Wednesday, October 31, 2012

Cisco ASA IKEv2 setup

Okay, Cisco has finally got on board with the rest of the firewall appliance vendors and now supports IKE version 2.

First off, why IKE version 2?

Well, IKE version 2 (aka IKEv2) is supposed to be our cake and ice cream with regard to configuration and setup. Here are some of the changes in IKEv2 versus IKEv1:

  • support for bi-directional authentication (I can use one PSK locally and another remotely), or mix and match PSKs and certificates between peers
  • quicker setup with regard to IPsec phase 1
  • the phase 1 setup interval is now shortened by 40%, or maybe more, in setup time
  • DPD and NAT-T are handled within the IKEv2 setup between peers
  • the confusion of when to use aggressive or main mode is now eliminated
  • the request is not processed until the requester is identified (DoS protection)
  • support for EAP authentication of initiator and requester
  • explicit congestion notification is now included in IKEv2
  • and finally, less configuration is required in most setups

Okay, the above is what's supposed to be better with IKEv2. Now let's look at devices that support IKEv2. These are the platforms I'm aware of that support IKEv2 and that I have configured IKEv2 on:

  • strongSwan
  • Openswan 2.6 or later
  • pfSense 2.x (TBD in the near future; still beta code being worked out)
  • later IOS routers running 12.4 code (15.x seems not to support IKEv2 under the enterprise release, from what I can tell on my ISR hardware)
  • Fortigate firewalls
  • Juniper firewalls
  • ASA firewalls, code set 8.4 or later
  • Stonesoft firewall appliances


Okay, so that's just a brief listing of firewalls and routers that support IKEv2. This posting, on the other hand, is about the ASA Security Appliance and the configuration of IKEv2. The ASA has had IKEv2 support since the release of code set 8.4, and it's quite interesting, but not overly hard to configure.

VPN configuration on the ASA has always been a struggle for most seasoned firewall admins/engineers, and very hard to troubleshoot.

Here are my steps in the configuration process for IKEv2.

First, let's create some IKEv2 policies that we can call later. We are doing AES with either 192- or 256-bit key sizes; the 192/256 represents the key size in bits. The default is always 128, or AES-128. Also, not to be mistaken: AES only supports 128-bit data blocks regardless of the key size.


crypto ikev2 policy 20
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 28000
!
crypto ikev2 policy 30
encryption aes-192
integrity sha
group 5
prf sha
lifetime seconds 28000


We are also using DH group 5 with SHA hashing. Now set up the IPsec proposals (the IKEv2 equivalent of transform sets) that we will later use in our crypto map definitions.



crypto ipsec ikev2 ipsec-proposal vpn192
protocol esp encryption aes-192
protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal vpn256
protocol esp encryption aes-256
protocol esp integrity sha-1



Now make sure to enable IKEv2 on the interface we expect IKEv2 traffic on. In our case we have the classic inside/outside interfaces and will use the latter:


crypto ikev2 enable outside

Note: it is critical that we enable this. Without that command, the firewall will not expect or know how to handle IKEv2 packets. Okay, now let's put it all together and see how it works.


In this case the far end is addressed at 1.0.0.1:

tunnel-group 1.0.0.1 type ipsec-l2l
tunnel-group 1.0.0.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key MkB3stK3yY3t!
ikev2 local-authentication pre-shared-key MyK3yh3r3forUyu0



Here's a crypto map using the IPsec proposals and peer 1.0.0.1:



crypto map vpnout 1 set peer 1.0.0.1
crypto map vpnout 1 match address cryptovpn01
crypto map vpnout 1 set ikev2 ipsec-proposal vpn192 vpn256


And don't forget to apply the crypto map to the interface:

crypto map vpnout interface outside



The ACL cryptovpn01 would be an extended access-list permitting the left/right (local/remote) subnets. This determines what traffic needs to be encrypted:


access-list cryptovpn01 extended permit ip 192.168.110.0 255.255.255.0 10.100.100.0 255.255.255.0


You might want to use ASA network objects. This makes ACL configs simpler to build and manage.


i.e. using objects:



object network inside
 subnet 192.168.110.0 255.255.255.0

object network remote-net01
 subnet 10.100.100.0 255.255.255.0

And here's how the ACL looks when using objects:


access-list cryptovpn01 extended permit ip object inside object remote-net01


And lastly, if you're using NAT control, you might need to enable a no-NAT (aka NAT exemption) for the traffic from left to right.





i.e. using our above objects to simplify:

nat (inside,outside) source static inside inside destination static remote-net01 remote-net01


If you did not create NAT exemptions, then your ASA would try to NAT all traffic if you had a NAT statement that matched all/any.
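The steps above leave several objects that have to agree with each other: the crypto map's proposals, its crypto ACL, a tunnel-group for its peer, and the `crypto ikev2 enable` on the interface the map is bound to. The following added example (not from the original post or Cisco) is a small Python checker that cross-references those pieces in a pasted ASA running-config; the SAMPLE_CONFIG is constructed for the demo and deliberately omits the vpn256 proposal and the `crypto ikev2 enable outside` line.

```python
import re

# Constructed sample config (not the post's verbatim config): the crypto map
# references an undefined proposal and the bound interface lacks 'crypto ikev2 enable'.
SAMPLE_CONFIG = """
crypto ikev2 policy 20
 encryption aes-256
 integrity sha
crypto ipsec ikev2 ipsec-proposal vpn192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
tunnel-group 1.0.0.1 type ipsec-l2l
access-list cryptovpn01 extended permit ip 192.168.110.0 255.255.255.0 10.100.100.0 255.255.255.0
crypto map vpnout 1 set peer 1.0.0.1
crypto map vpnout 1 match address cryptovpn01
crypto map vpnout 1 set ikev2 ipsec-proposal vpn192 vpn256
crypto map vpnout interface outside
"""

def _names(lines: list, pattern: str) -> set:
    """First capture group of every line that matches pattern at its start."""
    return {m.group(1) for m in map(re.compile(pattern).match, lines) if m}

def check_ikev2_l2l(config: str) -> list:
    """Cross-check what each IKEv2 crypto-map entry depends on; return findings."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    proposals = _names(lines, r"crypto ipsec ikev2 ipsec-proposal (\S+)")
    enabled = _names(lines, r"crypto ikev2 enable (\S+)")
    acls = _names(lines, r"access-list (\S+) ")
    l2l = _names(lines, r"tunnel-group (\S+) type ipsec-l2l")
    bound = {m.group(1): m.group(2) for m in map(re.compile(r"crypto map (\S+) interface (\S+)").match, lines) if m}
    entries: dict = {}  # (map name, seq) -> {attribute: values}
    for m in filter(None, map(re.compile(r"crypto map (\S+) (\d+) (set peer|match address|set ikev2 ipsec-proposal) (.+)").match, lines)):
        entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4).split()
    findings = []
    if not _names(lines, r"crypto ikev2 policy (\d+)"):
        findings.append("no crypto ikev2 policy defined")
    for (name, seq), attrs in entries.items():
        if "set ikev2 ipsec-proposal" not in attrs:
            continue  # IKEv1-only entry, out of scope here
        tag = f"crypto map {name} {seq}"
        findings += [f"{tag}: ipsec-proposal {p} is not defined" for p in attrs["set ikev2 ipsec-proposal"] if p not in proposals]
        findings += [f"{tag}: no ipsec-l2l tunnel-group for peer {p}" for p in attrs.get("set peer", []) if p not in l2l]
        findings += [f"{tag}: crypto ACL {a} is not defined" for a in attrs.get("match address", []) if a not in acls]
        iface = bound.get(name)
        if iface is None:
            findings.append(f"{tag}: map {name} is not applied to any interface")
        elif iface not in enabled:
            findings.append(f"{tag}: interface {iface} lacks 'crypto ikev2 enable {iface}'")
    return findings
```

Running `check_ikev2_l2l(SAMPLE_CONFIG)` reports the missing vpn256 proposal and the missing `crypto ikev2 enable outside`; feed it `show running-config` output to catch the same gaps before a tunnel fails to come up.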

Now, to troubleshoot this you will have several options, but at a minimum:

(packet tracer)
packet-tracer input inside tcp 192.168.110.2 2000 10.100.100.100 80

show vpn-sessiondb

show crypto ikev2 sa

debug crypto ikev2 platform 5 (or higher for more detail)
or
debug crypto ikev2 protocol 5 (or higher for more detail)

And here's a snippet of a typical debug output:

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-3: (8): Insert SA
IKEv2-PROTO-2: (8): Retransmitting packet
IKEv2-PROTO-3: Tx [L 1.1.1.1.90:500/R 1.1.1.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:01B912352A88EA61 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 01B912352A88EA61 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 502
 SA  Next payload: KE, reserved: 0x0, length: 92
IKEv2-PROTO-4:   last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

 N  Next payload: VID, reserved: 0x0, length: 24

     78 93 88 9a 12 20 3d 83 fb fb 3f 72 51 6f 94 e0
     a0 30 66 e7
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     25 1b 55 5d 1f 08 fc 6d 25 8c 73 9c c0 81 d7 df
     de 2b e1 31
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     c2 a8 f7 bb b8 d9 91 4a 4c 4f b5 81 e1 dc 69 48
     c9 96 e9 5c
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PLAT-4: SENT PKT [IKE_SA_INIT] [1.1.1.1.90]:500->[1.1.1.2]:500 InitSPI=0x01b912352a88ea61 RespSPI=0x0000000000000000 MID=00000000
no debug all
asaken# 




I hope this was helpful.


Ken Felix

Freelance Security and Network Engineer

kfelix " a t " hyperfeed.com
