ASA VPN into AWS

Introduction #

This document describes how to configure an Adaptive Security Appliance (ASA) IPsec Virtual Tunnel Interface (VTI) connection. In ASA 9.7.1, IPsec VTI has been introduced.  It is limited to sVTI IPv4 over IPv4 using IKEv1 in this release.  This is an example configuration for the ASA to connect to Amazon Web Services (AWS).

Note: Currently VTI is only supported in single-context, routed mode.

Configure AWS #

Step 1.

Log in to the AWS console and navigate to the VPC panel.

Navigate to the VPC Dashboard

Step 2.

Confirm that a Virtual Private Cloud (VPC) is already created.  By default, a VPC with 172.31.0.0/16 is created. This is where Virtual Machines (VMs) will be attached.

Step 3.

Create a “Customer Gateway”.  This is a an endpoint that represents the ASA.

FieldValue
Name TagThis is just a human readable name to recognize the ASA.
RoutingDynamic – This means that Border Gateway Protocol (BGP) will be used in order to exchange routing information.
IP AddressThis is the Public IP address of the ASA’s outside interface.
BGP ASNThe Autonomous System (AS) number of the BGP process than runs on the ASA. Use 65000 unless your organization has a public AS number.

Step 4.

Create a  Virtual Private Gateway (VPG).  This is a simulated router that is hosted with AWS that terminates the IPsec tunnel.

FieldValue
Name TagA human readable name to recognize the VPG.

Step 5.

Attach the VPG to the VPC.

Choose the Virtual Private Gateway, click Attach to VPC, choose the VPC from the VPC drop-down list, and click Yes, Attach.

Step 6.

Create a VPN connection.

FieldValue
Name TagA human readable tag of the VPN connection between AWS and the ASA.
Virtual Private GatewayChoose the VPG just created.
Customer GatewayClick the Existing radio button and choose the gateway of the ASA.
Routing OptionsClick the Dynamic (requires BGP) radio button.

Step 7.

Configure the Route Table to propagate the routes learned from the VPG (via BGP) into the VPC.

Step 8.

Download the suggested configuration.  Choose the values below in order to generate a configuration that is a VTI style configuration.

FieldValue
VendorCisco Systems, Inc.
PlatformISR Series Routers
SoftwareIOS 12.4+

Configure the ASA #

Once you download the configuration there is some conversion necessary.

Step 1.

crypto isakmp policy to crypto ikev1 policy.  Only one policy is needed since policy 200 and policy 201 are identical.

Suggested ConfigurationTo
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
exitcrypto isakmp policy 201
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
exit
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

Step 2.

crypto ipsec transform-set to crypto ipsec ikev1 transform-set.  Only one transform-set is needed since the two transform-sets are identical.

Suggested ConfigurationTo
crypto ipsec transform-set ipsec-prop-vpn-7c79606e-0 esp-aes 128 esp-sha-hmac
  mode tunnel
exitcrypto ipsec transform-set ipsec-prop-vpn-7c79606e-1 esp-aes 128 esp-sha-hmac
  mode tunnel
exit
crypto ipsec ikev1 transform-set AWS esp-aes esp-sha-hmac

Step 3.

crypto ipsec profile to crypto ipsec profile.  Only one profile is needed since the two profiles are identical.

 Suggested ConfigurationTo
crypto ipsec profile ipsec-vpn-7c79606e-0
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-7c79606e-0
exitcrypto ipsec profile ipsec-vpn-7c79606e-1
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-7c79606e-1
exit
crypto ipsec profile AWS
 set ikev1 transform-set AWS
 set pfs group2
 set security-association lifetime seconds 3600

Step 4.

crypto keyring and crypto isakmp profile need to be converted to a tunnel-group one for each tunnel.

Suggested ConfigurationTo
crypto keyring keyring-vpn-7c79606e-0
 local-address 64.100.251.37
 pre-shared-key address 52.34.205.227 key QZhh90Bjf
exit
!
crypto isakmp profile isakmp-vpn-7c79606e-0
 local-address 64.100.251.37
 match identity address 52.34.205.227
 keyring keyring-vpn-7c79606e-0
 exit!crypto keyring keyring-vpn-7c79606e-1
 local-address 64.100.251.37
 pre-shared-key address 52.37.194.219 key JjxCWy4Ae
 exit!
crypto isakmp profile isakmp-vpn-7c79606e-1
 local-address 64.100.251.37
 match identity address 52.37.194.219
 keyring keyring-vpn-7c79606e-1
 exit
tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
 ikev1 pre-shared-key QZhh90Bjf isakmp keepalive threshold 10 retry 10tunnel-group 52.37.194.219 type ipsec-l2ltunnel-group 52.37.194.219 ipsec-attributes ikev1 pre-shared-key JjxCWy4Ae isakmp keepalive threshold 10 retry 10

Step 5.

