IPSec VPN encrypted tunnel based on an ASA firewall
As shown in the lab topology, the IP addressing is up to you; the ISP router simulates the public Internet. The configuration procedure is as follows.
First, configure the planned IP addresses on each interface (the process is omitted). The ISP router only needs its two interface addresses and no routes to the private LANs. Besides its IP addresses, R2 also needs a default route whose next hop is the egress gateway (the inside interface of ASA1), as shown below.
R3 likewise needs a default route in addition to its IP addresses; its next hop is also the egress gateway (the inside interface of ASA2), as shown below.
Then configure the IP addresses of the ASA1 firewall, as shown below, and add two route entries: a default route pointing to the ISP gateway and a static route pointing to the internal LAN behind R2.
The IP address configuration of ASA2 is as follows; it also needs the same two route entries. At this point you can test the environment by pinging the outside address of the VPN peer from each ASA.
Use VPCS to configure the IP addresses of the two PCs. The IP address configuration is as follows. Of course, C1 and C2 cannot communicate yet: there is no VPN tunnel, and the ISP does not route the private LAN prefixes.
The following figure shows the IPSec VPN configuration. IKE is disabled by default on the ASA firewall, so you must enable it manually on the outside interface.
Then configure the ISAKMP (IKE phase 1) policy on ASA1; this is the same as on a router. Next configure the pre-shared key. The difference from a router is that the ASA does not take a 0/6 flag to say whether the key is entered in plaintext or encrypted form. Then define the IPsec transform set, which selects the ESP encryption and integrity algorithms.
Define the traffic of interest with an access list, create a static crypto map, bind the transform set and the traffic of interest to it, specify the peer IP address, and finally apply the crypto map to the outside interface. The effect is the same as on a router; only the syntax differs (the ASA uses a single crypto map NAME interface outside command instead of an entry under interface configuration mode).
The following is the configuration of ASA2. The principles and procedure are the same as for ASA1, but pay attention to the IP addresses: the peer address, the traffic-of-interest access list and the NAT exemption must all be mirror images of the ASA1 values.
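The complete procedure above, written out as an added example (this is not the configuration from the original lab screenshots). It uses ASA 8.4+ syntax; the addressing plan is assumed: ISP 200.1.1.1/24 toward ASA1 and 200.1.2.1/24 toward ASA2, ASA1 outside 200.1.1.2 with inside 10.1.1.1 and R2 at 10.1.1.2 in front of LAN 192.168.1.0/24, ASA2 outside 200.1.2.2 with inside 10.2.2.1 and R3 at 10.2.2.2 in front of LAN 192.168.2.0/24. The interface names, object names, access-list names, the crypto map name and the pre-shared key are all placeholders.

```cisco
! ISP router: only the two interface addresses 200.1.1.1/24 and 200.1.2.1/24,
! no routes to the private LANs (it stands in for the Internet).

! R2 (behind ASA1): addresses plus a default route toward ASA1's inside interface.
! R3 is the mirror image with 10.2.2.2 / 192.168.2.1 and next hop 10.2.2.1.
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== ASA1 =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.1.1.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shutdown
! default route to the ISP, static route to the LAN behind R2
route outside 0.0.0.0 0.0.0.0 200.1.1.1
route inside 192.168.1.0 255.255.255.0 10.1.1.2

! IKE is off by default on the ASA: enable IKEv1 on the interface facing the peer
crypto ikev1 enable outside

! Phase 1 (ISAKMP) policy: every parameter must be matched by a policy on the peer
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Pre-shared key lives under the tunnel-group (no 0/6 plaintext flag as on a router)
tunnel-group 200.1.2.2 type ipsec-l2l
tunnel-group 200.1.2.2 ipsec-attributes
 ikev1 pre-shared-key Lab-PSK-change-me

! Phase 2: transform set = ESP encryption + integrity algorithm
crypto ipsec ikev1 transform-set TS-AES-SHA esp-aes esp-sha-hmac

! Traffic of interest: local LAN -> remote LAN (ASA2 has the reverse)
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! NAT exemption (8.3+ form) so VPN traffic keeps its private source address;
! pre-8.3 images use "nat (inside) 0 access-list VPN-TRAFFIC" instead
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Static crypto map: traffic of interest, peer, transform set; then bind to the interface
crypto map CMAP 10 match address VPN-TRAFFIC
crypto map CMAP 10 set peer 200.1.2.2
crypto map CMAP 10 set ikev1 transform-set TS-AES-SHA
crypto map CMAP interface outside

! ===== ASA2: identical structure, addresses mirrored =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 200.1.2.2 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
 no shutdown
route outside 0.0.0.0 0.0.0.0 200.1.2.1
route inside 192.168.2.0 255.255.255.0 10.2.2.2
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 200.1.1.2 type ipsec-l2l
tunnel-group 200.1.1.2 ipsec-attributes
 ikev1 pre-shared-key Lab-PSK-change-me
crypto ipsec ikev1 transform-set TS-AES-SHA esp-aes esp-sha-hmac
access-list VPN-TRAFFIC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
object network LOCAL-LAN
 subnet 192.168.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
crypto map CMAP 10 match address VPN-TRAFFIC
crypto map CMAP 10 set peer 200.1.1.2
crypto map CMAP 10 set ikev1 transform-set TS-AES-SHA
crypto map CMAP interface outside
```

Two points worth noting. Decrypted VPN traffic bypasses the outside interface access list because sysopt connection permit-vpn is on by default, so no extra ACL is needed for the return traffic from C2. The algorithms above (AES-128, SHA-1, DH group 2, IKEv1) are chosen to match a typical lab; for a real deployment prefer IKEv2, AES-256 or AES-GCM, SHA-256, DH group 14 or higher, and a long random pre-shared key or certificates.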
After the preceding configuration is complete, go back to VPCS and test connectivity again: ping C2 on the peer LAN from C1. The first one or two pings may time out while the tunnel is being negotiated; once replies arrive, communication through the tunnel is working.
That completes the experiment. To review the configuration in detail, use show running-config or show run crypto.
The following mistakes are the most common in this setup: ① the peer IP address is wrong on one side; ② the phase 1 policies or transform sets do not match, so the peer's proposal is rejected; ③ the pre-shared keys differ; ④ IKE was never enabled on the ASA's outside interface; ⑤ a NAT rule (or nat-control on older releases) translates the inside LAN toward the outside, but no NAT exemption was configured, so the source address is rewritten before the crypto map sees it and never matches the traffic of interest.
The "debug crypto isakmp" command (debug crypto ikev1 on 8.4 and later) is used to diagnose and troubleshoot problems with the management connection, that is, the IKE phase 1 security association.
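A verification sequence, added here as an example and not part of the original lab, that walks through the five error causes above in order on ASA1. It assumes the same addressing plan and 8.4+ syntax as the configuration example (peer 200.1.2.2, C1 at 192.168.1.10, C2 at 192.168.2.10); on pre-8.4 images substitute isakmp for ikev1 in the show, clear and debug commands.

```cisco
! 1. Peer address and reachability: the peer's outside address must answer and
!    must be the same address in "set peer" and in the tunnel-group name
ping 200.1.2.2
show run crypto map
show run tunnel-group

! 2. IKE enabled on the correct interface, and phase 1 parameters agreed with the peer
show run crypto ikev1
! an entry in MM_ACTIVE state means phase 1 completed; no entry means it never did
show crypto ikev1 sa

! 3. Pre-shared key: show run masks it, so if phase 1 fails right after the
!    identity exchange, re-enter the key on both sides rather than eyeballing it
show run tunnel-group 200.1.2.2

! 4. Phase 2: transform set and mirrored traffic of interest;
!    #pkts encaps / #pkts decaps must both increase while C1 pings C2
show crypto ipsec sa

! 5. NAT exemption must be hit before any dynamic PAT rule (translate_hits counter)
show nat
! packet-tracer shows the NAT phase and the VPN encrypt phase for a simulated ping
packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10 detailed

! Live negotiation trace when phase 1 still fails: clear the SA, debug, then
! generate interesting traffic from C1 and read the messages; stop the debug afterwards
clear crypto ikev1 sa
debug crypto ikev1 127
undebug all
```

Read the output of step 4 carefully: encaps increasing with decaps stuck at zero means this side encrypts but nothing comes back, which points at the peer's NAT exemption or traffic-of-interest ACL rather than at phase 1.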