Site-to-Site VPN Configuration

Site-to-Site Overview

Site-to-site IPsec VPNs create authenticated, encrypted tunnels between gateways at fixed locations, so the networks behind those gateways communicate across the Internet without the individual hosts running any VPN software or knowing the tunnel exists.

Configuration Components

Phase 1: IKE Policy

  • Authentication Method: Pre-shared key (workable for a small, fixed set of peers; use a long random key, unique per peer) or certificates (preferred once peers are numerous or run by different teams)
  • Encryption Algorithm: AES-256 or AES-128
  • Hash / Integrity Algorithm: SHA-256 or stronger; SHA-1 only for legacy peers that cannot be upgraded
  • DH Group: Group 14 (2048-bit MODP) as the minimum; Group 19 or 20 (ECP) preferred where both sides support them
  • Lifetime: 86400 seconds (24 hours); IKEv2 does not negotiate lifetimes, so each side rekeys on its own timer and a mismatch is tolerated

Phase 2: IPsec Policy

  • Protocol: ESP (recommended; AH gives no confidentiality and does not pass through NAT)
  • Encryption Algorithm: AES-256 or AES-128; AES-GCM combines encryption and integrity and is preferred on hardware that supports it
  • Authentication: SHA-256 or stronger; SHA-1 only for legacy peers (not needed at all with AES-GCM)
  • PFS Group: Enabled, same as Phase 1 or higher; both peers must agree on the group or the Child SA negotiation fails
  • Lifetime: 3600 seconds (1 hour), optionally with a data-volume limit; the shorter value on either side triggers the rekey
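An added example, not code from the original page: a small Python linter that reads ASA-style IKE/IPsec policy lines and flags anything below the minimums listed above. The configuration text it scans is constructed for the example (it deliberately leaves a legacy IKEv1 policy and transform set next to the IKEv2 one); the thresholds and the ASA spellings of the algorithm names ("sha" and "sha-1" for SHA-1, "esp-md5-hmac" in transform sets) are assumptions to adjust for the platform you audit.

```python
"""Lint Cisco ASA-style IKE/IPsec policy lines against the Phase 1/2 minimums.

Added example, not from the original page. SAMPLE_CONFIG is constructed;
thresholds and the ASA algorithm spellings are assumptions for this example.
"""
import re

WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha", "sha-1", "null"}  # ASA writes SHA-1 as "sha" (IKEv1) or "sha-1" (IKEv2)
MIN_DH_GROUP = 14
MAX_IKE_LIFETIME = 86400    # seconds, Phase 1
MAX_IPSEC_LIFETIME = 3600   # seconds, Phase 2

# Constructed sample: a forgotten IKEv1 policy and transform set next to the IKEv2 one,
# plus a crypto map entry with an over-long Phase 2 lifetime.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev1 transform-set WEAK-TS esp-des esp-md5-hmac
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
"""


def _bare_alg(token):
    """'esp-des' -> 'des', 'esp-md5-hmac' -> 'md5' (IKEv1 transform-set spelling)."""
    if token.startswith("esp-"):
        token = token[4:]
    if token.endswith("-hmac"):
        token = token[:-5]
    return token


def lint_config(text):
    """Return [(line_number, finding), ...] for every weak or deprecated setting found."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        # Any IKEv1 object is a finding on its own, whatever algorithms it carries.
        if tokens[:2] == ["crypto", "ikev1"] or tokens[:3] == ["crypto", "ipsec", "ikev1"]:
            findings.append((n, "IKEv1 is deprecated; migrate this peer to IKEv2"))
        if tokens[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            for t in tokens[5:]:                 # algorithms follow the set name
                alg = _bare_alg(t)
                if alg in WEAK_ENCRYPTION:
                    findings.append((n, f"weak ESP encryption {t}"))
                if alg in WEAK_INTEGRITY:
                    findings.append((n, f"weak ESP integrity {t}"))
            continue
        m = re.search(r"security-association lifetime seconds (\d+)", raw)
        if m:
            if int(m.group(1)) > MAX_IPSEC_LIFETIME:
                findings.append((n, f"IPsec SA lifetime {m.group(1)} s exceeds {MAX_IPSEC_LIFETIME} s"))
            continue
        key, args = tokens[0], tokens[1:]
        if not args:
            continue
        # Sub-mode lines of "crypto ikev1/ikev2 policy" and "ipsec-proposal".
        if key == "encryption" and args[0] in WEAK_ENCRYPTION:
            findings.append((n, f"weak IKE encryption {args[0]}"))
        elif key in ("hash", "integrity", "prf") and args[0] in WEAK_INTEGRITY:
            findings.append((n, f"weak IKE {key} {args[0]}"))
        elif key == "group" and args[0].isdigit() and int(args[0]) < MIN_DH_GROUP:
            findings.append((n, f"DH group {args[0]} below group {MIN_DH_GROUP}"))
        elif key == "lifetime" and args[-1].isdigit() and int(args[-1]) > MAX_IKE_LIFETIME:
            findings.append((n, f"IKE SA lifetime {args[-1]} s exceeds {MAX_IKE_LIFETIME} s"))
        elif key == "protocol" and len(args) >= 3 and args[0] == "esp":
            if args[1] == "encryption" and args[2] in WEAK_ENCRYPTION:
                findings.append((n, f"weak ESP encryption {args[2]}"))
            elif args[1] == "integrity" and args[2] in WEAK_INTEGRITY:
                findings.append((n, f"weak ESP integrity {args[2]}"))
    return findings


if __name__ == "__main__":
    for line_no, finding in lint_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

Run against a saved `show running-config` and the output lists nine findings for the sample: the two IKEv1 objects, 3DES/SHA-1/group 2 in the IKEv1 policy, DES and MD5 in the transform set, and the 28800-second Phase 2 lifetime; the IKEv2 policy and proposal pass untouched.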

Cisco ASA Site-to-Site Configuration

# Enable IKEv2 on the Internet-facing interface
crypto ikev2 enable outside

# Phase 1: IKEv2 policy (IKE SA)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

# Phase 2: IPsec proposal (Child SA)
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

# Phase 2: IPsec profile. Only a VTI (route-based) tunnel interface uses this;
# the crypto map below carries its own proposal and PFS settings instead.
crypto ipsec profile SITE-TO-SITE-PROFILE
 set ikev2 ipsec-proposal ESP-AES256-SHA256
 set pfs group14

# Interesting traffic: the crypto map protects what this ACL permits
access-list SITE-TO-SITE-ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

# NAT exemption: without it the outside NAT rule rewrites the source address
# before the crypto ACL is evaluated and the traffic never enters the tunnel
object network LOCAL-NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static REMOTE-NET REMOTE-NET no-proxy-arp route-lookup

# Crypto map: on the ASA every setting is a full command line, not a sub-mode
crypto map OUTSIDE-MAP 10 match address SITE-TO-SITE-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600

# Apply to Interface
crypto map OUTSIDE-MAP interface outside

# Peer authentication: the ASA keeps the pre-shared key in the tunnel-group
# (crypto ikev2 keyring is IOS syntax and does not exist on the ASA).
# MySecretKey123 is a placeholder; use a long random secret, unique per peer.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key MySecretKey123
 ikev2 local-authentication pre-shared-key MySecretKey123

Configuration Verification

Command                            Purpose
show crypto ikev2 sa               IKE SA (Phase 1) state per peer, with the negotiated encryption, integrity, DH group and authentication method
show crypto ipsec sa               IPsec SAs (Phase 2) with selectors, SPIs and the encaps/decaps counters; both counters rising confirms traffic in both directions
show vpn-sessiondb l2l             One-line summary of every site-to-site session, its uptime and bytes transferred
show crypto map                    Crypto map as applied, useful for spotting a missing match address or peer
debug crypto ikev2 protocol 127    IKEv2 negotiation trace at full verbosity; enable only while troubleshooting and clear it with undebug all

Road Warrior Configuration

Remote Access VPN

Road warrior configurations allow remote users to connect securely from any location using dynamic IP addresses.

Key Differences from Site-to-Site

Aspect           Site-to-Site                                Road Warrior
Peer Identity    Fixed IP address                            Dynamic IP; the peer is identified by certificate, FQDN or EAP identity rather than by address
Authentication   PSK or certificates                         User credentials (EAP or AAA, with MFA), usually combined with a client or machine certificate
IP Assignment    Pre-configured subnets on both sides        Address handed to the client from a pool at connect time
Scalability      Bounded by the number of configured peers   Many unplanned concurrent sessions; capacity is set by the gateway licence and crypto throughput

Cisco ASA AnyConnect Configuration

# AnyConnect client access (SSL and IKEv2) on the outside interface
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.10.4-webdeploy-k9.pkg
 anyconnect enable
 tunnel-group-list enable
crypto ikev2 enable outside client-services port 443

# Group Policy for Road Warriors
group-policy ROAD_WARRIOR_POLICY internal
group-policy ROAD_WARRIOR_POLICY attributes
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL
 address-pools value VPN_POOL
 dns-server value 8.8.8.8 8.8.4.4
 wins-server none
 vpn-simultaneous-logins 1
 client-bypass-protocol disable
# With split tunnelling, point dns-server at internal resolvers (and add split-dns
# for the internal domain); public resolvers cannot answer for the names behind
# 192.168.1.0/24 and 10.0.0.0/8 that the client reaches through the tunnel.

# IP Pool for VPN Clients (must not overlap any split-tunnel network)
ip local pool VPN_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0

# Split Tunnel ACL: only these destinations go through the tunnel
access-list SPLIT_TUNNEL_ACL standard permit 192.168.1.0 255.255.255.0
access-list SPLIT_TUNNEL_ACL standard permit 10.0.0.0 255.0.0.0

# User Authentication: a local account is lab-grade only. In production the
# tunnel-group authenticates against LDAP/RADIUS with MFA; Password123 is a placeholder.
username johndoe password Password123
username johndoe attributes
 vpn-group-policy ROAD_WARRIOR_POLICY

# Connection profile (tunnel-group) the clients select
tunnel-group ROAD_WARRIOR type remote-access
tunnel-group ROAD_WARRIOR general-attributes
 address-pool VPN_POOL
 default-group-policy ROAD_WARRIOR_POLICY
tunnel-group ROAD_WARRIOR webvpn-attributes
 group-alias ROAD_WARRIOR enable

# IKEv2 Remote Access: gateway certificate plus a dynamic crypto map that reuses
# the IKEv2 policy and IPsec proposal from the site-to-site section
crypto ikev2 remote-access trustpoint LOCAL_CA
crypto dynamic-map DYN-MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP

Certificate-Based Authentication

# ASA: key pair and trustpoint for the gateway certificate (the ASA keyword is
# "keypair"; keypair-name and auto-enroll are IOS syntax)
crypto key generate rsa label VPN_KEYPAIR modulus 2048
crypto ca trustpoint LOCAL_CA
 enrollment url http://ca.company.com/certsrv
 subject-name CN=VPN-Gateway,OU=IT,O=Company
 keypair VPN_KEYPAIR
 revocation-check crl
crypto ca authenticate LOCAL_CA
crypto ca enroll LOCAL_CA

# The profiles below are IOS/IOS-XE FlexVPN server syntax; the ASA has no
# ikev2 profiles or virtual-templates and uses tunnel-groups instead.

# Certificate-authenticated clients
crypto pki certificate map CLIENT-CERT-MAP 10
 subject-name co ou = vpn-users
crypto ikev2 profile CERT_PROFILE
 match certificate CLIENT-CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LOCAL_CA
 virtual-template 2

# EAP-authenticated clients (user checked by RADIUS; gateway proves itself with its certificate)
aaa new-model
aaa authentication login EAP-AUTH group radius
aaa authorization network EAP-AUTHZ local
crypto ikev2 authorization policy ROAD_WARRIOR_POLICY
 pool VPN_POOL
crypto ikev2 profile EAP_PROFILE
 match identity remote any
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint LOCAL_CA
 aaa authentication eap EAP-AUTH
 aaa authorization group eap list EAP-AUTHZ ROAD_WARRIOR_POLICY
 virtual-template 1

# One IPsec profile and virtual-template per IKEv2 profile; shown for EAP_PROFILE
crypto ipsec profile FLEX-EAP
 set ikev2-profile EAP_PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-EAP

Advanced IPsec Policies

Policy Considerations

Advanced IPsec policies provide fine-grained control over VPN behavior, security parameters, and traffic handling.

Traffic Selectors

Traffic selectors (proxy IDs in Juniper and Palo Alto terminology) define which traffic a given IPsec SA protects. Both peers must agree on them: IKEv1 requires the two sides to be exact mirror images, while IKEv2 lets the responder narrow the initiator's proposal to the overlap, so a mismatch that fails outright on IKEv1 may quietly produce a narrower tunnel on IKEv2. They can be based on:

Layer 3 Selectors

  • Source IP: Single host or subnet
  • Destination IP: Single host or subnet
  • Protocol: TCP, UDP, ICMP, or any
  • DSCP: Quality of Service marking in the IP header; most platforms copy it to the outer header rather than select on it, though some can map different DSCP classes to separate SAs

Layer 4 Selectors

  • Source Port: Specific port or range
  • Destination Port: Specific port or range

Policy-Based vs Route-Based VPNs

Feature             Policy-Based                                                    Route-Based                                                  Best For
Traffic Selection   Crypto ACL / proxy ID per policy                                Routing table decides what enters the tunnel interface       Route-based for flexibility
Multiple Subnets    One SA pair per ACL entry (per subnet pair)                     One SA pair for all traffic (any/any selectors)              Route-based for simplicity
Dynamic Routing     Not possible; there is no interface to run a protocol on        BGP or OSPF run across the tunnel interface                  Route-based essential
QoS                 Per ACL entry / per SA                                          Per tunnel interface                                         Policy-based for granular QoS
NAT Compatibility   VPN traffic must be exempted from NAT or it never matches the ACL   Tunnel is an ordinary interface in NAT and firewall policy   Route-based for NAT environments

Hub-and-Spoke vs Mesh Topologies

Hub-and-Spoke

Advantages:

  • Centralized management
  • Lower tunnel count
  • Simplified routing
  • Cost-effective

Disadvantages:

  • Single point of failure
  • Suboptimal routing
  • Hub bandwidth bottleneck

Full Mesh

Advantages:

  • Optimal routing
  • No single point of failure
  • Direct site-to-site communication
  • Better performance

Disadvantages:

  • Complex management
  • High tunnel count (n(n-1)/2)
  • Scaling challenges
  • Higher cost

Vendor-Specific Implementation

Interoperability

While IPsec is standardized, different vendors have unique configuration syntaxes and implementation details. Understanding these differences is crucial for successful deployments.

Major Vendor Comparison

Vendor      Primary Products   Strengths                                 Considerations
Cisco       ASA, ISR, ASR      Market leader, extensive features         Complex syntax, licensing costs
Juniper     SRX, MX            Security focus, JUNOS consistency         Learning curve for non-Juniper users
Palo Alto   PA Series          Next-gen features, app awareness          Higher cost, newer to market
Fortinet    FortiGate          Performance, integrated security          Limited third-party integration

Juniper SRX Configuration Example

# IKE Proposal and Policy (explicit algorithms: the built-in "standard" proposal-set
# is 3DES/AES-128 with SHA-1 and DH group 2 and will not match the ASA policy above)
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP lifetime-seconds 86400
set security ike policy IKE-POLICY proposals IKE-PROP
set security ike policy IKE-POLICY pre-shared-key ascii-text "MySecretKey123"

# IKE Gateway (IKEv2 only; "mode main" is an IKEv1 setting and is dropped)
set security ike gateway IKE-GATEWAY ike-policy IKE-POLICY
set security ike gateway IKE-GATEWAY address 203.0.113.1
set security ike gateway IKE-GATEWAY external-interface ge-0/0/0
set security ike gateway IKE-GATEWAY version v2-only

# IPsec Proposal and Policy
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP lifetime-seconds 3600
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROP

# IPsec VPN bound to a secure tunnel (st0) interface, i.e. route-based
set security ipsec vpn VPN-TUNNEL ike gateway IKE-GATEWAY
set security ipsec vpn VPN-TUNNEL ike ipsec-policy IPSEC-POLICY
set security ipsec vpn VPN-TUNNEL bind-interface st0.0
set security ipsec vpn VPN-TUNNEL establish-tunnels immediately

# Tunnel Interface (st0 takes no source/destination; the IKE gateway supplies them)
set interfaces st0 unit 0 family inet address 172.16.1.1/30
set routing-options static route 192.168.2.0/24 next-hop st0.0

# Security Zones (ge-0/0/0 is assumed to sit in untrust, which must accept IKE)
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn address-book address REMOTE-NET 192.168.2.0/24
set security zones security-zone untrust host-inbound-traffic system-services ike

# Security Policies (add the reverse vpn-to-trust policy for sessions opened from the remote site)
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match source-address any
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match destination-address REMOTE-NET
set security policies from-zone trust to-zone vpn policy ALLOW-VPN match application any
set security policies from-zone trust to-zone vpn policy ALLOW-VPN then permit

Palo Alto Networks Configuration

# IKE and IPsec crypto profiles: the built-in "default" profiles use AES-128/3DES,
# SHA-1 and DH group 2 and will not match the ASA or SRX policies above
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 24
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 lifetime hours 1

# IKE Gateway Configuration
set network ike gateway SITE-B-GW authentication pre-shared-key key MySecretKey123
set network ike gateway SITE-B-GW protocol version ikev2
set network ike gateway SITE-B-GW protocol ikev2 dpd enable yes
set network ike gateway SITE-B-GW protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway SITE-B-GW local-address interface ethernet1/1
set network ike gateway SITE-B-GW local-address ip 10.1.1.1
# A private outside address such as 10.1.1.1 means this gateway sits behind NAT,
# so NAT traversal must stay enabled (the original disabled it)
set network ike gateway SITE-B-GW protocol-common nat-traversal enable yes
set network ike gateway SITE-B-GW protocol-common fragmentation enable no
set network ike gateway SITE-B-GW peer-address ip 203.0.113.1

# IPsec Tunnel Configuration
set network tunnel ipsec SITE-B-TUNNEL auto-key ike-gateway SITE-B-GW
set network tunnel ipsec SITE-B-TUNNEL auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
set network tunnel ipsec SITE-B-TUNNEL tunnel-interface tunnel.1
set network tunnel ipsec SITE-B-TUNNEL tunnel-monitor enable no
# Proxy IDs must mirror the peer's crypto ACL exactly; omit them only when the
# peer is also route-based with any/any selectors
set network tunnel ipsec SITE-B-TUNNEL auto-key proxy-id PROXY-ID-1 protocol any
set network tunnel ipsec SITE-B-TUNNEL auto-key proxy-id PROXY-ID-1 local 192.168.1.0/24
set network tunnel ipsec SITE-B-TUNNEL auto-key proxy-id PROXY-ID-1 remote 192.168.2.0/24

# Tunnel Interface, zone and route
set network interface tunnel units tunnel.1 ip 172.16.1.1/30
set network interface tunnel units tunnel.1 comment "Site-B VPN Tunnel"
set zone VPN network layer3 tunnel.1
set network virtual-router default interface tunnel.1
set network virtual-router default routing-table ip static-route SITE-B-ROUTE destination 192.168.2.0/24
set network virtual-router default routing-table ip static-route SITE-B-ROUTE interface tunnel.1

Interoperability Best Practices

Do

  • Use standard algorithms on both sides: AES-CBC or AES-GCM, SHA-256, DH group 14 or the ECP groups 19/20
  • Test against a reference implementation such as strongSwan before blaming the remote vendor
  • Document all parameters clearly, per peer: algorithms, DH and PFS groups, lifetimes, traffic selectors and IKE identities
  • Use IKEv2 when possible, with dead peer detection and NAT traversal enabled
  • Monitor SA state and rekeys, and alert on tunnels that stay down or flap

Don't

  • Rely on vendor-specific extensions
  • Use proprietary algorithms
  • Assume default behaviors match: built-in "default" or "standard" proposal sets, lifetimes, PFS and traffic-selector handling all differ between vendors
  • Skip interoperability testing
  • Use deprecated protocols and primitives (IKEv1, 3DES, SHA-1, DH groups 1, 2 and 5)
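An added example, not from the original page, of the "assume defaults match" failure: it normalises the different vendor spellings of the same algorithm and then runs IKEv2 proposal selection between two peers. CISCO_ASA mirrors the ASA policy earlier on this page; PAN_DEFAULT is my approximation of the PAN-OS built-in default IKE and IPsec crypto profiles (AES-128/3DES, SHA-1, DH group 2), to be checked against your release; PAN_FIXED is a constructed matching profile. Lifetime differences are reported as warnings rather than failures, since IKEv2 does not negotiate lifetimes (RFC 7296 section 2.8).

```python
"""IKEv2 proposal selection between two peers that spell algorithms differently.

Added example, not from the original page. CISCO_ASA mirrors the ASA policy on
this page; PAN_DEFAULT approximates the PAN-OS built-in 'default' profiles
(an assumption to verify on your release); PAN_FIXED is a constructed match.
"""

CISCO_ASA = {
    "ike":   [{"enc": "aes-256", "integ": "sha256", "dh": 14}],
    "ipsec": [{"enc": "aes-256", "integ": "sha-256", "pfs": "group14"}],
    "ike_lifetime": 86400, "ipsec_lifetime": 3600,
}
PAN_DEFAULT = {  # assumed PAN-OS 'default' profiles: two IKE proposals, one IPsec proposal
    "ike":   [{"enc": "aes-128-cbc", "integ": "sha1", "dh": "group2"},
              {"enc": "3des", "integ": "sha1", "dh": "group2"}],
    "ipsec": [{"enc": "aes-128-cbc", "integ": "sha1", "pfs": "group2"}],
    "ike_lifetime": 28800, "ipsec_lifetime": 3600,
}
PAN_FIXED = {    # constructed custom profiles aligned with the ASA side
    "ike":   [{"enc": "aes-256-cbc", "integ": "sha256", "dh": "group14"}],
    "ipsec": [{"enc": "aes-256-cbc", "integ": "sha256", "pfs": "group14"}],
    "ike_lifetime": 28800, "ipsec_lifetime": 3600,
}


def canon_alg(name):
    """Map vendor spellings (aes-256, aes-256-cbc, AES256; sha-256, sha2-256, sha256) to one form."""
    n = name.lower().replace("_", "-")
    for suffix in ("-cbc", "-hmac"):
        if n.endswith(suffix):
            n = n[: -len(suffix)]
    n = n.replace("sha2-", "sha").replace("-", "")
    if n in ("sha", "sha1"):
        return "sha1"
    if n == "aes":            # bare "aes" means AES-128 on the ASA
        return "aes128"
    return n


def canon_group(group):
    """'group14', 'Group 14', 14 -> 14; None stays None (no PFS)."""
    if group is None:
        return None
    return int(str(group).lower().replace("group", "").strip())


def _proposal_matches(a, b, keys):
    for k in keys:
        if k in ("dh", "pfs"):
            if canon_group(a.get(k)) != canon_group(b.get(k)):
                return False
        elif canon_alg(a[k]) != canon_alg(b[k]):
            return False
    return True


def _first_common(initiator_list, responder_list, keys):
    """IKEv2: the responder accepts the first initiator proposal it also supports."""
    for prop in initiator_list:
        if any(_proposal_matches(prop, r, keys) for r in responder_list):
            return prop
    return None


def negotiate(initiator, responder):
    """Return the IKE and Child SA proposals that would be chosen, plus lifetime warnings."""
    ike = _first_common(initiator["ike"], responder["ike"], ("enc", "integ", "dh"))
    child = None
    if ike is not None:       # no Child SA without an IKE SA
        child = _first_common(initiator["ipsec"], responder["ipsec"], ("enc", "integ", "pfs"))
    warnings = []
    for sa, key in (("IKE", "ike_lifetime"), ("IPsec", "ipsec_lifetime")):
        if initiator[key] != responder[key]:
            warnings.append(f"{sa} SA lifetime {initiator[key]} s vs {responder[key]} s: not negotiated, "
                            f"the side with the shorter value will initiate rekeys")
    return {"ok": child is not None, "ike_proposal": ike, "child_proposal": child, "warnings": warnings}


if __name__ == "__main__":
    print("ASA -> PAN default:", negotiate(CISCO_ASA, PAN_DEFAULT))
    print("ASA -> PAN fixed:  ", negotiate(CISCO_ASA, PAN_FIXED))
```

Against the default profiles nothing matches and no IKE SA forms, which on the ASA shows up as a NO_PROPOSAL_CHOSEN in the IKEv2 debug; against the aligned profiles both SAs negotiate and the only output is the warning that the two IKE lifetimes differ, which is harmless as long as both sides tolerate peer-initiated rekeys.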