Create a Site-to-Site VPN Tunnel Between ASAs

Use the following procedure to create a site-to-site VPN tunnel between two ASAs or an ASA with an Extranet device:

Procedure


Step 1

In the navigation pane, choose VPN > ASA/FDM Site-to-Site VPN.

Step 2

Click the blue plus on the top right corner and click Site-to-Site VPN with ASA label.

Step 3

In the Configuration Name field, enter a name for the site-to-site VPN configuration you create.

Step 4

Select one of the options to create a new Policy Based or Route Based site-to-site VPN.

Step 5

In the Peer Devices section, do the following:

  1. Peer 1: Select an ASA device and then click Select.

  2. Peer 2: Select the other ASA device and then click Select.

    Extranet: If you want to choose an extranet device in Peer 2, click the Extranet slider to enable it.

    Select Static, and specify an IP address or select Dynamic for extranet devices with DHCP assigned IP. The IP Address displays the IP address for the static interface or DHCP Assigned for the dynamic interface.

  3. Click Next.

  4. Choose the VPN Access Interface for the endpoint devices.

  5. (Applicable to Route Based VPN) Choose the LAN Interfaces that controls the LAN subnet. You can select multiple interfaces.

    The networks attached to the selected LAN interfaces will be added to the routing policy access list. The traffic matching the routing policy access list will be encrypted/decrypted by the VPN tunnel.

  6. Click Add Network to add the Protected Networks for the participating devices. A protected network defines the networks that are protected by this VPN endpoint.

  7. (Optional and applicable to Policy Based) Select NAT Exempt to exempt the VPN traffic from NAT policies on the local VPN access interface. It must be configured manually for individual peers. If you do not want NAT rules to apply to the local network, select the interface that hosts the local network. This option works only if the local network resides behind a single routed interface (not a bridge group member). If the local network is behind more than one routed interface or one or more bridge group members, you must manually create the NAT exempt rules. For information on manually creating the required rules, see Exempt ASA Site-to-Site VPN Traffic from NAT.

  8. Click Next.

Step 6

(Applicable to Route Based) In the Tunnel Details, the VTI Address fields are automatically filled once the peer devices are configured in the previous step. If necessary, you can manually enter an IP address that will be used as the new VTI.

Step 7

In the IKE Settings section, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the privacy configurations: For more information on the IKE policies, see Configuring the Global IKE Policy.

Based on the configuration made by the user, CDO suggests the IKE settings. You can either continue with the recommended IKE configuration settings or define a new one.

Note

IKE policies are global to a device and apply to all VPN tunnels associated with it. Therefore, adding or deleting policies affect all VPN tunnels in which this device is participating.

  1. Select either or both IKE versions as appropriate.

    By default, IKEV Version 2 is enabled.

    Note

    Enabling both IKE versions is not allowed for route-based VPN.

  2. Click Add IKEv2 Policy and select the IKEv2 policies

    Note

    Click Create New IKEv2 Policy to create new IKEv2 policies. For more information about creating new IKEv2 policies, see Configuring IKEv2 Policies. To delete an existing IKEv2 Policy, hover-over the selected policy and click the x icon.

  3. Enter the Pre-Shared Key for the participating devices. Preshared keys are secret key strings configured on each peer in the connection. IKE uses these keys during the authentication phase.

    (IKEv2) Peer 1 Pre-shared Key, Peer 2 Pre-shared Key: For IKEv2, you can configure unique keys on each peer. Enter the Pre-shared Key. You can click the show button and enter the appropriate pre-shared for the peer. The key can be 1-127, alphanumeric characters. The following table describes the purpose of the pre-shared key for both peers.

    Local Pre-shared Key

    Remote Peer Pre-shared Key

    Peer 1 Peer 1 Pre-shared Key Peer 2 Pre-shared Key
    Peer 2 Peer 2 Pre-shared Key Peer 1 Pre-shared Key
  4. Click IKE Version 1 to enable it.

  5. Click Add IKEv1 Policy and select the IKEv1 policies. Click Create New IKEv1 Policy to create new IKEv1 policies. For more information about creating new IKEv1 policies, see the Configuring IKEv1 Policies. To delete an existing IKEv1 Policy, hover-over the selected policy and click the x icon.

  6. (IKEv1) Pre-shared Key: For IKEv1, you must configure the same preshared key on each peer. The key can be 1-127, alphanumeric characters. In this scenario, Peer 1 and Peer 2 use the same pre-shared key to encrypt and decrypt data.

  7. Click Next.

Step 8

In the IPSec Settings section, based on the configuration made by the user, CDO suggests the IKEv2 proposals. You can either continue with the recommended IKE configuration settings or define a new one. For more information on the IPSec settings, see the Configuring IPsec Proposals.

  1. Click + IKEv2 Proposals to select the IPSec configuration. The corresponding IKEV proposals are available depending on the selection that is made in the IKE Settings step. To delete an existing IKEv2 Proposal, hover-over the selected proposal and click the x icon.

    Note

    Click Create New IKEv2 Proposals to create new IKEv2 proposals. For more information about creating new IKEv2 policies, see the Configuring IPSec Proposals for IKEv2.

  2. Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN

  3. Click Next.

Step 9

In the Finish section, read the configuration and continue further only if you’re satisfied with your configuration, click Submit.


You are directed to the VPN Tunnels page that shows the newly configured site-to-site VPN tunnel. The changes are staged and must be deployed manually. A routing policy is created to route the VTI traffic automatically between the devices over the VTI tunnel. To see this policy, select the device from the Inventory page and choose Configuration > Diff.

See the Deploy Configuration Changes section to deploy site-to-site VPN configuration on the devices associated with the new tunnel.