CISCO ASA IKEv2 hub and spoke

Configuration

Compared with a plain site-to-site tunnel, a hub-and-spoke topology on a Cisco ASA needs a few extra commands:

  • Static routes
  • Access-list entries
  • Crypto map change on ASA1 (hub)
  • One new command on ASA1 (hub)

ASA1

The following command is important:

same-security-traffic permit intra-interface

This permits the ASA to forward traffic back out the same interface it arrived on (OUTSIDE). Spoke-to-spoke traffic enters the hub from one tunnel and leaves through another on the same interface, so without this command the hub drops it.

This is the full config:

hostname ASA1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.1 255.255.255.0
!
same-security-traffic permit intra-interface
!
access-list ASA1_ASA2 extended permit ip host 192.168.1.1 host 192.168.2.2
access-list ASA1_ASA2 extended permit ip host 192.168.3.3 host 192.168.2.2
access-list ASA1_ASA3 extended permit ip host 192.168.1.1 host 192.168.3.3
access-list ASA1_ASA3 extended permit ip host 192.168.2.2 host 192.168.3.3
!
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.2 1
route OUTSIDE 192.168.3.0 255.255.255.0 192.168.123.3 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-256
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address ASA1_ASA2
crypto map MY_CRYPTO_MAP 10 set peer 192.168.123.2 192.168.123.3
crypto map MY_CRYPTO_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP 20 match address ASA1_ASA3
crypto map MY_CRYPTO_MAP 20 set peer 192.168.123.3
crypto map MY_CRYPTO_MAP 20 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.2 type ipsec-l2l
tunnel-group 192.168.123.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CISCO
 ikev2 local-authentication pre-shared-key CISCO
tunnel-group 192.168.123.3 type ipsec-l2l
tunnel-group 192.168.123.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CISCO
 ikev2 local-authentication pre-shared-key CISCO
!
: end

ASA2

hostname ASA2
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.2 255.255.255.0
!
access-list ASA2_ASA1 extended permit ip host 192.168.2.2 host 192.168.1.1
access-list ASA2_ASA1 extended permit ip host 192.168.2.2 host 192.168.3.3
!
route OUTSIDE 192.168.1.0 255.255.255.0 192.168.123.1 1
route OUTSIDE 192.168.3.0 255.255.255.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-256
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address ASA2_ASA1
crypto map MY_CRYPTO_MAP 10 set peer 192.168.123.1
crypto map MY_CRYPTO_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CISCO
 ikev2 local-authentication pre-shared-key CISCO
!
: end

ASA3

hostname ASA3
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.3.254 255.255.255.0
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 192.168.123.3 255.255.255.0
!
access-list ASA3_ASA1 extended permit ip host 192.168.3.3 host 192.168.1.1
access-list ASA3_ASA1 extended permit ip host 192.168.3.3 host 192.168.2.2
!
route OUTSIDE 192.168.1.0 255.255.255.0 192.168.123.1 1
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-256
!
crypto map MY_CRYPTO_MAP 10 match address ASA3_ASA1
crypto map MY_CRYPTO_MAP 10 set peer 192.168.123.1
crypto map MY_CRYPTO_MAP 10 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CISCO
 ikev2 local-authentication pre-shared-key CISCO
!
: end
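The two things that most often break a hub-and-spoke build are a spoke crypto ACL entry with no mirrored entry on the hub and a hub missing the hairpin command. The following checker, an added example rather than part of the original page, parses the crypto ACL lines from the three configs above (constructed copies, reduced to the relevant lines) and reports both conditions; the line format it expects is the ASA "access-list NAME extended permit ip host A host B" form shown on this page.

```python
import re

# Added example (not from the original page). Assumes ASA-style
# "access-list NAME extended permit ip host A host B" crypto ACL lines.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip host (\S+) host (\S+)$")
HAIRPIN = "same-security-traffic permit intra-interface"

# Constructed sample configs, reduced to the lines the checker inspects.
HUB_CFG = """
same-security-traffic permit intra-interface
access-list ASA1_ASA2 extended permit ip host 192.168.1.1 host 192.168.2.2
access-list ASA1_ASA2 extended permit ip host 192.168.3.3 host 192.168.2.2
access-list ASA1_ASA3 extended permit ip host 192.168.1.1 host 192.168.3.3
access-list ASA1_ASA3 extended permit ip host 192.168.2.2 host 192.168.3.3
"""
SPOKE_CFGS = {
    "ASA2": """
access-list ASA2_ASA1 extended permit ip host 192.168.2.2 host 192.168.1.1
access-list ASA2_ASA1 extended permit ip host 192.168.2.2 host 192.168.3.3
""",
    "ASA3": """
access-list ASA3_ASA1 extended permit ip host 192.168.3.3 host 192.168.1.1
access-list ASA3_ASA1 extended permit ip host 192.168.3.3 host 192.168.2.2
""",
}

def crypto_acl_pairs(config):
    """Return the set of (src, dst) host pairs found in crypto ACL lines."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.add((m.group(2), m.group(3)))
    return pairs

def check_hub(hub_cfg, spoke_cfgs):
    """Return a list of problems; an empty list means the hub is consistent."""
    problems = []
    # Spoke-to-spoke traffic enters and leaves the hub on OUTSIDE: hairpinning needed.
    if HAIRPIN not in (l.strip() for l in hub_cfg.splitlines()):
        problems.append("hub lacks: " + HAIRPIN)
    hub_pairs = crypto_acl_pairs(hub_cfg)
    # Each spoke ACL entry needs its mirror on the hub or the traffic selectors won't match.
    for name, cfg in spoke_cfgs.items():
        for src, dst in sorted(crypto_acl_pairs(cfg)):
            if (dst, src) not in hub_pairs:
                problems.append(f"{name}: {src}->{dst} not mirrored on hub")
    return problems
```

Running `check_hub(HUB_CFG, SPOKE_CFGS)` against the page's configs returns an empty list; remove one hub ACL line or the hairpin command and the corresponding problem is reported.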