Policy-Based IPsec VPN to Cisco ASA
A policy-based IPsec VPN establishes a site-to-site tunnel between VyOS and a Cisco ASA firewall, providing secure connectivity between remote locations or in hybrid cloud deployments.
Use Case
Applicability
- Hybrid Cloud: Yandex Cloud / VK Cloud ↔ On-premises Cisco ASA
- Branch Office: Headquarters (Cisco ASA) ↔ Remote branches (VyOS)
- Multi-Cloud: Yandex Cloud (VyOS) ↔ another cloud provider
- Legacy Integration: integration with an existing Cisco infrastructure
Advantages of Policy-Based VPN
- Wide Compatibility: supports legacy Cisco devices
- Granular Control: traffic selection by subnet pairs
- Simple Configuration: simpler than Route-Based for simple scenarios
- NAT Traversal: works behind NAT
Network Topology
Basic Topology
```
┌────────────────────────────────────────────────┐
│ On-Premises Datacenter                         │
│                                                │
│   ┌──────────────────────────────────┐         │
│   │ Cisco ASA 5516                   │         │
│   │ Outside: 203.0.113.1/30          │         │
│   │ Inside:  192.168.1.1/24          │         │
│   └────────────────┬─────────────────┘         │
│                    │                           │
│   LAN              │ 192.168.1.0/24            │
│   ┌────────────────┴─────────────────┐         │
│   │ Servers, Workstations            │         │
│   └──────────────────────────────────┘         │
└────────────────────────────────────────────────┘
                     │
                     │ Internet
                     │ IPsec Tunnel
                     │
┌────────────────────────────────────────────────┐
│ Yandex Cloud / VK Cloud                        │
│                                                │
│   ┌──────────────────────────────────┐         │
│   │ VyOS Gateway                     │         │
│   │ eth0: 198.51.100.1/30 (public)   │         │
│   │ eth1: 10.10.1.1/24 (private)     │         │
│   └────────────────┬─────────────────┘         │
│                    │                           │
│   VPC              │ 10.10.1.0/24              │
│   ┌────────────────┴─────────────────┐         │
│   │ Cloud VMs                        │         │
│   └──────────────────────────────────┘         │
└────────────────────────────────────────────────┘
```
VPN Parameters
| Parameter | Value |
|---|---|
| VPN Type | Policy-Based IPsec |
| IKE Version | IKEv2 |
| Phase 1 Encryption | AES-256 |
| Phase 1 Hash | SHA-256 |
| Phase 1 DH Group | 14 (2048-bit) |
| Phase 2 Encryption | AES-256 |
| Phase 2 Hash | SHA-256 |
| Phase 2 PFS | DH Group 14 |
| Authentication | Pre-Shared Key |
Requirements
VyOS Requirements
- VyOS 1.4 (Sagitta) or newer
- Public IP address (elastic IP in the cloud)
- IPsec support (strongSwan)
Cisco ASA Requirements
- Cisco ASA 5500-X, ASA 5506-X or newer
- ASA Software 9.x or newer
- Public IP address
- IKEv2 support
Network Requirements
- UDP 500 (IKE) open on both firewalls
- UDP 4500 (NAT-T) if behind NAT
- ESP (IP protocol 50) allowed
- MTU awareness (1400 recommended for the tunnel)
VyOS Configuration
IKE Group (Phase 1)
```
configure
# IKE Group
set vpn ipsec ike-group IKE-CISCO lifetime '28800'
set vpn ipsec ike-group IKE-CISCO key-exchange 'ikev2'
set vpn ipsec ike-group IKE-CISCO proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-CISCO proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-CISCO proposal 1 dh-group '14'
commit
```
ESP Group (Phase 2)
```
configure
# ESP Group
set vpn ipsec esp-group ESP-CISCO lifetime '3600'
set vpn ipsec esp-group ESP-CISCO mode 'tunnel'
set vpn ipsec esp-group ESP-CISCO pfs 'dh-group14'
set vpn ipsec esp-group ESP-CISCO proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-CISCO proposal 1 hash 'sha256'
set vpn ipsec esp-group ESP-CISCO compression 'disable'
commit
```
Site-to-Site Peer
```
configure
# Peer (Cisco ASA public IP)
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret 'YourStrongPreSharedKey123!'
set vpn ipsec site-to-site peer 203.0.113.1 ike-group 'IKE-CISCO'
set vpn ipsec site-to-site peer 203.0.113.1 local-address '198.51.100.1'
# Tunnel definition (Policy-Based)
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 esp-group 'ESP-CISCO'
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix '10.10.1.0/24'
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix '192.168.1.0/24'
commit
save
```
NAT Exclusion
```
configure
# Exclude VPN traffic from NAT (if Source NAT is used)
set nat source rule 100 description 'Exclude VPN traffic from NAT'
set nat source rule 100 destination address '192.168.1.0/24'
set nat source rule 100 source address '10.10.1.0/24'
set nat source rule 100 exclude
# Source NAT for the remaining Internet traffic
set nat source rule 200 description 'NAT for Internet'
set nat source rule 200 outbound-interface name 'eth0'
set nat source rule 200 source address '10.10.1.0/24'
set nat source rule 200 translation address 'masquerade'
commit
save
```
Firewall Rules
```
configure
# Firewall for the WAN interface (allow IPsec)
set firewall ipv4-name WAN_LOCAL default-action 'drop'
# Allow established/related
set firewall ipv4-name WAN_LOCAL rule 1 action 'accept'
set firewall ipv4-name WAN_LOCAL rule 1 state established 'enable'
set firewall ipv4-name WAN_LOCAL rule 1 state related 'enable'
# Allow IKE (UDP 500)
set firewall ipv4-name WAN_LOCAL rule 10 action 'accept'
set firewall ipv4-name WAN_LOCAL rule 10 protocol 'udp'
set firewall ipv4-name WAN_LOCAL rule 10 destination port '500'
set firewall ipv4-name WAN_LOCAL rule 10 description 'Allow IKE'
# Allow NAT-T (UDP 4500)
set firewall ipv4-name WAN_LOCAL rule 20 action 'accept'
set firewall ipv4-name WAN_LOCAL rule 20 protocol 'udp'
set firewall ipv4-name WAN_LOCAL rule 20 destination port '4500'
set firewall ipv4-name WAN_LOCAL rule 20 description 'Allow NAT-T'
# Allow ESP (protocol 50)
set firewall ipv4-name WAN_LOCAL rule 30 action 'accept'
set firewall ipv4-name WAN_LOCAL rule 30 protocol 'esp'
set firewall ipv4-name WAN_LOCAL rule 30 description 'Allow ESP'
# Apply to interface
set firewall interface eth0 in name 'WAN_LOCAL'
commit
save
```
Cisco ASA Configuration
IKEv2 Policy
```
! IKEv2 Policy
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
! Enable IKEv2 on the outside interface (required, otherwise the ASA never answers IKE)
crypto ikev2 enable outside
!
```
IKEv2 Proposal
```
! IPsec (ESP) Proposal
crypto ipsec ikev2 ipsec-proposal ESP-VYOS
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
```
Tunnel Group
```
! Tunnel Group (VyOS peer)
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key YourStrongPreSharedKey123!
 ikev2 local-authentication pre-shared-key YourStrongPreSharedKey123!
!
```
Crypto Map
```
! Access-list for interesting traffic
access-list VPN-TO-VYOS extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! Crypto Map
crypto map OUTSIDE-MAP 10 match address VPN-TO-VYOS
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal ESP-VYOS
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
! Apply to outside interface
crypto map OUTSIDE-MAP interface outside
!
```
NAT Exemption (Cisco ASA)
```
! Network Objects (must exist before the NAT statement that references them)
object network OBJ-LAN-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network OBJ-VYOS-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
! NAT exemption for VPN traffic
nat (inside,outside) source static OBJ-LAN-192.168.1.0 OBJ-LAN-192.168.1.0 destination static OBJ-VYOS-10.10.1.0 OBJ-VYOS-10.10.1.0 no-proxy-arp route-lookup
!
```
Routes
```
! Static route for the VyOS subnet (optional, if dynamic routing is not used)
route outside 10.10.1.0 255.255.255.0 198.51.100.1
!
```
Integration with Yandex Cloud
Scenario: VyOS in Yandex Cloud as the VPN Gateway
```
configure
# Yandex Cloud specifics
# eth0 = external interface (public IP via 1:1 NAT)
# eth1 = internal interface (VPC subnet)
# Interfaces
set interfaces ethernet eth0 address '10.128.0.5/24'
set interfaces ethernet eth0 description 'Yandex Cloud external (NAT to public IP)'
set interfaces ethernet eth1 address '10.10.1.1/24'
set interfaces ethernet eth1 description 'Yandex Cloud VPC subnet'
# IPsec configuration
# local-address = internal IP (Yandex Cloud translates it to the public IP)
set vpn ipsec site-to-site peer 203.0.113.1 local-address '10.128.0.5'
# NAT exclusion (important for Yandex Cloud)
set nat source rule 100 destination address '192.168.1.0/24'
set nat source rule 100 source address '10.10.1.0/24'
set nat source rule 100 exclude
# Routes (optional)
set protocols static route 192.168.1.0/24 next-hop '203.0.113.1' distance '10'
commit
save
```
Yandex Cloud Security Group
In the Yandex Cloud Console, create a Security Group for VyOS:
Ingress Rules:
- UDP 500 from Cisco ASA IP (203.0.113.1)
- UDP 4500 from Cisco ASA IP (203.0.113.1)
- ESP (protocol 50) from Cisco ASA IP (203.0.113.1)
Egress Rules:
- UDP 500 to Cisco ASA IP
- UDP 4500 to Cisco ASA IP
- ESP (protocol 50) to Cisco ASA IP
Integration with VK Cloud
Configuration for VK Cloud
```
configure
# VK Cloud is analogous to Yandex Cloud
# eth0 = management (internal IP, NAT to the Floating IP)
# eth1 = VPC subnet
set interfaces ethernet eth0 address '10.0.1.5/24'
set interfaces ethernet eth0 description 'VK Cloud external (NAT to Floating IP)'
set interfaces ethernet eth1 address '10.10.1.1/24'
set interfaces ethernet eth1 description 'VK Cloud VPC subnet'
# IPsec local-address = internal IP
set vpn ipsec site-to-site peer 203.0.113.1 local-address '10.0.1.5'
# MTU for the VK Cloud overlay
set interfaces ethernet eth0 mtu '1450'
set interfaces ethernet eth1 mtu '1450'
# MSS clamping for TCP
set firewall interface eth0 in ipv4-adjust-mss '1360'
set firewall interface eth0 out ipv4-adjust-mss '1360'
commit
save
```
VK Cloud Security Groups
As with Yandex Cloud, create a Security Group:
- Allow UDP 500, 4500 and ESP from the Cisco ASA IP
Configuration Verification
VyOS - IPsec Check
```
# IPsec status
show vpn ipsec status
# Expected output:
# IPsec Process Running: yes
# IKE SAs: 1 established
# IPsec SAs: 1 established
# IPsec SA details
show vpn ipsec sa
# Should show:
# Peer: 203.0.113.1
# State: up
# Tunnels: 1 active
# Local subnet: 10.10.1.0/24
# Remote subnet: 192.168.1.0/24
# IKE SA
show vpn ike sa
# Security Associations
show vpn ipsec sa detail
```
VyOS - Traffic Check
```
# Ping through the tunnel (from VyOS to the Cisco ASA inside interface)
ping 192.168.1.1 count 4
# Traceroute
traceroute 192.168.1.1
# IPsec statistics
show vpn ipsec sa statistics
# Bytes in/out should increase
```
Cisco ASA - Check
```
! IPsec status
show crypto ikev2 sa
! Output:
! IKEv2 SAs:
! Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
! IPsec SA
show crypto ipsec sa peer 198.51.100.1
! Output:
! interface: outside
! Crypto map tag: OUTSIDE-MAP, seq num: 10, local addr: 203.0.113.1
! access-list VPN-TO-VYOS extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
! local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
! remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
! current_peer: 198.51.100.1
! #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
! #pkts decaps: 140, #pkts decrypt: 140, #pkts verify: 140
! Ping from ASA to VyOS inside
ping 10.10.1.1
```
Debugging
VyOS:
```
# Stream charon (IPsec daemon) log messages
sudo swanctl --log
# Live IPsec logs
sudo journalctl -u strongswan -f
# IKE negotiation details
sudo ipsec statusall
```
Cisco ASA:
```
! Debug IKEv2
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
! Debug IPsec
debug crypto ipsec 127
! Clear and re-establish the tunnel (for testing)
clear crypto ikev2 sa
clear crypto ipsec sa peer 198.51.100.1
```
Troubleshooting
Problem 1: IKE Phase 1 does not establish
Symptoms:
```
show vpn ike sa
# Empty, no SA
```
Causes and solutions:
Pre-Shared Key mismatch:
```
# VyOS - check the PSK
show configuration commands | grep pre-shared-secret
# Cisco ASA - check the tunnel group
show running-config tunnel-group 198.51.100.1
```
Firewall blocks UDP 500:
```
# VyOS - check the firewall
show firewall ipv4-name WAN_LOCAL
# Cisco ASA - check the ACL
show access-list outside_access_in
```
Crypto parameters mismatch:
```
# VyOS - show the IKE parameters
show configuration commands | grep 'ike-group IKE-CISCO'
# Cisco ASA
show running-config crypto ikev2 policy
```
Problem 2: Phase 1 OK, but Phase 2 (IPsec SA) does not establish
Symptoms:
```
show vpn ike sa    # shows an SA
show vpn ipsec sa  # empty
```
Causes:
ESP parameters mismatch:
```
# VyOS
show configuration commands | grep 'esp-group ESP-CISCO'
# Cisco ASA
show running-config crypto ipsec ikev2 ipsec-proposal
```
Traffic selectors mismatch:
```
# VyOS - check local/remote prefix
show configuration commands | grep "tunnel 1"
# Must match the Cisco ACL (mirrored: the VyOS local prefix is the ASA destination)
# Cisco ASA
show access-list VPN-TO-VYOS
```
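A quick way to catch the Phase 1 and Phase 2 mismatches from Problems 1 and 2 before wading through debug output is to diff both configurations. The following Python script is an added example, not part of this page or of VyOS/Cisco; the two configuration strings at the bottom are constructed, with the ASA side deliberately carrying a wrong DH group and a reversed access-list:

```python
# Added example (not VyOS or Cisco code): diff the IKE/ESP parameters and traffic selectors
# of both peers to spot the Phase 1 / Phase 2 mismatches described above.
import ipaddress
import re
ASA_RE = re.compile(r"^(?:(?P<ike>encryption|integrity|group|lifetime seconds)"
                    r"|protocol esp (?P<esp>encryption|integrity)"
                    r"|crypto map .* set (?P<map>pfs|security-association lifetime seconds)) (\S+)$")
# ASA keyword -> VyOS keyword, so both sides produce the same comparison keys.
NAMES = {"integrity": "hash", "group": "dh-group", "lifetime seconds": "lifetime",
         "security-association lifetime seconds": "lifetime"}
def norm(value):
    """aes-256 / aes256, sha-256 / sha256 and group14 / dh-group14 must compare equal."""
    return value.lower().replace("-", "").replace("dhgroup", "group")

def parse_vyos(cfg):
    """Parameters and tunnel selectors from 'set vpn ipsec ...' lines."""
    p = {}
    for line in cfg.splitlines():
        if m := re.match(r"set vpn ipsec (ike-group|esp-group) \S+ (?:proposal \d+ )?(\S+) '([^']+)'", line):
            p[f"{m.group(1)}:{m.group(2)}"] = norm(m.group(3))
        elif m := re.match(r"set vpn ipsec site-to-site peer \S+ tunnel \d+ (local|remote) prefix '([^']+)'", line):
            p[f"ts:{m.group(1)}"] = ipaddress.ip_network(m.group(2))
    return p

def parse_asa(cfg):
    """The same parameters from the ikev2 policy, ipsec-proposal, crypto map and ACL."""
    p = {}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := ASA_RE.match(line):
            word = m.group("ike") or m.group("esp") or m.group("map")
            section = "ike-group" if m.group("ike") else "esp-group"
            p[f"{section}:{NAMES.get(word, word)}"] = norm(m.group(4))
        elif m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            # Selectors are mirrored: the ASA's source network is VyOS's "remote prefix".
            p["ts:remote"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            p["ts:local"] = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return p

def compare(vyos_cfg, asa_cfg):
    """[(parameter, vyos_value, asa_value)] for each parameter set on both peers that differs."""
    v, a = parse_vyos(vyos_cfg), parse_asa(asa_cfg)
    return [(k, str(v[k]), str(a[k])) for k in sorted(v) if k in a and v[k] != a[k]]

# Constructed sample: the page's VyOS side against an ASA with the wrong DH group and a reversed ACL.
VYOS_CFG = ("set vpn ipsec ike-group IKE-CISCO proposal 1 dh-group '14'\n"
            "set vpn ipsec esp-group ESP-CISCO pfs 'dh-group14'\n"
            "set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 local prefix '10.10.1.0/24'\n"
            "set vpn ipsec site-to-site peer 203.0.113.1 tunnel 1 remote prefix '192.168.1.0/24'\n")
ASA_CFG = ("crypto ikev2 policy 10\n group 5\ncrypto map OUTSIDE-MAP 10 set pfs group14\n"
           "access-list VPN-TO-VYOS extended permit ip 10.10.1.0 255.255.255.0 192.168.1.0 255.255.255.0\n")
```

`compare(VYOS_CFG, ASA_CFG)` reports the DH group and both traffic selectors; paste the real `show configuration commands | grep 'vpn ipsec'` and `show running-config crypto` output into the two strings to check a live pair.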
Problem 3: Tunnel UP, but no connectivity
Symptoms:
```
show vpn ipsec sa   # State: up
ping 192.168.1.1    # Network unreachable
```
Causes and solutions:
NAT not excluded:
```
# VyOS - check the NAT rules
show nat source rules
# There must be an exclude rule for VPN traffic; if it is missing, add it:
configure
set nat source rule 100 source address '10.10.1.0/24'
set nat source rule 100 destination address '192.168.1.0/24'
set nat source rule 100 exclude
commit
```
No route:
```
# VyOS - check routing
show ip route 192.168.1.0/24
# There must be a route via the VPN
# If there is none, the policy-based VPN should create it automatically
# Cisco ASA - check routes
show route
```
Firewall blocks VPN traffic:
```
# VyOS - create a zone for the VPN
configure
set firewall zone VPN interface 'eth1'
set firewall zone WAN interface 'eth0'
set firewall zone VPN from WAN firewall name 'VPN-IN'
# Allow traffic from the VPN zone
set firewall ipv4-name VPN-IN default-action 'accept'
commit
```
Problem 4: Tunnel flapping (up/down)
Causes:
DPD (Dead Peer Detection) too aggressive:
```
# VyOS - relax DPD (in VyOS it is configured on the IKE group, not on the peer)
configure
set vpn ipsec ike-group IKE-CISCO dead-peer-detection action 'restart'
set vpn ipsec ike-group IKE-CISCO dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-CISCO dead-peer-detection timeout '120'
set vpn ipsec site-to-site peer 203.0.113.1 connection-type 'respond'
commit
```
Keepalive traffic:
```
# Periodically send ICMP through the tunnel
# Task-scheduler job for a keepalive ping (the interval unit is minutes)
configure
set system task-scheduler task vpn-keepalive executable path '/usr/bin/ping'
set system task-scheduler task vpn-keepalive executable arguments '-c 1 192.168.1.1'
set system task-scheduler task vpn-keepalive interval '1'
commit
```
Best Practices
1. Crypto Parameters
Recommended:
- IKE: AES-256, SHA-256, DH Group 14+
- ESP: AES-256, SHA-256, PFS Group 14+
- Lifetime: IKE 8h, IPsec 1h
2. NAT Considerations
```
# Always exclude VPN traffic from NAT
set nat source rule 100 exclude
# MSS clamping for TCP over VPN
set firewall interface eth0 in ipv4-adjust-mss '1360'
```
3. Firewall Security
```
# Accept IKE only from the Cisco peer
set firewall ipv4-name WAN_LOCAL rule 10 source address '203.0.113.1'
# Rate limiting for IKE
set firewall ipv4-name WAN_LOCAL rule 10 recent count '10'
set firewall ipv4-name WAN_LOCAL rule 10 recent time 'minute'
```
4. Monitoring
```
# Monitor VPN status (from the VyOS shell; the wrapper runs an op-mode command)
watch -n 5 /opt/vyatta/bin/vyatta-op-cmd-wrapper show vpn ipsec sa
# Log IPsec events
set system syslog global facility all level 'info'
# Alert when the tunnel goes down (custom script; the interval unit is minutes)
set system task-scheduler task check-vpn executable path '/config/scripts/check-vpn.sh'
set system task-scheduler task check-vpn interval '5'
```
5. Redundancy
For production, a redundant VPN is recommended:
```
# Secondary peer (a second Cisco ASA or a second VyOS)
set vpn ipsec site-to-site peer 203.0.113.2 ...
# Adjust the metric for failover
set protocols static route 192.168.1.0/24 next-hop 203.0.113.2 distance '20'
```
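The `/config/scripts/check-vpn.sh` alert script referenced under Monitoring is left to the reader; the following Python is an added example of the decision logic such a script needs, not code from this page or from VyOS. It assumes the tabular output of `show vpn ipsec sa` in VyOS 1.4 (columns Connection, State, Uptime, Bytes In/Out, ...), and the two polls at the bottom are constructed samples:

```python
# Added example (not part of the page): the decision logic for a check-vpn alert script.
# It assumes the tabular 'show vpn ipsec sa' output of VyOS 1.4 (columns Connection, State,
# Uptime, Bytes In/Out, ...); both polls below are constructed samples.
import re

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def parse_sa_table(text):
    """Map each connection to (state, bytes_in, bytes_out); header and separator rows are skipped."""
    sas = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4:
            continue
        m = re.fullmatch(r"([\d.]+)([KMG]?)/([\d.]+)([KMG]?)", cols[3])
        if m:  # only data rows carry a bytes in/out column of this shape
            sas[cols[0]] = (cols[1], int(float(m.group(1)) * UNITS[m.group(2)]),
                            int(float(m.group(3)) * UNITS[m.group(4)]))
    return sas

def tunnel_health(previous, current, expected):
    """Classify each expected connection as 'missing', 'down', 'no-traffic' (up, but bytes in
    did not grow since the previous poll: the 'tunnel UP but no connectivity' symptom) or 'ok'."""
    report = {}
    for name in expected:
        now = current.get(name)
        if now is None:
            report[name] = "missing"
        elif now[0] != "up":
            report[name] = "down"
        elif name in previous and now[1] <= previous[name][1]:
            report[name] = "no-traffic"
        else:
            report[name] = "ok"
    return report

EXPECTED = ["peer-203.0.113.1-tunnel-1"]
HEADER = "Connection                 State    Uptime    Bytes In/Out    Packets In/Out    Remote address\n"
POLL_1 = HEADER + "peer-203.0.113.1-tunnel-1  up       2h15m     3.2K/4.8K       41/52             203.0.113.1\n"
POLL_2 = HEADER + "peer-203.0.113.1-tunnel-1  up       2h20m     3.2K/5.1K       41/57             203.0.113.1\n"

if __name__ == "__main__":
    # Bytes out grew but bytes in did not: packets leave, nothing comes back through the tunnel.
    print(tunnel_health(parse_sa_table(POLL_1), parse_sa_table(POLL_2), EXPECTED))
```

In a real script, save the previous poll to a file between task-scheduler runs and send an alert (syslog, e-mail, webhook) for every connection whose status is not `ok`.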