How to Set Up IPsec to a Cisco ASA 5505 v9.x Firewall Using Pre-shared Key Authentication

This guide covers configuring a site-to-site IPsec VPN between a Peplink router and a Cisco ASA firewall. The example assumes the following settings:

[Figure: IPsec network simulation diagram]

IPsec VPN Settings

Peplink WAN1 IP Address: 210.211.10.1/29
Peplink LAN Network: 192.168.30.0/24
Peplink LAN IP Address: 192.168.30.1/24
Cisco ASA WAN IP Address: 66.80.3.1/29
Cisco ASA LAN Network: 10.1.1.0/24
Cisco ASA LAN IP Address: 10.1.1.1/24
Mode: Main (IKEv1)
Pre-shared Key: password123 (example value only; use a long, random key in production)
IPsec Phase 1 Authentication: SHA-1
IPsec Phase 1 Encryption: AES-256
IPsec Phase 1 DH Group: 5
IPsec Phase 1 SA Lifetime: 3600 seconds
IPsec Phase 2 Authentication: SHA-1
IPsec Phase 2 Encryption: AES-256
IPsec Phase 2 PFS Group: 5
IPsec Phase 2 SA Lifetime: 28800 seconds

Both peers must use identical Phase 1 and Phase 2 parameters; a mismatch in any one of them (including the PFS group and the local/remote network pair) causes the negotiation to fail. Main mode with a pre-shared key also requires the Peplink to reach the ASA from the static WAN address above, because the ASA selects the pre-shared key by peer IP address.

Cisco ASA Configuration

The following example configuration is based on Cisco ASA version 9.2 and implements the example settings above. The ASA 5505 has switch ports rather than routed ports, so each physical interface is assigned to a VLAN and the IP address is configured on the VLAN interface:

//Assign ethernet 0/0 to VLAN 2, which will be the "WAN" side
ciscoasa(config)# interface ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
//Enable ethernet 0/1 and 0/2, which will be the "LAN" side (switch ports belong to VLAN 1 by default)
ciscoasa(config)# interface ethernet 0/1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface ethernet 0/2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
//Configure "LAN": VLAN 1
ciscoasa(config)# interface vlan 1
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# exit
//Configure "WAN": VLAN 2
ciscoasa(config)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# ip address 66.80.3.1 255.255.255.248
ciscoasa(config-if)# exit
//IPsec phase 1 configuration (IKEv1); every value here must match the Peplink Phase 1 settings
ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# lifetime 3600
ciscoasa(config-ikev1-policy)# exit
//Enable IKEv1 on the interface that faces the peer
ciscoasa(config)# crypto ikev1 enable outside
//Define transform-set using AES-256 and SHA-1 (the Phase 2 proposal)
ciscoasa(config)# crypto ipsec ikev1 transform-set aesset esp-aes-256 esp-sha-hmac
//Define access-list for local and remote network: source is the ASA LAN, destination the Peplink LAN;
//the Peplink side must mirror this pair (local 192.168.30.0/24, remote 10.1.1.0/24)
ciscoasa(config)# access-list ipsec_access_list extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0
//Define tunnel-group for LAN to LAN IPsec VPN connection, keyed by the Peplink WAN IP address
ciscoasa(config)# tunnel-group 210.211.10.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 210.211.10.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key password123
ciscoasa(config-tunnel-ipsec)# exit
//IPsec phase 2 configuration: bind the ACL, peer, transform-set, PFS group and lifetime to one crypto map entry
ciscoasa(config)# crypto map ipsecmap 1 match address ipsec_access_list
ciscoasa(config)# crypto map ipsecmap 1 set peer 210.211.10.1
ciscoasa(config)# crypto map ipsecmap 1 set ikev1 transform-set aesset
ciscoasa(config)# crypto map ipsecmap 1 set pfs group5
ciscoasa(config)# crypto map ipsecmap 1 set security-association lifetime seconds 28800
//Apply the crypto map to the outside interface
ciscoasa(config)# crypto map ipsecmap interface outside
//Save config
ciscoasa(config)# write memory
Building configuration...
Cryptochecksum: 29fbce0d 2e1cbc86 b0805086 5b7be06c
4070 bytes copied in 1.260 secs (4070 bytes/sec)
[OK]
ciscoasa(config)# exit
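The configuration above does not touch NAT. If the ASA also translates the inside network to its outside address (the 5505 factory configuration does this with a dynamic interface PAT rule), packets for 192.168.30.0/24 would leave with a translated source and never match the crypto ACL, so the tunnel would never come up. The following is an added example, not part of the original guide, showing the identity NAT exemption for that case and the commands used to verify both IKE phases. The object names LOCAL-LAN and PEPLINK-LAN are assumptions chosen for this example; the addresses are the ones from the settings table.

```cisco
//Added example: NAT exemption and verification (not from the original guide).
//Object names LOCAL-LAN and PEPLINK-LAN are assumptions for this example.
ciscoasa(config)# object network LOCAL-LAN
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network PEPLINK-LAN
ciscoasa(config-network-object)# subnet 192.168.30.0 255.255.255.0
ciscoasa(config-network-object)# exit
//Identity NAT: keep 10.1.1.0/24 untranslated when the destination is 192.168.30.0/24.
//Place it before any dynamic PAT rule; "no-proxy-arp route-lookup" stops the ASA from
//answering ARP for the remote range and makes it route by the real destination.
ciscoasa(config)# nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PEPLINK-LAN PEPLINK-LAN no-proxy-arp route-lookup
ciscoasa(config)# exit
//Simulate a packet from a LAN host to the Peplink LAN and confirm the NAT phase shows
//the identity rule and the VPN phase encrypts it (hosts .10 are arbitrary example addresses).
ciscoasa# packet-tracer input inside icmp 10.1.1.10 8 0 192.168.30.10
//Generate interesting traffic from a host on 10.1.1.0/24 (or from the ASA's inside
//interface, whose address 10.1.1.1 also matches ipsec_access_list), then check Phase 1.
ciscoasa# ping inside 192.168.30.1
ciscoasa# show crypto ikev1 sa
//Expect one SA to 210.211.10.1 in state MM_ACTIVE. No SA, or a state stuck before
//MM_ACTIVE, means Phase 1 failed: re-check the pre-shared key, DH group, hash and
//encryption on both sides.
ciscoasa# show crypto ipsec sa peer 210.211.10.1
//Expect local ident 10.1.1.0/24, remote ident 192.168.30.0/24, and #pkts encaps /
//#pkts decaps counters that increase with traffic. Phase 1 up but no IPsec SA means
//Phase 2 failed: re-check the transform set, PFS group and that the Peplink's
//local/remote networks mirror ipsec_access_list.
//For a live negotiation trace, enable and then disable IKEv1 debugging:
ciscoasa# debug crypto ikev1 127
ciscoasa# undebug all
```

The NAT exemption is only needed when a translation rule would otherwise match the tunnel traffic; on an ASA with no NAT configured, the original guide's configuration is sufficient as written.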

Peplink Router Configuration
