www.westermo.com LAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com Application Note LAN to LAN IPsec VPN Between MRD-3xx 3G routers and Cisco ASA 5500 series AN-0006-01 Page 1 Proudly Distributed by Gross Automation | (877) 268-3700 www.westermosales.com | [email protected]
11
Embed
LAN to LAN IPsec VPN - Amazon S3...LAN to LAN IPsec MRD-3xx to ASA5500 Application Note LAN to LAN IPsec VPN Between MRD-3xx 3G routers and Cisco ASA 5500 series AN-0006-01 Page 1
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
LAN to LAN IPsec VPNBetween MRD-3xx 3G routers and Cisco ASA 5500 series
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
IPsec VPNA virtual private network (VPN) is a private data network that makes use of thepublic telecommunication infrastructure, maintaining privacy through the use of atunnelling protocol and security procedures. A virtual private network can becontrasted with a system of owned or leased lines that can only be used by onecompany. The main purpose of a VPN is to give the company the samecapabilities as private leased lines at much lower cost by using the shared publicinfrastructure. Phone companies have provided private shared resources for voicemessages for over a decade. A virtual private network makes it possible to havethe same protected sharing of public resources for data.
IPsec is a suite of protocols for providing peer authentication without transmittingthe actual keys. Confidentiality using encryption and integrity ensuring that thereceived data can only come from the authenticated peer and has not beenaltered in any way.
IPsec Encrypting Security Payload tunnels also provide transparency for all nodesand applications using IP and only the VPN gateways needs to be configured tosecurely connect geographically separated networks.
Firstly we will describe and determine all the parameters necessary for thisconfiguration. These values will be written into the “IPsec Network setup table”
The numbers and parameter values from the “IPsec Network setup table” will beused throughout this guide while first configuring the responder and secondly theinitiator.
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
Network setup description
This application note describes how to implement a LAN to LAN IPsec VPN tunnelbetween a Westermo MRD-310 3G Router and a Cisco 5500 series AdaptiveSecurity Appliance.
It is important to decide which of the two routers will be the initiator and which will bethe responder. In nearly all cases, the responder will be a VPN gateway, which islocated at a central location, such as company headquarters. In all cases theresponder must have a publicly accessible IP address to connect across internet.
In this example the MRD-310 has a 3G subscription that dynamically assigns aprivate IP address and is hidden behind a Network Address Translation (NAT)device. As such it can only be the initiator.
The ASA 5505 has a fixed public IP address. The ASA 5505 will be the responder.
For authentication we will be using Pre-Shared Key (PSK). Simple and practical forinitial and small-scale VPN configurations it is however very susceptible to socialengineering. Large scale or long-term deployment should use certificates forauthentication.This IPsec configuration uses Internet Key Exchange (IKEv1). If the IP addresses ofboth gateways are fixed or certificates are used it is recommended to use IKE mainmode which takes longer to establish connection but provides a higher level ofsecurity than aggressive mode.In this example the combination of dynamic IP address and preshared key requiresus to use IKE aggressive mode.
IKE supports many different types of identifiers (ID) for this example we have chosentype 2 FQDN.Please review RFC 2407 for further details.
Encapsulated Security Payload (ESP) is the final encrypted tunnel joining the twoLAN together. A ESP tunnel is unidirectional so two tunnels are used for full duplexcommunication. Advanced Encryption Standard (AES) is the recommendedencryption standard to use since it is more secure and more efficient than the older3DES encryption.
This configuration is valid for:Westermo MRD-310 firmware version 1.11Cisco ASA 5500 series 8.0(2)
First configure access-lists to exempt the protected networks from network addresstranslation.Create a access-list to be used by for the tunnel networks (inside_cryptomap_65535.11)
Add the access-list to the NAT of the outside interface
Configure the crypto parameters
Configure the IKE phase 1
Configure a group policy to use in the following tunnel-group
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
MRD-310 Initiator VPN configurationMake sure you have configured your MRD-3xx 3G router as described in the User Guide.Access the routers web interface and select VPN in the top menu followed by ”IPsec VPN” in the sub menu.
to start configuring a new VPN tunnel.The local interface should be WLS for the wireless 3G/GPRS interface.Press
Next we configure the authentication and proposal for Internet Key Exchange (IKE)The ID must be preceeded with a @ sign to indicate a type 2 or 3 ID (RFC2407) string.
