VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

ASDM 9.2 IPsec Configuration Guide, 2016

Page 1

Site-to-Site IPsec Tunnel

The IPsec protocol allows you to securely connect two sites together over the public Internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use-cases; we will focus on the Site-to-Site or LAN-to-LAN setup most often used with VNS3 to build hybrid clouds.

Many network hardware devices support IPsec tunneling functionality. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:

- IKEv1 or IKEv2
- AES256, AES128 or 3DES
- SHA1 or MD5
- NAT-Traversal capability (some clouds require NAT-Traversal encapsulation: AWS Generic EC2, Microsoft Azure, etc.)

A diagram of the typical secure hybrid cloud setup using VNS3 is provided on this page. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (192.168.3.0/24) and the VNS3 Overlay Network (172.31.1.0/24).

[Diagram: typical secure hybrid cloud setup using VNS3]
  Public Cloud, Overlay Network subnet 172.31.1.0/24: VNS3 (public IP 184.73.174.250, overlay IP 172.31.1.250); Cloud Server (overlay IP 172.31.1.1)
  Active IPsec tunnel: 192.168.3.0/24 - 172.31.1.0/24
  Customer Remote Office, remote subnet 192.168.3.0/24: Firewall / IPsec Cisco ASA; Server A (LAN IP 192.168.3.50); Server B (LAN IP 192.168.3.100)

This guide provides the steps to set up the Cisco ASA side of the IPsec configuration. The most important thing in any IPsec configuration is to make sure all settings match on both devices that are going to connect to each other. Mismatches are the primary cause of tunnel failure or instability.

Page 2

Use the Cisco VPN Wizard - Site-to-Site

Unless you are familiar with the Cisco ASA CLI or ASDM, the configuration wizards are the easiest way to configure an IPsec tunnel. From the Cisco ASDM menu click Wizards > VPN Wizards > Site-to-site VPN Wizard.

Page 3

IPsec VPN Wizard: 1. Introduction

The first page of the Site-to-site VPN Connection Setup Wizard provides a diagram (similar to the one on page 2 of this document) and a link to a video that explains the configuration process. Click Next.

Page 4

IPsec VPN Wizard: 2. Peer Device Identification

The first step in setting up an IPsec tunnel is to tell the Cisco ASA the public IP address of the peer it will negotiate the tunnel with. Enter the VNS3 Manager's public IP address in the Peer IP Address field. Choose outside as the VPN Access Interface, as this tunnel will be negotiated out via the public Internet. Click Next.

Page 5

IPsec VPN Wizard: 3. Traffic to Protect

Once the ASA knows the address of the peer it will build the IPsec tunnel with, the next step is to configure which traffic is allowed to pass over the tunnel. This is done by entering network ranges: one range for the local side (what is available "behind" the Cisco ASA) and one range for the remote side (what is available "behind" the VNS3 instance).

NOTE: Use CIDR notation here and avoid using network group objects (see page 13). If you need to advertise more than one subnet range, simply enter them in a comma-separated list (e.g. 172.31.1.0/25, 172.31.1.128/25).

Enter your local subnet in the Local Network field. Enter the VNS3 Overlay Subnet / Unencrypted VLAN* in the Remote Network field. Click Next.

*If you are unsure which network to use for the remote network, contact our support team.

Page 6

IPsec VPN Wizard: 3. Security - PSK and IKE Version

VNS3 supports IPsec tunnel authentication using a pre-shared key (PSK). A PSK is a shared secret between the two connecting parties (in this case the owner of the VNS3 Controller and the owner of the Cisco ASA). Even though a VPN IPsec connection is encrypted, the PSK confirms that the peer or device you are establishing the connection with is the one you intend to use. Encryption provides confidentiality in the connection, and the PSK ensures that only you and the other party can provide the required authentication.

VNS3 does not currently support certificate-based authentication. If this is a requirement for your deployment, contact our support team.

Enter a PSK that will be used for both sides of the connection in the Pre-shared Key field. In our VNS3 Configuration PDF we use "test".

NOTE: For IKEv2 there may be more fields than displayed here. Enter the same PSK in each field.

Click IKE Version and select IKE Version 1*.

*IKE Version 2 is supported in VNS3 versions 3.5 and later. To ensure the highest interoperability, use IKEv1.

Page 7

IPsec VPN Wizard: 3. Security - Encryption Algorithms and PFS

The next step in setting up the security profile for an IPsec configuration is to choose the algorithms that will be used to protect the traffic moving through the tunnel. The settings must match on both sides of the tunnel configuration. A policy is made up of an encryption algorithm, a hash algorithm and potentially a Diffie-Hellman group.

Click Encryption Algorithms from the Custom Configuration pane menu. Select the IKE (Phase 1) policy and enter it into the IKE Policy field.

NOTE: The IKE Policy is an ASA global setting and is shared with all connections. If you change it, you may experience problems with other existing connections.

Select the IPsec SA (Phase 2) policy and enter it into the IPsec Proposal field.

PFS (Perfect Forward Secrecy) ensures that the keys protecting IPsec traffic are derived from a fresh Diffie-Hellman exchange rather than from the Phase 1 keying material, so the same key is never regenerated. Enabling PFS significantly limits what a malicious third party can do or see if they compromise a key. Cohesive recommends enabling PFS as best practice.

Click Perfect Forward Secrecy from the Custom Configuration pane menu. Check the PFS check box and choose a PFS Diffie-Hellman group from the drop-down menu. Click Next.

Page 8

IPsec VPN Wizard: 4. NAT Exempt

The NAT Exempt setting simply tells the ASA not to translate the traffic associated with the tunnel: source and destination addresses retain the untranslated version of their subnets. In a standard/traditional configuration, NAT Exempt should be checked.

NOTE: If the local subnet (the address range "behind" the ASA) is not the actual range and you are using Network Address Translation, this box will need to be left unchecked. For this example we assume the Traffic configuration on page 6 uses the actual subnet ranges.

Check the NAT Exempt box. Click Next.

Page 9

IPsec VPN Wizard: Summary

Review the IPsec tunnel configuration parameters to make sure everything is entered as expected and matches the VNS3 configuration. Click Finish.

Page 10

IPsec VPN Wizard: Summary

Once the tunnel has been established, you can monitor the tunnel session information for any issues. Click Monitoring on the ASDM top menu. Click VPN from the bottom left menu. Click VPN Statistics > Sessions from the VPN left column menu pane. Select the Connection Profile and click Details.

Page 11

Troubleshooting

Page 12

Cisco Network Group Object

Page 13

Cisco Network Group Object

Cisco Network Group Objects allow more than one tunnel/subnet/SA to be included in a single ACL line. Cisco Network Group Objects create interoperability problems with VNS3 (and other manufacturers' devices) and are NOT SUPPORTED:

    access-list VPN_ACL extended permit ip object-group REMOTE object-group LOCAL
    object-group network REMOTE
     network-object 172.31.0.0 255.255.255.0
     network-object 172.21.1.0 255.255.255.0
    object-group network LOCAL
     network-object 192.168.0.0 255.255.255.0

It is recommended that you use the non-grouped ACL syntax with specific address statements, one line per subnet pair:

    access-list VPN_ACL-1 line 1 extended permit ip 192.168.0.0 255.255.255.0 172.31.0.0 255.255.255.0
    access-list VPN_ACL-1 line 2 extended permit ip 192.168.0.0 255.255.255.0 172.31.1.0 255.255.255.0

Page 14

Interesting Traffic

The first step in initiating the IPsec negotiation process with a Cisco device is sending interesting traffic. Interesting traffic as defined by Cisco:

"Determining what type of traffic is deemed interesting is part of formulating a security policy for use of a VPN. The policy is then implemented in the configuration interface for each particular IPSec peer. For example, in Cisco routers and PIX Firewalls, access lists are used to determine the traffic to encrypt. The access lists are assigned to a crypto policy such that permit statements indicate that the selected traffic must be encrypted, and deny statements can be used to indicate that the selected traffic must be sent unencrypted. With the Cisco Secure VPN Client, you use menu windows to select connections to be secured by IPSec. When interesting traffic is generated or transits the IPSec client, the client initiates the next step in the process, negotiating an IKE phase one exchange."

Interesting traffic is tunnel traffic whose source and destination fit the tunnel definition / ACLs that were created as part of the IPsec configuration. It is recommended that a continuous ping is set up on both sides of the tunnel during configuration to ensure interesting traffic is present to begin the IPsec negotiation process.

Page 15
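The grouped-to-flat ACL conversion recommended on page 14 and the interesting-traffic match described above, as an added example that is not part of the original guide. The grouped configuration is constructed for illustration and orders the local (source) network before the remote (destination) network, as the flat lines on page 14 do; the subnet values are illustrative.

```python
import ipaddress
import itertools
import re

# Constructed sample of the grouped ACL form that VNS3 does not interoperate with.
# In a crypto ACL the first address is the source (local side), the second the destination (remote).
GROUPED_CONFIG = """\
access-list VPN_ACL extended permit ip object-group LOCAL object-group REMOTE
object-group network LOCAL
 network-object 192.168.0.0 255.255.255.0
object-group network REMOTE
 network-object 172.31.0.0 255.255.255.0
 network-object 172.31.1.0 255.255.255.0
"""

def parse_groups(config):
    """Collect the network-object entries under each 'object-group network NAME'."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"^\s*network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups

def flatten_acl(config, acl_name):
    """Expand each object-group ACL line into explicit (source, destination) subnet pairs."""
    groups = parse_groups(config)
    pattern = rf"^access-list {acl_name} extended permit ip object-group (\S+) object-group (\S+)"
    pairs = []
    for line in config.splitlines():
        m = re.match(pattern, line)
        if m:
            pairs.extend(itertools.product(groups[m.group(1)], groups[m.group(2)]))
    return pairs

def render_acl(acl_name, pairs):
    """Emit the non-grouped syntax: one numbered permit line per subnet pair."""
    return [f"access-list {acl_name} line {i} extended permit ip "
            f"{s.network_address} {s.netmask} {d.network_address} {d.netmask}"
            for i, (s, d) in enumerate(pairs, start=1)]

def is_interesting(pairs, src_ip, dst_ip):
    """Traffic is 'interesting' only when source and destination fall inside one permit line, in that direction."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)
```

Running `render_acl("VPN_ACL-1", flatten_acl(GROUPED_CONFIG, "VPN_ACL"))` yields the two flat lines in the page 14 form; a reply from the remote side to the local side is not interesting traffic for this ACL, which is why the guide recommends a continuous ping from both sides.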

VPN Idle Timeout

VPN Idle Timeout is a Cisco setting that terminates an IPsec connection if there is no communication activity on the connection within the defined period. Terminated IPsec connections can alarm operations teams and require interesting traffic in a specific direction to re-build/re-negotiate the tunnel. This is at best a nuisance for production systems. It is recommended that this setting is turned off or the idle timeout is set to Unlimited.

To turn off the vpn-idle-timeout via ASDM, click Configuration > Site-to-Site VPN > Group Policies, then click the Group Policy created for your tunnel. The resulting page has an Idle Timeout checkbox; make sure it is set to Unlimited.

To turn vpn-idle-timeout off via the CLI, use one of the following under the Group Policy associated with the tunnel:

    vpn-idle-timeout none

OR

    no vpn-idle-timeout

For example, on the default group policy:

    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none

NOTE: When setting up your IPsec configuration via the Site-to-site VPN Wizard, the vpn-idle-timeout setting is inherited from the Default Group Policy as configured on your ASA. Double check that it is disabled after tunnel configuration.

Page 16

VNS3 Document Links

VNS3 Product Resources - Documentation and Add-ons

- VNS3 Configuration Document: instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.
- VNS3 Docker Instructions: explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.
- VNS3 Troubleshooting: troubleshooting document that explains the issues more commonly experienced with VNS3.

Page 17