
Configuring IPSec Tunnels Between ASAs and Ubiquiti USGs

January 3, 2018 (updated September 16th, 2020). Categories: Blog, Cisco
[Screenshot: IPSec tunnel configuration]

Description:

This document describes the process of creating an IPsec site-to-site tunnel between a Ubiquiti USG and a Cisco ASA, with the USG side configured through an on-premises Unifi controller.

Unifi Configuration:

This setup was done bare-bones: the Unifi controller, USG and switch were reset to default configuration and then only the single Corp network was added.

    1. Go into ‘Settings’ -> ‘Create New Network’ on the Unifi controller.
    2. Select ‘Create New Network’, which will bring you to a settings screen. Specify the following general parameters:
      1. Name: Descriptive name for the network
      2. Purpose: Site-to-Site VPN
      3. Enabled: Enable this Site-to-Site VPN
      4. Remote Subnets: Private subnet of the far end (this becomes the remote half of the crypto ACL, so it must mirror the encrypt ACL on the ASA)
      5. Peer IP: External gateway IP of the far end (the ASA's public address)
      6. Local WAN IP: External IP of the USG
      7. IPSec Profile: Customized
    3. Now expand Advanced Options and select your IPsec options. I used the following:
      1. Key Exchange: IKEv1
      2. Encryption: AES-256
      3. Hash: SHA1
      4. DH Group: 1
      5. No PFS
      6. No Dynamic routing

Whatever you pick here has to match the ASA's IKEv1 policy and transform set exactly, or phase 1 never completes. Treat the values above as the minimum that negotiates rather than a recommendation: DH group 1 is 768-bit MODP, SHA1 and no PFS are weak by current standards, and where both ends support it you should choose DH group 14 or higher, enable PFS, and prefer IKEv2.

ASA Configuration:

ASA configuration is a bit more complex. Specific IPs have been changed: ‘x.x.x.x’ indicates the far-end internal network (behind the USG), ‘y.y.y.y’ the near-end private network (behind the ASA), and ‘z.z.z.z’ the public IP of the USG. Each network-object line below takes the network address followed by its subnet mask.

  1. For NAT, this deployment takes all RFC 1918 space to any interface and exempts it from translation (identity NAT, commonly called NAT0), so VPN traffic leaves with its real private addresses. Without breaking down the object groups, here is the general rule:
    nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918 no-proxy-arp
    
    Be aware that a rule this broad exempts every private-to-private flow through the ASA, not just this tunnel; a per-VPN exemption with source PEI-NETWORK and destination MF-NETWORK is the tighter choice.
  2. Create an object group for the far-end internal network (the network behind the USG):
    object-group network MF-NETWORK
    network-object x.x.x.x x.x.x.x
    
  3. If necessary, create an object group for your own internal network (the network behind the ASA):
    object-group network PEI-NETWORK
    network-object y.y.y.y y.y.y.y
    
    
  4. Create your encrypt ACL, allowing traffic from the ASA's internal network to the Ubiquiti internal network. The ACL is written from the ASA's point of view (local source, remote destination) and must be the mirror image of the Remote Subnets entered on the USG:
    access-list PEI-2-MF extended permit ip object-group PEI-NETWORK object-group MF-NETWORK
    
  5. Set up the crypto map entry: match the encrypt ACL created in step 4, set the peer address to the USG's external IP, and select a transform set that matches the phase 2 settings on the USG (AES-256 with SHA1 here). The transform set must already be defined, and the crypto map must be applied to the outside interface for the entry to take effect:
    crypto map VPN-MAP 30 match address PEI-2-MF
    crypto map VPN-MAP 30 set peer z.z.z.z
    crypto map VPN-MAP 30 set ikev1 transform-set ESP-AES-256-SHA
    
  6. Now set up the tunnel-group configuration with the same pre-shared key you specified on the USG. (Note: for the name, use the peer IP; the ASA selects the tunnel-group for a site-to-site peer by its address.) The PSK is the only thing authenticating the peer, so use a long random value rather than a memorable phrase.
    tunnel-group z.z.z.z type ipsec-l2l
    tunnel-group z.z.z.z ipsec-attributes
    ikev1 pre-shared-key *******
    
  7. Now clear any existing IKE security associations so that the next interesting packet renegotiates with the new settings. Note that this tears down live tunnels to every peer on the ASA, so use it with care:
    clear crypto isakmp sa
    
  8. Finally, generate interesting traffic (anything matching the encrypt ACL) from a desktop behind the ASA and then check the ASA to make sure the tunnel came up. A state of MM_ACTIVE means phase 1 completed in main mode:
    pei-hq-vpn01# sh crypto isakmp sa | b z.z.z.z
    15  IKE Peer: z.z.z.z
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    
    There are no IKEv2 SAs
    
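The steps above show the object groups, crypto map and tunnel-group but not the pieces they depend on: the IKEv1 policy, the definition of the ESP-AES-256-SHA transform set, enabling IKEv1 on the interface and binding the crypto map to it. Without those the tunnel never negotiates. The following is an added, complete ASA-side configuration written for this article, not the author's running config. It assumes ASA 9.x syntax, interfaces named inside and outside, and constructed sample addresses (10.10.10.0/24 behind the ASA, 192.168.20.0/24 behind the USG, USG public IP 203.0.113.10). It keeps the phase 1 parameters the post uses so the two ends match, places the tighter per-VPN NAT exemption next to the blanket RFC 1918 rule, and carries the stronger alternatives as commented lines.

```cisco
! Added example config (not from the original post). Addresses are constructed:
!   10.10.10.0/24    = near-end network behind the ASA   (y.y.y.y in the post)
!   192.168.20.0/24  = far-end network behind the USG    (x.x.x.x in the post)
!   203.0.113.10     = public IP of the USG              (z.z.z.z in the post)
! Interface names "inside" and "outside" are assumed.

! 1. Phase 1 (IKEv1). Must match the USG profile: AES-256 / SHA1 / DH group 1 / PSK.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 86400
! Stronger alternative (assumption: your ASA release offers DH group 14 for IKEv1;
! older code only has groups 1, 2 and 5, in which case move both ends to IKEv2).
! Change the USG profile to the same group before applying:
!  group 14

! 2. Phase 2 transform set referenced by the crypto map (the post assumes it exists)
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! 3. Object groups: near end (ASA side) and far end (USG side)
object-group network PEI-NETWORK
 network-object 10.10.10.0 255.255.255.0
object-group network MF-NETWORK
 network-object 192.168.20.0 255.255.255.0

! 4. NAT exemption for the VPN traffic only. This replaces the post's blanket
!    "nat (any,any) source static RFC1918 RFC1918 destination static RFC1918 RFC1918",
!    which also exempts every other private-to-private flow through the firewall.
nat (inside,outside) source static PEI-NETWORK PEI-NETWORK destination static MF-NETWORK MF-NETWORK no-proxy-arp route-lookup

! 5. Crypto ACL: local network -> remote network, from the ASA's point of view.
!    The USG's "Remote Subnets" entry must be the mirror image (10.10.10.0/24).
access-list PEI-2-MF extended permit ip object-group PEI-NETWORK object-group MF-NETWORK

! 6. Crypto map entry, bound to the outside interface
crypto map VPN-MAP 30 match address PEI-2-MF
crypto map VPN-MAP 30 set peer 203.0.113.10
crypto map VPN-MAP 30 set ikev1 transform-set ESP-AES-256-SHA
! Optional PFS (the post uses none). Enable the same group on the USG if you turn
! it on; group14 here is release-dependent, older code offers group1/2/5 only:
!  crypto map VPN-MAP 30 set pfs group14
crypto map VPN-MAP interface outside

! 7. Tunnel group keyed by the peer IP, with the pre-shared key entered on the USG.
!    Use a long random key; the PSK is the only thing authenticating the peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <same-key-as-on-the-USG>
```

After applying this, clear any old IKE SAs, send traffic from a host in 10.10.10.0/24 to 192.168.20.0/24, and confirm with `show crypto ikev1 sa` (state MM_ACTIVE) and `show crypto ipsec sa peer 203.0.113.10` (the encaps and decaps packet counters should both increase; one side at zero points to a NAT or ACL mismatch on that end). `packet-tracer input inside icmp 10.10.10.5 8 0 192.168.20.5` walks a packet through the NAT exemption and crypto map phases and is the quickest way to find such a mismatch before involving the USG side.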

And we are done!

Max Fuller, PEI