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
MRD-310 Initiator Phase 2Configures two ESP tunnels for the actual protected traffic.LAN to LAN IPsec must know which IP packets to protect so these must be specified in tunnel networksaddress with subnet address/subnet mask. LAN subnet will apply the subnet and mask configured on theEthernet ports of the MRD-310
Finally we set NAT traversal since our MRD-310 has a private IP address dynamically assigned fromthe 3G provider.Set Enabled, to start the IPsec VPN connection.
www.westermo.comLAN to LAN IPsec MRD-3xx to ASA5500 www.westermo.com
Application Note
Group = mrdasa, IP = 87.253.85.130, Automatic NAT Detection Status: Remote end ISbehind a NAT device This end is NOT behind a NAT deviceGroup = mrdasa, IP = 87.253.85.130, PHASE 1 COMPLETEDIP = 87.253.85.130, Keep-alive type for this connection: DPDGroup = mrdasa, IP = 87.253.85.130, Starting P1 rekey timer: 21600 seconds.IP = 87.253.85.130, IKE Responder starting QM: msg id = 7683c925IP = 87.253.85.130, IKE_DECODE RECEIVED Message (msgid=7683c925) with payloads : HDR +HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 156Group = mrdasa, IP = 87.253.85.130, processing hash payloadGroup = mrdasa, IP = 87.253.85.130, processing SA payloadGroup = mrdasa, IP = 87.253.85.130, processing nonce payloadGroup = mrdasa, IP = 87.253.85.130, processing ID payloadGroup = mrdasa, IP = 87.253.85.130, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0Group = mrdasa, IP = 87.253.85.130, Received remote IP Proxy Subnet data in ID Payload:Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0Group = mrdasa, IP = 87.253.85.130, processing ID payloadGroup = mrdasa, IP = 87.253.85.130, ID_IPV4_ADDR_SUBNET ID received--10.255.0.0--255.255.255.0Group = mrdasa, IP = 87.253.85.130, Received local IP Proxy Subnet data in ID Payload:Address 10.208.0.32, Mask 255.255.255.224, Protocol 0, Port 0Group = mrdasa, IP = 87.253.85.130, QM IsRekeyed old sa not found by addrGroup = mrdasa, IP = 87.253.85.130, Static Crypto Map check, checking map = outside_map,seq = 20...Group = mrdasa, IP = 87.253.85.130, Static Crypto Map Check by-passed: Crypto map entryincomplete!Group = mrdasa, IP = 87.253.85.130, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-TraversalGroup = mrdasa, IP = 87.253.85.130, IKE Remote Peer configured for crypto map:SYSTEM_DEFAULT_CRYPTO_MAPGroup = mrdasa, IP = 87.253.85.130, processing IPSec SA payloadGroup = mrdasa, IP = 87.253.85.130, IPSec SA Proposal # 0, Transform # 0 acceptableMatches global IPSec SA entry # 11Group = mrdasa, IP = 87.253.85.130, IKE: requesting SPI!Group = mrdasa, IP = 87.253.85.130, IKE got SPI from key engine: SPI = 0x0c84204cGroup = mrdasa, IP = 87.253.85.130, oakley constucting quick modeGroup = mrdasa, IP = 87.253.85.130, constructing blank hash payloadGroup = mrdasa, IP = 87.253.85.130, constructing IPSec SA payloadGroup = mrdasa, IP = 87.253.85.130, constructing IPSec nonce payloadGroup = mrdasa, IP = 87.253.85.130, constructing proxy IDGroup = mrdasa, IP = 87.253.85.130, Transmitting Proxy Id: Remote subnet: 192.168.20.0 Mask 255.255.255.0 Protocol 0 Port 0 Local subnet: 10.255.0.0 mask 255.255.255.0 Protocol 0 Port 0Group = mrdasa, IP = 87.253.85.130, constructing qm hash payloadGroup = mrdasa, IP = 87.253.85.130, IKE Responder sending 2nd QM pkt: msg id = 7683c925IP = 87.253.85.130, IKE_DECODE SENDING Message (msgid=7683c925) with payloads : HDR +HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160IP = 87.253.85.130, IKE_DECODE RECEIVED Message (msgid=7683c925) with payloads : HDR +HASH (8) + NONE (0) total length : 52Group = mrdasa, IP = 87.253.85.130, processing hash payloadGroup = mrdasa, IP = 87.253.85.130, loading all IPSEC SAsGroup = mrdasa, IP = 87.253.85.130, Generating Quick Mode Key!Group = mrdasa, IP = 87.253.85.130, Generating Quick Mode Key!Group = mrdasa, IP = 87.253.85.130, Security negotiation complete for LAN-to-LAN Group(mrdasa) Responder, Inbound SPI = 0x0c84204c, Outbound SPI = 0xdc68831e