First off, why IKE version 2?
Well, IKE version 2 (aka IKEv2) is supposed to be our cake and ice cream with regards to configuration and setup. Here are some changes in IKEv2 versus IKEv1:
- Support for bi-directional authentication (I can use one PSK locally and another remotely), or mix and match PSKs and certificates between peers
- Quicker setup of IPsec phase 1
- The phase 1 setup time is shortened by 40%, or maybe more
- DPD and NAT-T are handled within the IKEv2 setup between peers
- The confusion over when to use aggressive or main mode is eliminated
- The responder doesn't process the request until the requester is identified (DoS protection)
- Support for EAP authentication of initiator and requester
- Explicit congestion notification is now included in IKEv2
- And finally, less configuration is required in most deployments
Okay, the above is what's supposed to be better with IKEv2. Now let's explore IKEv2 supported devices. These are the platforms I'm aware of that support IKEv2 and that I have configured IKEv2 on:
- strongSwan
- Openswan 2.6 or later
- pfSense 2.X (TBD in the near future; still beta code being worked out)
- Later IOS routers running 12.4 code (15.X seems not to support IKEv2 under the enterprise release, from what I can tell on my ISR hardware)
- Fortigate firewalls
- Juniper firewalls
- ASA firewalls, code set 8.4 or later
- Stonesoft firewall appliances
Okay, so that's just a brief listing of firewalls and routers that support IKEv2. This posting, on the other hand, is about the ASA security appliance and the configuration of IKEv2. The ASA has had IKEv2 support since the release of code set 8.4, and it's quite interesting but not overly hard to configure.
VPN configuration on the ASA has always been a struggle for most seasoned firewall admins/engineers, and very hard to troubleshoot.
Here are my steps in the configuration process for IKEv2.
First, let's create some IKEv2 policies that we can call later. We are doing AES with either 192- or 256-bit key sizes; the 192/256 represents the key size in bits. The default is always 128, or AES-128. Also, not to be mistaken: AES only supports 128-bit data blocks regardless of the key size.
crypto ikev2 policy 20
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 28000
!
crypto ikev2 policy 30
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 28000
We are also using DH group 5 with SHA hashing. Now define the IPsec proposals (the IKEv2 equivalent of transform sets) that we will later reference in our crypto map definitions:
crypto ipsec ikev2 ipsec-proposal vpn192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal vpn256
protocol esp encryption aes-256
protocol esp integrity sha-1
Now make sure to enable IKEv2 on the interface we expect IKEv2 traffic on; in our case we have the classic inside/outside interfaces and will use the latter:
crypto ikev2 enable outside
Note: it's critical that we enable this. Without that command, the firewall will not expect or know how to handle IKEv2 packets. Okay, now let's put it all together and see how it works.
In this case the far end is addressed at 1.0.0.1:
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key MkB3stK3yY3t!
ikev2 local-authentication pre-shared-key MyK3yh3r3forUyu0
Here's a crypto map using the IPsec proposals and peer 1.0.0.1:
crypto map vpnout 1 set peer 1.0.0.1
crypto map vpnout 1 match address cryptovpn01
crypto map vpnout 1 set ikev2 ipsec-proposal vpn192 vpn256
And don't forget to bind the crypto map to the interface:
crypto map vpnout interface outside
The ACL cryptovpn01 would be an extended access list permitting the left/right (local/remote) subnets. This determines which traffic needs to be encrypted:
access-list cryptovpn01 extended permit ip 192.168.110.0 255.255.255.0 10.100.100.0 255.255.255.0
You might want to deploy ASA objects; this makes ACL configs simpler to build and manage. For example, using objects:
object network inside
subnet 192.168.110.0 255.255.255.0
object network remote-net01
subnet 10.100.100.0 255.255.255.0
And here is how the ACL looks when using objects:
access-list cryptovpn01 extended permit ip object inside object remote-net01
And lastly, if you're using NAT, you might need to add a no-NAT (aka NAT exemption) rule for the traffic from left to right. Using our above objects to simplify:
nat (inside,outside) source static inside inside destination static remote-net01 remote-net01
If you did not create a NAT exemption, your ASA would try to NAT the VPN traffic as well if you had a NAT statement that matched ALL/ANY.
Now to troubleshoot this, you have some options, but at minimum:
(packet tracer)
packet-tracer input inside tcp 192.168.110.2 2000 10.100.100.100 80
show vpn-sessiondb
show crypto ikev2 sa
debug crypto ikev2 platform 5 (or higher for more details)
or
debug crypto ikev2 protocol 5 (or higher for more details)
And a snippet of a typical debug output:
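A consistency check on the pieces above, as an added example that is not from the post: it parses a constructed ASA snippet (the post's own lines, with the `crypto ikev2 enable outside` command deliberately left out) and reports references that don't resolve, such as a crypto map bound to an interface that has no `crypto ikev2 enable`, a tunnel-group missing its local or remote PSK, or a proposal or ACL named in the map but never defined.

```python
import re

# Constructed sample: the post's snippets joined into one config, with
# "crypto ikev2 enable outside" deliberately omitted so that check fires.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal vpn192
crypto ipsec ikev2 ipsec-proposal vpn256
access-list cryptovpn01 extended permit ip object inside object remote-net01
tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key MkB3stK3yY3t!
 ikev2 local-authentication pre-shared-key MyK3yh3r3forUyu0
crypto map vpnout 1 set peer 1.0.0.1
crypto map vpnout 1 match address cryptovpn01
crypto map vpnout 1 set ikev2 ipsec-proposal vpn192 vpn256
crypto map vpnout interface outside
"""

def lint_ikev2(config):
    """Return a list of problems; empty means every reference resolves."""
    problems = []
    proposals = set(re.findall(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    enabled = set(re.findall(r"^crypto ikev2 enable (\S+)", config, re.M))
    # Which PSK directions each tunnel-group's ipsec-attributes block sets.
    psk, group = {}, None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)
            psk[group] = set()
        elif group and line.startswith(" ikev2 "):
            psk[group].add(line.split()[1])  # remote-/local-authentication
        elif not line.startswith(" "):
            group = None
    for name, iface in re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M):
        if iface not in enabled:  # the "critical" command from the post
            problems.append(f"map {name} on {iface}: 'crypto ikev2 enable {iface}' missing")
    for name, seq, rest in re.findall(r"^crypto map (\S+) (\d+) (.+)$", config, re.M):
        w = rest.split()
        if w[:2] == ["set", "peer"]:
            for need in ("remote-authentication", "local-authentication"):
                if need not in psk.get(w[2], set()):
                    problems.append(f"peer {w[2]}: no ikev2 {need} pre-shared-key")
        elif w[:2] == ["match", "address"] and w[2] not in acls:
            problems.append(f"map {name} {seq}: ACL {w[2]} not defined")
        elif w[:3] == ["set", "ikev2", "ipsec-proposal"]:
            problems += [f"map {name} {seq}: proposal {p} not defined" for p in w[3:] if p not in proposals]
    return problems
```

Run `lint_ikev2` over a `show running-config` capture after the steps above; an empty list means the map, tunnel-group, proposals and ACL all point at each other.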
IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-3: (8): Insert SA
IKEv2-PROTO-2: (8): Retransmitting packet
IKEv2-PROTO-3: Tx [L 1.1.1.1.90:500/R 1.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:01B912352A88EA61 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 01B912352A88EA61 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 502
SA Next payload: KE, reserved: 0x0, length: 92
IKEv2-PROTO-4: last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 200
DH group: 5, Reserved: 0x0
06 e8 a3 cf 58 f2 42 f7 93 84 14 3d e5 39 97 e3
14 22 b5 60 9c 22 88 4a d6 28 27 0e 24 55 27 15
7e 39 b7 71 bc 76 34 a7 34 a0 cf ae 37 84 97 c7
c0 94 e1 b5 15 1c ac 2b c6 c5 ee dd b7 3b 02 53
d7 e8 19 6e 05 ab bd f4 4b 14 9d 4a 71 fc b4 f9
2a 03 bc 96 32 37 c6 b4 ad b2 f5 7f 2c f3 c4 8d
d9 95 ca cc 74 e5 f0 f4 90 78 2d 19 ab ae 1d 46
10 a7 35 bc 8c 85 cc 44 e8 29 e0 55 d5 1d 08 aa
77 dc b7 d0 a1 33 6c 40 8d af 26 4a 95 9f 4f fe
a0 b8 d6 10 a0 65 47 fa b6 e8 4e f2 37 a6 d5 eb
cf b1 92 31 b0 8d 3f a7 a4 35 31 8e 3a a5 bb 34
3c 93 5b 60 01 e1 fd 17 ac c1 5f 11 11 c6 a8 8c
N Next payload: VID, reserved: 0x0, length: 24
78 93 88 9a 12 20 3d 83 fb fb 3f 72 51 6f 94 e0
a0 30 66 e7
VID Next payload: VID, reserved: 0x0, length: 23
43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
53 4f 4e
VID Next payload: NOTIFY, reserved: 0x0, length: 59
43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
73 2c 20 49 6e 63 2e
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
25 1b 55 5d 1f 08 fc 6d 25 8c 73 9c c0 81 d7 df
de 2b e1 31
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: VID, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
c2 a8 f7 bb b8 d9 91 4a 4c 4f b5 81 e1 dc 69 48
c9 96 e9 5c
VID Next payload: NONE, reserved: 0x0, length: 20
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
no debug all
asaken#
I hope this was helpful.
Ken Felix
Freelance Security and Network Engineer
kfelix " a t " hyperfeed.com