R3
crypto isakmp policy 9
hash md5
authentication pre-share
group 2
!
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set IKEV1_TSET_DES_MD5 esp-des esp-md5-hmac
mode tunnel
!
crypto map CMAP 30 ipsec-isakmp
set peer 111.0.0.11
set transform-set IKEV1_TSET_DES_MD5
match address VPN_TO_SW3
!
ip access-list extended VPN_TO_SW3
permit ip 10.1.0.0 0.0.255.255 10.3.11.0 0.0.0.255
FTD relevant configuration - must be configured via GUI and not CLI
crypto ikev1 enable outside
!
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
!
crypto ipsec ikev1 transform-set CSM_TS_1 esp-des esp-md5-hmac
!
access-list SW4_TO_VPN extended permit object-group ProxySG_ExtendedACL_4294971437 object SW3_NETWORK object HQ_SUBNETS log
!
object network SW3_NETWORK
subnet 10.3.11.0 255.255.255.0
object network HQ_SUBNETS
subnet 10.1.0.0 255.255.0.0
!
crypto map CSM_outside_map 1 match address SW4_TO_VPN
crypto map CSM_outside_map 1 set peer 103.0.0.3
crypto map CSM_outside_map 1 set ikev1 transform-set CSM_TS_1
crypto map CSM_outside_map 1 set reverse-route
crypto map CSM_outside_map interface outside
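The two crypto ACLs above must be exact mirror images, and the easy mistake is that IOS writes them with wildcard masks while FTD/ASA writes them with subnet masks (here hidden behind object names). The following check is an added example, not part of the original post or either vendor's tooling; it converts both notations to networks and confirms the proxy IDs mirror each other. The sample ACL strings are built from the page's own entries, with the FTD object and object-group names expanded by hand.

```python
import ipaddress

# Sample inputs constructed from the two crypto ACLs on this page:
# IOS writes wildcard masks, FTD/ASA writes subnet masks, and the FTD line
# is shown here with its object/object-group names already expanded.
IOS_ACL = "permit ip 10.1.0.0 0.0.255.255 10.3.11.0 0.0.0.255"
FTD_ACL = "access-list SW4_TO_VPN extended permit ip 10.3.11.0 255.255.255.0 10.1.0.0 255.255.0.0 log"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network.

    Wildcard bits set to 1 are 'don't care'. Only contiguous wildcards can be
    expressed as a prefix, so anything else (e.g. 0.0.255.0) is rejected.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_endpoint(tokens, i, masked):
    """Read one endpoint starting at tokens[i]; returns (network, tokens consumed).

    Handles 'any', 'host A.B.C.D', and address+mask, where masked() turns the
    address/mask pair into a network (wildcard for IOS, subnet mask for FTD).
    """
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), 2
    return masked(tokens[i], tokens[i + 1]), 2


def _parse(line, masked):
    tokens = line.split()
    i = tokens.index("permit")
    proto = tokens[i + 1]
    src, used = _take_endpoint(tokens, i + 2, masked)
    dst, _ = _take_endpoint(tokens, i + 2 + used, masked)
    return proto, src, dst


def parse_ios_ace(line):
    """'permit ip SRC WILDCARD DST WILDCARD' -> (proto, src_net, dst_net)."""
    return _parse(line, wildcard_to_network)


def parse_ftd_ace(line):
    """'... permit ip SRC MASK DST MASK ...' -> (proto, src_net, dst_net)."""
    return _parse(line, lambda a, m: ipaddress.IPv4Network((a, m), strict=False))


def is_mirror(local, remote):
    """True when the remote ACE is the exact reverse of the local one.

    IKEv1 quick mode builds the proxy IDs from these entries, so anything other
    than an exact mirror (same protocol, swapped src/dst) is a proxy-ID mismatch,
    one of the most common reasons phase 2 never comes up.
    """
    l_proto, l_src, l_dst = local
    r_proto, r_src, r_dst = remote
    return l_proto == r_proto and l_src == r_dst and l_dst == r_src


if __name__ == "__main__":
    ios, ftd = parse_ios_ace(IOS_ACL), parse_ftd_ace(FTD_ACL)
    print("IOS :", ios)
    print("FTD :", ftd)
    print("mirror:", is_mirror(ios, ftd))
```

Run it against your own pair of ACLs before deploying; a `/24` on one side and a `/25` on the other will pass a casual eyeball check but fail here, and it fails the same way on the wire.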
Navigate to Devices > VPN > Site to Site, then click the + and add an FTD VPN.
Name it appropriately, define the topology and choose the IKE version to use.
The endpoints need to be added.
Add the first endpoint, the local device.
Add the second endpoint, the remote device.
On the IKE tab, you'll have to define the PSK and the phase 1 policy.
The evaluation license only seems to allow older and weaker algorithms, so I created a policy. The parameters used are listed in the CLI section above, minus screenshots... do you blame me?
The same logic applies to the Phase 2 portion; the attributes used are listed above.
The finished configuration looks like this, all you need to do is deploy it.
IOSv14#ping 10.3.11.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.11.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 33/47/69 ms
> show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 103.0.0.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
> show crypto ipsec sa
interface: outside
Crypto map tag: CSM_outside_map, seq num: 1, local addr: 111.0.0.11
access-list SW4_TO_VPN extended permit ip 10.3.11.0 255.255.255.0 10.1.0.0 255.255.0.0 log
local ident (addr/mask/prot/port): (10.3.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 103.0.0.3
#pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
#pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 79, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 111.0.0.11/0, remote crypto endpt.: 103.0.0.3/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A1B4FA25
current inbound spi : DA749927
inbound esp sas:
spi: 0xDA749927 (3665074471)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 2, crypto-map: CSM_outside_map
sa timing: remaining key lifetime (kB/sec): (4373997/627)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x0000003F 0xFFFFFFFF
outbound esp sas:
spi: 0xA1B4FA25 (2712992293)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 2, crypto-map: CSM_outside_map
sa timing: remaining key lifetime (kB/sec): (4373997/627)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
R3#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
111.0.0.11 103.0.0.3 QM_IDLE 1070 ACTIVE
103.0.0.3 110.0.0.10 QM_IDLE 1071 ACTIVE
108.0.0.8 103.0.0.3 QM_IDLE 1032 ACTIVE
102.0.0.2 103.0.0.3 QM_IDLE 1069 ACTIVE
R3#show crypto ipsec sa peer 111.0.0.11
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 103.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.3.11.0/255.255.255.0/0/0)
current_peer 111.0.0.11 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
#pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 103.0.0.3, remote crypto endpt.: 111.0.0.11
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xA677B6B9(2792863417)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x94C7BFCB(2496118731)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 125, flow_id: SW:125, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4238283/3478)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA677B6B9(2792863417)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 126, flow_id: SW:126, sibling_flags 80000040, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4238283/3478)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
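The verification output above is what you read by hand during a lab; in production you want the same checks scripted. The following is an added example, not part of the original post or any Cisco tool: it parses trimmed copies of the FTD and IOS `show crypto isakmp sa` / `show crypto ipsec sa` output shown above, confirms phase 1 is up for the expected peer, compares encap and decap counters to catch one-way traffic, and flags the DES/MD5 transform and missing PFS that the evaluation license forced here. The sample text is constructed from the page's output, and the weak-algorithm sets are an assumption reflecting current guidance, not anything the page states.

```python
import re

# Constructed samples, trimmed from the FTD and IOS outputs shown on this page.
FTD_ISAKMP = """\
IKEv1 SAs:
Active SA: 1
1 IKE Peer: 103.0.0.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
"""
FTD_IPSEC_SA = """\
interface: outside
Crypto map tag: CSM_outside_map, seq num: 1, local addr: 111.0.0.11
current_peer: 103.0.0.3
#pkts encaps: 79, #pkts encrypt: 79, #pkts digest: 79
#pkts decaps: 79, #pkts decrypt: 79, #pkts verify: 79
inbound esp sas:
transform: esp-des esp-md5-hmac no compression
outbound esp sas:
transform: esp-des esp-md5-hmac no compression
"""
IOS_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status
111.0.0.11 103.0.0.3 QM_IDLE 1070 ACTIVE
103.0.0.3 110.0.0.10 QM_IDLE 1071 ACTIVE
"""
IOS_IPSEC_SA = """\
interface: GigabitEthernet0/0
Crypto map tag: CMAP, local addr 103.0.0.3
current_peer 111.0.0.11 port 500
#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
#pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
PFS (Y/N): N, DH group: none
inbound esp sas:
transform: esp-des esp-md5-hmac ,
outbound esp sas:
transform: esp-des esp-md5-hmac ,
"""

# Assumption: DES/3DES and MD5 are treated as deprecated; tune to your own policy.
WEAK_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"esp-md5-hmac", "esp-none"}


def phase1_active(text, peer):
    """True if an IKEv1 phase-1 SA to `peer` is up.

    FTD/ASA prints a block per peer ('IKE Peer: X' ... 'State : MM_ACTIVE');
    IOS prints one table row per SA ('dst src QM_IDLE conn-id ACTIVE').
    """
    m = re.search(r"IKE Peer:\s*" + re.escape(peer) + r".*?State\s*:\s*(\S+)", text, re.S)
    if m:
        return m.group(1) == "MM_ACTIVE"
    for line in text.splitlines():
        if peer in line.split() and re.search(r"QM_IDLE\s+\d+\s+ACTIVE", line):
            return True
    return False


def parse_ipsec_sa(text):
    """Pull peer, counters, transforms and PFS out of FTD/ASA or IOS 'show crypto ipsec sa'."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    transforms = re.findall(r"transform:\s+(esp-\S+)\s+(esp-\S+)", text)
    return {
        "peer": grab(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)", 0)),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)", 0)),
        "transforms": sorted(set(transforms)),
        "pfs": grab(r"PFS \(Y/N\):\s*([YN])"),  # IOS prints this; FTD output above does not
    }


def audit_ipsec_sa(sa):
    """Return a list of findings a defender would want to see for one IPsec SA."""
    findings = []
    for cipher, integrity in sa["transforms"]:
        if cipher in WEAK_CIPHERS:
            findings.append(f"weak cipher {cipher}")
        if integrity in WEAK_HASHES:
            findings.append(f"weak integrity {integrity}")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way traffic: encapsulating but nothing decapsulated from peer")
    if sa["pfs"] == "N":
        findings.append("PFS disabled")
    return findings


if __name__ == "__main__":
    for name, isakmp, ipsec, peer in (("FTD", FTD_ISAKMP, FTD_IPSEC_SA, "103.0.0.3"),
                                      ("IOS", IOS_ISAKMP, IOS_IPSEC_SA, "111.0.0.11")):
        sa = parse_ipsec_sa(ipsec)
        print(name, "phase1 up:", phase1_active(isakmp, peer), "peer:", sa["peer"])
        print(name, "findings:", audit_ipsec_sa(sa))
```

Feed it the live command output instead of the embedded samples and the findings list becomes a simple pass/fail gate for a tunnel health check; the one-way-traffic rule in particular catches the classic symptom of a missing or mismatched crypto ACL on the far side, where encaps climb and decaps stay at zero.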