
Tuesday, November 19, 2024

Site-to-Site IPSec VPN with EasyVPN NEM: Old vs New Router (Post-Cisco IOS 15.9(3)M10)

Cisco IOS 15.9(3)M10 is the release the examples below target, and the question for anyone upgrading a branch router is whether to keep a site-to-site tunnel built on **EasyVPN Network Extension Mode (NEM)** or to rebuild it with IKEv2 on a Virtual Tunnel Interface (VTI). Below is a comparison of the **old router** configuration (EasyVPN NEM) and the **new router** configuration (IKEv2 + VTI on 15.9(3)M10 or later) for this type of VPN:
---
### **Old Router (Pre-IOS 15.9(3)M10)**
1. **EasyVPN NEM Basics**:
   - EasyVPN is Cisco's IKEv1-based hub-and-spoke VPN: the branch router acts as a client, authenticates to the hub with a group name and group key (plus XAUTH user credentials), and accepts the policy the hub pushes down.
   - Network Extension Mode (NEM) keeps the branch LAN addresses routable from the hub side, so the remote site behaves as an extension of the corporate network rather than as a NATed client.
   - Commonly used commands:
     - `crypto ipsec client ezvpn` defines the client.
     - `mode network-extension` selects NEM.
     - The client is applied to the WAN interface with `crypto ipsec client ezvpn <name>` and to the LAN interface with `crypto ipsec client ezvpn <name> inside`.
2. **Configuration Example**:
   crypto ipsec client ezvpn CLIENT
      connect auto
      group GROUP_NAME key GROUP_KEY
      mode network-extension
      peer 203.0.113.1
      xauth userid mode local
      username USERNAME password PASSWORD
   !
   interface GigabitEthernet0/0
      description WAN (outside)
      crypto ipsec client ezvpn CLIENT
   !
   interface GigabitEthernet0/1
      description LAN extended to the hub
      crypto ipsec client ezvpn CLIENT inside
3. **Limitations**:
   - EasyVPN runs over IKEv1 only, so none of the IKEv2 features (EAP authentication, cookie-based protection against negotiation floods, simpler rekeying) are available.
   - The group key is a secret shared by every branch; compromise of one router exposes the credential all branches use, and the XAUTH username and password are stored on the router as a second credential.
   - The cipher suite is dictated by the hub's ISAKMP policy and transform set, and EasyVPN deployments are commonly left on legacy suites (3DES, SHA-1, DH group 2); the branch cannot enforce a stronger suite on its own.
---
### **New Router (Post-IOS 15.9(3)M10)**
1. **What the IKEv2/VTI Design Gives You**:
   - Modern cryptographic suites: AES-256 (CBC or GCM) for encryption, SHA-256 for integrity and PRF, and DH group 14 or higher for key exchange.
   - A route-based tunnel: the IPsec SA protects whatever is routed into the Tunnel interface, so there is no crypto ACL to keep in lockstep with the hub.
   - IKEv2 throughout, which is what current hubs, ASA/FTD firewalls and other vendors' gateways expect.
2. **Configuration Changes**:
   - Replace the `crypto ipsec client ezvpn` block with an IKEv2 proposal, policy, keyring and profile.
   - Terminate the tunnel on a Virtual Tunnel Interface (VTI) protected by an IPsec profile, and route the hub networks into it (static routes or a routing protocol).
   - Authenticate with a per-peer pre-shared key or certificates. IKEv2 has no XAUTH, so the shared group key and the username/password pair go away rather than being "improved".
3. **Configuration Example**:
   crypto ikev2 proposal VPN-PROPOSAL
      encryption aes-gcm-256
      prf sha256
      group 14
   crypto ikev2 policy VPN-POLICY
      proposal VPN-PROPOSAL
   crypto ikev2 keyring VPN-KEYRING
      peer HUB
         address 203.0.113.1
         pre-shared-key PEER_PSK
   crypto ikev2 profile VPN-PROFILE
      match identity remote address 203.0.113.1 255.255.255.255
      authentication remote pre-share
      authentication local pre-share
      keyring local VPN-KEYRING
      dpd 10 3 on-demand
   crypto ipsec transform-set TRANSFORM esp-gcm 256
      mode tunnel
   crypto ipsec profile IPSEC-PROFILE
      set transform-set TRANSFORM
      set ikev2-profile VPN-PROFILE
   interface Tunnel0
      ! 10.255.0.0/30 is a placeholder tunnel subnet; agree it with the hub
      ip address 10.255.0.2 255.255.255.252
      tunnel source GigabitEthernet0/0
      tunnel destination 203.0.113.1
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile IPSEC-PROFILE
   !
   ! Hub networks are reached through the tunnel: add static routes such as
   ! "ip route <hub network> <mask> Tunnel0" or run a routing protocol over Tunnel0.
4. **Benefits**:
   - Modern encryption and hashing negotiated by IKEv2, with per-peer authentication instead of a group key shared by every branch.
   - A routed VTI scales better than EasyVPN NEM: adding networks means adding routes, not touching the tunnel.
   - Interoperability with ASA/FTD, newer Cisco devices and other vendors, all of which speak IKEv2 route-based VPN.
---
**Migration Note**: If you are moving an EasyVPN NEM branch to a router running IOS 15.9(3)M10 or later, redesign it around IKEv2 and a VTI. The hub must offer an IKEv2/VTI termination point first: a hub that only runs the EasyVPN server cannot be reached by the new configuration, so migrate the hub (or run both services on it during cutover) and then convert the branches. Issue a new per-peer pre-shared key for each branch rather than carrying the EasyVPN group key forward.
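As an added example (not from the post and not a Cisco tool), the following Python script does the mechanical part of that migration: it parses the EasyVPN client block from a branch router's running configuration and emits the IKEv2/VTI equivalent. The object names (VPN-PROPOSAL, VPN-KEYRING, IPSEC-PROFILE, Tunnel0), the AES-GCM/SHA-256/group 14 suite and the 10.255.0.0/30 tunnel addressing are assumptions, and the sample configuration is constructed. It refuses to reuse the EasyVPN group key as the IKEv2 pre-shared key, because that key was shared by every branch.

```python
"""Translate a Cisco IOS EasyVPN NEM client block into an IKEv2 + VTI
site-to-site configuration. Added example, not Cisco code: object names,
cipher suite and the 10.255.0.0/30 tunnel addressing are assumptions."""
import ipaddress
import re

# Constructed sample of the old-style branch configuration.
SAMPLE_EZVPN = """\
crypto ipsec client ezvpn CLIENT
 connect auto
 group GROUP_NAME key GROUP_KEY
 mode network-extension
 peer 203.0.113.1
 xauth userid mode local
 username USERNAME password PASSWORD
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto ipsec client ezvpn CLIENT
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 crypto ipsec client ezvpn CLIENT inside
"""

# A top-level block is its header line plus every following indented line.
BLOCK_RE = re.compile(r"^(crypto ipsec client ezvpn|interface) (\S+)\n((?: .*\n)*)", re.M)


def parse_ezvpn(config: str) -> dict:
    """Extract what the IKEv2 design needs: hub peer, group key, WAN and LAN interfaces."""
    blocks = BLOCK_RE.findall(config)
    client = {"inside": None, "outside": None, "inside_net": None}
    for kind, name, body in blocks:
        if kind == "interface":
            continue
        peer = re.search(r"^ peer (\S+)$", body, re.M)
        group = re.search(r"^ group (\S+) key (\S+)$", body, re.M)
        if not (peer and group):
            raise ValueError(f"ezvpn client {name} lacks a peer or group key")
        client.update(name=name, peer=peer[1], group_key=group[2],
                      nem=bool(re.search(r"^ mode network-extension$", body, re.M)))
    if "name" not in client:
        raise ValueError("no 'crypto ipsec client ezvpn' block found")
    for kind, name, body in blocks:
        if kind != "interface":
            continue
        ref = re.search(rf"^ crypto ipsec client ezvpn {re.escape(client['name'])}( inside)?$", body, re.M)
        if not ref:
            continue
        side = "inside" if ref[1] else "outside"
        client[side] = name
        addr = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)
        if side == "inside" and addr:
            client["inside_net"] = str(ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network)
    if not client["outside"]:
        raise ValueError("no interface carries the ezvpn client")
    return client


def render_ikev2(client: dict, peer_psk: str, tunnel_local: str) -> str:
    """Emit the IKEv2/VTI replacement. The EasyVPN group key was shared by
    every branch, so it is never carried forward: an IKEv2 PSK is per peer."""
    if peer_psk == client["group_key"]:
        raise ValueError("refusing to reuse the EasyVPN group key as the IKEv2 pre-shared key")
    peer, name = client["peer"], client["name"]
    lines = [
        "crypto ikev2 proposal VPN-PROPOSAL", " encryption aes-gcm-256", " prf sha256", " group 14",
        "crypto ikev2 policy VPN-POLICY", " proposal VPN-PROPOSAL",
        "crypto ikev2 keyring VPN-KEYRING", " peer HUB", f"  address {peer}",
        f"  pre-shared-key {peer_psk}",
        "crypto ikev2 profile VPN-PROFILE",
        f" match identity remote address {peer} 255.255.255.255",
        " authentication remote pre-share", " authentication local pre-share",
        " keyring local VPN-KEYRING", " dpd 10 3 on-demand",
        "crypto ipsec transform-set TRANSFORM esp-gcm 256", " mode tunnel",
        "crypto ipsec profile IPSEC-PROFILE", " set transform-set TRANSFORM",
        " set ikev2-profile VPN-PROFILE",
        "interface Tunnel0", f" ip address {tunnel_local} 255.255.255.252",
        f" tunnel source {client['outside']}", f" tunnel destination {peer}",
        " tunnel mode ipsec ipv4", " tunnel protection ipsec profile IPSEC-PROFILE",
        # Unbind and delete the EasyVPN client so it cannot fight the VTI for the WAN interface.
        f"interface {client['outside']}", f" no crypto ipsec client ezvpn {name}",
    ]
    if client["inside"]:
        lines += [f"interface {client['inside']}", f" no crypto ipsec client ezvpn {name} inside"]
    lines += [
        f"no crypto ipsec client ezvpn {name}",
        # NEM advertised the branch LAN implicitly; with a VTI both ends need routes.
        f"! hub must route {client['inside_net'] or '<branch LAN>'} toward {tunnel_local}",
        "! ip route <hub network> <mask> Tunnel0   (or run a routing protocol over Tunnel0)",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ikev2(parse_ezvpn(SAMPLE_EZVPN), "per-branch-secret-1", "10.255.0.2"))
```

Run it against the real `show running-config` output instead of `SAMPLE_EZVPN` and review the emitted block before pasting it: the script cannot know the hub's tunnel addressing or which networks live behind the hub, which is why those two lines are emitted as `!` comments.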

Monday, November 18, 2024

Site-to-Site IPSec VPN Hairpinning Between Cisco IOS and ASA Made Simple

Establishing secure communication between two sites with a Site-to-Site IPsec VPN is a routine requirement. When a Cisco IOS router terminates its tunnel on an ASA firewall, the configuration depends on the ASA software version: ASA 9.7(1) introduced route-based VPN on Virtual Tunnel Interfaces (VTIs), which changes how hairpinned VPN traffic is handled.

This post walks through the old way (crypto maps, pre-ASA 9.7) and the new way (VTIs, ASA 9.7 and later) to configure a Site-to-Site IPsec VPN between an IOS router and an ASA with hairpinning.

---

### **What is VPN Hairpinning?**
VPN hairpinning (Cisco also calls it intra-interface or "VPN on a stick" traffic) is VPN traffic that enters and leaves the ASA through the same interface. The usual case is a remote site whose tunnel terminates on the ASA's outside interface and whose traffic must be forwarded into a second tunnel that also terminates on outside: the packets are decrypted, re-encrypted, and sent back out the interface they arrived on.

---

### **Pre-ASA 9.7 (Old Way)**

Before ASA 9.7, site-to-site tunnels were crypto-map based: a crypto ACL selected the interesting traffic, and hairpinning needed several explicit steps. Here is how it was typically handled:

#### **1. Enable Intra-Interface Traffic**
The ASA drops a packet that would leave through the interface it arrived on unless intra-interface traffic is permitted, so hairpinning required `same-security-traffic permit intra-interface`:

ciscoasa(config)# same-security-traffic permit intra-interface


#### **2. Define Crypto ACLs**
The crypto ACLs on the IOS router and the ASA select the traffic that is sent into the tunnel. They must be exact mirror images of each other (every source/destination pair on one side appears reversed on the other); a mismatch is the most common reason an IKEv1 tunnel negotiates but passes no traffic, or fails Phase 2 with a proxy-identity error. Note the two syntaxes: IOS uses wildcard masks (`0.0.0.255`), the ASA uses subnet masks (`255.255.255.0`).

**ASA Configuration** (192.168.1.0/24 is behind the ASA, 192.168.2.0/24 behind the router):

access-list CRYPTO_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0


**IOS Router Configuration** (the mirror image of the ASA entry):

ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255


#### **3. Configure NAT Exemption**
The ASA would otherwise apply its outbound NAT (typically a PAT to the outside address) to traffic heading for the tunnel, and the translated source would no longer match the crypto ACL. An identity (twice) NAT rule therefore exempted the VPN traffic. `obj-192.168.1.0` and `obj-192.168.2.0` are `object network` definitions for the two subnets; `route-lookup` makes the ASA choose the egress interface from the routing table rather than from the NAT rule. For traffic hairpinned between two remote sites the same rule is written with `(outside,outside)`.

**ASA Configuration:**

nat (inside,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp route-lookup


#### **4. Configure Tunnel Groups and Group Policies**
The tunnel group holds the IKEv1 pre-shared key for the peer. On its own it does nothing: a crypto map entry binds it to the peer by referencing `CRYPTO_ACL` (`match address`), setting the peer (`set peer 203.0.113.1`) and an IKEv1 transform set, and the map is applied to the outside interface with `crypto map <name> interface outside`; `crypto ikev1 enable outside` must also be present. (Releases before 8.4 use `pre-shared-key` without the `ikev1` keyword.)

**ASA Configuration:**

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key mysecurekey


#### **5. Enable Hairpinning Rules**
With the default `sysopt connection permit-vpn`, decrypted VPN traffic bypasses the interface ACLs and no extra rule is needed. Where that bypass has been disabled (`no sysopt connection permit-vpn`, common when VPN traffic is meant to be filtered), the outside interface ACL must permit the hairpinned flows; in this example both subnets arrive on outside after decryption, so the reverse entry (192.168.2.0/24 to 192.168.1.0/24) is needed as well:

access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-group OUTSIDE_IN in interface outside

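The mirror-image requirement in step 2 is easy to get wrong by hand, especially with the wildcard-versus-subnet-mask difference. The following Python checker is an added example (not from the post, not a Cisco tool): it normalises an IOS extended ACL and an ASA ACL to network objects and reports every entry that has no mirror on the other side. The ACL names and entries are constructed; the second ASA entry carries a deliberately wrong mask. Only the `permit ip <net> <mask> <net> <mask>` form used on this page is parsed.

```python
"""Check that an IOS router's crypto ACL and an ASA's crypto ACL are exact
mirror images, as an IKEv1 crypto-map tunnel requires. Added example, not
Cisco code; the ACL names and entries below are constructed, and only the
'permit ip <net> <mask> <net> <mask>' form used on this page is parsed."""
import ipaddress
import re

# Constructed: the router's LAN is 192.168.2.0/24; 192.168.1.0/24 and
# 192.168.3.0/24 sit behind the ASA. The second ASA entry has a wrong mask,
# so the router's second entry has no mirror on the ASA (and vice versa).
IOS_ACL = """\
ip access-list extended VPN_ACL
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
ASA_ACL = """\
access-list CRYPTO_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CRYPTO_ACL extended permit ip 192.168.3.0 255.255.255.128 192.168.2.0 255.255.255.0
"""


def to_network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """IOS ACLs use wildcard masks (0.0.0.255); the ASA uses subnet masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    # A non-contiguous wildcard cannot be a crypto selector; ip_network rejects it.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ios_acl(text: str, name: str) -> set:
    """Return {(src_net, dst_net)} for the named IOS extended ACL."""
    block = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n)*)", text, re.M)
    if not block:
        raise ValueError(f"IOS ACL {name} not found")
    return {(to_network(m[1], m[2], True), to_network(m[3], m[4], True))
            for m in re.finditer(r"^ permit ip (\S+) (\S+) (\S+) (\S+)$", block[1], re.M)}


def parse_asa_acl(text: str, name: str) -> set:
    """Return {(src_net, dst_net)} for the named ASA ACL."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    return {(to_network(m[1], m[2], False), to_network(m[3], m[4], False))
            for m in re.finditer(pat, text, re.M)}


def mirror_check(ios_aces: set, asa_aces: set) -> dict:
    """Entries lacking a mirror image on the other side, each in its own side's orientation."""
    asa_mirrored = {(dst, src) for src, dst in asa_aces}
    return {
        "only_on_ios": ios_aces - asa_mirrored,
        "only_on_asa": {(dst, src) for src, dst in asa_mirrored - ios_aces},
    }


if __name__ == "__main__":
    result = mirror_check(parse_ios_acl(IOS_ACL, "VPN_ACL"), parse_asa_acl(ASA_ACL, "CRYPTO_ACL"))
    for side, aces in result.items():
        for src, dst in sorted(aces, key=str):
            print(f"{side}: {src} -> {dst}")
```

Feed it the output of `show running-config access-list` from each box; an empty result on both sides means the proxy identities will agree in Phase 2.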

---

### **Post-ASA 9.7 (New Way)**

Starting with ASA 9.7(1), the ASA supports route-based VPN on Virtual Tunnel Interfaces (VTIs) alongside the crypto-map (policy-based) method, which remains available. A VTI is a real ASA interface with its own `nameif`: whatever the routing table sends into it is encrypted, so there is no crypto ACL to mirror, and traffic arriving from one tunnel can be routed into another like any other inter-interface flow.

#### **1. VTI-Based Configuration**

In the new method a Tunnel interface protected by an IPsec profile replaces the crypto map, so no ACL-based crypto map is needed. The ASA still needs `crypto ikev2 enable outside`, an IKEv2 policy, and a `tunnel-group 203.0.113.1 type ipsec-l2l` carrying the IKEv2 pre-shared keys (`ikev2 local-authentication pre-shared-key` and `ikev2 remote-authentication pre-shared-key` under `ipsec-attributes`). In this example the ASA's outside address is 198.51.100.1 and the router's WAN address is 203.0.113.1.

**ASA Configuration:**

crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec profile VPN_PROFILE
 set ikev2 ipsec-proposal AES-GCM
interface Tunnel1
 nameif VPN_TUNNEL
 ip address 192.168.10.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE


**IOS Router Configuration** (`VPN_PROFILE` here is an IOS `crypto ipsec profile` bound to an IKEv2 profile, built as in the previous post):

interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
!
ip route 192.168.1.0 255.255.255.0 Tunnel0


#### **2. NAT with VTIs**

NAT is not switched off by a VTI; it is simply no longer in the way. Traffic for the remote site now leaves through the `VPN_TUNNEL` interface, so a dynamic PAT written as `(inside,outside)` does not match it and no exemption rule is required. A NAT rule written against `any` interfaces, or an `(inside,VPN_TUNNEL)` rule, still applies; confirm with `packet-tracer input inside tcp 192.168.1.10 1025 192.168.2.10 443` before declaring the tunnel clean.

#### **3. Hairpinning with Route-Based VPN**
With VTIs, hairpinning is a routing decision: each tunnel is its own interface, so forwarding traffic from one tunnel into another is ordinary inter-interface forwarding rather than a special case. Two things still have to be right. If both VTIs carry the same security level, `same-security-traffic permit inter-interface` is required, and an access-group applied to a tunnel `nameif` is enforced on the decrypted traffic, so do not rely on the crypto-map-era `sysopt connection permit-vpn` bypass. The route for the remote LAN must point out the tunnel interface, not `inside`:

**ASA Configuration:**

route VPN_TUNNEL 192.168.2.0 255.255.255.0 192.168.10.2

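The two snippets above have to agree with each other in three places that the ASA will not warn about: each side's tunnel destination must be the other side's source, the tunnel addresses must share a subnet, and the ASA route for the remote LAN must leave via the tunnel's `nameif`. The following Python checker is an added example (not from the post, not a Cisco tool) that verifies those three points; the two configuration snippets are constructed with the addressing used above, and the ASA route deliberately repeats the common mistake of pointing at `inside`.

```python
"""Cross-check the two ends of an ASA <-> IOS VTI tunnel and the ASA route
that feeds the remote LAN into it. Added example, not Cisco code; the two
snippets are constructed, and the ASA route below is deliberately wrong."""
import ipaddress
import re

ASA_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.248
interface Tunnel1
 nameif VPN_TUNNEL
 ip address 192.168.10.1 255.255.255.0
 tunnel source interface outside
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
route inside 192.168.2.0 255.255.255.0 192.168.10.2
"""
IOS_CFG = """\
interface Tunnel0
 ip address 192.168.10.2 255.255.255.0
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
"""

FIELDS = {  # sub-command -> regex; 'ip' keeps both address and mask
    "nameif": r"nameif (\S+)",
    "ip": r"ip address (\S+) (\S+)",
    "src_if": r"tunnel source interface (\S+)",  # ASA form
    "src": r"tunnel source (\d\S*)",             # IOS form, a literal address
    "dst": r"tunnel destination (\S+)",
}


def parse_interfaces(cfg: str) -> dict:
    """Map interface name -> parsed sub-commands for every 'interface' block."""
    ifaces = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M):
        entry = {"name": name}
        for key, pat in FIELDS.items():
            m = re.search(rf"^ {pat}$", body, re.M)
            if m and key == "ip":
                entry[key] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif m:
                entry[key] = m[1]
        ifaces[name] = entry
    return ifaces


def tunnel_of(ifaces: dict) -> dict:
    """Return the Tunnel interface, resolving 'tunnel source interface X' to X's address."""
    by_nameif = {e["nameif"]: e for e in ifaces.values() if "nameif" in e}
    for entry in ifaces.values():
        if entry["name"].lower().startswith("tunnel"):
            if "src_if" in entry:
                entry["src"] = str(by_nameif[entry["src_if"]]["ip"].ip)
            return entry
    raise ValueError("no Tunnel interface found")


def check_vti(asa_cfg: str, ios_cfg: str) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    asa, ios = tunnel_of(parse_interfaces(asa_cfg)), tunnel_of(parse_interfaces(ios_cfg))
    problems = []
    # Each side's tunnel destination must be the other side's tunnel source.
    if asa["src"] != ios["dst"] or ios["src"] != asa["dst"]:
        problems.append("tunnel endpoints do not cross-match")
    # The two tunnel addresses must share a subnet or the next hop is unreachable.
    if asa["ip"].network != ios["ip"].network:
        problems.append("tunnel addresses are not in the same subnet")
    # A route whose next hop is the peer's tunnel IP must leave via the tunnel nameif.
    for ifname, net, mask, nh in re.findall(r"^route (\S+) (\S+) (\S+) (\S+)$", asa_cfg, re.M):
        if ipaddress.ip_address(nh) == ios["ip"].ip and ifname != asa["nameif"]:
            problems.append(f"route for {net} points at '{ifname}', not tunnel nameif '{asa['nameif']}'")
    return problems


if __name__ == "__main__":
    for problem in check_vti(ASA_CFG, IOS_CFG) or ["no problems found"]:
        print(problem)
```

Against the constructed snippets it reports only the misdirected route; fixing the route to `route VPN_TUNNEL ...` makes the check come back clean, and changing either tunnel source or destination produces the cross-match warning.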

---

### **Key Advantages of the New Way**

- **Simplified Configuration**: VTIs remove the crypto map and the mirrored crypto ACLs; the interesting traffic is whatever the routing table sends into the tunnel.
- **Dynamic Routing Support**: OSPF or BGP can run across the VTI, so new networks on either side are learned instead of being added to an ACL on both ends.
- **Hairpinning as Routing**: traffic between tunnels is ordinary inter-interface forwarding, subject to the usual routes and interface ACLs; NAT is normally not triggered because the tunnel is a separate interface, though existing NAT rules still apply where they match.
- **Scalability**: one interface per peer with a routing protocol on top scales to many sites better than per-peer crypto ACLs.

---



### **Conclusion**

The introduction of VTIs in ASA 9.7 marked a significant improvement in how Site-to-Site IPSec VPNs are configured and managed. By transitioning from the older crypto map method to the newer VTI-based approach, Cisco has simplified the process, making it more efficient and scalable while reducing configuration errors. For network engineers, embracing the new method ensures smoother deployments and easier management, especially in scenarios requiring advanced features like hairpinning. 

If you're still using the old method, now is the time to upgrade and experience the benefits of VTIs!
