Cisco ASA Site to Site IKEv2 VPN Static to Dynamic

KB ID 0001602

Problem

Site to Site VPNs are easy enough: define some interesting traffic, tie that to a crypto map (which decides where to send the traffic), create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you're done! But there needs to be a 'peer address' in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you can't supply one.

The solution is quite simple; Cisco had to address this years ago when they had remote IPsec VPN clients. You use a dynamic crypto map (which has no peer address), and because you can't have a tunnel-group named after the peer's address either, you use the DefaultL2LGroup (this is the tunnel-group the ASA falls back to when no tunnel-group exists for the peer's specific IP address).

Note: If you have many remote sites on DHCP, why not consider configuring EZVPN instead?

Static IP ASA Config

Use the following, changing the values in red to suit your own requirements:

[box]

!
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
!
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
!
! Interesting traffic, and a NAT exemption so it is not translated on the way into the tunnel
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MAIN-SITE-LAN object OBJ-REMOTE-SITE-LAN
nat (inside,outside) source static OBJ-MAIN-SITE-LAN OBJ-MAIN-SITE-LAN destination static OBJ-REMOTE-SITE-LAN OBJ-REMOTE-SITE-LAN
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Dynamic crypto map: no peer address, so the remote site can connect from whatever IP DHCP gives it
crypto dynamic-map DMAP-VPN 10 set ikev2 ipsec-proposal IPSEC-PROP-1
crypto dynamic-map DMAP-VPN 10 set reverse-route
!
! Bind it to the outside interface with a high sequence number, so any static entries are tried first
crypto map outside_map 999 ipsec-isakmp dynamic DMAP-VPN
crypto map outside_map interface outside
!
crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
group-policy GP-SITE-2-SITE internal
group-policy GP-SITE-2-SITE attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2
!
! DefaultL2LGroup is used for any L2L peer that has no tunnel-group of its own
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy GP-SITE-2-SITE
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key Password123
 ikev2 local-authentication pre-shared-key Password123
!

[/box]

Dynamic IP ASA Config

As above, change the values in red to suit your own requirements (this is essentially just a normal site to site IKEv2 config!)

[box]

!
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
!
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
!
! Interesting traffic is the mirror image of the static site's, with the matching NAT exemption
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-REMOTE-SITE-LAN object OBJ-MAIN-SITE-LAN
nat (inside,outside) source static OBJ-REMOTE-SITE-LAN OBJ-REMOTE-SITE-LAN destination static OBJ-MAIN-SITE-LAN OBJ-MAIN-SITE-LAN
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! This end knows the static site's public IP, so a normal crypto map with a peer address is used
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal IPSEC-PROP-1
crypto map outside_map interface outside
!
crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Password123
 ikev2 local-authentication pre-shared-key Password123
!

[/box]
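The two configs only work together because the IKEv2 policy, the IPsec proposal and the pre-shared keys agree, and the interesting-traffic ACLs mirror each other; a mismatch in any of those is the usual reason a tunnel never comes up. The script below is an added example, not from the original article or from Cisco: it parses constructed excerpts of the static-site and dynamic-site configs above (keywords lower-cased, as the ASA stores them) and reports anything that does not line up between the two peers. Object names, subnets and the Password123 key are the article's placeholder values.

```python
import re

# Constructed excerpts of the two configs in the article; the "hub" is the static-IP side
# with the dynamic map, the "spoke" is the DHCP side with a normal crypto map.
HUB_CFG = """\
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MAIN-SITE-LAN object OBJ-REMOTE-SITE-LAN
crypto ipsec ikev2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map DMAP-VPN 10 set ikev2 ipsec-proposal IPSEC-PROP-1
crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key Password123
 ikev2 local-authentication pre-shared-key Password123
"""

SPOKE_CFG = """\
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-REMOTE-SITE-LAN object OBJ-MAIN-SITE-LAN
crypto ipsec ikev2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 1 set peer 1.1.1.1
crypto ikev2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Password123
 ikev2 local-authentication pre-shared-key Password123
"""

ACL_RE = re.compile(r"access-list \S+ extended permit ip object (\S+) object (\S+)", re.I)
PSK_RE = re.compile(r"ikev2 (remote|local)-authentication pre-shared-key (\S+)", re.I)


def parse_asa(text):
    """Pull out the parts of an ASA config that must agree between two IKEv2 peers."""
    cfg = {"objects": {}, "acl": [], "proposal": {}, "policy": {}, "psk": {}}
    ctx = ""  # most recent top-level command; indented lines are its sub-commands
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = line
            m = ACL_RE.match(line)
            if m:
                cfg["acl"].append((m.group(1), m.group(2)))
            continue
        low = ctx.lower()
        if low.startswith("object network "):
            m = re.match(r"subnet (\S+) (\S+)", line, re.I)
            if m:
                cfg["objects"][ctx.split()[-1]] = m.groups()
        elif low.startswith("crypto ipsec ikev2 ipsec-proposal"):
            m = re.match(r"protocol esp (encryption|integrity) (\S+)", line, re.I)
            if m:
                cfg["proposal"][m.group(1).lower()] = m.group(2).lower()
        elif low.startswith("crypto ikev2 policy"):
            parts = line.lower().split()  # "lifetime seconds 86400" -> lifetime: 86400
            cfg["policy"][parts[0]] = parts[-1]
        elif low.startswith("tunnel-group") and low.endswith("ipsec-attributes"):
            m = PSK_RE.match(line)
            if m:
                cfg["psk"][m.group(1).lower()] = m.group(2)
    return cfg


def check_pair(hub, spoke):
    """Return the mismatches that would stop the tunnel coming up (empty list = consistent)."""
    problems = []
    if hub["policy"] != spoke["policy"]:
        problems.append(f"IKEv2 policy mismatch: {hub['policy']} vs {spoke['policy']}")
    if hub["proposal"] != spoke["proposal"]:
        problems.append(f"IPsec proposal mismatch: {hub['proposal']} vs {spoke['proposal']}")
    # Each side's remote key must equal the other side's local key
    if (hub["psk"].get("remote") != spoke["psk"].get("local")
            or hub["psk"].get("local") != spoke["psk"].get("remote")):
        problems.append("pre-shared keys do not cross-match")
    # Interesting traffic must be a mirror image, compared by subnet rather than by object name
    hub_pairs = {(hub["objects"][s], hub["objects"][d]) for s, d in hub["acl"]}
    spoke_pairs = {(spoke["objects"][d], spoke["objects"][s]) for s, d in spoke["acl"]}
    if hub_pairs != spoke_pairs:
        problems.append(f"interesting traffic is not mirrored: {hub_pairs} vs {spoke_pairs}")
    return problems


if __name__ == "__main__":
    for p in check_pair(parse_asa(HUB_CFG), parse_asa(SPOKE_CFG)) or ["configs are consistent"]:
        print(p)
```

Because the static site authenticates every dynamic peer through DefaultL2LGroup, the single pre-shared key there is shared with every remote site that uses it, so it is worth running this kind of check after any key rotation as well as on first setup.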

Related Articles, References, Credits, or External Links

NA

BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA Firewall. Note: This is for customers using BOTH ADSL and BT Infinity.

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router (the password is initially on the pull-out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally; this is normal, don't panic.

2. Apply > Wait for the changes to apply.

3. Under Business Network > Devices > You should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: Additionally, if you are installing a firewall you might want to disable the Business Hub's internal firewall. Settings > Port Forwarding > Firewall > "Allow all traffic..." > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address, and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the 'Devices' tab, even though it continued to get the correct IP address leased to it from the Business Hub; this persisted after a reload of the firewall, so the hub COULD see it. I tried giving the ASA the correct IP address statically, and I also locked the speed and duplex of the ethernet interface (in case it was simply an auto-negotiation error); this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client had his old 2Wire router; as soon as I plugged that in, everything worked fine.


Update 210414 (and resolution)

Got an email from Nate Morris this week, who had been working on this very problem; while debugging the ARP traffic he saw:

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 0000.0000.0000
arp-in: Arp packet received from 192.168.1.254 which is in different subnet than the connected interface 123.123.123.123/255.255.255.248

[/box]

This pointed to a known problem with the Cisco ASA introduced in version 8.3(4). Cisco identified this as bug CSCty95468 (Cisco CCO login required to view). To resolve this problem you need to allow the ASA to populate its ARP table from a non-connected subnet (here the hub is ARPing from 192.168.1.254, which is not in the ASA's outside subnet). To do this you need to issue the arp permit-nonconnected command.

[box]

User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# arp permit-nonconnected
Petes-ASA(config)# exit
Petes-ASA# write mem
Building configuration...
Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea
9449 bytes copied in 1.310 secs (9449 bytes/sec)
[OK]
Petes-ASA#

[/box]
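The debug output above is the whole diagnosis: the hub sends ARP from its LAN address 192.168.1.254, which is outside the ASA's connected subnet 123.123.123.123/255.255.255.248, and by default the ASA ignores it. Before relaxing that with arp permit-nonconnected it is worth confirming the only off-subnet ARP sender really is the hub, because the command tells the ASA to accept ARP from any non-connected subnet on that interface. Cisco's configuration guide flags this as a trade-off (a host on the interface can flood the ARP table with bogus entries once it is enabled). The script below is an added example, not from the original article or from Cisco: it runs over a constructed sample of debug arp output in the same format as the lines Nate captured, recovers the connected interface from the ASA's own complaint, and lists every ARP request whose sender is off-subnet. The third sample line (a request from 123.123.123.121) is constructed to show a legitimate on-subnet request being left alone.

```python
import ipaddress
import re

# Constructed sample of `debug arp` output, modelled on the lines in the article: the BT hub
# (192.168.1.254) ARPs for the ASA's public address from outside the connected /29, then a
# made-up on-subnet neighbour (123.123.123.121) does the same from inside it.
SAMPLE_DEBUG = """\
arp-in: request at outside from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 0000.0000.0000
arp-in: Arp packet received from 192.168.1.254 which is in different subnet than the connected interface 123.123.123.123/255.255.255.248
arp-in: request at outside from 123.123.123.121 0011.2233.4455 for 123.123.123.123 0000.0000.0000
"""

REQ_RE = re.compile(r"arp-in: request at (\S+) from (\S+) (\S+) for (\S+)")
IFACE_RE = re.compile(r"connected interface (\S+/\S+)")


def parse_arp_requests(text):
    """Return (interface, sender_ip, sender_mac, target_ip) for every ARP request line."""
    found = []
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            found.append(m.groups())
    return found


def connected_interface(text):
    """Recover the address/mask the ASA reports in its 'different subnet' complaint, or None."""
    for line in text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            return m.group(1)
    return None


def nonconnected_senders(text, iface_cidr):
    """ARP requests whose sender lies outside the connected subnet of iface_cidr.

    These are the requests the ASA drops by default and would start honouring after
    `arp permit-nonconnected`; ideally the list contains only the upstream hub.
    """
    net = ipaddress.ip_interface(iface_cidr).network  # accepts dotted masks as well as /29
    flagged = []
    for _iface, sender, mac, target in parse_arp_requests(text):
        if ipaddress.ip_address(sender) not in net:
            flagged.append((sender, mac, target))
    return flagged


if __name__ == "__main__":
    iface = connected_interface(SAMPLE_DEBUG)
    print(f"connected subnet: {ipaddress.ip_interface(iface).network}")
    for sender, mac, target in nonconnected_senders(SAMPLE_DEBUG, iface):
        print(f"off-subnet ARP from {sender} ({mac}) for {target}")
```

Run against a real capture, the expected result is a single sender (the hub's LAN address); anything else appearing in the list is a reason to investigate the segment before enabling the command.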

Update 260213

Got an email from Andrew Joubert, to say that he had the same problem, and he was using the BT Business Hub via BT Infinity, not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn't have to wait in a queue, and then followed up afterwards to see what the outcome was; if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.