
This is a post in a series of “stream-of-study” content where I post loosely-structured notes taken while labbing various scenarios and technologies.
!----------------------------------------------!
! Policy-based IKEv2 VPN between ASA and IOS !
! With Manual NAT Exemption !
!----------------------------------------------!
!
!in this setup we will stand up an IKEv2-based tunnel between an ASA and an IOS router, triggered by interesting traffic generated from a downstream router on the ASA Inside interface. Like before, we need to NAT-exempt the 10.1.1.1 traffic before egress.
!
!
!-------------
! ASA
!-------------
!
!define the source and destination subnets as objects for better ACL scalability
!
object network lo10-1-1-1
subnet 10.1.1.0 255.255.255.0
nat (Inside,Outside) dynamic interface
!
object network lo10-2-2-2
subnet 10.2.2.0 255.255.255.0
!
!create our manual 'No-NAT' statement to match traffic going from 10.1.1.0/24 to 10.2.2.0/24 and make sure we don't translate it. On the ASA the crypto map ACL check happens after NAT, so if we don't do this the traffic will be NATted because it follows the 0.0.0.0 route we have for 10.5.5.0/24 pointing to the Outside interface; it will wind up as 192.1.20.1:<port> by the time the crypto map ACL check runs, and it won't match the ACL
!
nat (Inside,Outside) source static lo10-1-1-1 lo10-1-1-1 destination static lo10-2-2-2 lo10-2-2-2 no-proxy-arp route-lookup
!
!reference the objects in an ACL
!
access-list ikev2-PBVPN extended permit ip object lo10-1-1-1 object lo10-2-2-2
!
!create our IKEv2 phase 1 params
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
!
!configure our Ph2 ipsec-proposal, which is the ASA equivalent of the IOS transform set
!
crypto ipsec ikev2 ipsec-proposal ikev2Prop
protocol esp encryption aes-256
protocol esp integrity sha-256
!
!configure our crypto map; this is similar to IOS except we bind it to the interface with a 'crypto map <name> interface <if>' command instead of under the interface config like in IOS
!
crypto map pbvpn_map 20 match address ikev2-PBVPN
crypto map pbvpn_map 20 set peer 192.1.20.2
crypto map pbvpn_map 20 set ikev2 ipsec-proposal ikev2Prop
crypto map pbvpn_map interface Outside
!
!create the tunnel-group and specify the PSKs; note that we declare the tunnel-group type as well as the IKEv2 local and remote pre-shared keys - this is part of how the ASA uses tunnel-groups for a lot of different things and keeps it fairly modular
!
tunnel-group 192.1.20.2 type ipsec-l2l
tunnel-group 192.1.20.2 ipsec-attributes
ikev2 local-authentication pre-shared-key cisco111
ikev2 remote-authentication pre-shared-key cisco222
!
!finally enable the IKEv2 protocol on the interface
!
crypto ikev2 enable Outside
!
!let's also enable icmp inspection on the ASA so we can test our tunnel ;)
!
policy-map global_policy
class inspection_default
inspect icmp
!
!-------------
! R2
!-------------
!
!create matching Phase 1 and 2 parameters and enable the cryptomap on the interface
!
crypto ikev2 proposal pbvpnProp
encryption aes-cbc-256
integrity sha256
group 14
crypto ikev2 policy default
match fvrf any
proposal default
proposal pbvpnProp
crypto ikev2 keyring pbvpnKR
peer ASA
address 192.1.20.1
pre-shared-key local cisco222
pre-shared-key remote cisco111
!
crypto ikev2 profile pbvpnProfile
match identity remote address 192.1.20.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring pbvpnKR
!
crypto ipsec transform-set TFS esp-aes 256 esp-sha256-hmac
!
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map PBVPN 10 ipsec-isakmp
set peer 192.1.20.1
set transform-set TFS
set ikev2-profile pbvpnProfile
match address 101
!
interface Ethernet0/0
crypto map PBVPN
!
!-------------------
! Verifications
!-------------------
!
!IOS
show cry ikev2 sa [detail]
show cry ipsec sa [detail]
show access-list
!
!ASA
show cry ikev2 sa [detail]
show cry ipsec sa [detail]
show access-list
packet-tracer input inside icmp 10.1.1.1 8 0 10.5.5.5
show nat detail
show xlate
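As an added sanity check (my own script, not part of the original lab notes), the Python below resolves the ASA's object-based crypto ACL and the IOS wildcard ACL to networks, confirms the two proxy-ID definitions are mirror images of each other, and confirms the ASA's identity (twice) NAT rule exempts the same pair. The config fragments it parses are constructed copies in the shape of this lab, and the 0.0.0.25 wildcard is a deliberate stand-in for a typo: Python's ipaddress accepts both ASA netmasks and IOS wildcards but rejects a non-contiguous one outright.

```python
import ipaddress
import re
# Constructed fragments in the shape of this lab's configs (not from a live device); 0.0.0.25 stands in for a typo.
ASA_CFG = """
object network lo10-1-1-1
 subnet 10.1.1.0 255.255.255.0
object network lo10-2-2-2
 subnet 10.2.2.0 255.255.255.0
nat (Inside,Outside) source static lo10-1-1-1 lo10-1-1-1 destination static lo10-2-2-2 lo10-2-2-2 no-proxy-arp route-lookup
access-list ikev2-PBVPN extended permit ip object lo10-1-1-1 object lo10-2-2-2
"""
IOS_ACL_OK = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"
IOS_ACL_TYPO = "access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.25"
ASA_CRYPTO_ACL = r"access-list \S+ extended permit ip object (\S+) object (\S+)"
# Identity (twice) NAT: source and destination each mapped to themselves is the exemption.
ASA_NAT_EXEMPT = r"nat \(\S+,\S+\) source static (\S+) \1 destination static (\S+) \2"

def net(addr, mask):
    # ipaddress accepts ASA netmasks (255.255.255.0) and IOS wildcards (0.0.0.255) alike
    return ipaddress.ip_network(f"{addr}/{mask}")

def asa_objects(cfg):
    """Map each 'object network NAME' to the network on its 'subnet' line."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            cur = m.group(1)
        elif (m := re.match(r"\s*subnet (\S+) (\S+)", line)) and cur:
            objs[cur] = net(m.group(1), m.group(2))
    return objs

def asa_pairs(cfg, pattern):
    """(source, destination) network pairs for every config line matching pattern."""
    objs = asa_objects(cfg)
    return {(objs[a], objs[b]) for a, b in re.findall(pattern, cfg)}

def check(asa_cfg, ios_acl):
    """Findings list; empty means the proxy IDs mirror and the NAT exemption covers them."""
    try:
        hits = re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", ios_acl)
        ios = {(net(a, wa), net(b, wb)) for a, wa, b, wb in hits}
    except ValueError as e:  # e.g. '0.0.0.25' is not a valid netmask
        return [f"IOS ACL unparseable: {e}"]
    asa_acl = asa_pairs(asa_cfg, ASA_CRYPTO_ACL)
    findings = [f"{s} -> {d} has no NAT exemption; it would be PATed before the crypto map check"
                for s, d in asa_acl - asa_pairs(asa_cfg, ASA_NAT_EXEMPT)]
    if asa_acl != {(d, s) for s, d in ios}:
        findings.append("proxy IDs are not mirror images; the IKEv2 child SA will not come up")
    return findings
```

Run `check(ASA_CFG, IOS_ACL_TYPO)` to see the malformed wildcard rejected, and drop the `nat` line from the fragment to see the missing-exemption finding.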
