
Creating a VPN between Linksys RV042 and ASA 5505


By maho - Posted on 22 July 2008

This requires some basic knowledge of IPsec and the ASA 5505. It also requires modifying the DefaultL2LGroup on the ASA (the remote office has a dynamic IP address, so the ASA cannot match the peer to a tunnel group by address), so if that is not an option, stop reading now.

Network settings:
Office LAN (behind the ASA): 192.168.1.0/24
Remote office LAN (behind the RV042): 192.168.200.0/24

First of all, let's prepare the ASA for the connection from the RV042.
Log on to your favourite ASA console, enter configuration mode (configure terminal) and issue the following commands.

Create a new policy
      group-policy rv042conn internal
      group-policy rv042conn attributes
        vpn-tunnel-protocol IPSec
        pfs enable
        ip-comp enable
     
Edit the DefaultL2LGroup
      tunnel-group DefaultL2LGroup general-attributes
        default-group-policy rv042conn
      tunnel-group DefaultL2LGroup ipsec-attributes
        peer-id-validate nocheck
        pre-shared-key hemlig
        isakmp ikev1-user-authentication none

DefaultL2LGroup is the tunnel group that every site-to-site peer which does not match a more specific group ends up in, peer-id-validate nocheck skips the check of the peer's IKE identity, and ikev1-user-authentication none turns off XAUTH. That leaves the pre-shared key as the only thing authenticating any peer that reaches this group, so replace the example key hemlig with a long random one.

Add an IPsec rule
      access-list outside_cryptomap_20 line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
      crypto map outside_map 20 match address outside_cryptomap_20
      crypto map outside_map 20 set pfs group2
      crypto map outside_map 20 set peer 0.0.0.0
      crypto map outside_map 20 set transform-set ESP-3DES-MD5

The peer 0.0.0.0 means this map entry accepts any peer address. It references the transform set ESP-3DES-MD5 (3DES with MD5 HMAC), which must already be defined with crypto ipsec transform-set, and outside_map must already be applied to the outside interface. Note that a crypto ACL on the ASA is normally written from the ASA's own side, with the local network as source and the remote network as destination, i.e. the mirror image of the RV042's local and remote groups; if the tunnel comes up but no traffic passes, check the direction of the access-list line above.

Add the NAT exemption
      access-list inside_nat0_outbound line 4 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

This assumes inside_nat0_outbound is already the access list used for NAT exemption (nat 0) on the inside interface. Without the exemption, traffic to the remote office is translated before it reaches the crypto map and never matches the IPsec rule.

Moving on to the RV042
Click VPN, then the Add New Tunnel button, and choose Gateway to Gateway.
Give the tunnel a name.

Local Group Setup
As Local Security Gateway Type select Dynamic IP + Domain Name (FQDN) Authentication.
Type your fully qualified domain name. Because of peer-id-validate nocheck the ASA does not check it, but it appears in the ASA logs, so it is quite useful for debugging.
Set Local Security Group Type to Subnet and make sure that the fields below show the remote office subnet (192.168.200.0 / 255.255.255.0).

Remote Group Setup
Set Remote Security Gateway Type to IP Only and type your ASA's external IP address in the fields below.
Set Remote Security Group Type to Subnet and enter the office LAN behind the ASA (192.168.1.0 / 255.255.255.0).

IPSec Setup
This is where you need to remember how your ASA is configured: the ASA's ISAKMP policy must match the phase 1 settings, and its transform set and PFS group must match the phase 2 settings. These were the settings I had in my playground when I wrote this.
Set
  Keying Mode to IKE with Preshared key
  Phase1 DH Group to Group2
  Phase1 Encryption to 3DES
  Phase1 Authentication to MD5
  Phase1 SA Life Time to 86400
  Select Perfect Forward Secrecy
  Phase2 DH Group to Group2
  Phase2 Encryption to 3DES
  Phase2 Authentication to MD5
  Phase2 SA Life Time to 3600
  Preshared Key to the key used with the DefaultL2LGroup on the ASA (hemlig in the example above)

Advanced
Make sure that Aggressive mode is not selected.
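As an added example (not part of the original post), the following Python script parses the ASA lines from the sections above and compares them with the RV042 phase 2 settings: it checks that the crypto ACL is the mirror image of the RV042's local and remote groups, that the NAT exemption ACL covers the same pair of networks, and that the PFS group and transform set agree with the RV042's Phase2 choices. The sample configuration embedded in it is the post's ASA configuration plus an assumed transform-set definition (crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac); the regular expressions only understand the command forms used on this page.

```python
"""Sanity-check an ASA site-to-site crypto map against RV042 tunnel settings.

Added example for this post (not the post's own code). The parser only
understands the command forms that appear on the page.
"""
import ipaddress
import re

# Constructed sample input: the ASA lines from the post, plus an assumed
# transform-set definition (the post relies on ESP-3DES-MD5 already existing).
ASA_CONFIG = """
access-list outside_cryptomap_20 line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set  pfs group2
crypto map outside_map 20 set  peer  0.0.0.0
crypto map outside_map 20 set  transform-set  ESP-3DES-MD5
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list inside_nat0_outbound line 4 extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
"""

# The RV042 side as configured in the post (phase 2 only; the ASA's ISAKMP
# policy is not shown on the page, so phase 1 is not checked here).
RV042 = {
    "local_subnet": "192.168.200.0/24",   # Local Security Group on the RV042
    "remote_subnet": "192.168.1.0/24",    # Remote Security Group on the RV042
    "phase2_dh": "group2",
    "phase2_enc": "3des",
    "phase2_auth": "md5",
}

ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? extended permit ip (\S+) (\S+) (\S+) (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")


def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def _alg(token):
    # "esp-3des" -> "3des", "esp-md5-hmac" -> "md5"
    return token.replace("esp-", "", 1).replace("-hmac", "")


def parse_asa(text):
    """Return ({acl: [(src, dst)]}, {(map, seq): {setting: value}}, {tset: (enc, auth)})."""
    acls, cmaps, tsets = {}, {}, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the double spaces in pasted ASA output
        if m := ACL_RE.match(line):
            name, sip, smask, dip, dmask = m.groups()
            acls.setdefault(name, []).append((_net(sip, smask), _net(dip, dmask)))
        elif m := CMAP_RE.match(line):
            name, seq, setting, value = m.groups()
            cmaps.setdefault((name, int(seq)), {})[setting] = value
        elif m := TSET_RE.match(line):
            name, enc, auth = m.groups()
            tsets[name] = (_alg(enc), _alg(auth))
    return acls, cmaps, tsets


def check(asa_text, rv, map_name, seq, nat0_acl):
    """Return a list of mismatches between the ASA map entry and the RV042 settings."""
    findings = []
    acls, cmaps, tsets = parse_asa(asa_text)
    entry = cmaps.get((map_name, seq))
    if entry is None:
        return [f"crypto map {map_name} {seq} not found"]

    # Seen from the ASA, "local" is the RV042's remote group and vice versa.
    local = ipaddress.ip_network(rv["remote_subnet"])
    remote = ipaddress.ip_network(rv["local_subnet"])

    acl_name = entry.get("match address")
    rules = acls.get(acl_name, [])
    if (local, remote) not in rules:
        hint = " (it is written remote->local; mirror it)" if (remote, local) in rules else ""
        findings.append(f"crypto ACL {acl_name} lacks 'permit ip {local} {remote}'{hint}")

    if (local, remote) not in acls.get(nat0_acl, []):
        findings.append(f"NAT exemption ACL {nat0_acl} does not cover {local} -> {remote}")

    if entry.get("set pfs") != rv["phase2_dh"]:
        findings.append(f"PFS group: ASA {entry.get('set pfs')} vs RV042 {rv['phase2_dh']}")

    tset_name = entry.get("set transform-set")
    tset = tsets.get(tset_name)
    if tset is None:
        findings.append(f"transform-set {tset_name} is not defined")
    elif tset != (rv["phase2_enc"], rv["phase2_auth"]):
        findings.append(f"phase 2 proposal: ASA {tset} vs RV042 ({rv['phase2_enc']}, {rv['phase2_auth']})")
    return findings


if __name__ == "__main__":
    for finding in check(ASA_CONFIG, RV042, "outside_map", 20, "inside_nat0_outbound") or ["OK"]:
        print(finding)
```

Run against the post's own lines it reports a single finding, that outside_cryptomap_20 is written with the remote network as source; after swapping the two networks in that line it reports nothing. Phase 1 is deliberately left out because the ISAKMP policy is not shown on the page.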
 

If Aggressive mode is not enabled, it is not possible to use the Cisco VPN client with a pre-shared key for remote access (you have to use a certificate for phase 1).

Is it possible to check Aggressive mode on the Linksys and do a "no isakmp ikev1-user-authentication none" on the ASA? Unfortunately, I don't have an RV042 available to test.

That is a good question, and I have managed to misplace the RV042, so I can't play around with it to find out.

Does your remote office have a static IP?

In this case it did not; that is why I was forced to use the DefaultL2LGroup on the ASA. If the remote office does have a static IP address, you could use the IP address to match a tunnel group instead of using the DefaultL2LGroup.
