Palo Alto Networks PCNSE – VPN IPSec configuration details Part 2
May 12, 2023

3. VPN IPsec Site-to-Site Hub and Spoke, Dynamic IP Address Example

So in this lecture we will talk about how to deal with VPN tunnels behind dynamic IP addresses. Let’s say this Palo Alto firewall sits behind a 4G router, gets a different IP address every time, and you cannot afford a static IP address. How are you going to deal with that? That’s where aggressive mode comes to the rescue. Aggressive mode does not require the two sites to know each other’s IP addresses in advance; it only requires the side behind the dynamic address to know the IP address of the hub. That is the typical hub-and-spoke design: you can have hundreds of spokes on dynamic IP addresses, they all point to the IP address of the main hub, and that’s all that needs to be done.

So on the hub firewall you can set up the tunnel based on different criteria. Basically what happens is the spoke firewall sends an identity, an IP address or a host name that does not have to be its real address, and the hub lands that tunnel on a tunnel interface. So let’s see how that happens. In this example we configure this firewall as the one behind the dynamic IP address. We go to Network, then IKE Gateways, and specify that this gateway is using dynamic.

So it’s using a dynamic IP address: it doesn’t have to keep the same IP address. Then under Local Identification we can specify an FQDN, an IP address, a Key ID, or a User FQDN; it could be any of those, and this is how the main site, the hub, identifies the spoke. In our case we use FQDN and call it site-b. The Peer Identification has to be the IP address, because one side has to establish the tunnel and the IP address of the hub is typically known. So we put in the hub’s IP address, and under Advanced Options we specify aggressive mode and the same phase 1 policy we used before, and commit.

Then on the main site we change the IKE gateway to use aggressive mode with a dynamic peer: the local identification is the hub’s IP address and the peer identification is the FQDN site-b. When the other side is behind a dynamic address, main mode is not going to work; if I try to commit, it won’t let me and gives an error. It has to be aggressive mode, because in main mode both sides have to know each other’s IP address in advance. So we go under Advanced Options, select aggressive, and click OK. What happens now is that the hub site cannot establish the connection to the spoke side, because it doesn’t know the spoke’s IP address ahead of time. So in a hub-and-spoke design the spoke has to be the one that initiates the connection to the hub, not the other way around.

So in order to create that tunnel I have to initiate traffic from site B, the spoke, to the hub. I go to site B and ping an IP address on the main site, and let’s see if that establishes the tunnel. Not yet. Okay, so there’s some debugging we need to do. To debug VPN you can use a few show commands: show vpn ike-sa shows you phase 1, if any phase 1 is established, and show vpn ipsec-sa shows you whether there is any phase 2. To run a debug we use debug ike global on debug, and then we can tail the IKE manager log with tail follow yes mp-log ikemgr.log. I’m on the hub site.

So now I’m following that debug session to figure out what’s going on. I try again from site B, and there is no traffic coming in here at all, so I must have done something wrong in my configuration. Let’s validate the IKE gateway. This one uses the FQDN; I’m sending site-b, the mode is aggressive, the peer IP is the hub’s address, and IKEv1 is used in aggressive mode. So that looks good. Do I have anything to commit? Let’s check the hub site: the IP address of the interface is the hub’s address, the peer IP type is dynamic, my local identification is the hub’s address, and the peer FQDN is site-b. So everything looks good, aggressive mode, that’s fine.

I probably need to debug it on the spoke side as well: debug ike global on debug, then tail follow yes mp-log ikemgr.log, and let’s see what happens when I ping now. Okay, so we see it here: the log says IKE will not initiate a negotiation to a dynamic peer from IKE gateway site-A, it is not allowed. So the mistake I made is that site B has to have the IP address of site A; the peer on site B has to be static, it cannot be dynamic. Right? Because the hub doesn’t change; the hub will always keep the same IP address. So that was my mistake. We go ahead and commit, and we should be able to establish a tunnel. Let’s run the debug again and ping from site B. Okay, now I have the connection established. If we look at the debug, we see the algorithm, the HMAC, and everything connected.

If I do show vpn ike-sa, I see the security association: the mode is aggressive, the authentication is PSK, DH group 19, encryption AES-128, SHA-1. So we saw some troubleshooting commands, which is good. This is an example of how to deal with dynamic IP addresses for spokes. Basically you give each spoke a local identification. Let’s refresh; the tunnel is up now. You give them a local identification based on FQDN or IP address. I prefer to use FQDN, so the FQDN of site B is site-b, and you can have site-c, site-d, site-e, site-f and so on.

Each one is identified by its host name, and that lands it on its tunnel. The only caveat with dynamic addressing is that you cannot really initiate the tunnel from the hub; it has to be initiated from the spoke. So typically you have something on the spoke that pings the remote side, the hub, and that always triggers the tunnel. You can also use tunnel monitor, which keeps triggering that connection to make sure it stays up all the time. So that’s dynamic aggressive mode between Palo Alto and Palo Alto.
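The two rules this lab ran into, the commit error for main mode with a dynamic peer and the hub refusing to initiate towards a spoke, modelled from the hub’s point of view. This is an added example, not code from the lecture or from PAN-OS; gateway names, identities and addresses are constructed.

```python
"""Added example (not from the lecture or PAN-OS): the IKEv1 gateway rules
from the hub-and-spoke lab, seen from the hub.

  1. A gateway whose peer address is dynamic must use aggressive mode
     (the commit in the lecture failed in main mode), and it never initiates.
  2. The hub selects the gateway for an incoming aggressive-mode request by
     the peer identity (FQDN here): in aggressive mode the ID payload is in
     the very first message, while in main mode it only arrives encrypted in
     message 5, so a responder can then only select by source IP.
Gateway names, IDs and addresses below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IkeGateway:
    name: str
    exchange_mode: str           # "main" or "aggressive"
    peer_address: Optional[str]  # None models "Peer IP Address Type: Dynamic"
    local_id: str
    peer_id: str                 # identity the peer presents as its local ID


def commit_errors(gw: IkeGateway) -> list[str]:
    """Configuration checks a gateway must pass before commit."""
    errors = []
    if gw.peer_address is None and gw.exchange_mode != "aggressive":
        errors.append(f"{gw.name}: dynamic peer address requires aggressive mode")
    return errors


def can_initiate(gw: IkeGateway) -> bool:
    """Only a gateway with a known (static) peer address can start IKE;
    the log line in the lecture is the hub refusing to do this for a spoke."""
    return gw.peer_address is not None


def select_gateway(gateways, src_ip: str, mode: str, peer_id: Optional[str]):
    """Pick the hub gateway for an incoming IKEv1 first message: static peers
    match on source IP, dynamic peers match on the ID payload, which is
    only available this early in aggressive mode."""
    for gw in gateways:
        if gw.peer_address is not None and gw.peer_address == src_ip:
            return gw
    if mode != "aggressive" or peer_id is None:
        return None
    for gw in gateways:
        if gw.peer_address is None and gw.peer_id == peer_id:
            return gw
    return None


# Constructed hub configuration: one spoke on a dynamic address, one static peer.
HUB_GATEWAYS = [
    IkeGateway("site-b", "aggressive", None, "198.51.100.1", "site-b"),
    IkeGateway("site-c", "main", "203.0.113.5", "198.51.100.1", "203.0.113.5"),
]
```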

4. VPN IPsec L2L Palo Alto to Cisco ASA Configuration Example

In this lecture we will see how to configure a tunnel between a Cisco ASA and a Palo Alto firewall. In our hypothetical scenario we have a Cisco ASA with a network behind it on the LAN side, and it wants to establish a tunnel to the site A firewall, the hub site, and the network behind it. The ASA’s public interface has a static IP address, and the traffic is routed through the internet router. So we go ahead and connect to site A. We can take a look at the actual configuration of the ASA firewall; it’s pretty straightforward and not in the scope of this class. But if we look at the ASA configuration, we have a crypto map that sends the traffic to the site A firewall based on an access list.

This is where the proxy IDs are going to match. With show access-list we see that the access list allows the traffic between 192.168.3.0 and 192.168.1.0; this is the proxy ID, so that’s what we need to match on the other side, the hub site. It uses pre-shared keys, so I need to set up the same pre-shared key here. Then we create the phase 1 policy. In my phase 1 here I’m using 3DES, SHA-1 and group 2, so we specify that: phase 1, group 2, encryption 3DES, authentication SHA-1. Okay, that’s phase 1. Phase 2 is using ESP with 3DES and SHA-1 and no PFS.

So we go ahead and configure phase 2: site C, 3DES and SHA-1, no PFS. Then we set up an IKE gateway. The IKE gateway is for site C, IKEv1, with the outside interface as the local interface. The peer IP address type is static, because the IP address on the other side is static, and the peer IP address is the Cisco’s public address. Under Advanced Options we specify main mode and the site C phase 1 policy, and click OK. Then we create the tunnel interface, which we can do while creating the IPsec tunnel: tunnel to site C, a new tunnel interface, tunnel.3. We don’t have to specify an IP address on it; we’ll see in a later scenario why you would need an IP address there. When connecting to an ASA we leave it empty for now, and the zone is VPN. Then the gateway is the site C gateway we created.

The phase 2 policy is the phase 2 policy for site C. The proxy IDs are where you specify the networks that are going to be encrypted: local is 192.168.1.0/24, remote is 192.168.3.0/24, and we click OK. Now we need to create a route in the virtual router that says: if you’re trying to reach 192.168.3.0/24, use the tunnel.3 we just created. So here: site C, 192.168.3.0/24, interface tunnel.3, and the next hop is none because we don’t have any IP address on the other side. Then we click OK. So what happens is that the traffic gets forwarded over the tunnel and the tunnel initiates the IPsec negotiation.

You don’t need a next hop because the ASA doesn’t have the tunnel interface concept. Then we commit, and from site C I ping 192.168.1.1. Looking at the IPsec tunnel, it didn’t come up, so we troubleshoot again: debug ike global on debug, then tail follow yes mp-log ikemgr.log (mp-log is the management plane log, and ikemgr.log is the IKE manager log). I just needed to reboot it. So let’s try to ping 192.168.1.1 again and see if a tunnel is established. Phase 1 and phase 2 are up; however, we don’t see the traffic. On the ASA, show crypto isakmp sa shows a session that’s established. Oh, I’m trying to ping the interface of the firewall; I need to ping the router. Okay, I’m able to ping now.

So the key when you configure a tunnel with the Cisco ASA is that you have to specify the proxy IDs. You still have to do the routing like you did with Palo Alto to Palo Alto, and there are ways around that with dynamic routing, which we’ll talk about, so that you don’t have to create a route. But now that you’re talking to a policy-based firewall like the ASA, you have to specify the proxy ID, the local and the remote, and it has to match on the other side. If it doesn’t match, it’s not going to work. So here in phase 2 you see the negotiation. If I do show vpn ike-sa, we have the IKE SA, and we see that it’s using main mode, pre-shared key, 3DES, SHA-1 and so on.

5. VPN IPsec L2L Palo Alto to Cisco ASA with Dynamic IP Address

In this lecture we will see how to configure a Cisco ASA that uses a dynamic IP address, the same way we did with Palo Alto to Palo Alto. We put the Cisco ASA behind a dynamic IP address and see how exactly it gets configured. The first thing we have to do on the ASA is configure crypto isakmp identity; the identity can be hostname or a key that identifies this side to the peer and tells the other side which tunnel this is. Okay, we specify hostname, and the hostname here is ASA site C. The next thing we have to do is under the crypto map: crypto map outside_map 1 set phase1-mode aggressive. And that’s all you have to do on the ASA. On the Palo Alto you go to the IKE gateway for site C and change the peer to dynamic, because the ASA is behind a dynamic IP address.

Then under Exchange Mode we specify aggressive. The local identification is the hub’s IP address, and the peer identification is the host name, ASA site C; Advanced Options, aggressive. Then click OK and commit. Now I’m going to initiate the tunnel from behind site C, pinging 192.168.1.2. We see under IPsec Tunnels that it established, and it was established in aggressive mode. So you can achieve the same solution: if you have an ASA on the other side behind a 4G router, or using an ISP that provides only dynamic IP addresses, you can achieve the same thing with the Cisco ASA firewall. All you have to do is configure the phase 1 mode to aggressive and specify the identity; for the ASA’s identity we specify hostname or key.

6. IPsec Quick Mode Negotiation Understanding

So in this lecture we want to see what quick mode looks like. We have two Palo Alto firewalls with an IPsec tunnel between them. On this side I have two networks, 192.168.1.0/24 and 192.168.11.0/24, and on the other side 192.168.2.0/24 and 192.168.12.0/24. If I want each of these networks to talk to each of those, and vice versa, I need to create proxy IDs from 192.168.1.0/24 (I’ll abbreviate the first two octets from here on, so 1.0/24) to 2.0/24, and so on for all the combinations of the two networks on both sides, such as 11.0/24 to 12.0/24. So these are the four proxy IDs I’m going to create, and on the other side it’s the same pairs flipped.

If you use proxy IDs between two Palo Alto firewalls, you can run the tunnel policy based, but you have to remove the IP address from the tunnel interface, and then you have to specify the proxy IDs. Here there are four proxy IDs on this side and four on the other, and we’re going to see four quick modes, okay? I want to show you this in the lab. When you create two Palo Alto firewalls talking to each other route based, there is still a proxy ID, but it’s all zeros and it’s created automatically for you, so you don’t have to specify it. But I want to show you the legacy way so I can show you the quick mode negotiation.

So on this firewall I go to the IPsec tunnel and its proxy IDs: proxy ID 1 is 1.0/24 to 2.0/24, proxy ID 2 is 11.0/24 to 12.0/24, and so on for the other two pairs. On the virtual router you have to have routes pointing to the tunnel interface; I have those routes, 2.0/24 and 12.0/24 point to tunnel.2. And I removed the IP address from the tunnel interface; there was one, I removed it. I commit here and do the same on the other side: in the virtual router I have the static routes, 1.0/24 goes to tunnel.2 and 11.0/24 goes to tunnel.2, and in the IPsec tunnel I create the proxy IDs. Quick mode only triggers when traffic matching a network pair is generated; that’s when the two sides negotiate that part of the tunnel.

Are we going to see this? Once we do a ping, quick mode is going to get negotiated. So I capture on the interface and initiate traffic from 1.0/24 to 2.0/24. We can see the negotiation here: you should see the six main mode messages of phase 1, followed by quick mode. And because we said here that it’s hashed and encrypted, you basically cannot read it, right? So we have the three quick mode messages. And if I do show vpn ipsec-sa, we see the proxy IDs here: tunnel to site B, proxy 1, that’s proxy 1. The quick mode was established, but I have only one quick mode; I don’t have any other quick mode yet.

So now if I ping from 1.0/24 to 12.0/24, I should get a different quick mode: ping 192.168.12.1. You should see another quick mode here; that quick mode is the second proxy ID. If I do show vpn ipsec-sa, I should have two SAs, one for the first proxy ID and one for the other. Now if I ping 192.168.2.2 with a source in 11.0/24, I should have another quick mode for the third proxy ID, and there it is, another quick mode. And if I ping 192.168.12.1 with a source in 11.0/24, that’s the fourth proxy ID, so I should see another quick mode. There’s an informational message coming back, which might indicate a negotiation problem; I probably didn’t save.

Let’s look at the tunnel info I have here, the remote IP and the proxy IDs; I see the proxy IDs here. The purpose of this lecture was to show you quick mode. Each pair of networks is another quick mode that gets established; that is the phase 2 quick mode negotiation, and you’re going to have as many quick modes as you have pairs. That’s the method when you use proxy IDs. If you don’t use proxy IDs, then it’s quad zero to quad zero, one quick mode, and everything gets routed over the tunnel interface to the other side.
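The proxy ID behaviour from the two ASA lectures and this quick mode lecture, modelled in plain Python: the Palo Alto proxy ID must mirror the ASA’s crypto access list, every network pair is its own quick mode, and route-based collapses that to one quad-zero SA. This is an added example, not code from the lecture or from either vendor; the network numbers follow the lectures and the ASA access-list line is constructed.

```python
"""Added example (not from the lecture or either vendor): how proxy IDs
become IKEv1 quick mode (phase 2) negotiations.

  * Palo Alto to Cisco ASA: the policy-based ASA describes the tunnel with a
    crypto access list; the Palo Alto proxy ID must be its mirror image
    (ASA destination = our local network, ASA source = our remote network).
  * Quick mode lecture: every local/remote network pair is its own quick mode
    and IPsec SA; route-based (no proxy IDs) uses the single all-zero proxy ID.
Network numbers follow the lectures; the ACL line in the test is constructed.
"""
from ipaddress import ip_address, ip_network, IPv4Network
from itertools import product
import re

ANY = ip_network("0.0.0.0/0")
ProxyId = tuple[IPv4Network, IPv4Network]  # (local, remote)


def mirror_of_asa_acl(ace: str) -> ProxyId:
    """Turn an ASA 'permit ip <src> <mask> <dst> <mask>' crypto ACE into the
    proxy ID the Palo Alto side must configure."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ace)
    if not m:
        raise ValueError(f"not a permit ip ACE: {ace}")
    asa_src = ip_network(f"{m[1]}/{m[2]}")
    asa_dst = ip_network(f"{m[3]}/{m[4]}")
    return asa_dst, asa_src


def proxy_ids(local_nets, remote_nets) -> list[ProxyId]:
    """Policy-based: one proxy ID, hence one quick mode, per network pair."""
    return [(ip_network(l), ip_network(r)) for l, r in product(local_nets, remote_nets)]


def route_based() -> list[ProxyId]:
    """Route-based: PAN-OS supplies the single quad-zero proxy ID itself."""
    return [(ANY, ANY)]


def phase2_agrees(our_ids, peer_ids) -> bool:
    """Phase 2 only completes when each proxy ID is mirrored on the peer."""
    return set(our_ids) == {(r, l) for l, r in peer_ids}


def sa_for_packet(ids, src: str, dst: str):
    """The quick mode (IPsec SA) a packet rides in, or None when no proxy ID
    covers it and the packet does not go over the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in ids:
        if s in local and d in remote:
            return local, remote
    return None
```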
