet is not given in this guide, so it is shown as a placeholder):

    object network DC
     subnet <DC-LAN-subnet> <DC-LAN-mask>
    object network BRANCH1
     subnet 10.10.3.0 255.255.255.0

Create a tunnel-group for Branch1, matching on its public IP address and defining the IKEv2 pre-shared key:

    tunnel-group 2.2.2.1 type ipsec-l2l
    tunnel-group 2.2.2.1 ipsec-attributes
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****

Create an ACL to identify the interesting traffic that will establish the VPN tunnel:

    access-list BRANCH1 extended permit ip object DC object BRANCH1

Create a crypto map that references the following:
- the crypto ACL, to identify interesting traffic;
- the IPsec proposal defined above;
- reverse-route injection (RRI), so that the VPN networks can be redistributed.

    crypto map CMAP 1 match address BRANCH1
    crypto map CMAP 1 set peer 2.2.2.1
    crypto map CMAP 1 set ikev2 ipsec-proposal AES-GCM
    crypto map CMAP 1 set reverse-route dynamic

Enable the crypto map on the OUTSIDE interface:

    crypto map CMAP interface OUTSIDE

Define a NAT exemption rule, to ensure traffic between the DC networks and the Branch1 networks is not NATed:

    nat (INSIDE,OUTSIDE) source static DC DC destination static BRANCH1 BRANCH1

Define a prefix-list to identify the Branch1 networks:

    prefix-list REMOTE_VPN_NETWORKS seq 10 permit 10.10.3.0/24

Define a route-map that matches the prefix-list used to identify the Branch1 networks:

    route-map REMOTE_VPN_NETWORKS permit 10
     match ip address prefix-list REMOTE_VPN_NETWORKS

Configure the dynamic routing protocol (this could be BGP, EIGRP or OSPF; BGP is used here) and redistribute the static routes using the route-map:

    router bgp 7500
     address-family ipv4 unicast
      redistribute static route-map REMOTE_VPN_NETWORKS

NOTE – Once a VPN is established, and if RRI is enabled under the crypto map, the remote networks of Branch1 will be injected into the routing table as static routes, which is why the redistribution above matches static routes and filters them with the prefix-list.
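To make the failover and route-injection behaviour described above concrete, here is a small Python model of it. This is an added example, not Cisco's code or part of the guide's configuration: the peer order, the 5 x SA_INIT packets per peer, the 10-peer limit and the addresses 1.1.1.90, 1.1.2.90, 2.2.2.1 and 10.10.3.0/24 come from the guide, while the class and function names, the second (unpermitted) branch prefix and the reachability states are constructed assumptions. It walks the crypto-map peer list the way the Branch1 ASA would, injects routes on the DC ASA that answers (dynamic RRI), and shows what the prefix-list lets through to the core switch.

```python
"""Model of the IKEv2 multi-peer failover and RRI behaviour described in the guide.

Added example, not Cisco's code or the guide's own configuration. The peer order,
the 5 x SA_INIT packets per peer and the 10-peer limit come from the guide; the
class/function names and the sample reachability states are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SA_INIT_PACKETS_PER_PEER = 5    # per the guide: 5 SA_INIT packets before trying the next peer
MAX_PEERS_PER_CRYPTO_MAP = 10   # per the guide: up to 10 peer addresses per crypto map sequence


@dataclass
class DcAsa:
    """A DC-side ASA: answers (or not) to SA_INIT and injects routes via dynamic RRI."""
    name: str
    ip: str
    reachable: bool = True
    # Routes installed by reverse-route injection: remote prefix -> peer public IP
    injected_routes: Dict[str, str] = field(default_factory=dict)

    def handle_sa_init(self, branch_ip: str, branch_prefixes: List[str]) -> bool:
        """Return True if the tunnel comes up; on success inject the remote prefixes."""
        if not self.reachable:
            return False
        for prefix in branch_prefixes:
            self.injected_routes[prefix] = branch_ip
        return True

    def tunnel_down(self) -> None:
        """With 'set reverse-route dynamic' the injected routes go away with the SAs."""
        self.injected_routes.clear()


@dataclass
class FailoverResult:
    active_peer: Optional[str]   # peer the tunnel was established to, or None if all failed
    sa_init_sent: int            # total SA_INIT packets transmitted across all peers
    peers_tried: List[str]


def establish_tunnel(peers: List[DcAsa], branch_ip: str,
                     branch_prefixes: List[str]) -> FailoverResult:
    """Walk the crypto-map peer list in order, as the Branch1 ASA would.

    Each peer gets SA_INIT_PACKETS_PER_PEER attempts; after the final one the
    next peer is tried. Only one peer ends up active (Active/Standby).
    """
    if len(peers) > MAX_PEERS_PER_CRYPTO_MAP:
        raise ValueError("a crypto map sequence supports at most 10 peers")
    sent = 0
    tried: List[str] = []
    for peer in peers:
        tried.append(peer.ip)
        for _ in range(SA_INIT_PACKETS_PER_PEER):
            sent += 1
            if peer.handle_sa_init(branch_ip, branch_prefixes):
                return FailoverResult(peer.ip, sent, tried)
    return FailoverResult(None, sent, tried)


def redistributed_routes(dc_asas: List[DcAsa], prefix_list: List[str]) -> Dict[str, List[str]]:
    """What each DC ASA hands to the core switch.

    'redistribute static route-map REMOTE_VPN_NETWORKS' only passes RRI routes whose
    prefix is permitted by the prefix-list (exact match, as 'permit 10.10.3.0/24'
    without ge/le matches only that prefix).
    """
    return {asa.name: sorted(p for p in asa.injected_routes if p in prefix_list)
            for asa in dc_asas}


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through of the guide's topology: DC-1 fails, DC-2 takes over."""
    dc1 = DcAsa("DC-1", "1.1.1.90")
    dc2 = DcAsa("DC-2", "1.1.2.90")
    branch_prefixes = ["10.10.3.0/24", "10.10.99.0/24"]   # second prefix is constructed and
    prefix_list = ["10.10.3.0/24"]                        # deliberately absent from the prefix-list
    normal = establish_tunnel([dc1, dc2], "2.2.2.1", branch_prefixes)
    routes_normal = redistributed_routes([dc1, dc2], prefix_list)
    dc1.reachable = False          # primary peer goes away
    dc1.tunnel_down()              # its dynamic RRI routes are withdrawn
    failover = establish_tunnel([dc1, dc2], "2.2.2.1", branch_prefixes)
    routes_failover = redistributed_routes([dc1, dc2], prefix_list)
    return {"normal": normal, "routes_normal": routes_normal,
            "failover": failover, "routes_failover": routes_failover}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the first SA_INIT succeeding against DC-1 under normal operations, then five unanswered SA_INITs to DC-1 followed by one to DC-2 after the primary fails, with the 10.10.3.0/24 route moving from DC-1 to DC-2 and the constructed 10.10.99.0/24 prefix never reaching the core switch because the prefix-list does not permit it.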