VMware Edge Gateway VPN to Cisco ASA

KB ID 0001658

Problem

I was asked to set up a VPN to help out a colleague this week. When I had a look, one end turned out to be an Edge Gateway. I wasn’t that concerned, as I’d done similar things in my prior role; I just didn’t have access to the vCloud or VMware at this datacenter.

Despite my best efforts on the ASA, the tunnel refused to come up, and it took a little looking ‘under the covers’ to accurately diagnose the problem. To save you my pain, I’ll post the setup of both ends so yours will be a little less stressful.

VMware Edge Gateway VPN Setup

Locate the Edge Gateway in vCloud Director > VPN > Create new VPN > Tick ‘Enable This VPN‘ configuration > Set the local and remote networks > Local ID is the local public IP of the Edge Gateway > Remote ID is the public IP of the Cisco ASA > Set the encryption protocol as AES256 > Copy the pre-shared-key (Warning: some browsers won’t select all of the key, and you will end up a few characters short, so make sure you have all of it!) > OK.

On the ‘Firewall’ Tab allow all traffic TO and FROM the remote subnet, (behind the Cisco ASA).

Note: There is no need to make a NAT exemption on the Edge Gateway.

Cisco ASA VPN Setup (For Edge Gateway)

Note: The version of Edge Gateway I was using negotiates the following (once AES256 is selected):

  • IKE Version: 1
  • Encryption: AES-256
  • Hashing: SHA
  • Diffie Hellman: Group 2
  • Perfect Forward Secrecy: Enabled (group 2)

I’m aware that newer Edge Gateways support IKEv2 but debugging the incoming requests told me mine was using IKEv1.

[box]

crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
object network OBJ-vCloud-SN
 subnet 172.16.10.0 255.255.255.0
object network OBJ-Site-SN
 subnet 172.22.10.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-vCloud-SN object OBJ-Site-SN
nat (inside,outside) source static OBJ-vCloud-SN OBJ-vCloud-SN destination static OBJ-Site-SN OBJ-Site-SN no-proxy-arp route-lookup
!
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key gT65C9Muwjx4q73tXaxu9gge6psqyr83qcu93xL8xkdk594yzNgf4jeoj7ax85Nc
 isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
!
crypto map CRYPTO-MAP interface outside
!

[/box]

WARNING

The above assumes:

  1. Your interfaces are called inside and outside.
  2. You DO NOT have any existing VPNs configured (if you do, change the name of the CRYPTO-MAP above to match the name of your existing crypto map and use a higher sequence number, e.g. ‘outside_map 2‘).
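Two things stop this particular tunnel coming up: a proposal on the ASA that does not match what the Edge Gateway sends (AES-256, SHA, DH group 2, PFS group 2), and a pre-shared key the browser did not copy in full. The script below is an added example (it is not from the article, Cisco or VMware) that parses the ASA configuration above and checks both. The configuration text embedded in it is the article’s own sample; the expected key length is whatever the Edge Gateway’s VPN page shows, here 64, the length of the sample key.

```python
"""Check an ASA IKEv1 site-to-site config against the Edge Gateway proposal.
Added example, not Cisco or VMware code: parses the article's ASA config
(embedded below) and flags a policy/PFS/transform-set mismatch or a
pre-shared key whose length differs from the one the Edge Gateway shows."""
import re

# Proposal the Edge Gateway uses once AES256 is selected (per the article).
EXPECTED = {"encryption": "aes-256", "hash": "sha", "group": "2",
            "pfs": "group2", "transform": ("esp-aes-256", "esp-sha-hmac")}

# The article's ASA configuration, embedded as sample input.
ASA_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key gT65C9Muwjx4q73tXaxu9gge6psqyr83qcu93xL8xkdk594yzNgf4jeoj7ax85Nc
 isakmp keepalive threshold 10 retry 2
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
"""

POLICY_RE = re.compile(r"crypto ikev1 policy (\d+)$")
TUNNEL_RE = re.compile(r"tunnel-group (\S+) ipsec-attributes$")
TRANSFORM_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (set|match) (.+)$")


def parse_asa(config):
    """Extract IKEv1 policies, PSKs, transform sets and crypto map entries."""
    policies, psks, transform_sets, crypto_maps = {}, {}, {}, {}
    section = None  # ("policy", seq) or ("tunnel", peer) inside an indented block
    for line in (l.rstrip() for l in config.splitlines()):
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):  # sub-command belonging to the current section
            key, _, value = line.strip().partition(" ")
            if section and section[0] == "policy":
                policies[section[1]][key] = value
            elif section and section[0] == "tunnel" and key == "pre-shared-key":
                psks[section[1]] = value
            continue
        section = None
        if m := POLICY_RE.match(line):
            section = ("policy", m.group(1))
            policies[m.group(1)] = {}
        elif m := TUNNEL_RE.match(line):
            section = ("tunnel", m.group(1))
        elif m := TRANSFORM_RE.match(line):
            transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            entry = crypto_maps.setdefault((m.group(1), m.group(2)), {})
            words = m.group(4).split()
            if words[0] == "pfs":  # "set pfs" with no group is recorded as None
                entry["pfs"] = words[1] if len(words) > 1 else None
            elif words[0] == "peer":
                entry["peer"] = words[1]
            elif words[:2] == ["ikev1", "transform-set"]:
                entry["transform"] = words[2]
    return {"policies": policies, "psks": psks,
            "transform_sets": transform_sets, "crypto_maps": crypto_maps}


def check_peer(parsed, peer, expected_psk_len, expected=EXPECTED):
    """Return findings for one peer; an empty list means the ASA side matches."""
    findings = []
    if not any(p.get("encryption") == expected["encryption"] and p.get("hash") == expected["hash"]
               and p.get("group") == expected["group"] for p in parsed["policies"].values()):
        findings.append("no IKEv1 policy offers %(encryption)s / %(hash)s / DH group %(group)s" % expected)
    psk = parsed["psks"].get(peer)
    if psk is None:
        findings.append(f"no pre-shared key configured for peer {peer}")
    elif len(psk) != expected_psk_len:
        findings.append(f"pre-shared key is {len(psk)} characters, expected {expected_psk_len} "
                        "(truncated copy from the browser?)")
    entries = [e for e in parsed["crypto_maps"].values() if e.get("peer") == peer]
    if not entries:
        findings.append(f"no crypto map entry sets peer {peer}")
    for e in entries:
        if e.get("pfs") != expected["pfs"]:
            findings.append(f"crypto map PFS is {e.get('pfs')}, expected {expected['pfs']}")
        ts = parsed["transform_sets"].get(e.get("transform"))
        if ts != expected["transform"]:
            findings.append(f"transform set {e.get('transform')} is {ts}, expected {expected['transform']}")
    return findings


if __name__ == "__main__":
    problems = check_peer(parse_asa(ASA_CONFIG), "123.123.123.123", expected_psk_len=64)
    print("\n".join(problems) or "ASA side matches the Edge Gateway proposal")
```

Paste the output of `show running-config` into `ASA_CONFIG` (or read it from a file) and pass the peer address and the key length you read off the Edge Gateway; a non-empty list is the mismatch to fix before you start debugging IKE.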

Troubleshooting Edge Gateway End of the VPN

You need access to the underlying VMware infrastructure > Select Networking and Security > Locate the NSX Edge > VPN > IPsec VPN > Show IPsec Statistics > Here you can see some meaningful error messages if there’s a problem.

Troubleshooting Cisco ASA End of the VPN

I’ve covered this to death in the past, so rather than reinvent the wheel:

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Related Articles, References, Credits, or External Links

NA

Deploy Dual Virtual ASA Firewalls In Active/Standby Failover

KB ID 0000053

Problem

Now that you have created your Virtual ASA platform, you want to deploy two of them in a failover configuration.

Solution

Notes:

Software To Download

Qemu with ASA
Dynamips
WinPcap

Sample Batch File

[box]

@echo off
ECHO Telnet to 127.0.0.1 on port 1234 to access ASA Console
ECHO -------------------------------------------------------
ECHO * * * * * * *DO NOT CLOSE THIS WINDOW* * * * * * * *
REM Three pcnet NICs, each bridged to its own WinPcap adapter; keep every macaddr and NPF adapter unique
qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-nolina.gz -m 256 -no-kqemu -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32" -net nic,vlan=0,model=pcnet,macaddr=00:aa:00:00:01:01 -net pcap,vlan=0,ifname=\Device\NPF_{120662E6-8B8B-4A6D-A0B1-9159DBD283BA} -net nic,vlan=1,model=pcnet,macaddr=00:aa:00:00:01:02 -net pcap,vlan=1,ifname=\Device\NPF_{BF1F38D4-5D13-4DA2-B50B-17B1F35B1FA8} -net nic,vlan=2,model=pcnet,macaddr=00:aa:00:00:02:02 -net pcap,vlan=2,ifname=\Device\NPF_{2AA77C53-B558-4E7C-A377-E92BF9FAF1BB} -serial telnet::1234,server,nowait

[/box]

MAKE SURE ALL THE MAC ADDRESSES AND Network IDs are unique!

Commands to enter at Telnet

[box]
modprobe e100
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
cd /mnt/disk0
./lina_monitor
[/box]

Command to save config

[box]copy run disk0:/.private/startup-config[/box]

Related Articles, References, Credits, or External Links

NA

Building a Virtual Cisco ASA

KB ID 0000051

Problem

You would like to create a virtual Cisco ASA platform in a virtualized environment for training and/or testing.

Solution

Notes:

Software To Download

Qemu with ASA
Dynamips
WinPcap

Sample Batch File

[box]

@echo off
ECHO Telnet to 127.0.0.1 on port 1234 to access ASA Console
ECHO -------------------------------------------------------
ECHO * * * * * * *DO NOT CLOSE THIS WINDOW* * * * * * * *
REM Three pcnet NICs, each bridged to its own WinPcap adapter; keep every macaddr and NPF adapter unique
qemupcap -L . -hda FLASH1 -hdachs 980,16,32 -kernel vmlinuz -initrd asa-nolina.gz -m 256 -no-kqemu -append "auto nousb ide1=noprobe bigphysarea=16384 console=ttyS0,9600n8 hda=980,16,32" -net nic,vlan=0,model=pcnet,macaddr=00:aa:00:00:01:01 -net pcap,vlan=0,ifname=\Device\NPF_{120662E6-8B8B-4A6D-A0B1-9159DBD283BA} -net nic,vlan=1,model=pcnet,macaddr=00:aa:00:00:01:02 -net pcap,vlan=1,ifname=\Device\NPF_{BF1F38D4-5D13-4DA2-B50B-17B1F35B1FA8} -net nic,vlan=2,model=pcnet,macaddr=00:aa:00:00:02:02 -net pcap,vlan=2,ifname=\Device\NPF_{2AA77C53-B558-4E7C-A377-E92BF9FAF1BB} -serial telnet::1234,server,nowait

[/box]

MAKE SURE ALL THE MAC ADDRESSES AND Network IDs are unique!

Commands to enter at Telnet

[box]
modprobe e100
ifconfig eth0 up
ifconfig eth1 up
ifconfig eth2 up
cd /mnt/disk0
./lina_monitor
[/box]

Command to save config

[box]
copy run disk0:/.private/startup-config
[/box]

Related Articles, References, Credits, or External Links

GNS3 Cannot Connect Network Interfaces when running on VMware vSphere