Cisco ASA implement IPSec Virtual Private Network (included troubleshooting)

Portal: the Cisco router configuration examples: https://blog.51cto.com/14227204/2448319
In fact, firewall and router configuration is very similar, you can refer to the top of the portal, will be introduced under the firewall configuration examples of a
failure a, router diagnostic investigation
1, show crypto isakmp sa

R1:show crypto isakmp sa               # 可以显示数据连接sa的细节信息

MM_NO_STATE: initial state ISAKMP SA established; management connection establishment will fail in this state
MM_SA_SETUP: ISAKMP policy negotiation between peers after the success in the state
MM_KEY_EXCH: peer successfully established by DH shared key algorithm, at this time no equipment to verify
MM_KEY_AUTH: peer device successfully validated, then will transition to QM_IDLE state
QM_IDLE: management connection is successfully established, the upcoming transition to phase 2 data connection establishment process

2、debug crypto isakmp

R1：debug crypto isakmp                # 诊断和排查管理连接出现的问题

Examples of a failure: both ends of the encryption algorithm does not match

ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      default group 1
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP:(0:0:N/A:0):Encryption algorithm offered does not match policy!                        # 加密算法不匹配
ISAKMP:(0:0:N/A:0):atts are not acceptable. Next payload is 0
……                            # 策略不被接受
ISAKMP:(0:0:N/A:0):no offers accepted!                  # 没有匹配策略
……
received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_NO_STATE                           # 策略进入未成功状态

Failure Case II: pre-shared key is inconsistent used at both ends

ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      default group 1
ISAKMP:      encryption DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80 
ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
……            # 算法已匹配，开始秘钥交换及身份验证
ISAKMP (0:134217729): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP: reserved not zero on ID payload!
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1     failed its sanity check or is malformed          
# 完整性验证失败，将停留在MM     KEY    EXCH 阶段

Second, the difference between a firewall and router:
IKE negotiation:
routing is enabled by default
ASA firewall off by default and must be manually opened, as follows:

ASA（config）# crypto  isakmp  enable  outside 

Into the tunnel set of characteristics:
Firewall version 6.x to upgrade to the new features introduced in version 7.0 from
mainly used to simplify the configuration and management of IPSec session
Third, start the configuration
environment as follows:

requirements are as follows:
lan1 lan2 regional and regional interoperability
lan1 area and lan3 regional exchange
lan2 lan3 regional and regional interoperability (lan2 → lan1 → lan3)
in all regions have access to intermediate ISP
ago with Notes (sorry, I'm here to router instead of the pc so little simple verification):

1. IP interfaces like self-configure
2. Here I use a router to act as a PC, so you need to configure a default route on the router acts as a gateway
3. Configuring a default route out of the firewall

R1 configuration (R3, R4 similar configuration):

R1#conf t
R1(config)#int f 0/0
R1(config-if)#ip add 192.168.1.10 255.255.255.0                # 配置接口IP
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1                   # 默认路由充当网关

R2 configured as follows (ISP not need to configure routes):

R2#conf t
R2(config)#int f 0/1
R2(config-if)#ip add 201.0.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 0/1
R2(config-if)#ip add 202.0.0.1 255.255.255.0
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#int f 1/0
R2(config-if)#ip add 202.0.0.1 255.255.255.0
R2(config-if)#no shutdown

1, the configuration
ASA1 (lan1 → lan2) is configured as follows

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif inside                    # 配置为内接口
ciscoasa(config-if)# ip add 192.168.1.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif outside                  # 配置为外接口
ciscoasa(config-if)# ip add 201.0.0.2
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0 0 201.0.0.2                   # 配置到外部的默认路由，这里的0相当于0.0.0.0 
ciscoasa(config)# crypto isakmp enable outside                 # 开启IKE协商功能
ciscoasa(config)# crypto isakmp policy 1                            # 配置管理连接
ciscoasa(config-isakmp-policy)# encryption aes                 # 加密为aes
ciscoasa(config-isakmp-policy)# hash md5                         # 认证为 md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share      # 预先设置共享秘钥
ciscoasa(config-isakmp-policy)# lifetime 10000         
ciscoasa(config-isakmp-policy)# exit 
ciscoasa(config)# crypto isakmp key 123.com address 202.0.0.2               # 设置共享秘钥
# 防火墙中有两种配置，一会在ASA2中使用
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0                    # 编写1.0到2.0的ACL
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac           # 此四条配置数据连接
ciscoasa(config)# crypto map test-map 1 match address lan1_lan2
ciscoasa(config)# crypto map test-map 1 set peer 202.0.0.1
ciscoasa(config)# crypto map test-map 1 set transform-set  test-set
ciscoasa(config)# crypto map test-map interface outside          # 应用到外部的逻辑接口上

