Current Cisco configuration documentation still shows the use of 3DES encryption and the MD5 hash. In Cisco's Next Generation Encryption (NGE) document these are listed as 'legacy' and 'avoid' respectively. Following that document, the tunnel shown here uses the recommended strength of encryption and hashing, whilst at the same time not crippling my 5505 with computation!
The configuration of the two ASAs is almost identical, with the exception of the pre-shared keys and the ACLs, which need to be flipped.
The first step is to create the IKE policies. We will be using IKEv2, which was introduced in the ASA 8.4 software release. IKEv2 brings many improvements, one of which is visible in this configuration: asymmetric authentication, where each peer can present a different credential (here a different pre-shared key) from the one it expects in return.
Configured on both:
A tunnel-group is a set of connection policies relating to the specified peer. In this config we are using an IKEv2 feature, asymmetric authentication: the local and remote credentials are configured separately. For the sake of simplicity both ends will use pre-shared keys, but the key each ASA sends is not the key it expects back. The check when configuring is that the local key on one ASA must match the remote key on the other, and vice versa.
The ACL matches the interesting traffic which, when referenced by the crypto map below, will be sent down the tunnel.
Configured on the 5505:
Configured on the 5545-X:
The crypto map draws together all of the above configuration:
- The ACL defines what traffic should be protected by IPSec
- The IKEv2 IPsec proposal lists the encryption and integrity algorithms offered for the tunnel; both peers must agree on one combination, which is then used to protect the transmitted data.
- Specify the ASA interface to which the crypto map is applied. All traffic passing through that interface will be evaluated against the crypto map.
Configured on both:
Now, for each crypto map, specify the peer to which matching traffic should be sent.
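The steps above, brought together as one complete pair of configurations. This is an added example and not the original post's config: the outside interface addresses (2001:470:AAAA:1::1 for the 5505, 2001:630:BBBB:1::1 for the 5545-X), the ACL, proposal and crypto map names, and the placeholder key strings are all assumed. The algorithms chosen are AES-256, SHA-256 and DH group 14, a combination NGE classes as stronger than 3DES/MD5 and that the 5505 can still handle; where the platform supports them, AES-GCM and the elliptic-curve groups 19/20 are the NGE-preferred choices. Group 14 and the SHA-2 options are not in the earliest 8.4 builds, so check the options `crypto ikev2 policy` offers on your release, and the ACL uses the unified IPv6 syntax of ASA 9.x (8.4/8.6 need `ipv6 access-list`).

```cisco
! Added example, not the original post's configuration. Addresses, object
! names and the KEY-FROM-* strings are assumed placeholders.

!--- Both ASAs: IKEv2 (phase 1) policy and enable IKEv2 on the outside interface
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

!--- Both ASAs: IKEv2 IPsec proposal (phase 2 algorithms the peers must agree on)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

!--- 5505: peer is the 5545-X. local = key this ASA presents, remote = key it expects
tunnel-group 2001:630:BBBB:1::1 type ipsec-l2l
tunnel-group 2001:630:BBBB:1::1 ipsec-attributes
 ikev2 local-authentication pre-shared-key KEY-FROM-5505
 ikev2 remote-authentication pre-shared-key KEY-FROM-5545X
access-list VPN-TO-5545X extended permit ip 2001:470:AAAA:2::/64 2001:630:BBBB:2::/64
crypto map OUTSIDE-MAP 10 match address VPN-TO-5545X
crypto map OUTSIDE-MAP 10 set peer 2001:630:BBBB:1::1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside

!--- 5545-X: the mirror image. The two keys swap roles and the ACL is flipped
tunnel-group 2001:470:AAAA:1::1 type ipsec-l2l
tunnel-group 2001:470:AAAA:1::1 ipsec-attributes
 ikev2 local-authentication pre-shared-key KEY-FROM-5545X
 ikev2 remote-authentication pre-shared-key KEY-FROM-5505
access-list VPN-TO-5505 extended permit ip 2001:630:BBBB:2::/64 2001:470:AAAA:2::/64
crypto map OUTSIDE-MAP 10 match address VPN-TO-5505
crypto map OUTSIDE-MAP 10 set peer 2001:470:AAAA:1::1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
```

Once interesting traffic has brought the tunnel up, `show crypto ikev2 sa` on either ASA prints the negotiated encryption, integrity, PRF and DH group for the IKE SA, and `show crypto ipsec sa` shows the child SA with its ESP transform and packet counters; confirm that neither output mentions 3DES or MD5. Note the spelling difference the ASA parser enforces: `sha256` in the IKEv2 policy but `sha-256` in the IPsec proposal.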
The VPN will not come up until interesting traffic is sent. To test, start a ping that matches the ACL on whichever tunnel endpoint is nearest, e.g. from a host on the 2001:470:AAAA:2::/64 subnet:
$ ping6 2001:630:BBBB:2::100
Now check the CLI on each ASA: