VPN site-to-site ASA-AWS

rponte — Tue, 12 Mar 2019 12:20:59 GMT

Hello Folks,

I am trying to do a VPN connection between my asa and AWS VPC and it is not working. Could you please check it and help me ?

There you have my configuration:

Publics IPs changed:

crypto ikev1 policy 9
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800

object-group network DST_VPN_L2L_AWS-ACID_Labs_stagging
network-object 171.0.10.0 255.255.255.0
network-object 171.0.11.0 255.255.255.0

object-group network SRC_VPN_L2L_AWS-ACID_Labs_stagging
network-object host 10.1.3.16
network-object host 10.1.3.23
network-object host 10.1.3.58
network-object host 10.1.3.55
network-object host 10.1.3.15
network-object host 10.1.3.22
network-object host 10.1.2.102

access-list ACL-L2L-VPN-AWS-ACID_Labs_stagging extended permit ip object-group SRC_VPN_L2L_AWS-ACID_Labs_stagging object-group DST_VPN_L2L_AWS-ACID_Labs_stagging

nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs_stagging SRC_VPN_L2L_AWS-ACID_Labs_stagging destination static DST_VPN_L2L_AWS-ACID_Labs_stagging DST_VPN_L2L_AWS-ACID_Labs_stagging

crypto ipsec ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging esp-aes-256 esp-sha-hmac

crypto map segurovpn 15 match address ACL-L2L-VPN-AWS-ACID_Labs_stagging
crypto map segurovpn 15 set pfs
crypto map segurovpn 15 set peer 1.1.1.1 2.2.2.2
crypto map segurovpn 15 set ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging
crypto map segurovpn 15 set security-association lifetime seconds 3600

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key abc
isakmp keepalive threshold 10 retry 10

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
ikev1 pre-shared-key cde
isakmp keepalive threshold 10 retry 10

I have an IP SLA on my core:

ip sla 20
icmp-echo 171.0.10.131 source-interface Vlan41
frequency 5
ip sla schedule 20 life forever start-time now
ip sla 30
icmp-echo 171.0.11.212 source-interface Vlan41
frequency 5
ip sla schedule 30 life forever start-time now

I did the debug and it shows:

packet-tracer input interna icmp 10.1.3.16 8 0 171.0.10.131 de

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.2.0 255.255.254.0 Interna

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Interna in interface Interna
access-list Interna extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x73a0f890, priority=13, domain=permit, deny=false
hits=64111047, user_data=0x6f59ec80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7378d138, priority=0, domain=inspect-ip-options, deny=true
hits=2793297518, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x747d4960, priority=70, domain=inspect-icmp, deny=false
hits=28975364, user_data=0x747d3940, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7378cd10, priority=66, domain=inspect-icmp-error, deny=false
hits=28977323, user_data=0x7378c328, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 7
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x75d57938, priority=13, domain=debug-icmp-trace, deny=false
hits=383796209, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=Interna, output_ifc=any

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs_stagging SRC_VPN_L2L_AWS-ACID_Labs_stagging destination static DST_VPN_L2L_AWS-ACID_Labs_stagging DST_VPN_L2L_AWS-ACID_Labs_stagging
Additional Information:
Static translate 10.1.3.16/0 to 10.1.3.16/0
Forward Flow based lookup yields rule:
in id=0x774d52c0, priority=6, domain=nat, deny=false
hits=10, user_data=0x76b60a00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.3.16, mask=255.255.255.255, port=0
dst ip/id=171.0.10.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=Interna, output_ifc=outside

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x74ed1578, priority=70, domain=encrypt, deny=false
hits=3127, user_data=0x2bb320bc, cs_id=0x7700da58, reverse, flags=0x0, protocol=0
src ip/id=10.1.3.16, mask=255.255.255.255, port=0
dst ip/id=171.0.10.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x747d5ea0, priority=0, domain=user-statistics, deny=false
hits=2944520092, user_data=0x746a7cb0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x74ef6d98, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=3127, user_data=0x2c247f14, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=171.0.10.0, mask=255.255.255.0, port=0
dst ip/id=10.1.3.16, mask=255.255.255.255, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 12
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x76e27a38, priority=13, domain=debug-icmp-trace, deny=false
hits=400754464, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x737671b0, priority=0, domain=inspect-ip-options, deny=true
hits=2873324028, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 14
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x747d66e8, priority=0, domain=user-statistics, deny=false
hits=2860347337, user_data=0x746a7cb0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=Interna

