IPsec Site-to-Site VPN
Scenario: HQ (public IP address 192.168.1.141/24) wants to reach a branch office (public IP address 192.168.1.146/24) over a secured connection. In this lab both "public" addresses sit on the same 192.168.1.0/24 segment; in production they would be routable Internet addresses.
Requirements: two ASA 5520s, ASDM, and a basic knowledge of cryptography.
1. Decide the encryption algorithm (DES or AES with a 128-, 192- or 256-bit key) and the hash algorithm (MD5 or SHA) that will go into the IKE policies and IPsec proposals. DES and MD5 are obsolete and should not be chosen; use AES and SHA.
2. Start the Site-to-Site VPN Wizard.
3. Set the peer IP address (192.168.1.141). This is the HQ address, so the wizard is being run on the branch-office ASA. The peer is a single host address, not a /24 network.
4. Choose the IKE version (IKEv1 or IKEv2).
5. Choose the protected networks: local 192.168.100.0/24 and remote 192.168.0.0/24. These two networks define the crypto ACL, i.e. which traffic is encrypted.
6. Configure the authentication method. I didn't set a certificate on ASA2 (the branch office), so I am going to use a PSK (pre-shared key).
The major difference between IKE versions 1 and 2 lies in terms of the authentication method they allow. IKEv1 allows only one type of authentication at both VPN ends (that is, either pre-shared key or certificate). However, IKEv2 allows asymmetric authentication methods to be configured (that is, pre-shared-key authentication for the originator, but certificate authentication for the responder) using separate local and remote authentication CLIs.
Further, you can have different pre-shared keys at both ends. The Local Pre-shared key at the HQ-ASA end becomes the Remote Pre-shared key at the BQ-ASA end. Likewise, the Remote Pre-shared key at the HQ-ASA end becomes the Local Pre-shared key at the BQ-ASA end.
7. Choose the IKE encryption and integrity algorithms. Stronger is better wherever both peers support it: AES-256 with SHA. Note that on IKEv1 "sha" means SHA-1; with IKEv2 the ASA lets you select SHA-256 or stronger for integrity and PRF.
8. Configure NAT exemption (the wizard's "NAT Exempt" option; this is not NAT-T, which is NAT traversal over UDP 4500 and is negotiated automatically). Hosts in 192.168.0.0/24 and 192.168.100.0/24 still need NAT to reach the Internet, so the exemption applies only to traffic between the two protected networks. Without it the source addresses would be translated before the crypto ACL is evaluated and the traffic would never enter the tunnel.
9. Verify what you have done: confirm that the IKE and IPsec security associations come up and that traffic between the two networks is being encrypted (Monitoring > VPN in ASDM, or show crypto ikev1 sa / show crypto ikev2 sa and show crypto ipsec sa from the CLI).
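The wizard steps above, together with the asymmetric IKEv2 pre-shared keys described earlier, boil down to the following ASA (8.4 or later) configuration. This is an added example written for this page, not output copied from the author's ASAs or from Cisco; it is written from the branch-office ASA's point of view, so the peer is the HQ address 192.168.1.141 and the local network is 192.168.100.0/24. The interface names inside/outside, the object, ACL, proposal and crypto-map names, DH group 14 and the two key strings are assumptions chosen for the example.

```cisco
! ---- Branch-office ASA (ASA2), IKEv2 site-to-site to HQ ----
! Assumed: interfaces are named "inside" and "outside".

! Step 1 + 7: IKEv2 policy with AES-256 and SHA-256 (not DES/MD5/SHA-1)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Step 1 + 7: IPsec proposal for the data traffic
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Step 5: protected networks (names are assumptions)
object network BR-LAN
 subnet 192.168.100.0 255.255.255.0
object network HQ-LAN
 subnet 192.168.0.0 255.255.255.0

! Crypto ACL = "interesting traffic" that must be encrypted
access-list OUTSIDE_CRYPTOMAP extended permit ip 192.168.100.0 255.255.255.0 192.168.0.0 255.255.255.0

! Step 8: NAT exemption (identity NAT) only for LAN-to-LAN traffic.
! Placed before any dynamic PAT so VPN traffic keeps its real addresses;
! Internet-bound traffic from 192.168.100.0/24 still hits the normal PAT rule.
nat (inside,outside) 1 source static BR-LAN BR-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup

! Step 3 + 4: crypto map bound to the outside interface, peer = HQ
crypto map OUTSIDE_MAP 1 match address OUTSIDE_CRYPTOMAP
crypto map OUTSIDE_MAP 1 set peer 192.168.1.141
crypto map OUTSIDE_MAP 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside

! Step 6: tunnel group keyed by the peer address, PSK authentication.
! IKEv2 allows different keys per direction: the branch's local key must
! equal HQ's remote key and vice versa (key strings are assumptions).
tunnel-group 192.168.1.141 type ipsec-l2l
tunnel-group 192.168.1.141 ipsec-attributes
 ikev2 local-authentication pre-shared-key BranchToHqKey-ChangeMe
 ikev2 remote-authentication pre-shared-key HqToBranchKey-ChangeMe
! IKEv1 equivalent would instead be a single symmetric key:
!  ikev1 pre-shared-key SharedKey-ChangeMe

! Step 9: verification (run after sending traffic across the tunnel)
! packet-tracer shows the flow hitting the identity NAT rule and the VPN encrypt phase
! packet-tracer input inside icmp 192.168.100.10 8 0 192.168.0.10
! show crypto ikev2 sa
! show crypto ipsec sa peer 192.168.1.141
! show nat detail
```

On the HQ ASA the same configuration is mirrored: local network 192.168.0.0/24, remote 192.168.100.0/24, peer 192.168.1.146, the crypto ACL and NAT exemption with the subnets swapped, and the two IKEv2 keys swapped (HQ's local-authentication key is the branch's remote-authentication key). The packet-tracer line is the quickest check that step 8 worked: if the flow shows a dynamic PAT rule instead of the identity NAT rule, the traffic is being translated before it reaches the crypto map and will never be encrypted.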