Hello all -
I was setting this up recently and had some trouble finding all of the required information in one post. Most of what I could find were posts on why it wasn't working, but not really one on setting it up from the start.
The only thing I am not showing here is setting up the WAN_LOCAL firewall rules.
If you can't figure that one out, maybe don't try this yet.
Here are the commands I ran to get my ERL connected to an ASA 5506-X.
Use this config as is if you have your WAN port on eth0.
Update SECRET with your pre-shared key.
Update the description.
Update X.X.X.X with the remote WAN IP of the ASA.
Update L.L.L.L with your local subnet, for example 192.168.1.0/24.
Update RL.RL.RL.RL with the remote (ASA-side) local subnet, for example 192.168.2.0/24.
Edge router side:
configure
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interface interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec esp-group STS1 proposal 1 encryption aes256
set vpn ipsec esp-group STS1 proposal 1 hash sha1
set vpn ipsec esp-group STS1 lifetime 86400
set vpn ipsec esp-group STS1 pfs enable
set vpn ipsec esp-group STS1 compression disable
set vpn ipsec esp-group STS1 mode tunnel
set vpn ipsec ike-group STS1 proposal 1 dh-group 2
set vpn ipsec ike-group STS1 proposal 1 encryption aes256
set vpn ipsec ike-group STS1 proposal 1 hash sha1
set vpn ipsec ike-group STS1 key-exchange ikev1
set vpn ipsec ike-group STS1 lifetime 86400
set vpn ipsec site-to-site peer X.X.X.X authentication mode pre-shared-secret
set vpn ipsec site-to-site peer X.X.X.X authentication pre-shared-secret SECRET
set vpn ipsec site-to-site peer X.X.X.X connection-type initiate
set vpn ipsec site-to-site peer X.X.X.X description "VPN NAME"
set vpn ipsec site-to-site peer X.X.X.X ike-group STS1
set vpn ipsec site-to-site peer X.X.X.X local-address any
set vpn ipsec site-to-site peer X.X.X.X tunnel 1 esp-group STS1
set vpn ipsec site-to-site peer X.X.X.X tunnel 1 local prefix L.L.L.L
set vpn ipsec site-to-site peer X.X.X.X tunnel 1 remote prefix RL.RL.RL.RL
commit
save
Here are the commands for the Cisco side.
You will update the following:
I assume your WAN interface has the default name "outside"; update accordingly if not.
Update XX.XX.XX.XX to the WAN IP of the ERL.
Update LS.LS.LS.LS to the local subnet ID of the ASA, for example 192.168.2.0.
Update RS.RS.RS.RS to the remote subnet ID behind the ERL, for example 192.168.1.0.
Update SECRET to the same secret you configured on your ERL above.
conf t
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
ikev1 pre-shared-key SECRET
isakmp keepalive threshold 10 retry 2
object network obj-LS.LS.LS.LS
subnet LS.LS.LS.LS 255.255.255.0
object network obj-RS.RS.RS.RS
subnet RS.RS.RS.RS 255.255.255.0
access-list ERL_CRYPTO extended permit ip LS.LS.LS.LS 255.255.255.0 RS.RS.RS.RS 255.255.255.0
crypto map OUTSIDE_MAP 10 match address ERL_CRYPTO
crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP 10 set peer XX.XX.XX.XX
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
nat (inside,outside) source static obj-LS.LS.LS.LS obj-LS.LS.LS.LS destination static obj-RS.RS.RS.RS obj-RS.RS.RS.RS no-proxy-arp
wr mem
Verify the tunnel is up with the following commands.
Check on the Cisco side:
show isakmp sa
show isakmp stats
show ipsec stats
These commands should show an active tunnel.
Check on the ERL side (from operational mode, not from configure):
show vpn ipsec
show vpn ipsec status
These should show an established connection.
Below is a complete config where the ERL has a WAN IP of 1.1.1.1 and a local subnet of 192.168.1.0/24,
and the ASA has a WAN IP of 2.2.2.2 and a local subnet of 192.168.2.0/24.
Edge router side:
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ipsec-interface interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec esp-group STS1 proposal 1 encryption aes256
set vpn ipsec esp-group STS1 proposal 1 hash sha1
set vpn ipsec esp-group STS1 lifetime 86400
set vpn ipsec esp-group STS1 pfs enable
set vpn ipsec esp-group STS1 compression disable
set vpn ipsec esp-group STS1 mode tunnel
set vpn ipsec ike-group STS1 proposal 1 dh-group 2
set vpn ipsec ike-group STS1 proposal 1 encryption aes256
set vpn ipsec ike-group STS1 proposal 1 hash sha1
set vpn ipsec ike-group STS1 key-exchange ikev1
set vpn ipsec ike-group STS1 lifetime 86400
set vpn ipsec site-to-site peer 2.2.2.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret SECRET
set vpn ipsec site-to-site peer 2.2.2.2 connection-type initiate
set vpn ipsec site-to-site peer 2.2.2.2 description "VPN NAME"
set vpn ipsec site-to-site peer 2.2.2.2 ike-group STS1
set vpn ipsec site-to-site peer 2.2.2.2 local-address any
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 esp-group STS1
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 192.168.2.0/24
ASA side:
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key SECRET
isakmp keepalive threshold 10 retry 2
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
access-list ERL_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address ERL_CRYPTO
crypto map OUTSIDE_MAP 10 set pfs
crypto map OUTSIDE_MAP 10 set peer 1.1.1.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
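As an added example (my own code, not part of the original post), here is a small Python checker that reads the two sides' configs and reports any phase 1 / phase 2 setting, pre-shared secret or subnet pairing that disagrees, which is the usual reason the show commands above never report an established tunnel. The sample configs are constructed from the post's complete example; the regex patterns, the canonical algorithm names and the function names are my own and cover only the single-proposal settings this post configures.

```python
import re
# Constructed sample of the two sides, taken from the post's complete example (not live configs).
ERL_CFG = """set vpn ipsec esp-group STS1 proposal 1 encryption aes256
set vpn ipsec esp-group STS1 proposal 1 hash sha1
set vpn ipsec ike-group STS1 proposal 1 dh-group 2
set vpn ipsec ike-group STS1 proposal 1 encryption aes256
set vpn ipsec ike-group STS1 proposal 1 hash sha1
set vpn ipsec site-to-site peer 2.2.2.2 authentication pre-shared-secret SECRET
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 2.2.2.2 tunnel 1 remote prefix 192.168.2.0/24"""
ASA_CFG = """crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key SECRET
access-list ERL_CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"""
# Each vendor spells the same algorithm differently; map both spellings onto one canonical name.
CANON = {"aes256": "aes256", "aes-256": "aes256", "sha1": "sha1", "sha": "sha1", "sha-hmac": "sha1"}

def grab(pattern, text):  # first capture group of the first match, or None if absent
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def parse_erl(cfg):
    return {"ike_enc": CANON.get(grab(r"ike-group \S+ proposal 1 encryption (\S+)", cfg)),
            "ike_hash": CANON.get(grab(r"ike-group \S+ proposal 1 hash (\S+)", cfg)),
            "dh": grab(r"dh-group (\d+)", cfg),
            "esp_enc": CANON.get(grab(r"esp-group \S+ proposal 1 encryption (\S+)", cfg)),
            "esp_hash": CANON.get(grab(r"esp-group \S+ proposal 1 hash (\S+)", cfg)),
            "psk": grab(r"authentication pre-shared-secret (\S+)", cfg),
            "local": grab(r"local prefix (\S+)", cfg), "remote": grab(r"remote prefix (\S+)", cfg)}

def parse_asa(cfg):
    prefix = lambda net, mask: "%s/%d" % (net, sum(bin(int(o)).count("1") for o in mask.split(".")))
    esp = re.search(r"transform-set \S+ esp-(\S+) esp-(\S+)", cfg)
    acl = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)  # crypto ACL reads ASA-local -> ERL-local
    return {"ike_enc": CANON.get(grab(r"^\s*encryption (\S+)", cfg)),
            "ike_hash": CANON.get(grab(r"^\s*hash (\S+)", cfg)), "dh": grab(r"^\s*group (\d+)", cfg),
            "esp_enc": CANON.get(esp and esp.group(1)), "esp_hash": CANON.get(esp and esp.group(2)),
            "psk": grab(r"pre-shared-key (\S+)", cfg),
            "local": acl and prefix(acl.group(1), acl.group(2)),
            "remote": acl and prefix(acl.group(3), acl.group(4))}

def find_mismatches(erl, asa):  # empty result means phase 1 and phase 2 should negotiate
    keys = ("ike_enc", "ike_hash", "dh", "esp_enc", "esp_hash", "psk")
    out = [f"{k}: ERL={erl[k]} ASA={asa[k]}" for k in keys if erl[k] != asa[k]]
    if erl["local"] != asa["remote"] or erl["remote"] != asa["local"]:  # subnets must mirror
        out.append(f"subnets: ERL {erl['local']}->{erl['remote']} vs ASA {asa['local']}->{asa['remote']}")
    return out
```

Note that DH group 2 (1024-bit MODP) and SHA-1, which both sides here negotiate, are below current recommendations; group 14 or higher and SHA-256 are the safer choice where both devices support them. Running the checker after such a change confirms you updated both sides rather than one.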
I hope this helps anyone who is interested in setting that up.
Let me know if you have any issues or if I messed up somewhere.
Thanks