<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Tunnel Archives - Think Netsec</title>
	<atom:link href="https://www.thinknetsec.com/tag/tunnel/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.thinknetsec.com/tag/tunnel/</link>
	<description>Think Network Security</description>
	<lastBuildDate>Fri, 16 Mar 2018 23:48:06 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.1</generator>

<image>
	<url>https://www.thinknetsec.com/wp-content/uploads/2017/08/cropped-ThinkNetsec-Full-Logo-1-32x32.png</url>
	<title>Tunnel Archives - Think Netsec</title>
	<link>https://www.thinknetsec.com/tag/tunnel/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">133674323</site>	<item>
		<title>ASA Route Based VPN</title>
		<link>https://www.thinknetsec.com/asa-route-based-vpn/</link>
					<comments>https://www.thinknetsec.com/asa-route-based-vpn/#comments</comments>
		
		<dc:creator><![CDATA[John Finnegan]]></dc:creator>
		<pubDate>Sat, 06 Jan 2018 00:40:42 +0000</pubDate>
				<category><![CDATA[ASA]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Policy]]></category>
		<category><![CDATA[Route]]></category>
		<category><![CDATA[Route Based]]></category>
		<category><![CDATA[Tunnel]]></category>
		<guid isPermaLink="false">https://www.thinknetsec.com/?p=378</guid>

					<description><![CDATA[<p>ASA Route Based VPN The ASA only performed Policy Based VPNs prior to 9.7 code which can cause a lot of issues when connecting to other vendors. If you are running 9.7+, you will now be able to create a proper Route Based VPN which will allow you to connect<a class="moretag" href="https://www.thinknetsec.com/asa-route-based-vpn/"> Read more&#8230;</a></p>
<p>The post <a href="https://www.thinknetsec.com/asa-route-based-vpn/">ASA Route Based VPN</a> appeared first on <a href="https://www.thinknetsec.com">Think Netsec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<h2><strong>ASA Route Based VPN</strong></h2>
<p>Prior to 9.7 code, the ASA only performed Policy Based VPNs, which can cause a lot of issues when connecting to other vendors. If you are running 9.7+, you can now create a proper Route Based VPN, which will allow you to connect to all other vendors with a lot less headache and overhead.</p>
<h2><strong>Route Based VPN</strong></h2>
<p>Route Based VPNs differ from Policy Based VPNs in that you will have only one IPSec Security Association for each peer. With Policy Based, you would have multiple SAs (Phase 2s), as each tunnel had an identifier made up of each network combination in your Encryption Domain. You can force multiple SAs for a Route Based VPN, but all in all it is generally just one SA for the entire Encryption Domain.</p>
<h2><strong>Basic VPN Configuration Start:</strong></h2>
<p>We will start by creating the basics of the Site to Site. This first part applies whether the VPN is Route Based or Policy Based.</p>
<p>Here are our requirements for the VPN:<br />
<strong>Remote Peer IP:</strong> 2.2.2.2<br />
<strong>Remote Network:</strong> 10.10.0.0/16<br />
<strong>Local Peer IP:</strong> 1.1.1.1<br />
<strong>Local Network:</strong> 172.24.0.0/16<br />
<strong>Phase 1 Parameters:</strong><br />
<em>Encryption:</em> AES-128<br />
<em>Hash Alg.:</em> SHA1<br />
<em>Lifetime (s):</em> 86400<br />
<em>DH Group:</em> Group2<br />
<strong>Phase 2 Parameters:</strong><br />
<em>Encryption:</em> AES-256<br />
<em>Hash Alg.:</em> SHA1<br />
<em>Lifetime (s):</em> 28800<br />
<em>PFS DH:</em> Group5<br />
<strong>Pre-Shared-Key:</strong> Th1nkN3t$Ec</p>
<p>To configure this on the ASA, the commands would look like the following. Note that I am treating this as if it were the first VPN on my ASA, so you may not need some of these commands. <em>(Note: If you already have VPNs configured, make sure you are not overwriting your existing ikev1 policy.)</em></p>
<pre>crypto ikev1 enable <span style="color: #33cccc;">OUTSIDE</span>
crypto ikev1 policy 1
encryption aes
hash sha
authentication pre-share
group 2
lifetime 86400

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key Th1nkN3t$Ec

crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac</pre>
<h2><strong>New Configuration for Route Based</strong></h2>
<p>This next section of configuration is new and is what is needed to complete the Route Based VPN. We will create an IPSec Profile that references the settings we created earlier, and bind it to a new VTI (Virtual Tunnel Interface) on the ASA; the profile is where the Phase 2 configuration is specified. Notice that we have not used the Remote Network anywhere in this configuration yet; we will configure that next, after we create the VTI.</p>
<pre>crypto ipsec profile ROUTE-BASED-PROFILE
  set ikev1 transform-set ESP-AES128-SHA
  set security-association lifetime seconds 28800
  set pfs group5

interface Tunnel0
   nameif ROUTE-BASED
   ip address 169.254.224.253 255.255.255.252
   tunnel source interface OUTSIDE
   tunnel destination 2.2.2.2
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile ROUTE-BASED-PROFILE</pre>
<h2><strong>Routing Traffic over the Route Based VPN</strong></h2>
<p>In my use case we will not be doing dynamic routing, but static routing instead. The routes are what define the encryption domain for the Route Based VPN. Since the ASA cannot reference an interface for routing and needs a next hop, I will use an APIPA address to simulate the next hop. This APIPA address does not have to be configured on the other side of the VPN; it is only needed to satisfy the local ASA and allow a static route to be created for the new VTI.</p>
<pre>route ROUTE-BASED 10.10.0.0 255.255.0.0 169.254.224.254</pre>
<p>If you would like to know more or see more articles on VPNs, please let me know. You can <a href="https://www.thinknetsec.com/contact/">contact</a> me and I will do what I can to help.</p>
<p>The post <a href="https://www.thinknetsec.com/asa-route-based-vpn/">ASA Route Based VPN</a> appeared first on <a href="https://www.thinknetsec.com">Think Netsec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.thinknetsec.com/asa-route-based-vpn/feed/</wfw:commentRss>
			<slash:comments>11</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">378</post-id>	</item>
	</channel>
</rss>
