Note:
For this task, you can use the configuration files that resulted from completing the
previous task, or you can load the Section 7 Initial Configuration Files to initialize your
rack.
Task
Configure ASA4 to accept remote VPN connections from Cisco Easy VPN Clients using a group
named EZVPN-ASA:
Use 3DES/MD5 as the cipher/hash for IPSec Phase1/Phase2.
Use address pool 21.0.0.0/24 to allocate IP addresses for remote clients, and push the
DNS server IP address of 136.1.100.101 to the clients.
Allow for split-tunneling to network 136.1.18.0/24.
Remote users should be authenticated using the name CISCO-ASA and the password
CISCO1234.
Ensure that this user is only allowed to log in under the group EZVPN-ASA.
Configuration
ASA4:
The configuration above is for ASA code 8.2.x. Beginning with code 8.3, several IPsec-related
commands changed with the addition of IKEv2. The old commands still work, although they are
hidden, and the ASA converts them automatically to the new format.
ASA4:
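As an added worked example (not the workbook's own ASA4 configuration, which is not reproduced on this page), here is an 8.2.x configuration that meets the task requirements, followed by the 8.3+ equivalents of the commands that were renamed. The dynamic crypto map name DYNAMIC comes from the debug output further down; the group pre-shared key placeholder, DH group 2, the NAT-T keepalive, reverse-route injection on the dynamic map, and the names OUTSIDE_MAP, EZVPN-POOL, SPLIT-TUNNEL and EZVPN-3DES-MD5 are assumptions.

```text
! --- ASA 8.2.x syntax ---
! Phase 1: ISAKMP policy with 3DES/MD5; pre-shared-key auth and DH group 2 are assumptions
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
! NAT-T, assumed because the client session shows IKEv1 IPsecOverNatT
crypto isakmp nat-traversal 20
! Phase 2: 3DES/MD5 transform set bound to a dynamic crypto map (name DYNAMIC from the debug)
crypto ipsec transform-set EZVPN-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 10 set transform-set EZVPN-3DES-MD5
crypto dynamic-map DYNAMIC 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNAMIC
crypto map OUTSIDE_MAP interface outside
! Client address pool and split-tunnel network list
ip local pool EZVPN-POOL 21.0.0.1-21.0.0.254 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 136.1.18.0 255.255.255.0
! Mode Config attributes pushed to the client after XAUTH
group-policy EZVPN-ASA internal
group-policy EZVPN-ASA attributes
 dns-server value 136.1.100.101
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
! Tunnel group selected from the group ID carried in the IKE AM exchange
tunnel-group EZVPN-ASA type remote-access
tunnel-group EZVPN-ASA general-attributes
 address-pool EZVPN-POOL
 default-group-policy EZVPN-ASA
tunnel-group EZVPN-ASA ipsec-attributes
 pre-shared-key GROUP-KEY-PLACEHOLDER
! XAUTH user; group-lock rejects this user if it connects under any other tunnel group
username CISCO-ASA password CISCO1234
username CISCO-ASA attributes
 group-lock value EZVPN-ASA
! --- ASA 8.3+ equivalents of the renamed commands; everything else above is unchanged ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec ikev1 transform-set EZVPN-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNAMIC 10 set ikev1 transform-set EZVPN-3DES-MD5
tunnel-group EZVPN-ASA ipsec-attributes
 ikev1 pre-shared-key GROUP-KEY-PLACEHOLDER
```

Lines beginning with ! are explanatory comments in the style of the running configuration; 3DES and MD5 are used only because the task mandates them.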
Verification
Issue the command debug crypto ikev1 64 on the ASA and initiate the connection from the Test PC.
When the connection is established, review the Cisco VPN Client statistics window to inspect the
negotiated IP address and algorithms.
Also review the Route details tab to inspect the split-tunneling configuration.
Generate traffic over the tunnel and verify packet statistics again.
Username     : CISCO-ASA
Assigned IP  : 21.0.0.1
Index        : 4
Public IP    : 136.1.38.3
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : 3DES
Hashing      : MD5
Bytes Tx     : 0
Bytes Rx     : 0
Login Time   :
Duration     : 0h:00m:25s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN         : none
On the ASA side, during the connection process, the ASA receives an IKE Aggressive Mode (AM)
message carrying the group ID, based on which the EzVPN server selects the tunnel-group EZVPN-ASA.
At this point, the EzVPN server attempts to find a matching entry in the local ISAKMP policy
database. After this, the server performs authentication and generates a response packet.
Notice the rich payload in the response packet: in addition to the selected SA, it contains the key
exchange payload and various VENDOR payloads, plus the NAT-D payload.
The client responds, ending the IKE AM Phase 1. At this point, both devices can determine whether
either of them is behind NAT.
After XAUTH is successful, the EzVPN server determines what Mode Config attributes will be sent
to the client based on the group policy configuration.
The next two IKE packets are for XAUTH successful confirmation from the EzVPN server and
XAUTH acknowledgment from the EzVPN client.
At this point, the EzVPN client requests Mode Config attributes from the EzVPN server.
The EzVPN server allocates an IP address from the configured pool and sends it to the client,
along with all the other attributes; the client also negotiates DPD.
At this point, the EzVPN client initiates IPsec Phase Quick Mode negotiations.
SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing nonce payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing ID payload
[IKEv1 DECODE]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, ID_IPV4_ADDR ID received 21.0.0.1
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Received remote Proxy Host data in ID Payload: Address 21.0.0.1, Protocol 0, Port 0
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing ID payload
[IKEv1 DECODE]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Received local IP Proxy Subnet data in ID Payload:
ort 0
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, QM IsRekeyed old sa not found by addr
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE Remote Peer configured for crypto map: DYNAMIC
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, processing IPSec SA payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IPSec SA Proposal # 11, Transform # 1 acceptable Matches global IPSec SA entry # 100
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE: requesting SPI!
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, IKE got SPI from key engine: SPI = 0xaa3df74e
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, oakley constucting quick mode
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructing blank hash payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructing IPSec SA payload
[IKEv1]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructing IPSec nonce payload
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, constructing proxy ID
[IKEv1 DEBUG]Group = EZVPN-ASA, Username = CISCO-ASA, IP = 136.1.38.3, Transmitting Proxy Id:
Remote host: 21.0.0.1 Protocol 0 Port 0
Here we have the final two messages of the Quick Mode exchange. After the SA has been established,
the EzVPN server injects a reverse route into the local routing table.