Cisco FTD Site to Site VPN

KB ID 0001681

Problem

While working out how to create a VPN on the Cisco FTD (Firepower 1010), I thought I might as well set it up to the Cisco ASA that I have in the Data Center on my test network. This is what I’m connecting;


Create Site to Site VPN On Cisco FTD (using FDM)

Using a web browser, connect to the device’s FDM > Site to Site VPN > View Configuration.

Create Site-to-Site Connection.

  • Connection profile name: Something sensible like VPN-To-HQ or VPN-To-Datacentre.
  • Local VPN Access Interface: outside.
  • Local Network: Create new network.

  • Name: This will be your local LAN so give it a recognisable name.
  • Type: Network
  • Network: Your local (behind the FTD) network i.e. 10.254.254.0/24
  • OK.

  • Remote IP Address: The public IP address of the other device (in my case the Cisco ASA).
  • Remote Network: Add
  • Create new network

  • Name: This will be the remote site’s LAN so give it a recognisable name.
  • Type: Network
  • Network: The remote (behind the ASA) network i.e. 192.168.100.0/24
  • OK.


Check the settings are correct > Next.

I’m using IKEv2 (if your ASA is older than version 8.4 you will need to use IKEv1) > IKE Version 2 Globally Applied > Edit.

Create new IKE Policy.


  • Priority: 1
  • Name: S2S-IKEv2-Policy
  • Encryption: DES. Really! (Why is that the default?) Remove DES and replace it with AES256.

I leave the rest of the settings as they are. Some people might not like SHA1; if you want to change it to SHA256, for example, then do so, but remember to change it on the IKEv2 policy on the ASA as well. Also, DON’T CONFUSE PRF with PFS; we will get the chance to set PFS later. > OK.

IPsec Proposal > Edit.

Add in AES-SHA > OK. 

Enter (and confirm) the local and remote Pre-Shared Key (I usually set these the same, but they don’t have to be). Scroll down.

  • NAT Exempt: inside
  • Diffie Hellman Group for Perfect Forward Secrecy (PFS): Leave disabled.
  • Next

Review the settings > Finish.

FTD VPN One Way VPN Traffic Warning!

At this point, if you configure the ASA, the tunnel will come up, and if you’re behind the FTD everything will work. But if you’re behind the ASA and you want to talk to anything behind the FTD, it won’t work. This confused me for a while: I could ping from my house to my servers at the DC, but they could not ping me!

Resolution: What you need to do is (on the FTD) ALLOW traffic ‘inbound’ on the outside interface for the subnet behind the ASA. (Yes, that’s bobbins, I know; it should do that for you, but at the moment it does not.)

Policies > Access Control > Add.

  • Title: Allow-VPN-Traffic
  • Source Zone: outside_zone
  • Source Networks: The Network behind the ASA
  • Source Ports: ANY
  • Destination Zone: inside_zone
  • Destination Networks: ANY
  • Destination Ports/Protocols: ANY
  • OK

Pending changes > Deploy Now.

It can take a while to deploy; I recheck pending changes and wait until it says it’s finished.

Create ASA Config for VPN to Cisco FTD

I’ve covered Cisco ASA IKEv2 VPN configs elsewhere, so I’ll just post the config here and you can change the details (in red) and copy and paste it into your ASA.

[box]

object network OBJ-SITE-A
 subnet 192.168.100.0 255.255.255.0
object network OBJ-SITE-B
 subnet 10.254.254.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco123
 ikev2 local-authentication pre-shared-key cisco123
!

[/box]

Troubleshooting and debugging FTD VPN

All the traditional command line tools we used to use for VPN troubleshooting are available to you, but you will need to SSH into the ‘Management Port’ before you can use them! Or you can simply do the debugging and troubleshooting on the ASA!

Troubleshoot phase 1 (IKE)

[box]

show crypto isakmp sa
debug crypto ikev2 protocol

[/box]

Troubleshoot phase 2 (IPSec)

[box]

show crypto ipsec sa
debug crypto ipsec 255

[/box]

Related Articles, References, Credits, or External Links

NA

Cisco ASA Site to Site VPN ‘Using ASDM’

KB ID 0000072

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

Do the same from command line

Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end.


Solution

VPN Setup Procedure carried out on ASDM 6.4

Note: The video above uses IKE v1 and IKE v2, in reality you would choose one or the other, and for IKE v2 both ASA 5500 firewalls need to be running OS 8.4(1) or above.

VPN Setup Procedure carried out on ASDM 5.2

1. Open up the ASDM console > Click Wizards > VPN Wizard.

2. Select “Site-to-Site VPN” > Next.

3. Enter the Peer IP address (IP of the other end of the VPN tunnel – I’ve blurred it out to protect the innocent) > Select “Pre Shared Key” and enter the key (this needs to be identical to the key at the other end) > Give the tunnel group a name or accept the default entry of its IP address > Next.

4. Choose the encryption protocol (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication Method (SHA or MD5), and choose the Diffie Hellman Group (1, 2, 5 or 7). Note the other end must match, this establishes phase 1 of the tunnel. > Next.

5. Now select the Encryption Protocols (DES, 3DES, AES-128, AES-192, or AES256), choose the Authentication method (SHA, MD5 or None). Note this is for phase 2 and will protect the encrypted traffic “In Flight”. > Next.

6. Now you need to specify what traffic to encrypt: on the left hand side enter the network or host details (of what’s behind the ASA you are working on), and on the right hand side the IP address of the network or host that’s behind the other VPN endpoint. Note the other end should be a mirror image. > Next.

7. Review the Settings (Note I’ve blurred the IP address out again) > Next.

8. Back at the ASDM console commit the settings to the ASA memory, Click File > “Save Running Configuration to Flash.”

ASA 5500 VPN Setup from command line

[box]

object network Site-A-SN
subnet 192.168.1.0 255.255.255.0
object network Site-B-SN
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN
access-list outside_1_cryptomap extended permit ip object Site-A-SN object Site-B-SN
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer {Other Ends IP Address}
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
ikev1 pre-shared-key 12345678901234567890asdfg

[/box]

ASA 5500 VPN for Version 8.2 and older firewalls

[box]

access-list outside_20_cryptomap extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer {Other Ends IP Address}
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group {Other Ends IP Address} type ipsec-l2l
tunnel-group {Other Ends IP Address} ipsec-attributes
pre-shared-key 12345678901234567890asdfg

[/box]


Related Articles, References, Credits, or External Links

Original article written 09/11/09

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

KB ID 0001429

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

You want a secure IPSEC VPN between two sites using IKEv2.

Note: If the device you are connecting to does not support IKEv2 (i.e. it’s not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article;

Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI)

Solution

Before you start, you need to ask yourself: “Do I already have any IPSEC VPNs configured on this firewall?” Because if it’s not already been done, you need to enable IKEv2 on the outside interface. To ascertain whether yours is on or off, issue a “show run crypto” command and check the results; if you do NOT see “crypto ikev2 enable outside” then you need to issue that command.

[box]

PetesASA# show run crypto
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside << Mine’s already enabled, and it’s IKE version 2

[/box]

1. I’m going to create the network objects and an access control list next, to tell the ASA what is “interesting traffic”, that is, the traffic it needs to encrypt.

So below I’m also saying “Don’t NAT traffic from the network behind the ASA (10.254.254.0) that’s going to the network behind the VPN device at the other end of the tunnel (172.16.254.0).”

[box]

PetesASA(config)# object network Site-A-SN
PetesASA(config-network-object)# subnet 10.254.254.0 255.255.255.0
PetesASA(config)# object network Site-B-SN
PetesASA(config-network-object)# subnet 172.16.254.0 255.255.255.0
PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)# nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup

[/box]

2. Now I’m going to create a “Tunnel Group” to tell the firewall it’s a site to site VPN tunnel (“l2l”), and create a shared secret that will need to be entered at the OTHER end of the site to site VPN tunnel. I also set a keepalive value.

Note: Ensure the Tunnel Group Name is the IP address of the firewall/device that the other end of the VPN Tunnel is terminating on.

[box]

PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

[/box]

3. Now we need to create a policy that will set up how “Phase 1” of the VPN tunnel will be established. It sets the encryption type (AES-256), the hashing/integrity algorithm (SHA-256), the Diffie Hellman group, and the PRF (Pseudo Random Function). Finally it sets the timeout before phase 1 needs to be re-established, to 86400 seconds (that’s 1440 minutes, or 24 hours if you’re still confused 🙂 ).

[box]

PetesASA(config)# crypto ikev2 policy 10
PetesASA(config-ikev2-policy)# encryption aes-256
PetesASA(config-ikev2-policy)# integrity sha256
PetesASA(config-ikev2-policy)# group 19
PetesASA(config-ikev2-policy)# prf sha256
PetesASA(config-ikev2-policy)# lifetime seconds 86400

[/box]

4. We stated above that we are going to use AES-256 and SHA-256 for Phase 1, so let’s use the same for the IPSEC proposal (Phase 2), the ‘Transform Set’.

[box]

PetesASA(config)# crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config-ipsec-proposal)# protocol esp encryption aes-256
PetesASA(config-ipsec-proposal)# protocol esp integrity sha-1

[/box]

5. Finally we need to create a “Cryptomap”; this is the ‘thing’ that fires up the tunnel when the INTERESTING TRAFFIC ACL is matched. It also defines the proposal for “Phase 2” of the VPN tunnel (the VPN-TRANSFORM proposal created above). And last of all we apply that Cryptomap to the outside interface.

[box]

PetesASA(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
PetesASA(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
PetesASA(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
PetesASA(config)# crypto map CRYPTO-MAP interface outside

[/box]

6. Don’t forget to save your hard work with a “write mem” command.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

7. Simply configure the other end as a “Mirror Image” of this one.

ASA 5500 Site to Site IKEv2 VPN Copy and Paste Config

Note: This uses AES-256 and SHA-256. It also assumes your outside interface is called ‘outside’. Check! I’ve seen them called Outside (capital O), wan, and WAN.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-SITE-A
subnet 10.0.0.0 255.255.255.0
object network OBJ-SITE-B
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
[/box]

Simply change the values in red where;

  • 10.0.0.0 255.255.255.0 is the network behind the ASA you are working on.
  • 10.0.3.0 255.255.255.0 is the destination network behind the device you are connecting to.
  • 2.2.2.2 is the peer IP address of the device you are attempting to connect to.
  • 1234567 is the shared secret you will use at both ends.
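Since both ends must be exact mirror images and the page has already flagged the legacy defaults (DES on the FTD, 3DES/SHA-1 in the older ASA configs), here is an added Python example, not part of the original article, that renders both ends from one set of parameters in the shape of the block above and audits any ASA crypto config for legacy algorithms. The local address 1.1.1.1 and the LEGACY_IKEV1_SAMPLE fragment are constructed.

```python
"""Render mirror-image ASA IKEv2 site-to-site configs and audit their algorithms.

Added example, not from the original article: render_l2l_config() emits one end in
the shape of the copy-and-paste block above, mirror() derives the other end, and
audit_weak_algorithms() flags legacy choices (DES, 3DES, MD5, SHA-1, DH 1/2/5).
"""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class L2LSite:
    local_ip: str        # our public address; 1.1.1.1 below is a constructed value
    peer_ip: str         # the other end's public address (also the tunnel-group name)
    local_subnet: str    # "network mask", as the ASA object expects it
    remote_subnet: str
    psk: str             # must be identical at both ends
    outside_if: str = "outside"
    ike_encryption: str = "aes-256"
    ike_integrity: str = "sha256"   # also used as the PRF, as in the article
    ike_group: int = 19
    esp_encryption: str = "aes-256"
    esp_integrity: str = "sha-1"    # the article's template value


def render_l2l_config(site: L2LSite) -> str:
    """Emit one end's ASA 9.x IKEv2 l2l config in the article's order."""
    return "\n".join([
        "crypto ikev2 policy 10",
        f" encryption {site.ike_encryption}",
        f" integrity {site.ike_integrity}",
        f" group {site.ike_group}",
        f" prf {site.ike_integrity}",
        " lifetime seconds 86400",
        f"crypto ikev2 enable {site.outside_if}",
        "!",
        "object network OBJ-SITE-A",
        f" subnet {site.local_subnet}",
        "object network OBJ-SITE-B",
        f" subnet {site.remote_subnet}",
        "!",
        "access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B",
        f"nat (inside,{site.outside_if}) source static OBJ-SITE-A OBJ-SITE-A "
        "destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup",
        "!",
        f"tunnel-group {site.peer_ip} type ipsec-l2l",
        f"tunnel-group {site.peer_ip} ipsec-attributes",
        f" ikev2 remote-authentication pre-shared-key {site.psk}",
        f" ikev2 local-authentication pre-shared-key {site.psk}",
        " isakmp keepalive threshold 10 retry 2",
        "!",
        "crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM",
        f" protocol esp encryption {site.esp_encryption}",
        f" protocol esp integrity {site.esp_integrity}",
        "!",
        "crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC",
        f"crypto map CRYPTO-MAP 1 set peer {site.peer_ip}",
        "crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM",
        f"crypto map CRYPTO-MAP interface {site.outside_if}",
    ]) + "\n"


def mirror(site: L2LSite) -> L2LSite:
    """The other end: networks and addresses swapped, algorithms and PSK identical."""
    return replace(site, local_ip=site.peer_ip, peer_ip=site.local_ip,
                   local_subnet=site.remote_subnet, remote_subnet=site.local_subnet)


WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha", "sha1", "sha-1"}   # on the ASA, bare "sha" means SHA-1
WEAK_DH_GROUPS = {1, 2, 5}
# Matches IKEv1/IKEv2 policy lines and IKEv2 "protocol esp ..." proposal lines.
_POLICY_ALG = re.compile(r"^\s*(?:protocol esp )?(encryption|integrity|hash|prf)\s+(\S+)", re.M)
_TRANSFORM = re.compile(r"transform-set\s+\S+\s+esp-(\S+)\s+esp-(\S+)-hmac")  # IKEv1
_DH_GROUP = re.compile(r"^\s*group\s+(\d+)", re.M)


def audit_weak_algorithms(config: str) -> list[str]:
    """One finding per legacy algorithm; an empty list means nothing was flagged."""
    findings = []
    for kind, alg in _POLICY_ALG.findall(config):
        if kind == "encryption" and alg.lower() in WEAK_ENCRYPTION:
            findings.append(f"{kind} {alg}: legacy cipher, prefer aes-256")
        elif kind != "encryption" and alg.lower() in WEAK_INTEGRITY:
            findings.append(f"{kind} {alg}: legacy hash, prefer sha256 or stronger")
    for enc, integ in _TRANSFORM.findall(config):
        if enc.lower() in WEAK_ENCRYPTION:
            findings.append(f"transform-set esp-{enc}: legacy cipher, prefer esp-aes-256")
        if integ.lower() in WEAK_INTEGRITY:
            findings.append(f"transform-set esp-{integ}-hmac: legacy hash, prefer esp-sha256-hmac")
    for group in _DH_GROUP.findall(config):
        if int(group) in WEAK_DH_GROUPS:
            findings.append(f"group {group}: small DH group, prefer group 19 or higher")
    return findings


# Site A uses the article's template values; 1.1.1.1 is a constructed local address.
SITE_A = L2LSite(local_ip="1.1.1.1", peer_ip="2.2.2.2", psk="1234567",
                 local_subnet="10.0.0.0 255.255.255.0", remote_subnet="10.0.3.0 255.255.255.0")
# Constructed IKEv1 3DES fragment, in the shape of the older config earlier on the page.
LEGACY_IKEV1_SAMPLE = ("crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\n"
                       "crypto ikev1 policy 10\n encryption 3des\n hash sha\n group 2\n")
```

Run `render_l2l_config(mirror(SITE_A))` to get the far end’s paste-in block; note the audit flags the template’s own `protocol esp integrity sha-1`.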

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Enable Split Tunnel for Remote Clients

KB ID 0000066

Problem

This is a simple job to do from command line, however the world is full of people who would rather spend an hour in the ASDM working out how to do it! So I’ve included both methods.

What is split tunneling?

This is the process of letting a remote VPN user browse the web and access local resources etc. from their location whilst connected to your VPN, in this case via SSLVPN, but also from WebVPN or IPSEC VPN.

Solution

Option 1 Enable Split Tunnel via Command Line.

1. Connect to the ASA > Go to enable mode > Then to global configuration mode > Create an ACL that permits traffic from the network behind the ASA to any. (Note: Add additional ACLs for additional internal networks.)

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
PeteASA(config)# access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0

[/box]

2. Add the split tunnel to the policy you are using for your remote VPN (if you are unsure, issue a show run group-policy).

[box]

PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelspecified
PeteASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PeteASA(config-group-policy)# exit
PeteASA(config)#

[/box]

3. Save the changes.

[box]

PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#

[/box]

Enable Split Tunnel on an older (PIX Firewall)

[box]

Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ******
PetesPIX# configure terminal
PetesPIX(config)# access-list Split-Tunnel permit ip 10.0.0.0 255.255.255.0 any
PetesPIX(config)# vpngroup RemoteVPN split-tunnel Split-Tunnel

[/box]  

Option 2 Enable Split Tunnel via ASDM

1. Launch the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select your policy.

2. Edit > Select Advanced > Split Tunneling.

3. Next to Policy > Untick “Inherit” > Change to “Tunnel Network List Below”.

4. Next to “Network List” remove the tick from Inherit > Click Manage.

5. Add ACL > Call it something sensible like Split-Tunnel > OK.

6. Then click Add ACE.

7. Select Permit and enter the network BEHIND THE ASA > OK.

8. Should look a bit like this > OK.

9. OK.

10. Apply > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Original Article Written 14/06/12

Troubleshooting Cisco ASA Split Tunnel

Cisco ASA – Remote VPN Client Internet Access

PPTP VPN – Enable Split Tunneling

Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall

KB ID 0001428

Problem

I got asked to put in a VPN for a client this week; it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from an ASA to a Fortigate ‘through’ another ASA.

It’s been a few years since I had to tunnel ‘through’ a firewall, and experience tells me that if you don’t have control of BOTH ends of a new VPN tunnel, anything that stops the tunnel coming up MUST be my fault. So I thought I’d build it on my test bench (admittedly without a Fortigate, but thankfully that’s not my problem, so I used another ASA instead). This is what I built.

Note: The routers are just there, so I can ping the other site to test the tunnel.

Solution

So what I’m worried about, is how to configure the ASA in the middle (The Corporate Perimeter Firewall). This is not an exercise in setting up the VPNs, if that’s what you require, then see the link at the bottom of the page.

There are FIVE things you need to do;

  • Create a Static (One-To-One) NAT so that the ASA that has a private IP on its outside interface, (192.168.2.1) has a PUBLIC IP mapped to it, (I’m using 1.1.1.3).
  • Allow UDP 500 (ISAKMP) from the ASA (1.1.1.1) to the ASA (192.168.2.1)
  • Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (1.1.1.1) to the ASA (192.168.2.1)
  • Allow UDP 500 (ISAKMP) from the ASA (192.168.2.1) to the ASA (1.1.1.1)
  • Allow UDP 4500 (NAT-TRAVERSAL) from the ASA (192.168.2.1) to the ASA (1.1.1.1)

That’s it! You DON’T need to allow ESP or AH (protocols 50 and 51), nor do you need to enable ‘ipsec-pass-through’. I’ve brought up the tunnel with both IKEv1 and IKEv2.

Config;

[box]

!
object network OBJ-ASA-SITE-1
 host 1.1.1.1
object network OBJ-ASA-SITE-2
 host 192.168.2.1
 nat (inside,outside) static 1.1.1.3
!
access-list outbound extended permit udp object OBJ-ASA-SITE-2 object OBJ-ASA-SITE-1 eq isakmp
access-list outbound extended permit udp object OBJ-ASA-SITE-2 object OBJ-ASA-SITE-1 eq 4500
!
access-list inbound extended permit udp object OBJ-ASA-SITE-1 object OBJ-ASA-SITE-2 eq isakmp
access-list inbound extended permit udp object OBJ-ASA-SITE-1 object OBJ-ASA-SITE-2 eq 4500
!
access-group inbound in interface outside
access-group outbound in interface inside
!

[/box]

WARNING: Read the following article before executing the access-group commands;

Cisco ASA – ‘access-group’ Warning


Related Articles, References, Credits, or External Links

Cisco ASA Site To Site VPN IKEv2 “Using CLI”

Cisco ASA5500 Site to Site VPN from ASDM

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall

Cisco ASA – Remote IPSEC VPN With the NCP Entry Client

KB ID 0001260 

Problem

I’ve covered Cisco IPSEC Remote VPNs a long time ago, and I’ve also blogged about the Cisco IPSEC VPN Client Software. Yes you can get the Cisco VPN Client Working on Windows 10, but can you imagine rolling that out to a few hundred users?

The bottom line is Remote Cisco IPSEC VPN is a dead technology; Cisco (and me!) want you to use AnyConnect. For a couple of users you can use the workarounds above, but that won’t scale well. So if you don’t want to ditch IPSEC VPN, then you will have to go with third party software to connect to your device. In this example I will use the NCP Secure Entry Client.

Solution

Configure the ASA. I’ve done this to death in the past (read the links above), so here’s the config (taken from a firewall running version 9.x) to copy and paste in.

[box]

!
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-IPSEC-VPN esp-3des esp-sha-hmac
!
ip local pool PNL-POOL-IPSEC 192.168.198.1-192.168.198.254 mask 255.255.255.0
!
access-list SPLIT-TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 default-domain value petenetlive.com
!
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool PNL-POOL-IPSEC
 default-group-policy IPSEC-VPN
 authentication-server-group LOCAL
tunnel-group IPSEC-VPN ipsec-attributes
 ikev1 pre-shared-key Cisco123456
!
crypto dynamic-map DYNAMIC-CRYPTO-MAP 65535 set ikev1 transform-set TS-IPSEC-VPN
!
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYNAMIC-CRYPTO-MAP
!
crypto map CRYPTO-MAP interface outside
!
crypto ikev1 enable outside
!
object network OBJ-IPSEC-SUBNET
 subnet 192.168.198.0 255.255.255.0
!
nat (inside,outside) source static any any destination static OBJ-IPSEC-SUBNET OBJ-IPSEC-SUBNET no-proxy-arp route-lookup
!

[/box]

Points to Note:

  • I’m using 3DES and SHA1 for Phase 1 (ISAKMP) and Phase 2 (IPSEC).
  • The Network behind my ASA is 192.168.100.0/24.
  • I’ve allocated 192.168.198.0/24 to my remote VPN clients. (If you have a complicated network, ensure this is routable from the LAN back to the firewall!)
  • I’ve enabled split tunnelling.
  • My interfaces are called inside and outside, yours might be different!
  • Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP) or your existing VPNs will stop working! Issue a ‘show run crypto map’ command to check.
  • I have not enabled PFS. (If I had it would have been in the crypto map).

Configure NCP Entry Client

OK, it’s not free, but you do get a 30 day trial to give it a test run and see if you like it. Once installed and rebooted, launch the software. Configuration > Profiles > Add/Import > Link to Corporate Network Using IPSEC > Next.

Note: As indicated below if you have a PCF file you can import that. 


Give the profile a name i.e. ‘Connection to Office’ > Next > Communication Medium = LAN (over IP) > Next > Gateway = Public name or IP of your Cisco ASA > User ID details is the username and password that you need to enter to connect. (Note: Not the Group name and pre-shared key) > Next.

Usernames should be supplied by your firewall admin (tell them to issue a ‘show run | begin username’ command).

Exchange Mode = Aggressive Mode > PFS Group = {blank} > Next > Local Identity IKE Type = ‘Free string used to identify groups’ > ID = {Your Tunnel Group-Name} > Shared Secret = {Your Group Pre-Shared-Key} > Next.

Tunnel group name, and Pre-Shared Keys also need to be given to you by your firewall admin. Ask them to run  ‘more system:running-config | begin tunnel-group‘ if they don’t know.

Change IP Address Assignment to IKE Config Mode > Next > Firewall (leave it off) > Finish.

OK > Click switch to enable.

It Won’t Work?

On the client you can go to Help > Logbook to see what the problem is.

On the firewall, debug crypto isakmp 255 will debug phase 1 and debug crypto ipsec 255 will debug phase 2.

Related Articles, References, Credits, or External Links

NA

Windows and Cisco (IPSEC) VPN Client

KB ID 0000693 

Problem

I’d been running Windows 8 for a while now, but this was the first time I needed to use my Cisco VPN Client software. So I was not happy when this happened.

Note: Using VPN Client version 5.0.07.0440

Secure VPN Connection terminated locally by the Client. Reason 442: Failed to enable Virtual Adapter.

Solution

As it turns out this is a known problem with Windows 8, and there is a work-around.

1. Press Windows Key+R to open the run prompt > regedit {enter}

2. Navigate to;

[box] HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>CVirtA [/box]

Locate the DisplayName > Edit its value > Delete all the text to the LEFT of “Cisco Systems VPN Adapter for 64bit Windows.”

3. So it looks like this.

4. Then it should work as before.


Related Articles, References, Credits, or External Links

Download Cisco VPN Client Software

Cisco Simple GRE Tunnels (With IPSEC)

KB ID 0000951

Problem

I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software through firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport those protocols inside a virtual point to point link. Below is the topology I’m going to use.

The tunnel will run from Router R1 to Router R3; once complete I should be able to ping Host2 from Host1.

Solution

Configure Router R1 for GRE

1. Create and configure a tunnel interface on the R1 router. It will need an IP address (here I’m using 10.0.0.1/30). Then you need to specify the source and destination of the GRE tunnel. Finally I’ve changed some MTU settings, because typically MTUs are set to 1500 and GRE adds an overhead; I’m dropping the MTU to 1400 and setting the maximum segment size to 1360.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#interface Tunnel0
*Mar 1 00:01:27.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 10.0.0.1 255.255.255.252
R1(config-if)#ip mtu 1400
R1(config-if)#ip tcp adjust-mss 1360
R1(config-if)#tunnel source 1.1.1.1
R1(config-if)#tunnel destination 2.2.2.1
R1(config-if)#exit

[/box]

2. Then we need to add a static route to the router’s routing table so it knows to use that tunnel for traffic destined for the 192.168.2.0/24 network.

[box]

R1(config)#ip route 192.168.2.0 255.255.255.0 Tunnel0

[/box]

Configure Router R3 for GRE

3. This is simply a mirror image of the configuration you carried out on router R1 (with the other address from the 10.0.0.0/30 tunnel subnet).

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface Tunnel0
*Mar 1 00:01:30.747: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#ip address 10.0.0.2 255.255.255.252
R3(config-if)#ip mtu 1400
R3(config-if)#ip tcp adjust-mss 1360
R3(config-if)#tunnel source 2.2.2.1
R3(config-if)#tunnel destination 1.1.1.1
R3(config-if)#exit
R3(config)#ip route 192.168.1.0 255.255.255.0 Tunnel0
[/box]

Verify GRE Tunnel


4. Use the following command to check the status of the GRE tunnel.

[box]

R1# show interface tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 1.1.1.1, destination 2.2.2.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

[/box]

5. Then make sure that traffic passes over the tunnel.

[box]

R1#ping 192.168.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/64/88 ms
R1#

[/box]

Securing the Tunnel with IPsec

6. Our traffic is now going where we want it to, and it’s encapsulated, but it’s still being ‘sent in clear’; if traffic is intercepted ‘in flight’ it can be read. So we need to secure that traffic by encrypting it. The first job is to create an ISAKMP policy that will establish ‘phase 1’ of our secure tunnel. I’m using AES, with Diffie Hellman group 2, and SHA hashing. I’ve specified that I will be using a pre-shared key, so that’s been created with the last command and is assigned to the IP of the ‘other end’ of the VPN tunnel.

[box]

R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#crypto isakmp policy 10
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 Sh@reds3cret address 2.2.2.1

[/box]

7. Phase 2 of our tunnel (IPsec) is encrypted and hashed with a ‘transform set’; again I’m using AES and SHA. Then I create a profile that uses my transform set.

[box]

R1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#crypto ipsec profile PF-PNL
R1(ipsec-profile)#set transform-set TFS-PNL
R1(ipsec-profile)#exit

[/box]

8. The last job is to apply the profile I created above to our GRE tunnel interface.

[box]

R1(config)#interface tun0
R1(config-if)#tunnel mode ipsec ipv4
R1(config-if)#tunnel protection ipsec profile PF-PNL
*Mar 1 00:20:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#
*Mar 1 00:20:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#
*Mar 1 00:20:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#
[/box]

9. Again configure router 3 as a mirror image.

[box]

R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#encryption aes
R3(config-isakmp)#group 2
R3(config-isakmp)#hash sha
R3(config-isakmp)#exit
R3(config)#crypto isakmp key 0 Sh@reds3cret address 1.1.1.1
R3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#crypto ipsec profile PF-PNL
R3(ipsec-profile)#set transform-set TFS-PNL
R3(ipsec-profile)#exit
R3(config)#interface tun0
R3(config-if)#tunnel mode ipsec ipv4
R3(config-if)#tunnel protection ipsec profile PF-PNL
R3(config-if)#
*Mar 1 00:25:32.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R3(config-if)#
*Mar 1 00:25:33.175: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#
*Mar 1 00:25:33.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R3(config-if)#exit
R3(config)#
[/box]

Cisco IOS Verify IPsec VPN Tunnel Is Up

 

Note: To bring up the tunnel, simply send some traffic over it by pinging something on the other side. If you get a reply then the tunnel is up! But to check its status, first make sure phase 1 has established.

[box]

R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R3#

[/box]

QM_IDLE means that phase 1 has established and the ISAKMP SA is sitting idle, ready for Quick Mode (phase 2). This is what you want to see; if you see any other state message you may need to start debugging things.

Once you know phase 1 is established you need to check phase 2.

[box]

R3#show crypto ipsec sa
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.1, remote crypto endpt.: 1.1.1.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x3AA3F6B0(983824048)

     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: SW:1, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: SW:2, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4559832/3506)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

[/box]
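As an added example (not from the original article), here is a small Python checker that reads the ‘show crypto ipsec sa’ output above and reports whether phase 2 is established (an ACTIVE inbound and outbound ESP SA), whether any packets have been encrypted or decrypted yet, and whether a weak transform is in use. The sample output is a constructed, trimmed copy of the one shown, and the list of ‘weak’ transforms is my own choice.

```python
import re
# Constructed sample trimmed from the 'show crypto ipsec sa' output above (not a live capture).
SAMPLE_IPSEC_SA = """\
interface: Tunnel0
   current_peer 1.1.1.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x5C5C5EF1(1549557489)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
     outbound esp sas:
      spi: 0x3AA3F6B0(983824048)
        transform: esp-aes esp-sha-hmac ,
        Status: ACTIVE
"""
WEAK = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")  # transforms a reviewer would flag (my choice)

def parse_ipsec_sa(text):
    """Pull the peer, packet counters and each ESP SA (direction, spi, transform, status) from the output."""
    info = {"peer": None, "encaps": 0, "decaps": 0, "sas": []}
    direction, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current_peer (\S+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            info[m.group(1)] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)          # the SAs that follow belong to this direction
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and direction:
            sa = {"dir": direction, "spi": m.group(1), "transform": "", "status": ""}
            info["sas"].append(sa)
        elif (m := re.match(r"transform: (.*?)\s*,?\s*$", line)) and sa:
            sa["transform"] = m.group(1)
        elif (m := re.match(r"Status: (\w+)", line)) and sa:
            sa["status"] = m.group(1)
    return info

def check_phase2(text):
    """Summarise phase 2: is it established, is traffic flowing, are any transforms weak?"""
    info = parse_ipsec_sa(text)
    active = {sa["dir"] for sa in info["sas"] if sa["status"] == "ACTIVE"}
    return {
        "peer": info["peer"],
        "established": active == {"inbound", "outbound"},
        "traffic": info["encaps"] > 0 or info["decaps"] > 0,  # both zero: ping across the tunnel and re-check
        "weak": sorted({w for sa in info["sas"] for w in WEAK if w in sa["transform"]}),
    }
```

With the output shown above, the check reports phase 2 established but no traffic yet, which matches the article's note that you need to send some traffic across the tunnel.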

 

Related Articles, References, Credits, or External Links

NA

Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN

KB ID 0000954

Problem

A while back I uploaded a run-through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes, you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels, and even if you did, if you want each of your remote sites to talk to each other you have all those tunnels to configure as well.

To address that we have DMVPN: rather than a point-to-point GRE tunnel it uses multipoint GRE, which can have more than two endpoints. In fact it acts like a ‘network overlay’ that joins all the sites together. It is typically deployed in a hub-and-spoke configuration where one router (the hub) sits at the center and each remote site (spoke) joins the multipoint GRE and tunnels back to the hub. The magic part is, if one spoke needs to speak to another spoke, this is done by building a dynamic tunnel between them ‘on the fly’.

Below is the network topology I’m going to use;

Note: If you use GNS3, here’s the topology and configs for all the routers.

I have a main site that will be the ‘Hub Site’, and at that site MainSiteRTR will be the NHS router. The three remaining sites will act as ‘spokes’, so my ‘network overlay’ will be 192.168.0.0/24.

Solution

Configure DMVPN Hub (NHS) Router

Before I start, all the sites are pre-configured as per figure1 above, all the routers can see each other via EIGRP.

1. To begin, the setup looks very much like a standard GRE tunnel, but we define a source and no destination (we don’t need one, because we specify ‘tunnel mode gre multipoint’). There are two commands for the NHRP setup: ‘ip nhrp map multicast dynamic’ lets EIGRP information propagate to the ‘spokes’, and ‘ip nhrp network-id 1’ creates a group ID for the DMVPN group. All the spokes will need to share this ID to form tunnels with this NHS router.

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#interface Tunnel0
MainSiteRTR(config-if)# ip address 192.168.0.1 255.255.255.0
MainSiteRTR(config-if)# ip nhrp map multicast dynamic
MainSiteRTR(config-if)# ip nhrp network-id 1
MainSiteRTR(config-if)# tunnel source 1.1.1.1
MainSiteRTR(config-if)# tunnel mode gre multipoint
*Mar 1 00:02:31.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
MainSiteRTR(config-if)#exit
*Mar 1 00:02:41.635: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
MainSiteRTR(config)#

[/box]

Configure the Branch ‘Spoke’ Routers

2. There are a few differences here. First, ‘ip nhrp map 192.168.0.1 1.1.1.1’ tells the branch router to map the hub’s 192.168.0.1 tunnel IP permanently to the 1.1.1.1 public address. ‘ip nhrp map multicast 1.1.1.1’ tells the router to relay ALL its multicast traffic back to the hub router. ‘ip nhrp nhs 192.168.0.1’ tells the spoke router where the hub router is.

[box]

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#interface Tunnel0
Branch1(config-if)# ip address 192.168.0.2 255.255.255.0
Branch1(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch1(config-if)# ip nhrp map multicast 1.1.1.1
Branch1(config-if)# ip nhrp network-id 1
Branch1(config-if)# ip nhrp nhs 192.168.0.1
Branch1(config-if)# tunnel source 2.2.2.1
Branch1(config-if)# tunnel mode gre multipoint
*Mar 1 00:07:28.403: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch1(config-if)#exit
*Mar 1 00:07:38.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch1(config)#

[/box]

3. Then configure each branch router the same (apart from the tunnel source and the tunnel IP address).

[box]

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#interface Tunnel0
Branch2(config-if)# ip address 192.168.0.3 255.255.255.0
Branch2(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch2(config-if)# ip nhrp map multicast 1.1.1.1
Branch2(config-if)# ip nhrp network-id 1
Branch2(config-if)# ip nhrp nhs 192.168.0.1
Branch2(config-if)# tunnel source 3.3.3.1
Branch2(config-if)# tunnel mode gre multipoint
Branch2(config-if)# exit
*Mar 1 00:09:32.631: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#interface Tunnel0
Branch3(config-if)# ip address 192.168.0.4 255.255.255.0
Branch3(config-if)# ip nhrp map 192.168.0.1 1.1.1.1
Branch3(config-if)# ip nhrp map multicast 1.1.1.1
Branch3(config-if)# ip nhrp network-id 1
Branch3(config-if)# ip nhrp nhs 192.168.0.1
Branch3(config-if)# tunnel source 4.4.4.1
Branch3(config-if)# tunnel mode gre multipoint
Branch3(config-if)# exit
*Mar 1 00:11:05.259: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
Branch3(config)#
*Mar 1 00:11:15.247: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Branch3(config)#

[/box]

Verifying and Testing the DMVPN Setup

4. On the main site;

[box]

MainSiteRTR#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         2.2.2.1     192.168.0.2    UP    never D
     1         3.3.3.1     192.168.0.3    UP    never D
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]

5. On a branch site (Note: There is only one tunnel to the Main Site);

[box]

Branch1#show dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:1,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:24 S

[/box]

6. But if from the same branch site you ping another branch site, it will dynamically build a tunnel to that site also. (Note: The S denotes static, and the D denotes dynamic).

[box]

Branch1#ping 192.168.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/60/108 ms

Branch1#show dmvpn

Legend: Attrb --> S - Static, D - Dynamic, I - Incompletea
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer

Tunnel0, Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         1.1.1.1     192.168.0.1    UP 00:08:52 S
     1         4.4.4.1     192.168.0.4    UP    never D

[/box]

Protect and Encrypt the Tunnel(s) with IPSEC

7. BE AWARE the traffic traveling over these tunnels is still being sent in cleartext; it’s simply been ‘encapsulated’ with GRE. To rectify that we can protect the tunnels with IPSEC.

[box]

MainSiteRTR#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MainSiteRTR(config)#crypto isakmp policy 10
MainSiteRTR(config-isakmp)# authentication pre-share
MainSiteRTR(config-isakmp)# encryption aes
MainSiteRTR(config-isakmp)# group 2
MainSiteRTR(config-isakmp)# hash sha
MainSiteRTR(config-isakmp)# crypto isakmp key Sh@reds3cret address 2.2.2.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 3.3.3.1
MainSiteRTR(config)# crypto isakmp key Sh@reds3cret address 4.4.4.1
MainSiteRTR(config)# crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
MainSiteRTR(cfg-crypto-trans)# crypto ipsec profile PF-PNL
MainSiteRTR(ipsec-profile)# set transform-set TFS-PNL
MainSiteRTR(ipsec-profile)# interface Tunnel0
MainSiteRTR(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:25:34.055: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
MainSiteRTR(config-if)# exit
MainSiteRTR(config)#

[/box]

8. Then simply repeat on the branch routers; the only difference is the peer addresses.

[box]

Branch 1 Router Config

Branch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch1(config)#crypto isakmp policy 10
Branch1(config-isakmp)# authentication pre-share
Branch1(config-isakmp)# encryption aes
Branch1(config-isakmp)# group 2
Branch1(config-isakmp)# hash sha
Branch1(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch1(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch1(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch1(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch1(ipsec-profile)# set transform-set TFS-PNL
Branch1(ipsec-profile)#interface Tunnel0
Branch1(config-if)# tunnel protection ipsec profile PF-PNL
Branch1(config-if)#exit
Branch1(config)#
*Mar 1 00:36:47.179: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch1(config)#

Branch 2 Router Config

Branch2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch2(config)#crypto isakmp policy 10
Branch2(config-isakmp)# authentication pre-share
Branch2(config-isakmp)# encryption aes
Branch2(config-isakmp)# group 2
Branch2(config-isakmp)# hash sha
Branch2(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch2(config)#crypto isakmp key Sh@reds3cret address 4.4.4.1
Branch2(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch2(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch2(ipsec-profile)# set transform-set TFS-PNL
Branch2(ipsec-profile)#interface Tunnel0
Branch2(config-if)# tunnel protection ipsec profile PF-PNL
Branch2(config-if)#exit
Branch2(config)#
*Mar 1 00:37:57.239: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch2(config)#

Branch 3 Router Config

Branch3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Branch3(config)#crypto isakmp policy 10
Branch3(config-isakmp)# authentication pre-share
Branch3(config-isakmp)# encryption aes
Branch3(config-isakmp)# group 2
Branch3(config-isakmp)# hash sha
Branch3(config-isakmp)#crypto isakmp key Sh@reds3cret address 1.1.1.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 2.2.2.1
Branch3(config)#crypto isakmp key Sh@reds3cret address 3.3.3.1
Branch3(config)#crypto ipsec transform-set TFS-PNL esp-aes esp-sha-hmac
Branch3(cfg-crypto-trans)#crypto ipsec profile PF-PNL
Branch3(ipsec-profile)# set transform-set TFS-PNL
Branch3(ipsec-profile)#interface Tunnel0
Branch3(config-if)# tunnel protection ipsec profile PF-PNL
*Mar 1 00:39:10.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Branch3(config-if)#exit

[/box]

9. To test, re-establish the tunnels (send some traffic across them); this time you can see they are protected;

[box]

MainSiteRTR#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.1         QM_IDLE           1002    0 ACTIVE
1.1.1.1         4.4.4.1         QM_IDLE           1003    0 ACTIVE
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE

[/box]
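Added example, not from the original article: a Python cross-check that reads the hub’s ‘show dmvpn’ and ‘show crypto isa sa’ output and lists any NHRP peer that is UP but has no established phase 1 SA, i.e. a peer whose GRE traffic is still cleartext (the warning in step 7). The samples are constructed from the outputs shown above, and the regexes assume the column layouts shown there.

```python
import re
# Constructed samples modelled on the hub's 'show dmvpn' and 'show crypto isa sa' output above.
SAMPLE_DMVPN = """\
Tunnel0, Type:Hub, NHRP Peers:3,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1         2.2.2.1     192.168.0.2    UP    never D
     1         3.3.3.1     192.168.0.3    UP    never D
     1         4.4.4.1     192.168.0.4    UP    never D
"""
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
1.1.1.1         3.3.3.1         QM_IDLE           1002    0 ACTIVE
1.1.1.1         4.4.4.1         QM_IDLE           1003    0 ACTIVE
1.1.1.1         2.2.2.1         QM_IDLE           1001    0 ACTIVE
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
DMVPN_ROW = re.compile(rf"^\s*\d+\s+({IPV4})\s+({IPV4})\s+(\w+)\s+\S+\s+(\S+)\s*$")
ISAKMP_ROW = re.compile(rf"^({IPV4})\s+({IPV4})\s+(\S+)\s+\d+\s+\d+\s+(\w+)\s*$")

def parse_dmvpn_peers(text):
    """Map each NHRP peer's NBMA (public) address to its tunnel address, state and Attrb flags."""
    peers = {}
    for line in text.splitlines():
        m = DMVPN_ROW.match(line)
        if m:
            nbma, tunnel, state, attrb = m.groups()
            peers[nbma] = {"tunnel": tunnel, "state": state, "attrb": attrb}
    return peers

def parse_isakmp_endpoints(text):
    """Return every address that appears in an established (QM_IDLE / ACTIVE) phase 1 SA."""
    endpoints = set()
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and m.group(3) == "QM_IDLE" and m.group(4) == "ACTIVE":
            endpoints.update((m.group(1), m.group(2)))  # dst/src order depends on who initiated
    return endpoints

def unprotected_peers(dmvpn_text, isakmp_text):
    """NBMA addresses of NHRP peers that are UP but have no phase 1 SA: their GRE traffic is cleartext."""
    protected = parse_isakmp_endpoints(isakmp_text)
    return sorted(nbma for nbma, p in parse_dmvpn_peers(dmvpn_text).items()
                  if p["state"] == "UP" and nbma not in protected)
```

Run the same check on a spoke after a spoke-to-spoke ping: the dynamic (D) peer must show up in that spoke’s ‘show crypto isa sa’ too, otherwise the direct spoke tunnel is unprotected.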

Download the DMVPN labs and have a play

Related Articles, References, Credits, or External Links

Cisco Simple GRE Tunnels (With IPSEC)