ASA2 configuration is as follows

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0                          # 这里我就不介绍配置含义了，和上面基本相似
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 202.0.0.2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.2.1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# route outside 0 0 202.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config)# tunnel-group 201.0.0.2 type ipsec-l2l             # 另一种配置秘钥方式
ciscoasa(config)# tunnel-group 201.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan2_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside
R1#ping 192.168.2.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.10, timeout is 2 seconds:
!!!!!

ASA1 (lan1 → lan3) is configured as follows

# 在ASA之前配置过到lan2区域，所以可以以上面为基础接着配置
ciscoasa(config)# tunnel-group 203.0.0.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 203.0.0.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key 123.com
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.1.0 255.255.255.0 192.168.3.0  255.255.255.0
ciscoasa(config)# crypto map test-map 2 match address lan1_lan3
WARNING: The crypto map entry is incomplete!              # 这里出现的警告是正常的
ciscoasa(config)# crypto map test-map 2 set peer 203.0.0.2
WARNING: The crypto map entry is incomplete!
ciscoasa(config)# crypto map test-map 2 set transform-set test-set

ASA3 configuration is as follows (and in detail the basic configuration ASA2)

ciscoasa> en
Password:
ciscoasa# conf t
ciscoasa(config)# int e 0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip add 203.0.0.2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# int e 0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip add 192.168.3.1
ciscoasa(config-if)# no shutdown
ciscoasa(config)# route outside 0 0 203.0.0.1
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption aes
ciscoasa(config-isakmp-policy)# hash md5
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 10000
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# crypto isakmp key 123.com address 201.0.0.2
ciscoasa(config)# access-list lan3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
ciscoasa(config)# crypto ipsec transform-set test-set esp-aes esp-md5-hmac
ciscoasa(config)# crypto map test-map 1 match address lan3_lan1
ciscoasa(config)# crypto map test-map 1 set peer 201.0.0.2
ciscoasa(config)# crypto map test-map 1 set transform-set test-set
ciscoasa(config)# crypto map test-map interface outside
R4#ping 192.168.1.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
!!!!!

2, to achieve the communication lan2 → lan3:
ASA1 configured as follows

ciscoasa(config)# same-security-traffic permit intra-interface         # 允许流量进入和离开同一个接口
ciscoasa(config)# access-list lan1_lan2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list lan1_lan3 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

ASA2 configuration is as follows

ciscoasa(config)# access-list lan2_lan1 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

ASA3 configuration is as follows

ciscoasa(config)# access-list lna3_lan1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
R3#ping 192.168.3.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!!!!!

3, access ISP
if you need to let the network can access the Internet, PAT needs to be done on the ASA, and enable nat control, exemption of traffic ***

ASA1 configuration is as follows

ciscoasa(config)# nat-control           # 启用nat控制
ciscoasa(config)# nat (inside) 1 0 0            # 配置pat
ciscoasa(config)# global (outside) 1 interface                # 映射到接口
# 不使用原来的ACL条目，因为有lan1_lan2和lan1_lan3,无法同时豁免两个，所以重新定义ACL
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ciscoasa(config)# access-list aaa permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list aaa                # 应用到接口

ASA2 configuration is as follows

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan2_lan1

ASA3 configuration is as follows

ciscoasa(config)# nat (inside) 1 0 0
ciscoasa(config)# global (outside) 1 interface
ciscoasa(config)# nat (inside) 0 access-list lan3_lan1