Topology/:
Configuration :
| ASA0 | ASA1 |
| crypto ikev1 enable outside | crypto ikev1 enable outside |
| crypto ikev1 policy 1 | crypto ikev1 policy 1 |
| authentication pre-share | authentication pre-share |
| encryption 3des | encryption 3des |
| hash sha | hash sha |
| group 2 | group 2 |
| lifetime 43200 | lifetime 43200 |
| ! | ! |
| crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac | crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac |
| ! | ! |
| access-list L2L extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0 | access-list L2L extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0 |
| ! | ! |
| tunnel-group 172.16.2.2 type ipsec-l2l | Tunnel-group 172.16.1.2 type ipsec-l2l |
| tunnel-group 172.16.2.2 ipsec-attributes | Tunnel-group 172.16.1.2 ipsec-attributes |
| ikev1 pre-shared-key cisco01 | ikev1 pre-shared-key cisco01 |
| ! | ! |
| crypto map IPSECMAP 1 match address L2L | crypto map IPSECMAP 1 match address L2L |
| crypto map IPSECMAP 1 set connection-type bi-directional | crypto map IPSECMAP 1 set connection-type bi-directional |
| crypto map IPSECMAP 1 set peer 172.16.2.2 | crypto map IPSECMAP 1 set peer 172.16.1.2 |
| crypto map IPSECMAP 1 set ikev1 phase1-mode main | crypto map IPSECMAP 1 set ikev1 phase1-mode main |
| crypto map IPSECMAP 1 set ikev1 transform-set FirstSet | crypto map IPSECMAP 1 set ikev1 transform-set FirstSet |
| crypto map IPSECMAP interface outside | crypto map IPSECMAP interface outside |
| interface | interface |
| ASA0# sh ip | ASA1# sh ip |
| System IP Addresses: | System IP Addresses: |
| Interface Name IP address Subnet mask Method | Interface Name IP address Subnet mask Method |
| GigabitEthernet0/1 inside 10.0.1.1 255.255.255.0 manual | GigabitEthernet0/1 inside 10.0.2.1 255.255.255.0 manual |
| GigabitEthernet0/2 outside 172.16.0.2 255.255.255.252 manual | GigabitEthernet0/2 outside 172.16.2.2 255.255.255.252 manual |
| Current IP Addresses: | Current IP Addresses: |
| Interface Name IP address Subnet mask Method | Interface Name IP address Subnet mask Method |
| GigabitEthernet0/1 inside 10.0.1.1 255.255.255.0 manual | GigabitEthernet0/1 inside 10.0.2.1 255.255.255.0 manual |
| GigabitEthernet0/2 outside 172.16.0.2 255.255.255.252 manual | GigabitEthernet0/2 outside 172.16.2.2 255.255.255.252 manual |
Verification:
ping from PC1 to PC1 whicah diffrent subnet
PC1> ping 10.0.2.10 84 bytes from 10.0.2.10 icmp_seq=1 ttl=64 time=8.256 ms 84 bytes from 10.0.2.10 icmp_seq=2 ttl=64 time=11.365 ms 84 bytes from 10.0.2.10 icmp_seq=3 ttl=64 time=7.692 ms 84 bytes from 10.0.2.10 icmp_seq=4 ttl=64 time=10.106 ms 84 bytes from 10.0.2.10 icmp_seq=5 ttl=64 time=12.254 ms
ISAKMP Status : SA0# sh crypto isakmp sa IKEv1 SAs: Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1 IKE Peer: 172.16.2.2 Type : L2L Role : responder Rekey : no State : MM_ACTIVE
we can see the status currently MM_ACTIVE , mean Phase 1 negotiate successfull
now we verified IPSEC does it build the tunnel up?
ASA0# sh ipsec sa
interface: outside
Crypto map tag: abcmap, seq num: 1, local addr: 172.16.0.2
access-list L2L extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
current_peer: 172.16.2.2
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.0.2/0, remote crypto endpt.: 172.16.2.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 1FFEC8F1
current inbound spi : E2BB0BFB
inbound esp sas:
spi: 0xE2BB0BFB (3803909115)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3914998/27797)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00007FFF
outbound esp sas:
spi: 0x1FFEC8F1 (536791281)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: abcmap
sa timing: remaining key lifetime (kB/sec): (3914998/27797)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Yes it does, since we see the show command below :
local crypto endpt.: 172.16.0.2/0, remote crypto endpt.: 172.16.2.2/0 path mtu 1500, ipsec overhead 58(36), media mtu 1500 PMTU time remaining (sec): 0, DF policy: copy-df ICMP error validation: disabled, TFC packets: disabled current outbound spi: 1FFEC8F1 current inbound spi : E2BB0BFB
mean the both WAN already hanshaking and tunneled m SPI ( Security Parameter Index) is unique id does it build to identify both firewall to communicate and identify its traffict as incomming and outgoing. next we would see ehat setting are use to encrypt and Access-list use to map the traffict and IKE version been used.
spi: 0xE2BB0BFB (3803909115)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
Suryantofang 