The tunnel configuration is almost identical. The ASA does not support the ip tcp adjust-mss or the ip virtual-reassembly command.

Suggested ConfigurationTo
interface Tunnel1
 ip address 169.254.13.190 255.255.255.252
 ip virtual-reassembly
 tunnel source 64.100.251.37
 tunnel destination 52.34.205.227
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-7c79606e-0
 ip tcp adjust-mss 1387
 no shutdown
 exit!interface Tunnel2
 ip address 169.254.12.86 255.255.255.252
 ip virtual-reassembly
 tunnel source 64.100.251.37
 tunnel destination 52.37.194.219
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-7c79606e-1
 ip tcp adjust-mss 1387
 no shutdown
 exit
interface Tunnel1
 nameif AWS1
 ip address 169.254.13.190 255.255.255.252
 tunnel source interface outside
 tunnel destination 52.34.205.227
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS!interface Tunnel2
 nameif AWS2
 ip address 169.254.12.86 255.255.255.252
 tunnel source interface outside
 tunnel destination 52.37.194.219
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS

Step 6.

In this example, the ASA will only advertise up the inside subnet (192.168.1.0/24) and receive the subnet within AWS (172.31.0.0/16).

Suggested ConfigurationTo
router bgp 65000
 neighbor 169.254.13.189 remote-as 7224
 neighbor 169.254.13.189 activate
 neighbor 169.254.13.189 timers 10 30 30
 address-family ipv4 unicast
  neighbor 169.254.13.189 remote-as 7224
  neighbor 169.254.13.189 timers 10 30 30
  neighbor 169.254.13.189 default-originate
  neighbor 169.254.13.189 activate
  neighbor 169.254.13.189 soft-reconfiguration inbound
  network 0.0.0.0
  exit
 exitrouter bgp 65000
 neighbor 169.254.12.85 remote-as 7224
 neighbor 169.254.12.85 activate
 neighbor 169.254.12.85 timers 10 30 30
 address-family ipv4 unicast
  neighbor 169.254.12.85 remote-as 7224
  neighbor 169.254.12.85 timers 10 30 30
  neighbor 169.254.12.85 default-originate
  neighbor 169.254.12.85 activate
  neighbor 169.254.12.85 soft-reconfiguration inbound
  network 0.0.0.0
  exit
 exit
router bgp 65000
 bgp log-neighbor-changes
 timers bgp 10 30 0
 address-family ipv4 unicast
  neighbor 169.254.12.85 remote-as 7224
  neighbor 169.254.12.85 activate
  neighbor 169.254.13.189 remote-as 7224
  neighbor 169.254.13.189 activate  network 192.168.1.0
  no auto-summary
  no synchronization
 exit-address-family

Verify and Optimize #

Step 1.

Confirm the ASA establishes the IKEv1 security associations with the two endpoints at AWS. The state of the SA should be MM_ACTIVE.

ASA# show crypto ikev1 sa

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 52.37.194.219
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
2   IKE Peer: 52.34.205.227
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
ASA# 

Step 2.

Confirm the IPsec SAs are installed on ASA. There should be an inbound and outbound SPI installed for each peer and there should be some encaps and decaps counters incrementing.

ASA# show crypto ipsec sa
interface: AWS1
    Crypto map tag: __vti-crypto-map-5-0-1, seq num: 65280, local addr: 64.100.251.37

      access-list __vti-def-acl-0 extended permit ip any any 
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 52.34.205.227


      #pkts encaps: 2234, #pkts encrypt: 2234, #pkts digest: 2234
      #pkts decaps: 1234, #pkts decrypt: 1234, #pkts verify: 1234
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2234, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.100.251.37/4500, remote crypto endpt.: 52.34.205.227/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 874FCCF3
      current inbound spi : 5E653906
              
    inbound esp sas:
      spi: 0x5E653906 (1583692038)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, VTI, }
         slot: 0, conn_id: 73728, crypto-map: __vti-crypto-map-5-0-1
         sa timing: remaining key lifetime (kB/sec): (4373986/2384)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x874FCCF3 (2270153971)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, VTI, }
         slot: 0, conn_id: 73728, crypto-map: __vti-crypto-map-5-0-1
         sa timing: remaining key lifetime (kB/sec): (4373986/2384)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

interface: AWS2
    Crypto map tag: __vti-crypto-map-6-0-2, seq num: 65280, local addr: 64.100.251.37
              
      access-list __vti-def-acl-0 extended permit ip any any 
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 52.37.194.219


