Here is a template for connecting a SmartNode to a Cisco ASA using an ISAKMP VPN.
The goal of this configuration was to create a secure tunnel (currently only for voice) over the VPN.
Topology:
<SBC> - <Cisco ASA> - =VPN= -<SmartNode>
The network 10.100.1.1/32 is defined as a loopback because it is used only as an interface for voice; a small change (using a /24 and assigning it to the LAN interface) would make this setup also provide secured network connectivity to the LAN.
SmartNode configuration (the explanation follows the important configuration lines as # comments). The network used is 10.100.1.1/24; in this config it is a /32, as it is used only for VoIP:
=======================================================================================================================
profile acl VPNOut
permit 1 ah any any
permit 2 esp any any
permit 3 ip host 10.100.1.1 10.0.0.0 0.0.0.255 ipsec-policy VPN-IKE
permit 4 ip any any
profile acl VPNIn
permit 1 esp any any
permit 2 ah any any
permit 3 ip 10.0.0.0 0.0.0.31 host 10.100.1.1
permit 4 ip any any
profile ipsec-transform AES-256
esp-encryption 3des-cbc 192
esp-authentication hmac-md5-96
# Despite the profile name, this transform uses 3DES/MD5 so that it matches the ASA transform-set (esp-3des esp-md5-hmac) below
key-lifetime-seconds 86400
key-lifetime-kilobyte 4608000
# Using these lifetime values is recommended on a Cisco web page
profile isakmp-transform AES-256
encryption aes-cbc 256
authentication-algorithm md5
key-lifetime-seconds 7200
# Using these lifetime values is recommended on a Cisco web page
profile ipsec-policy-isakmp VPN-IKE
authentication-method pre-shared-key <PRE_SHARED_SECRET>
peer <CISCO_ASA_IP> interface <IP_INTERFACE_ON_SMARTNODE_TO_BE_USED>
# Specifying the local interface can be omitted, but it is recommended in some installations
mode tunnel
diffie-hellman-group group2
protected-network host 10.100.1.1 subnet 10.0.0.0 255.255.255.0 permanent-tunnel
# A protected network is mandatory, as it is verified against the crypto access list
use profile ipsec-transform 1 AES-256
use profile isakmp-transform 1 AES-256
context ip
interface WAN
ipaddress <IP_ADDRESS> <NETMASK>
use profile acl VPNIn in
use profile acl VPNOut out
use profile napt NAPT_WAN
tcp adjust-mss rx mtu
tcp adjust-mss tx mtu
rtp-encryption
# Without enabling RTP encryption, RTP is not transmitted through the tunnel, so there is no audio
interface IF_VPN
ipaddress 10.100.1.1 255.255.255.255
loopback
# Making the interface a loopback ensures it cannot be used from outside
tcp adjust-mss rx mtu
tcp adjust-mss tx mtu
context ip router
source-address-map 10.0.0.0 255.0.0.0 IF_VPN
# This is mandatory. Without it the SmartNode uses the WAN port's IP address as the source of locally generated packets (such as a ping used to test the connection)
context sip-gateway SIP_VPN
interface VVN
bind interface IF_VPN context router port 5060
context sip-gateway SIP_VPN
bind location-service LS_VVN
no shutdown
Cisco ASA Configuration:
=======================================================================================================================
access-list test1 extended permit ip 10.0.0.0 255.255.255.0 host 10.100.1.1
access-list remote_test1 extended permit ip host 10.100.1.1 10.0.0.0 255.255.255.0
crypto isakmp enable outside
crypto isakmp identity address
crypto map outside_map interface outside
crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set peer <IP_ADDRESS_OF_THE_SMARTNODE>
crypto map outside_map 10 set transform-set TestRule
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> type ipsec-l2l
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> general-attributes
default-group-policy l2l_TestRule
tunnel-group <IP_ADDRESS_OF_THE_SMARTNODE> ipsec-attributes
pre-shared-key <PRE_SHARED_KEY>
group-policy l2l_TestRule internal
group-policy l2l_TestRule attributes
vpn-filter value remote_test1
vpn-tunnel-protocol IPSec
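Because the two sides of a site-to-site tunnel are configured on different boxes with different vocabularies, the most common causes of a tunnel that never comes up are a typo in a referenced name, an algorithm that differs between the peers, or protected networks that are not mirror images of each other. The following script is an added example (not part of the template and not produced by either device): it parses the crypto-relevant lines of both configurations above, normalises the vendor spellings, and reports any inconsistency. The two embedded config strings are copied from the template; the ASA string deliberately references a transform-set named `Rule` (instead of `TestRule`) so that the undefined-name check is exercised.

```python
"""Cross-check SmartNode ISAKMP/IPsec settings against the peer Cisco ASA.

Added example: the config strings below are constructed from the template
on this page, with the ASA crypto map pointing at a mistyped transform-set
name to show that check firing.
"""
import ipaddress

SMARTNODE_CFG = """
profile ipsec-transform AES-256
  esp-encryption 3des-cbc 192
  esp-authentication hmac-md5-96
  key-lifetime-seconds 86400
profile isakmp-transform AES-256
  encryption aes-cbc 256
  authentication-algorithm md5
  key-lifetime-seconds 7200
profile ipsec-policy-isakmp VPN-IKE
  diffie-hellman-group group2
  protected-network host 10.100.1.1 subnet 10.0.0.0 255.255.255.0 permanent-tunnel
"""

ASA_CFG = """
access-list test1 extended permit ip 10.0.0.0 255.255.255.0 host 10.100.1.1
crypto ipsec transform-set TestRule esp-3des esp-md5-hmac
crypto map outside_map 10 match address test1
crypto map outside_map 10 set transform-set Rule
crypto isakmp policy 10
 encryption aes-256
 hash md5
 group 2
 lifetime 3600
"""

# Map vendor spellings to one vocabulary so the two sides can be compared.
ENC = {"3des-cbc": "3des", "esp-3des": "3des", "3des": "3des",
       "aes-cbc": "aes", "aes": "aes", "esp-aes": "aes"}
HASH = {"hmac-md5-96": "md5", "esp-md5-hmac": "md5", "md5": "md5",
        "hmac-sha1-96": "sha", "esp-sha-hmac": "sha", "sha": "sha"}
LEGACY = {"3des", "md5", "group2"}  # algorithms that are deprecated today


def parse_smartnode(text):
    p, section = {}, None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "profile":          # "profile <type> <name>" opens a section
            section = t[1]
            continue
        if section == "ipsec-transform":
            if t[0] == "esp-encryption":
                p["ipsec_enc"] = ENC[t[1]]
            elif t[0] == "esp-authentication":
                p["ipsec_hash"] = HASH[t[1]]
        elif section == "isakmp-transform":
            if t[0] == "encryption":
                p["ike_enc"], p["ike_keylen"] = ENC[t[1]], int(t[2])
            elif t[0] == "authentication-algorithm":
                p["ike_hash"] = HASH[t[1]]
            elif t[0] == "key-lifetime-seconds":
                p["ike_lifetime"] = int(t[1])
        elif section == "ipsec-policy-isakmp":
            if t[0] == "diffie-hellman-group":
                p["dh"] = t[1]
            elif t[0] == "protected-network":   # host LOCAL subnet REMOTE MASK
                p["local"] = ipaddress.ip_network(t[2] + "/32")
                p["remote"] = ipaddress.ip_network(f"{t[4]}/{t[5]}")
    return p


def _asa_addr(t, i):
    """Parse an ASA ACL address at token i: 'host X' or 'NET MASK'."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_asa(text):
    p = {"acls": {}, "transform_sets": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            local, i = _asa_addr(t, 5)         # ASA lists its own side first
            remote, _ = _asa_addr(t, i)
            p["acls"][t[1]] = (local, remote)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["transform_sets"][t[3]] = (ENC[t[4]], HASH[t[5]])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            p["map_acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            p["map_ts"] = t[6]
        elif t[0] == "encryption":              # inside "crypto isakmp policy"
            name, _, bits = t[1].partition("-")
            p["ike_enc"] = ENC[name]
            p["ike_keylen"] = int(bits) if bits.isdigit() else None
        elif t[0] == "hash":
            p["ike_hash"] = HASH[t[1]]
        elif t[0] == "group":
            p["dh"] = "group" + t[1]
        elif t[0] == "lifetime":
            p["ike_lifetime"] = int(t[1])
    return p


def check(sn, asa):
    """Return a list of human-readable findings; an empty list means consistent."""
    f = []
    if (sn["ike_enc"], sn["ike_keylen"]) != (asa["ike_enc"], asa["ike_keylen"]):
        f.append("IKE encryption mismatch")
    if sn["ike_hash"] != asa["ike_hash"]:
        f.append("IKE hash mismatch")
    if sn["dh"] != asa["dh"]:
        f.append("IKE DH group mismatch")
    ts = asa["transform_sets"].get(asa.get("map_ts"))
    if ts is None:
        f.append(f"crypto map references undefined transform-set '{asa.get('map_ts')}'")
    elif ts != (sn["ipsec_enc"], sn["ipsec_hash"]):
        f.append("IPsec transform mismatch")
    acl = asa["acls"].get(asa.get("map_acl"))
    if acl is None:
        f.append(f"crypto map references undefined access-list '{asa.get('map_acl')}'")
    elif acl != (sn["remote"], sn["local"]):   # the ASA must see the networks mirrored
        f.append("protected networks are not mirror images")
    if sn["ike_lifetime"] != asa["ike_lifetime"]:
        f.append(f"IKE lifetime differs ({sn['ike_lifetime']}s vs {asa['ike_lifetime']}s);"
                 " IKEv1 peers normally settle on the shorter value")
    for alg in sorted({sn["ipsec_enc"], sn["ipsec_hash"], sn["ike_hash"], sn["dh"]} & LEGACY):
        f.append(f"legacy algorithm in use: {alg}")
    return f


if __name__ == "__main__":
    for finding in check(parse_smartnode(SMARTNODE_CFG), parse_asa(ASA_CFG)):
        print("-", finding)
```

Run as-is it reports the mistyped transform-set name, the differing IKE lifetimes (7200 s on the SmartNode, 3600 s on the ASA) and the 3DES/MD5/group2 choices; the crypto algorithms and the mirrored protected networks pass. Point the two strings at real `show running-config` output to reuse the check on a live pair.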