Question about an IPSec Tunnel

Hello all,

I have a customer who is requesting to set up an IPSec tunnel. What is the difference between a Site-to-Site VPN tunnel and an IPSec tunnel? The reason I'm asking is that I requested crypto info (hash, auth, encryption, lifetime, and group) but he said I didn't need those and that I only needed the requirements he specified (see below). I was under the impression that both were the same.

Here are his requirements:

Our IPSEC endpoint is <PUBLIC IP>

Also these ports are required to be open for the IPSEC tunnel…

Requirements

Below are the requirements for building the CPR Connection:

  • Physical connectivity from the second Ethernet on the <VENDOR>'s WAN router to the customer’s LAN is required. The connectivity must allow for Internet accessibility
  • IP address assigned to second Ethernet must be a statically assigned Internet reachable address. This can either be an address assigned to the Ethernet interface of the router or it can be a static NAT address that is Internet reachable.
  • IPSEC must be permitted from a <VENDOR> specified IP address to the IP address assigned to the second Ethernet or NAT address. Specifically, the following protocols and ports must be permitted in both directions:
  • IP Protocol 50
  • UDP Port 500
  • UDP Port 4500
  • ICMP (specifically ping)
  • Verification that the customer's Internet has sufficient capacity to handle the full capacity that is configured on their primary WAN configuration to <VENDOR>
  • The VPN will always be active and monitored by <VENDOR>.
  • No customer traffic will be carried on this VPN unless the <VENDOR> managed WAN connection(s) become unavailable

Any help regarding this will be greatly appreciated!

Regards,

Terence

12 Replies

Richard Burts
Hall of Fame

Terence

From a terminology perspective an IPSec tunnel could be a Remote Access VPN tunnel or a Site to Site VPN tunnel. When they specify both UDP 500 and UDP 4500 it does make me wonder a bit whether they do intend Remote Access VPN rather than Site to Site. But the requirements for the VPN to always be up and the capacity requirement do sound more like Site to Site VPN.

HTH

Rick

Rick,

Those were my thoughts exactly regarding their request for an always up tunnel. When asking the tech about the tunnel specs to negotiate the establishment of the tunnel, his response was this:

My request to the vendor:

What crypto policies and transform set are you using for the tunnel? The VPN tunnel will terminate to our ASA firewall and I need to specify that info. We can use the default settings:

Hash: SHA 1

Authentication: Pre-Share

Group: 2

Lifetime: 86400

Encryption: 3DES

I'll also need to know what subnets will be classified as interesting traffic across the tunnel in order for phase 2 of the connection to work.

Vendor's response to me:

Seems there may be some confusion. We will create the IPSEC tunnel on our routers. All you need to do is pass the traffic through your firewall which is detailed below.

I don't understand how a tunnel can be created if only one side is being built with IPSec. Any thoughts???

Regards,

Terence

Well, based on the reply the ASA will not terminate the tunnel. The vendor provides a router that you have to install at your network. This router initiates the IPSec tunnel to the router at the vendor site. For that to work you need to make sure that the needed ports are open (which is only UDP/500 and UDP/4500 if the router will get a private IP in your network).

Edit: after reading your first post again, the vendor wants to control the tunnel in both directions. So you should reserve one of your public IPs for a NAT translation to the router that is provided to you.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Karsten,

Ok, that makes sense and I know there's a router provided by the SP. Two 2811s that provide separate WAN links going back to our Vendor. In the event that both of these links fail, this third IPSec connection will be used. So they have a third interface on one of the routers that uses a next hop IP going back to our LAN (ASA with a named interface). So from there, will I need to create a couple of ACLs and build routes to their IPSec endpoint?

Yes, the router needs permission to access the Vendor IP, and probably the vendor IP also needs access to the router in your network, with ACLs and NAT.

The routers onsite belong to the service provider and we don't have access to them so I'm assuming they did all that's needed to be done on their equipment. I'll have an interface on our ASA that will be the gateway to the provider's CPE device. What will I need to do on the ASA to get traffic going across to their IPSec endpoint? Can you provide sample config examples?

Which version is your ASA running?

Version 8.4

The config could look like this:

object network REMOTE-RTR
  host 1.1.1.1
object network INT-RTR
  host 10.10.10.10
  nat (ROUTER-DMZ,outside) static 192.0.2.10
access-list OUTSIDE-ACCESS-IN extended permit udp object REMOTE-RTR object INT-RTR eq 500
access-list OUTSIDE-ACCESS-IN extended permit udp object REMOTE-RTR object INT-RTR eq 4500
access-list REMOTE-DMZ-ACCESS-IN extended permit udp object INT-RTR object REMOTE-RTR eq 500
access-list REMOTE-DMZ-ACCESS-IN extended permit udp object INT-RTR object REMOTE-RTR eq 4500

1.1.1.1 is the IP of the vendor router, 10.10.10.10 the IP of the router in your network. 192.0.2.10 is one of your free public addresses, which you have to tell the vendor, as it will be their IPSec peer address. The names of the interfaces and ACLs of course need to be adjusted to your environment.

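As an added illustration of the passthrough configuration above and of the vendor's port list in the original question (this is editor-written example code, not Karsten's config and not anything from Cisco or the vendor), the script below parses the posted object/NAT/ACL lines and evaluates each flow the vendor listed (UDP/500, UDP/4500, ESP, ICMP) in both directions the way an ASA would: first matching permit entry wins, implicit deny otherwise. The mapping of "inbound" to OUTSIDE-ACCESS-IN and "outbound" to REMOTE-DMZ-ACCESS-IN is an assumption drawn from the ACL names; the addresses are the ones in the posted config. Running it shows that only the IKE/NAT-T ports are permitted, which matches Karsten's point that a NATed router negotiates NAT-T and carries the tunnel over UDP/4500, while ESP and ICMP from the vendor's list are not explicitly permitted and would need their own entries if the vendor insists on them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The object/NAT/ACL lines as posted in the thread (ASA 8.3+ syntax, where
# ACLs reference the real, pre-NAT address of INT-RTR).
ASA_CONFIG = """
object network REMOTE-RTR
  host 1.1.1.1
object network INT-RTR
  host 10.10.10.10
  nat (ROUTER-DMZ,outside) static 192.0.2.10
access-list OUTSIDE-ACCESS-IN extended permit udp object REMOTE-RTR object INT-RTR eq 500
access-list OUTSIDE-ACCESS-IN extended permit udp object REMOTE-RTR object INT-RTR eq 4500
access-list REMOTE-DMZ-ACCESS-IN extended permit udp object INT-RTR object REMOTE-RTR eq 500
access-list REMOTE-DMZ-ACCESS-IN extended permit udp object INT-RTR object REMOTE-RTR eq 4500
"""

# Flows from the vendor's requirements list: (protocol, destination port).
# "esp" is IP protocol 50; ESP and ICMP have no ports.
VENDOR_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None), ("icmp", None)]

# Assumed direction -> ACL mapping, taken from the ACL names in the config.
DIRECTION_ACL = {"inbound": "OUTSIDE-ACCESS-IN", "outbound": "REMOTE-DMZ-ACCESS-IN"}

ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) extended permit (?P<proto>\S+) "
    r"object (?P<src>\S+) object (?P<dst>\S+)(?: eq (?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    acl: str
    proto: str
    src: str              # resolved host address
    dst: str
    port: Optional[int]   # None: any port / protocol without ports


def parse_config(text: str):
    """Return (host objects, static NAT map, permit rules) from ASA lines."""
    objects, nat, rules, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("host ") and current:
            objects[current] = line.split()[1]
        elif line.startswith("nat ") and current:
            nat[current] = line.split()[-1]   # mapped (public) address
        elif line.startswith("access-list "):
            m = ACL_RE.match(line)
            if not m:
                raise ValueError(f"unsupported ACL syntax: {line}")
            rules.append(Rule(m["acl"], m["proto"], objects[m["src"]],
                              objects[m["dst"]],
                              int(m["port"]) if m["port"] else None))
    return objects, nat, rules


def permitted(rules, acl, proto, src, dst, dport=None) -> bool:
    """First-match lookup in the named ACL, with the ASA's implicit deny."""
    for r in rules:
        if r.acl != acl or r.src != src or r.dst != dst:
            continue
        if r.proto == "ip":
            return True
        if r.proto == proto and (r.port is None or r.port == dport):
            return True
    return False


def check_vendor_requirements(text: str = ASA_CONFIG):
    """Map (direction, flow label) -> whether the posted ACLs permit it."""
    objects, _nat, rules = parse_config(text)
    vendor, internal = objects["REMOTE-RTR"], objects["INT-RTR"]
    results = {}
    for direction, acl in DIRECTION_ACL.items():
        src, dst = (vendor, internal) if direction == "inbound" else (internal, vendor)
        for proto, port in VENDOR_FLOWS:
            label = f"{proto}/{port}" if port else proto
            results[(direction, label)] = permitted(rules, acl, proto, src, dst, port)
    return results


if __name__ == "__main__":
    _, nat, _ = parse_config(ASA_CONFIG)
    print(f"INT-RTR is presented to the vendor as {nat['INT-RTR']} (static NAT)")
    for (direction, label), ok in check_vendor_requirements().items():
        hint = "" if ok else "  (not in ACL; NAT-T carries the tunnel over udp/4500)" if label == "esp" else "  (not in ACL)"
        print(f"{direction:8} {label:9} {'permit' if ok else 'deny'}{hint}")
```

The checker deliberately models only the pieces the posted config uses (host objects, static NAT, `extended permit ... object ... object ... eq`); any other ACL form raises rather than silently passing, so it fails closed when fed lines it does not understand.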
Awesome, awesome, awesome. Once I set this up and test it out, I'll let you know if it worked for me but I'm sure it will. Thanks again!

Regards,

Terence

Karsten,

Quick question. I configured my firewall with the example you provided. To ensure that I understood correctly, this will basically allow the vendor to create an IPSec tunnel through the firewall, correct?

Yes, it creates a translation for the internal vendor router and allows the IPsec traffic to be initiated in both directions through the firewall.