      #pkts encaps: 1230, #pkts encrypt: 1230, #pkts digest: 1230
      #pkts decaps: 1230, #pkts decrypt: 1230, #pkts verify: 1230
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1230, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.100.251.37/4500, remote crypto endpt.: 52.37.194.219/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: DC5E3CA8
      current inbound spi : CB6647F6

    inbound esp sas:
      spi: 0xCB6647F6 (3412477942)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, VTI, }
         slot: 0, conn_id: 77824, crypto-map: __vti-crypto-map-6-0-2
         sa timing: remaining key lifetime (kB/sec): (4373971/1044)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDC5E3CA8 (3697163432)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, VTI, }
         slot: 0, conn_id: 77824, crypto-map: __vti-crypto-map-6-0-2
         sa timing: remaining key lifetime (kB/sec): (4373971/1044)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Step 3.

On the ASA, confirm that BGP connections are established with AWS.  The State/PfxRcd counter should be 1 as AWS advertises the 172.31.0.0/16 subnet towards the ASA.

ASA# show bgp summary 
BGP router identifier 192.168.1.55, local AS number 65000
BGP table version is 5, main routing table version 5
2 network entries using 400 bytes of memory
3 path entries using 240 bytes of memory
3/2 BGP path/bestpath attribute entries using 624 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1288 total bytes of memory
BGP activity 3/1 prefixes, 4/1 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.12.85   4         7224 1332    1161           5    0    0 03:41:31  1       
169.254.13.189  4         7224 1335    1164           5    0    0 03:42:02  1       

Step 4.

On the ASA, verify that the route to 172.31.0.0/16 has been learned via the tunnel interfaces.  This output shows that there are two paths to 172.31.0.0 from peer 169.254.12.85 and 169.254.13.189. The path towards 169.254.13.189 out Tunnel 2 (AWS2) is preferred because of the lower metric.

ASA# show bgp

BGP table version is 5, local router ID is 192.168.1.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*  172.31.0.0       169.254.12.85      200             0  7224 i
*>                  169.254.13.189     100             0  7224 i
*> 192.168.1.0      0.0.0.0              0         32768  i

ASA# show route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 64.100.251.33 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 64.100.251.33, outside
C        64.100.251.32 255.255.255.224 is directly connected, outside
L        64.100.251.37 255.255.255.255 is directly connected, outside
C        169.254.12.84 255.255.255.252 is directly connected, AWS2
L        169.254.12.86 255.255.255.255 is directly connected, AWS2
C        169.254.13.188 255.255.255.252 is directly connected, AWS1
L        169.254.13.190 255.255.255.255 is directly connected, AWS1
B        172.31.0.0 255.255.0.0 [20/100] via 169.254.13.189, 03:52:55
C        192.168.1.0 255.255.255.0 is directly connected, inside
L        192.168.1.55 255.255.255.255 is directly connected, inside


Step 5.

In order to ensure that traffic which returns from AWS follows a symmetric path, configure a route-map to match the preferred path and adjust BGP to alter the advertised routes.

route-map toAWS1 permit 10
 set metric 100
 exit
!
route-map toAWS2 permit 10
 set metric 200
 exit
!
router bgp 65000
 address-family ipv4 unicast
  neighbor 169.254.12.85 route-map toAWS2 out
  neighbor 169.254.13.189 route-map toAWS1 out

Step 6.

On the ASA, confirm that 192.168.1.0/24 is advertised to AWS.

ASA# show bgp neighbors 169.254.12.85 advertised-routes 

BGP table version is 5, local router ID is 192.168.1.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 172.31.0.0       169.254.13.189     100             0  7224 i
*> 192.168.1.0      0.0.0.0              0         32768  i

Total number of prefixes 2 
ASA# show bgp neighbors 169.254.13.189 advertised-routes 

BGP table version is 5, local router ID is 192.168.1.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop        Metric LocPrf Weight  Path
*> 192.168.1.0      0.0.0.0              0         32768  i

Total number of prefixes 1 

Step 7.

In AWS, confirm that the tunnels for the VPN connection are UP and routes are learned from the peer.  Also check that the route has been propagated into the routing table.

Powered by BetterDocs

Leave a Reply