Phase: 15
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2906792974, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_dbg_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Interna
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

show crypto ipsec sa peer 1.1.1.1
peer address: 1.1.1.1
Crypto map tag: segurovpn, seq num: 15, local addr: 3.3.3.3

access-list ACL-L2L-VPN-AWS-ACID_Labs_stagging extended permit ip host 10.1.3.22 171.0.11.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.3.22/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (171.0.11.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 54536, #pkts encrypt: 54536, #pkts digest: 54536
#pkts decaps: 163624, #pkts decrypt: 163624, #pkts verify: 163624
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 54536, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 109090

local crypto endpt.: 3.3.3.3/4500, remote crypto endpt.: 1.1.1.1/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 9C8BFD41
current inbound spi : D0C785FD

inbound esp sas:
spi: 0xD0C785FD (3502736893)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 86343680, crypto-map: segurovpn
sa timing: remaining key lifetime (kB/sec): (4373963/3434)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x9C8BFD41 (2626420033)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, }
slot: 0, conn_id: 86343680, crypto-map: segurovpn
sa timing: remaining key lifetime (kB/sec): (4373990/3434)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

in ASDM:

IPSEC: Received an ESP packet (SPI=0xB3D438FD, sequence number = 0x7E3) from 1.1.1.1 (user=1.1.1.1) to 3.3.3.3.
The decapsulated inner packet doesn't match the negotiated policy in the SA.
The packet specifies its destination as 10.1.3.16, its source as 171.0.10.131, and its protocol as icmp. The SA specifies its local proxy as 10.1.3.22/255.255.255.255/ip/0 and its remote_proxy as 171.0.11.0/255.255.255.0/ip/0.

Re: VPN site-to-site ASA-AWS

Bogdan Nita — Wed, 06 Jun 2018 14:53:01 GMT

Based on the packet tracer the traffic is encrypted and sent out the outside interface, but in the show crypto sa I can't see the sa that should be created by the packet tracer.

I believe you have a couple more crypto map entries, any chance one of those has the same ips in configured the crypto acl ?

HTH

Bogdan

Re: VPN site-to-site ASA-AWS

rponte — Wed, 06 Jun 2018 15:24:40 GMT

I have another VPN working and it have the following:

nat (Interna,outside) source static SRC_VPN_L2L_AWS-ACID_Labs SRC_VPN_L2L_AWS-ACID_Labs destination static DST_VPN_L2L_AWS-ACID_Labs DST_VPN_L2L_AWS-ACID_Labs
access-list ACL-L2L-VPN-AWS-ACID_Labs extended permit ip object-group SRC_VPN_L2L_AWS-ACID_Labs object-group DST_VPN_L2L_AWS-ACID_Labs

object-group network SRC_VPN_L2L_AWS-ACID_Labs
network-object host 10.1.3.16

network-object host 10.1.3.23
network-object host 10.1.3.58
network-object host 10.1.3.55
network-object host 10.1.3.15
network-object host 10.1.3.22
network-object host 10.1.2.102

As you can see the Source is the same. Is that the problem?

The crypto entries:
sh run | i 1.1.1.1
crypto map segurovpn 15 set peer 1.1.1.1 2.2.2.2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes

Re: VPN site-to-site ASA-AWS

rponte — Wed, 06 Jun 2018 16:21:31 GMT

I saw again my configuration and i looked that i had a problem on the transform-set

crypto ipsec ikev1 transform-set VPN-COPEC_AWS-ACID_Labs_stagging esp-aes esp-sha-hmac

I correct it and its working now.

Thanks for your help.

Re: VPN site-to-site ASA-AWS

GioGonza — Wed, 06 Jun 2018 16:34:59 GMT

Hello @rponte,

I was checking your configuration and you need to keep in mind a detail with VPNs with AWS VPC, based on this link https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html, the ASA needs to have an ACL only with one entry so you need to change your source as ANY since if you don´t configure it like that, you can experience problems with the VPN.

Probably that´s why it´s not working.

HTH

Gio

Re: VPN site-to-site ASA-AWS

subrun.jamil — Thu, 11 Jun 2020 02:24:28 GMT

Hello

Can you advise , is it possible to configure ASA Policy Based VPN and ASA site Still Route Based VPN ?

So far I know AWS does support only ROUTE based VPN

Re: VPN site-to-site ASA-AWS

AndrewAllwein9842 — Fri, 11 Sep 2020 01:24:22 GMT

The Site-to-Site VPN service is a route-based solution. If you are using a policy-based configuration, you must limit your configuration to a single security association (SA).

https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf

tema Re: VPN site-to-site ASA-AWS en VPN

VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS

Re: VPN site-to-site ASA-AWS