Cisco AnyConnect VPN client can be used for both IKEv1 and IKEv2, but the Cisco legacy VPN client doesn't support IKEv2.
You can also configure the ASA to run IKEv1 and IKEv2 simultaneously. Though they use the same UDP port, they are not interoperable; they work independently without any conflicts.
Make sure that the firewall is reachable from the VPN client's network.
For the basic setup of the firewall, please see the article below.
http://arshad-it.blogspot.com/2017/07/how-to-set-up-basic-cisco-asa-firewall.html
VPN Configurations on ASA
ASA(config)# crypto ikev1 policy 65535
ASA(config-ikev1-policy)# authentication pre-share
ASA(config-ikev1-policy)# encryption 3des
ASA(config-ikev1-policy)# hash sha
ASA(config-ikev1-policy)# group 2
ASA(config-ikev1-policy)# lifetime 86400
ASA(config-ikev1-policy)# exit
ASA(config)# crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
ASA(config)# ip local pool VPNPOOL 192.168.10.1-192.168.10.5 mask 255.255.255.248
ASA(config)# access-list REMOTE standard permit 172.21.1.0 255.255.255.0
ASA(config)# group-policy clientgroup internal
ASA(config)# group-policy clientgroup attributes
ASA(config-group-policy)# split-tunnel-policy tunnelspecified
ASA(config-group-policy)# split-tunnel-network-list value REMOTE
ASA(config-group-policy)# exit
ASA(config)# tunnel-group RAtunnel type remote-access
ASA(config)# tunnel-group RAtunnel general-attributes
ASA(config-tunnel-general)# address-pool VPNPOOL
ASA(config-tunnel-general)# default-group-policy clientgroup
ASA(config-tunnel-general)# authentication-server-group LOCAL
ASA(config-tunnel-general)# exit
ASA(config)# tunnel-group RAtunnel ipsec-attributes
ASA(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123
ASA(config-tunnel-ipsec)# exit
ASA(config)# crypto dynamic-map dyn_map 65535 set ikev1 transform-set set1
ASA(config)# crypto map outside_map 65535 ipsec-isakmp dynamic dyn_map
ASA(config)# crypto map outside_map interface outside
ASA(config)# crypto ikev1 enable outside
ASA(config)# username Babar password cisco
ASA(config)# object-group network obj_192.168.10.1_248
ASA(config-network-object-group)# network-object 192.168.10.0 255.255.255.248
ASA(config-network-object-group)# exit
ASA(config)# object-group network obj_172.21.1.0_24
ASA(config-network-object-group)# network-object 172.21.1.0 255.255.255.0
ASA(config-network-object-group)# exit
ASA(config)# nat (inside,outside) source static obj_172.21.1.0_24 obj_172.21.1.0_24 destination static obj_192.168.10.1_248 obj_192.168.10.1_248
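As an added example (not part of the original post), a small Python audit that reads the configuration above as it would appear in "show running-config" and flags the legacy settings it contains: 3DES, Diffie-Hellman group 2 and a short pre-shared key. The sample configuration string is constructed from the commands above, and the lists of what counts as weak (WEAK_IKE, WEAK_ESP, MIN_PSK_LEN) are assumptions to be adjusted to your own baseline.

```python
import re

# Constructed sample: the commands from this post as shown by "show running-config".
SAMPLE_CONFIG = """\
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
tunnel-group RAtunnel ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ikev1 enable outside
"""

# Assumed local baseline of legacy settings; adjust to your own policy.
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
MIN_PSK_LEN = 16


def audit_ikev1(config):
    """Return (where, setting, value) findings for legacy IKEv1/IPsec settings."""
    findings = []
    policy = tunnel_group = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level command ends any sub-mode
            policy = tunnel_group = None
        if m := re.match(r"crypto ikev1 policy (\d+)", line):
            policy = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            tunnel_group = m.group(1)
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            for alg in m.group(2).split():     # each ESP cipher/integrity algorithm
                if alg in WEAK_ESP:
                    findings.append((f"transform-set {m.group(1)}", "transform", alg))
        elif policy:                           # inside "crypto ikev1 policy" sub-mode
            setting, _, value = line.partition(" ")
            if value in WEAK_IKE.get(setting, ()):
                findings.append((f"ikev1 policy {policy}", setting, value))
        elif tunnel_group:                     # inside "ipsec-attributes" sub-mode
            if m := re.match(r"ikev1 pre-shared-key (\S+)", line):
                if len(m.group(1)) < MIN_PSK_LEN:
                    findings.append((f"tunnel-group {tunnel_group}", "pre-shared-key",
                                     f"shorter than {MIN_PSK_LEN} characters"))
    return findings
```

Run audit_ikev1 over the output of "show running-config" captured from the ASA; an empty list means nothing in the baseline was matched.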
VPN client configurations
Verification
To check whether packets are being encrypted and decrypted through the tunnel, issue the command "show crypto ipsec sa" and watch the "#pkts encaps" and "#pkts decaps" counters increase; "show crypto ikev1 sa" shows whether the phase 1 SA with the client is up.
Tip
· Do not copy the commands directly from the web page to the firewall. Paste them into Notepad first, read each command, and then type it manually on the firewall.
· 3DES and Diffie-Hellman group 2 are legacy settings used here for the lab, and the pre-shared key (cisco123) and user password (cisco) are lab values as well.
Note: I personally configured and tested this lab and it's working; the ASA version is 8.4.
--------------------------------The END-------------------------------