Saturday, November 16, 2024

Evolution of Site-to-Site IPSec VPN Using PKI: From Pre-ASA 9.7 to Modern Configurations

In networking, secure communication between two sites often relies on IPSec VPNs. Traditionally, pre-shared keys (PSKs) have been the go-to for authentication. However, PKI (Public Key Infrastructure) offers a more scalable and secure approach, especially for large environments. This blog explores how to configure site-to-site IPSec VPNs using PKI between Cisco IOS routers and ASA firewalls, comparing the old approach (pre-ASA 9.7) to the new and improved methods post-ASA 9.7.

---

### **Understanding the Basics: Why PKI?**

PKI eliminates the need to manage and exchange static pre-shared keys manually. Instead, certificates issued by a trusted Certificate Authority (CA) authenticate devices. This not only enhances security but also simplifies the management of large-scale VPN deployments.  

---

### **Old Way (Pre-ASA 9.7)**

Before ASA 9.7, configuring a PKI-based site-to-site VPN was functional but cumbersome. Some limitations included:  
- **Rigid Crypto Map Structure:** Crypto maps were tied to specific interfaces, which lacked flexibility.
- **Manual Certificate Handling:** Limited integration with automated certificate renewal.
- **Complicated Configuration Syntax:** The process was error-prone due to its verbosity.  

#### **Steps to Configure the VPN (Old Way)**

1. **Set Up PKI on Both Devices:**
   - Define the trustpoints and enroll with the CA on both the IOS router and ASA.  
   - Example (ASA):

     ```
     ! ASA syntax: define the trustpoint, authenticate the CA, then enroll
     crypto ca trustpoint MyCA
        enrollment url http://CA-Server
        subject-name CN=ASA
        crl configure
     crypto ca authenticate MyCA
     crypto ca enroll MyCA
     ```

2. **Define Crypto Maps (ASA):**  
   - Static crypto maps were configured with the specific ACL, peer address, and transform set.  

     ```
     ! ASA syntax (IKEv1 static crypto map); the map is only active once it is
     ! bound to an interface with "crypto map <name> interface <ifname>"
     crypto map outside_map 10 match address VPN_ACL
     crypto map outside_map 10 set peer 203.0.113.1
     crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
     ```

3. **Match on the IOS Router:**  
   - Configure ISAKMP policy and crypto map similar to the ASA.

4. **Tunnel Verification:**  
   - Manual certificate inspection and CRL (Certificate Revocation List) checks were often required.

**Challenges:**  
- Static configurations lacked adaptability.  
- Troubleshooting issues like certificate revocation or renewals required additional effort.  

---

### **New Way (Post-ASA 9.7)**

Cisco ASA 9.7 introduced major improvements with support for **IKEv2 FlexVPN** and overhauled certificate handling. These enhancements streamlined VPN configuration, making it more intuitive and robust.

#### **Key Improvements:**
1. **Support for IKEv2:**
   - IKEv2 simplifies negotiation and offers better performance.
   - Dynamic configuration via Virtual Tunnel Interfaces (VTIs).  

2. **Simplified Certificate Management:**
   - Integration with SCEP (Simple Certificate Enrollment Protocol) for automatic enrollment and renewal.
   - Enhanced CRL handling.

3. **Route-Based VPNs:**  
   - VTIs replaced static crypto maps, enabling dynamic routing over VPNs.  

#### **Steps to Configure the VPN (New Way)**

1. **Set Up PKI:**
   - Similar to the old way, define trustpoints, but now SCEP automates enrollment.

     ```
     ! ASA syntax: the enrollment URL now points at the CA's SCEP endpoint, and the
     ! fqdn becomes the certificate identity the peer will match on
     crypto ca trustpoint MyCA
        enrollment url http://CA-Server/scep
        fqdn asa.example.com
        subject-name CN=ASA
     crypto ca authenticate MyCA
     crypto ca enroll MyCA
     ```

2. **Define IKEv2 Policies:**
   - Modern ASAs default to IKEv2.

     ```
     ! ASA syntax; prf and lifetime take their defaults when not specified
     crypto ikev2 policy 1
        encryption aes-256
        integrity sha256
        group 14
     ```

3. **Configure VTIs on Both Devices:**
   - Replace crypto maps with VTIs for simplicity and flexibility.

     ```
     ! IOS router syntax (on the ASA the source is given as "tunnel source interface outside").
     ! The interface also needs "tunnel protection ipsec profile <name>" so that
     ! traffic entering Tunnel0 is actually encrypted.
     interface Tunnel0
        ip address 192.168.10.1 255.255.255.252
        tunnel source GigabitEthernet0/0
        tunnel mode ipsec ipv4
        tunnel destination 203.0.113.2
     ```

4. **Define IKEv2 Profiles and Policies:**
   - Simplify VPN negotiation with profiles.  

     ```
     ! IOS router syntax. The remote identity must equal the FQDN the peer
     ! enrolled with (its trustpoint "fqdn"); otherwise authentication fails.
     crypto ikev2 profile IKEv2-Profile
        match identity remote fqdn router.example.com
        authentication remote rsa-sig
        authentication local rsa-sig
        pki trustpoint MyCA
     ```

5. **Route VPN Traffic Dynamically:**
   - Leverage routing protocols over VTIs.
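
As an added example that is not part of the original post, here is a small Python check for the two mismatches that most often break a certificate-authenticated IKEv2 tunnel built from configs like the ones above: the FQDN one peer's IKEv2 profile expects versus the FQDN the other peer actually enrolled with, and DH-group overlap between the router's proposal and the ASA's policy. The sample configs are constructed, and the IOS `crypto ikev2 proposal` block is an assumption about the router side, which the post does not show.

```python
# Constructed sample configs (not captured from real devices). The ASA side
# mirrors the post's snippets; the router side uses IOS FlexVPN syntax.
ASA_CFG = """crypto ca trustpoint MyCA
   fqdn asa.example.com
crypto ikev2 policy 1
   group 14
"""
ROUTER_CFG = """crypto pki trustpoint MyCA
   fqdn router.example.com
crypto ikev2 proposal P1
   group 14 19
crypto ikev2 profile IKEv2-Profile
   match identity remote fqdn router.example.com
   pki trustpoint MyCA
"""

def parse_blocks(cfg):
    """Map each top-level config line to its indented child lines."""
    blocks, head = {}, None
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            head = line.strip()
            blocks[head] = []
        elif head is not None:
            blocks[head].append(line.strip())
    return blocks

def child_value(blocks, head_prefix, key):
    """Text after `key` in the first block whose heading starts with head_prefix."""
    for head, lines in blocks.items():
        if head.startswith(head_prefix):
            for ln in lines:
                if ln.startswith(key + " "):
                    return ln[len(key) + 1:].strip()
    return None

def identity_check(local_cfg, peer_cfg):
    """(expected, enrolled): FQDN the local profile matches vs the peer's enrolled FQDN."""
    local, peer = parse_blocks(local_cfg), parse_blocks(peer_cfg)
    expected = child_value(local, "crypto ikev2 profile", "match identity remote fqdn")
    enrolled = (child_value(peer, "crypto ca trustpoint", "fqdn")
                or child_value(peer, "crypto pki trustpoint", "fqdn"))
    return expected, enrolled

def common_dh_groups(local_cfg, peer_cfg):
    """DH groups both peers offer; an empty set means IKE_SA_INIT cannot complete."""
    mine = child_value(parse_blocks(local_cfg), "crypto ikev2 proposal", "group") or ""
    theirs = child_value(parse_blocks(peer_cfg), "crypto ikev2 policy", "group") or ""
    return set(mine.split()) & set(theirs.split())
```

Run against `show running-config` output from each device: a tuple whose two values differ means the profile will reject the peer's certificate identity even though the certificate itself is valid.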

**Benefits:**  
- **Scalability:** Adding new sites is easier with dynamic configurations.  
- **Efficiency:** Automated certificate handling saves time.  
- **Flexibility:** VTIs allow dynamic routing and multipoint connectivity.  

---

### **Conclusion**

The evolution from pre-ASA 9.7 configurations to the modern IKEv2-based approach has significantly simplified PKI-based IPSec VPNs. With Cisco's new tools and methods, organizations can deploy scalable, secure, and manageable site-to-site VPNs with confidence.  

By adopting these best practices, you can future-proof your VPN infrastructure while ensuring top-notch security and performance.  

**Which configuration method do you prefer? Let us know in the comments!**
