IPSec (IKEv1) on ASA 8.2

The default configuration on ASA 8.2 for phase 1 is as follows:

  • Authentication: Pre-shared key
  • Encryption : 3des
  • Hash: sha
  • Group: DH group 2
  • Lifetime: 86400

The default configuration for ASA 8.2 for phase 2 is:

  • Encryption: esp-3des
  • Hashing: esp-sha-hmac
  • Tunnel mode
  • Lifetime is 28800 seconds,46008000 kilo bytes


ISAKMP configuration:

ASA(config)# crypto isakmp policy 1
ASA(config-isakmp-policy)# authentication pre-share
ASA(config-isakmp-policy)# encryption des
ASA(config-isakmp-policy)# hash md5
ASA(config-isakmp-policy)# group 1
ASA(config-isakmp-policy)# lifetime 120

Enable ISAKMP on interface:

ASA(config)# crypto isakmp enable outside

Defining pre shared key:

On ASA we specify pre-shared key with the help of tunnel-group.

In tunnel-group <>  we have to give IP address not name.Name are only given when authentication mode is certificates or aggressive mode is used for negotiation.

There are two default tunnel group which will be used if specific tunnel group is not specified:

  • DefaultRAGroup : For remote access vpn
  • DefaultL2Lgroup: For IPsec site to site.
ASA(config)# tunnel-group type ipsec-l2l 
ASA(config)# tunnel-group ipsec-attributes
ASA(config-tunnel-ipsec)# pre-shared-key cisco123

Configure ACL to select which traffic should go through tunnel:

ASA(config)# access-list ipsec-l2l-acl permit ip

Configure transform set for phase 2:

ASA(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac

Configure lifetime for phase 2:

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Configure crypto map:

ASA(config)# crypto map CMAP 1 ipsec-isakmp
ASA(config)# crypto map CMAP 1 set peer
ASA(config)#crypto map CMAP 1 set pfs group1
ASA(config)#crypto map CMAP 1 set phase1-mode main
ASA(config)# crypto map CMAP 1 match address ipsec-l2l-acl
ASA(config)# crypto map CMAP 1 set transform-set TSET

Enable crypto map on outside interface:

ASA(config)# crypto map CMAP interface outside

You have to create a No NAT rule for traffic going to ipsec tunnel.

Troubleshooting commands:

Check if traffic is being sent to tunnel:

a) We can check if crypto ACL is getting hit or not:

show access-list outside_cryptomap_65

b) Check if packet are getting encrypted and decrypted or not:

show crypto ipsec sa peer x.x.x.x

c) Enable debugs:

debug crypto condition peer x.x.x.x
debug crypto ikev1 128
un all
This entry was posted in ASA and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s