
If you’ve been following along from Page 1, we’re now ready to set up the VPN between the two sites.
ASA IKE, IPSEC, and VTI
First we enable IKEv1 on the OUTSIDE interface and create our IKE policy (Phase 1), then our IPsec transform set and profile (Phase 2), and finally the VTI tunnel interface that uses that profile. Note that the VTI needs both a tunnel source and a tunnel destination (the SRX’s public address).
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set PHASE-TWO-PROPOSAL esp-aes-256 esp-sha-hmac
crypto ipsec profile TO-SRX
 set ikev1 transform-set PHASE-TWO-PROPOSAL
 set pfs group1
 set security-association lifetime seconds 86399
interface Tunnel100
 nameif ASA-SRX-TUNNEL
 ip address 10.255.255.1 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TO-SRX
Finally on the ASA we create a tunnel-group that specifies what type of tunnel to create (site-to-site, ipsec-l2l) and the pre-shared key used for local and remote authentication.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key TheCatInFranceSlept
With that, we are done with the configuration on the ASA. Now we can move on to the SRX.
SRX IKE, IPSEC, and st0.0
Same as above: the IKE proposal and policy, followed by the IPsec proposal and policy.
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal ASA-PHASE-ONE-PROPOSAL dh-group group5
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-algorithm sha1
set security ike proposal ASA-PHASE-ONE-PROPOSAL encryption-algorithm aes-256-cbc
set security ike policy ASA-IKE-POLICY mode main
set security ike policy ASA-IKE-POLICY proposals ASA-PHASE-ONE-PROPOSAL
set security ike policy ASA-IKE-POLICY pre-shared-key ascii-text TheCatInFranceSlept
set security ipsec proposal ASA-IPSEC-PROPOSAL protocol esp
set security ipsec proposal ASA-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal ASA-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal ASA-IPSEC-PROPOSAL lifetime-seconds 86399
set security ipsec policy ASA-IPSEC-POLICY perfect-forward-secrecy keys group1
set security ipsec policy ASA-IPSEC-POLICY proposals ASA-IPSEC-PROPOSAL
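Both sides’ proposals have to line up exactly even though the two vendors spell the same algorithms differently. As an added example (not part of the original post), this Python script parses the ASA and SRX snippets above into one vocabulary, diffs them, and flags the parameters that still negotiate but rely on SHA-1 or DH groups under 2048 bits (the group1 PFS and group5 IKE settings used here); the token tables and parameter names are this example’s own.

```python
# Constructed excerpts of the two configs above, trimmed to the Phase 1/2 parameter lines.
ASA_CONFIG = """
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set PHASE-TWO-PROPOSAL esp-aes-256 esp-sha-hmac
 set pfs group1
"""
SRX_CONFIG = """
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal ASA-PHASE-ONE-PROPOSAL dh-group group5
set security ike proposal ASA-PHASE-ONE-PROPOSAL authentication-algorithm sha1
set security ike proposal ASA-PHASE-ONE-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec proposal ASA-IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal ASA-IPSEC-PROPOSAL encryption-algorithm aes-256-cbc
set security ipsec policy ASA-IPSEC-POLICY perfect-forward-secrecy keys group1
"""
# ASA keyword -> Junos name for the same value ("5" is the ASA 'group 5' sub-command).
ASA_TOKENS = {"pre-share": "pre-shared-keys", "aes-256": "aes-256-cbc", "sha": "sha1",
              "5": "group5", "esp-aes-256": "aes-256-cbc", "esp-sha-hmac": "hmac-sha1-96"}
ASA_IKE = {"authentication": "ike_auth", "encryption": "ike_enc", "hash": "ike_hash", "group": "ike_dh"}
SRX_KEYS = {("ike", "authentication-method"): "ike_auth", ("ike", "dh-group"): "ike_dh",
            ("ike", "authentication-algorithm"): "ike_hash", ("ike", "encryption-algorithm"): "ike_enc",
            ("ipsec", "authentication-algorithm"): "esp_auth", ("ipsec", "encryption-algorithm"): "esp_enc",
            ("ipsec", "perfect-forward-secrecy"): "pfs"}
LEGACY = {"group1", "group2", "group5", "sha1", "hmac-sha1-96"}  # DH < 2048 bits, SHA-1

def parse_asa(text):  # ASA config -> Phase 1/2 parameters in Junos vocabulary
    p = {}
    for w in (line.split() for line in text.splitlines()):
        if w and w[0] in ASA_IKE:  # 'crypto ikev1 policy' sub-commands
            p[ASA_IKE[w[0]]] = ASA_TOKENS.get(w[1], w[1])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p["esp_enc"], p["esp_auth"] = (ASA_TOKENS.get(t, t) for t in w[5:7])
        elif w[:2] == ["set", "pfs"]:
            p["pfs"] = w[2]
    return p

def parse_srx(text):  # 'set security <ike|ipsec> <obj> <NAME> <knob> [keys] <value>'
    p = {}
    for w in (line.split() for line in text.splitlines()):
        if len(w) >= 7 and (w[2], w[5]) in SRX_KEYS:
            p[SRX_KEYS[(w[2], w[5])]] = w[-1]
    return p

def mismatches(asa, srx):  # empty list means the two proposals agree
    return sorted(k for k in set(asa) | set(srx) if asa.get(k) != srx.get(k))
def legacy_params(p):  # negotiates fine, but below current guidance
    return sorted(k for k, v in p.items() if v in LEGACY)
```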
On the SRX we also need to create an IKE gateway, an IPsec VPN bound to an st0 interface (st0 is the SRX equivalent of a VTI), and place st0.0 in its own security zone.
set security ike gateway ASA-GATEWAY ike-policy ASA-IKE-POLICY
set security ike gateway ASA-GATEWAY address 198.51.100.1
set security ike gateway ASA-GATEWAY external-interface ge-0/0/0
set security ike gateway ASA-GATEWAY version v1-only
set security ipsec vpn ASA-VPN bind-interface st0.0
set security ipsec vpn ASA-VPN ike gateway ASA-GATEWAY
set security ipsec vpn ASA-VPN ike ipsec-policy ASA-IPSEC-POLICY
set interfaces st0 unit 0 family inet address 10.255.255.2/30
set security zones security-zone SRX-TO-ASA interfaces st0.0
Adding the final Security Policies
The last step on the SRX is to add two security policies that allow traffic to flow to and from the TRUST zone over the tunnel, one per direction.
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match source-address any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match destination-address any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS match application any
set security policies from-zone TRUST to-zone SRX-TO-ASA policy ALLOW-EGRESS then permit
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match source-address any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match destination-address any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS match application any
set security policies from-zone SRX-TO-ASA to-zone TRUST policy ALLOW-INGRESS then permit
Last part of the configuration: the routes
ASA
route ASA-SRX-TUNNEL 192.168.50.0 255.255.255.0 10.255.255.2 1
SRX
set routing-options static route 172.16.100.0/24 next-hop 10.255.255.1
Verifying and Testing
ASA
First we verify our phase one and then our phase two.
ASAv# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: ASA-TO-SRX
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86362
ASAv# show crypto ipsec sa detail
interface: ASA-SRX-TUNNEL
Crypto map tag: __vti-crypto-map-4-0-100, seq num: 65280, local addr: 198.51.100.1
access-list __vti-def-acl-0 extended permit ip any any
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: ASA-TO-SRX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 198.51.100.1/0, remote crypto endpt.: ASA-TO-SRX/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F4423134
current inbound spi : CAD09FA2
inbound esp sas:
spi: 0xCAD09FA2 (3402669986)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, VTI, }
slot: 0, conn_id: 1228800, crypto-map: __vti-crypto-map-4-0-100
sa timing: remaining key lifetime (kB/sec): (3915000/86285)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF4423134 (4097978676)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, VTI, }
slot: 0, conn_id: 1228800, crypto-map: __vti-crypto-map-4-0-100
sa timing: remaining key lifetime (kB/sec): (3915000/86284)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASAv#
Look at all those 0’s. As we can see, both phase one and phase two are up; however, we haven’t sent any data through the tunnel yet. Let’s do that now!
WestPC> ping 192.168.50.2
84 bytes from 192.168.50.2 icmp_seq=1 ttl=63 time=9.671 ms
84 bytes from 192.168.50.2 icmp_seq=2 ttl=63 time=2.579 ms
84 bytes from 192.168.50.2 icmp_seq=3 ttl=63 time=3.505 ms
84 bytes from 192.168.50.2 icmp_seq=4 ttl=63 time=2.653 ms
84 bytes from 192.168.50.2 icmp_seq=5 ttl=63 time=2.493 ms
ASAv# show crypto ipsec sa detail | i encaps:|decaps:
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
ASAv# show route 192.168.50.0
Routing entry for 192.168.50.0 255.255.255.0
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 10.255.255.2, via ASA-SRX-TUNNEL
Route metric is 0, traffic share count is 1
SRX
root@vSRX-1> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha1 f4423134 86394/ 4608000 - root 500 198.51.100.1
>131073 ESP:aes-cbc-256/sha1 cad09fa2 86394/ 4608000 - root 500 198.51.100.1
root@vSRX-1> show security ike security-associations detail
IKE peer 198.51.100.1, Index 6355135, Gateway Name: ASA-GATEWAY
Role: Responder, State: UP
Initiator cookie: d3571252c13d577f, Responder cookie: 6fad532d597e1cf7
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 203.0.113.1:500, Remote: 198.51.100.1:500
Lifetime: Expires in 86068 seconds
Reauth Lifetime: Disabled
Peer ike-id: 198.51.100.1
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 3876
Output bytes : 3676
Input packets: 36
Output packets: 35
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 203.0.113.1:500, Remote: 198.51.100.1:500
Local identity: 203.0.113.1
Remote identity: 198.51.100.1
Flags: IKE SA is created
root@vSRX-1> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: ASA-VPN
Local Gateway: 203.0.113.1, Remote Gateway: 198.51.100.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
, Copy-Outer-DSCP Disabled
Bind-interface: st0.0
Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Tunnel events:
Sat Feb 23 2019
: IPSec SA negotiation successfully completed (1 times)
Sat Feb 23 2019
: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: f4423134, AUX-SPI: 0
Hard lifetime: Expires in 85986 seconds
Lifesize Remaining: 4607998 kilobytes
Soft lifetime: Expires in 85396 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled
, Replay window size: 64
Direction: outbound, SPI: cad09fa2, AUX-SPI: 0
Hard lifetime: Expires in 85986 seconds
Lifesize Remaining: 4607998 kilobytes
Soft lifetime: Expires in 85396 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled
, Replay window size: 64
root@vSRX-1> show interfaces st0.0 | match put
Input packets : 5
Output packets: 5
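One more check that ties the two outputs together, added here as an example and not from the original post: the ASA’s outbound SPI must be the SRX’s inbound SPI (and vice versa), and in this quiet lab the ASA encaps/decaps counters should equal the st0.0 input/output counters. The excerpts are constructed from the output above; the regexes and field names are this example’s own.

```python
import re

# Constructed excerpts of the verification output shown above: the ASA counters and
# SPIs, the SRX SA table ('<' = inbound, '>' = outbound) and the st0.0 counters.
ASA_SA = """
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
current outbound spi: F4423134
current inbound spi : CAD09FA2
"""
SRX_SA = """
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-256/sha1 f4423134 86394/ 4608000 - root 500 198.51.100.1
>131073 ESP:aes-cbc-256/sha1 cad09fa2 86394/ 4608000 - root 500 198.51.100.1
"""
SRX_ST0 = """
Input packets : 5
Output packets: 5
"""

def _grab(pat, text):
    return re.search(pat, text).group(1)

def parse_asa_sa(text):
    """SPIs (lower-cased to match Junos) and the encaps/decaps packet counters."""
    return {"out_spi": _grab(r"current outbound spi:\s*([0-9A-Fa-f]+)", text).lower(),
            "in_spi": _grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", text).lower(),
            "encaps": int(_grab(r"#pkts encaps:\s*(\d+)", text)),
            "decaps": int(_grab(r"#pkts decaps:\s*(\d+)", text))}

def parse_srx_sa(table, st0):
    """SPI per direction from the SA table plus the st0.0 input/output packet counters."""
    sa = {}
    for d, spi in re.findall(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-f]+)", table, re.M):
        sa["in_spi" if d == "<" else "out_spi"] = spi
    sa["input"] = int(_grab(r"Input\s+packets\s*:\s*(\d+)", st0))
    sa["output"] = int(_grab(r"Output\s+packets\s*:\s*(\d+)", st0))
    return sa

def cross_check(asa, srx):
    """Names of the checks that fail; an empty list means both ends describe one live tunnel."""
    checks = {
        "asa_out_spi == srx_in_spi": asa["out_spi"] == srx["in_spi"],   # ASA encrypts, SRX decrypts
        "asa_in_spi == srx_out_spi": asa["in_spi"] == srx["out_spi"],
        "asa_encaps == srx_input": asa["encaps"] == srx["input"],       # every ping reached st0.0
        "asa_decaps == srx_output": asa["decaps"] == srx["output"],     # and every reply came back
        "traffic in both directions": asa["encaps"] > 0 and asa["decaps"] > 0,
    }
    return [name for name, ok in checks.items() if not ok]
```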
root@vSRX-1> show route 172.16.100.0
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
172.16.100.0/24 *[Static/5] 13:42:01
> to 10.255.255.1 via st0.0
We’re good! Thanks for reading.