Cisco ASA VPN Configuration

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

   10.5.6.0/24                                              172.23.9.0/24
     |                                                            |
   --|                                                            |--
     |     +-----------+     /-^-^-^-^--\     +-----------+       |
     |-----| Gateway A |=====|  Internet |=====| Gateway B |-----|
     |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL    |
   --|   10.5.6.1   14.15.16.17       22.23.24.25   172.23.9.1    |--
     |                                                            |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface (AL) has the address 10.5.6.1, and its WAN (Internet) interface (AW) has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface (BW) has the address 22.23.24.25. Gateway B's LAN interface address (BL), 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

  * Main mode
  * TripleDES
  * SHA-1
  * MODP group 2 (1024 bits)
  * pre-shared secret of "hr5xb84l6aa9r6"
  * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

  * TripleDES
  * SHA-1
  * ESP tunnel mode
  * MODP group 2 (1024 bits)
  * Perfect forward secrecy for rekeying
  * SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
  * Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

Two cautions before using these parameters in production. First, this is an interoperability baseline: 3DES, SHA-1 and 1024-bit DH group 2 are the lowest common denominator between vendors and are considered weak today; if both gateways support it, prefer AES and a larger DH group for both phases. Second, the pre-shared secret "hr5xb84l6aa9r6" is a published example, so it must be replaced with a long, randomly generated secret that is used for this one peer only. Pre-shared keys in main mode are also only as strong as the secret itself, since the peer's identity is tied to nothing else.

To set up Gateway A for this scenario, use the following steps:

Start the Cisco ASDM Launcher and log into the graphical interface.

Configure the interfaces as usual. For this scenario, assume that the interface that has the address 14.15.16.17 (the one that leads to the Internet) is called "Ext", and the interface that has the address 10.5.6.1 (the one that leads to the protected network) is called "Int".

In the Wizards menu, select "VPN Wizard". This brings up a set of dialog boxes that are labelled with the step of the process they represent.
Step 1: Choose "Site-to-Site" for the tunnel type. Choose "Ext" for the tunnel interface. Click Next.

Step 2: Enter 22.23.24.25 for the peer IP address. Enter "22.23.24.25" for the tunnel group name. The tunnel group name must be the same as the peer address, because the ASA selects the tunnel group for an incoming LAN-to-LAN connection by matching the peer's IP address against the tunnel group name; a mismatch means the pre-shared key is never found and Phase 1 fails. Enter "hr5xb84l6aa9r6" for the pre-shared key. Click Next.

Step 3: Choose 3DES for encryption, SHA for authentication, and 2 for the Diffie-Hellman group. Click Next.

Step 4: Choose 3DES for encryption and SHA for authentication. Click Next.

Step 5: Choose "Int" for the interface. Enter 10.5.6.0 for the IP address. Enter 255.255.255.0 for the mask. Click Add. Click Next.

Step 6: Choose "Ext" for the interface. Enter 172.23.9.0 for the IP address. Enter 255.255.255.0 for the mask. Click Add. Click Next.

Step 7: Click Finish.

The wizard does not enable perfect forward secrecy, so add it to the tunnel policy by hand. Click the Configuration button in the toolbar. Click the VPN button in the features list at the left of the window. Choose Tunnel Policy under IPsec in the list of VPN features. Choose the tunnel you just created and click Edit. In that dialog, click Advanced. Choose to enable perfect forward secrecy and select group 2. Click OK, then OK, then Apply. Both gateways must agree on PFS; if Gateway B does not offer it, the Phase 2 negotiation will fail.

Next, make sure traffic for the remote subnet is forwarded out the "Ext" interface, where the crypto map is applied. Click the Configuration button in the toolbar. Click the Routing button in the features list at the left of the window. Choose Static Route under Routing in the list of routing features. Click Add. Select Ext for the interface, enter 172.23.9.0 for the IP address. Enter 255.255.255.0 for the mask. Enter 22.23.24.25 for the gateway. Click OK, then Apply.

To debug problems in setting up IPsec tunnels, click the Monitoring button in the toolbar. To see the current VPN status (whether the Phase 1 and Phase 2 SAs to 22.23.24.25 are up, and the packet counters for the tunnel), click the VPN button in the features list at the left of the window. To see the detailed log, click the Logging button in the features list at the left of the window, then choose Log Buffer. Generate test traffic from a host on 10.5.6.0/24 toward 172.23.9.1 while watching the log; a tunnel is only negotiated when traffic matches the selectors, so an idle tunnel showing no SA is not by itself an error.
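The same Gateway A configuration as the wizard produces, written as ASA CLI so the result of the steps above can be checked with "show running-config". This is an added example, not part of the original page and not a Cisco sample; it uses the ASA 7.2 through 8.2 command syntax that matches the ASDM menus described here. The names VPN-AtoB, ESP-3DES-SHA and Ext_map and the policy sequence number 10 are assumptions (ASDM generates its own names). On ASA 8.4 and later the ISAKMP commands are spelled "crypto ikev1 ...", the transform set is "crypto ipsec ikev1 transform-set", the crypto map uses "set ikev1 transform-set", and the key is set with "ikev1 pre-shared-key".

```cisco
! Gateway A (14.15.16.17), Scenario 1. Added example in ASA 7.2-8.2 syntax;
! object names marked (assumed) are arbitrary and not what the wizard generates.

! --- IKE Phase 1: main mode, 3DES, SHA-1, DH group 2, PSK, 8-hour lifetime ---
crypto isakmp enable Ext
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

! --- Peer and pre-shared secret. The tunnel-group name MUST be the peer
!     address: that is how the ASA finds the key for a LAN-to-LAN peer. ---
tunnel-group 22.23.24.25 type ipsec-l2l
tunnel-group 22.23.24.25 ipsec-attributes
 pre-shared-key hr5xb84l6aa9r6

! --- IKE Phase 2: ESP tunnel mode (the default), 3DES, SHA-1 (assumed name) ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! --- Selectors: all IP protocols and ports between the two subnets (assumed name) ---
access-list VPN-AtoB extended permit ip 10.5.6.0 255.255.255.0 172.23.9.0 255.255.255.0

! --- Crypto map on the Internet interface (assumed name Ext_map). The
!     "set pfs group2" line is the manual Tunnel Policy > Advanced step;
!     "lifetime seconds 3600" is the one-hour Phase 2 SA lifetime. ---
crypto map Ext_map 10 match address VPN-AtoB
crypto map Ext_map 10 set peer 22.23.24.25
crypto map Ext_map 10 set transform-set ESP-3DES-SHA
crypto map Ext_map 10 set pfs group2
crypto map Ext_map 10 set security-association lifetime seconds 3600
crypto map Ext_map interface Ext

! --- Static route so 172.23.9.0/24 leaves via Ext and hits the crypto map ---
route Ext 172.23.9.0 255.255.255.0 22.23.24.25

! Only if NAT is configured on Int (not part of the page's steps): exempt the
! VPN traffic from translation so it still matches VPN-AtoB after the NAT stage.
! nat (Int) 0 access-list VPN-AtoB

! --- CLI equivalents of the ASDM Monitoring checks ---
! show crypto isakmp sa    peer 22.23.24.25 should show state MM_ACTIVE after Phase 1
! show crypto ipsec sa     #pkts encaps / #pkts decaps should rise under test traffic
! debug crypto isakmp 7    per-message Phase 1 detail for proposal or PSK mismatches
```

If Phase 1 never reaches MM_ACTIVE, compare the isakmp policy lines with Gateway B's proposal first (the log reports a proposal mismatch before it reports an authentication failure); if Phase 1 is up but "show crypto ipsec sa" shows no SA, the selectors in VPN-AtoB or the PFS setting do not agree with Gateway B.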