topic Re: Unable to send packet from PC to Server via IPSec Tunnel in Switching

Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 01:17:30 GMT

I am trying to create a network comprising of two routers, one ASA 5505 firewall, one computer and one web server.

I have created a VPN tunnel in between Router4 and ASA5505 firewall. I have also configured both the routers and the ASA5505 firewall.

Also i read on the internet that i have to initiate interesting traffic for VPN to initialize. But I don't really understand what it means.

Below are the configuration of the router4:

Router(config)#exit

Router#

%SYS-5-CONFIG_I: Configured from console by console

show run

Building configuration...

Current configuration : 1226 bytes

version 15.1

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname Router

ip cef

no ipv6 cef

license udi pid CISCO1941/K9 sn FTX15247V2V-

license boot module c1900 technology-package securityk9

crypto isakmp policy 10

encr aes

authentication pre-share

group 5

lifetime 28800

crypto isakmp key 12345 address 192.168.2.1

crypto ipsec transform-set R1->ASA esp-aes esp-sha-hmac

crypto map IPSEC-MAP 10 ipsec-isakmp

! Incomplete

set peer 192.168.2.1

set transform-set R1->ASA

match address VPN-TRAFFIC

spanning-tree mode pvst

interface GigabitEthernet0/0

ip address 192.168.4.1 255.255.255.0

duplex auto

speed auto

interface GigabitEthernet0/1

ip address 192.168.3.2 255.255.255.0

duplex auto

speed auto

crypto map IPSEC-MAP

interface Vlan1

no ip address

shutdown

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.3.1

ip flow-export version 9

ip access-list extended VPN-TRAFFIC

access-list 100 permit ip host 192.168.4.2 host 192.168.1.2

access-list 100 permit ip host 192.168.1.2 host 192.168.4.2

line con 0

line aux 0

line vty 0 4

end

Router#

And ASA5505 firewall configuration are as follows:

ciscoasa#show run

: Saved

ASA Version 8.4(2)

hostname ciscoasa

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 192.168.2.1 255.255.255.0

object network local-network

route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list VPN-TRAFFIC extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

telnet timeout 5

ssh timeout 5

dhcpd auto_config outside

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd enable inside

crypto ipsec ikev1 transform-set ASA->R1 esp-aes esp-sha-hmac

crypto map IPSEC-MAP 10 match address VPN-TRAFFIC

crypto map IPSEC-MAP 10 set peer 192.168.3.2

crypto map IPSEC-MAP 10 set ikev1 transform-set ASA->R1

crypto map IPSEC-MAP interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

encr aes

authentication pre-share

group 5

lifetime 28800

tunnel-group 192.168.3.2 type ipsec-l2l

tunnel-group 192.168.3.2 ipsec-attributes

ikev1 pre-shared-key 12345

ciscoasa#

Re: Unable to send packet from PC to Server via IPSec Tunnel

M02@rt37 — Thu, 19 Oct 2023 05:40:42 GMT

Hello @heymastreo,

The interesting traffic for the VPN tunnel is defined by the "VPN-TRAFFIC" access lists on both devices, allowing traffic between the specified subnets (192.168.1.0/24 and 192.168.4.0/24) to trigger the VPN connection. To initiate the VPN tunnel, you need to send traffic between these subnets (for example, by pinging a device in the remote network from the local network). Once the devices detect the interesting traffic, the VPN tunnel should establish automatically.

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 06:02:19 GMT

Router

Re: Unable to send packet from PC to Server via IPSec Tunnel

balaji.bandi — Thu, 19 Oct 2023 07:06:00 GMT

1. bare in mind the ACL not match same both the side you have only host entry 1 router side and other side subnet

ip access-list extended VPN-TRAFFIC

access-list 100 permit ip host 192.168.4.2 host 192.168.1.2

access-list 100 permit ip host 192.168.1.2 host 192.168.4.2

2. is the Trunnel up and running- check with show crypto commands.

3. Initiate the traffic mean, ping one side to other side allowed traffic subnet. (so you see encryption and decryption take place).

below guide help you :

https://www.networkstraining.com/site-to-site-vpn-between-cisco-asa-and-router/

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:37:58 GMT

Router#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

192.168.2.1 192.168.3.2 QM_IDLE 1087 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Router#

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:23:29 GMT

I tried pinging from server to pc using `ping -t 192.168.4.2` but it doesn't work

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 09:24:32 GMT

Can yoh ping from R to ASA outside interface?

I.e. ping from vpn endpoint to endpoint

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:39:06 GMT

This is what i see when i run `show crpto isakmp sa` on router

Router#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

192.168.2.1 192.168.3.2 QM_IDLE 1087 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Router#

and this is what i see when i run `show crypto isakmp sa` on ASA5505 firewall

ciscoasa#show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 192.168.3.2

Type : L2L Role : Initiator

Rekey : no State : QM_IDLE

There are no IKEv2 SAs

ciscoasa#

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:41:03 GMT

I think I can

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 09:41:56 GMT

That great

Meaning phase1 is OK

Phase2 now need to check

Show crypto ipsec

Share this output of router

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:42:50 GMT

output of `show crypto ipsec sa` on router

Router#show crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: IPSEC-MAP, local addr 192.168.3.2

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

current_peer 192.168.2.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 0

#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 192.168.3.2, remote crypto endpt.:192.168.2.1

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

current outbound spi: 0x55C37018(1438871576)

inbound esp sas:

spi: 0xD5C1765B(3586225755)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2005, flow_id: FPGA:1, crypto map: IPSEC-MAP

sa timing: remaining key lifetime (k/sec): (4525504/3078)

IV size: 16 bytes

replay detection support: N

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x55C37018(1438871576)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2006, flow_id: FPGA:1, crypto map: IPSEC-MAP

sa timing: remaining key lifetime (k/sec): (4525504/3078)

IV size: 16 bytes

replay detection support: N

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Router#

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 09:47:42 GMT

#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 0

#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 0

There packet encrypt decrypt so vpn is OK

Check gw in Server and PC.

Also since there is asa you need to allow ping via

inspect icmp under global policy of asa.

I think this is issue here

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 09:52:02 GMT

These are the access-lists I have on my asa for now

ciscoasa#show access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300

access-list VPN-TRAFFIC; 2 elements; name hash: 0x2679b677

access-list VPN-TRAFFIC line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0(hitcnt=11) 0xd9419465

access-list VPN-TRAFFIC line 2 extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0(hitcnt=0) 0x478a1876

ciscoasa#

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 09:56:16 GMT

This acl for vpn remove second line

access-list VPN-TRAFFIC line 2 extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0(hitcnt=0)

And Add inspect icmp

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 10:02:51 GMT

`inspect icmp` does not seem to be working. It gives invalid input detected error

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 10:06:41 GMT

https://m.youtube.com/watch?v=YY5zr22Pp94

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 10:27:47 GMT

I was able to add inspect icmp in asa but i have no idea what to do after this.

Edit:

This is what i got after i ping from one end point of vpn to another

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 10:30:03 GMT

Sorry you can ping now from pc to server?

Re: Unable to send packet from PC to Server via IPSec Tunnel

heymastreo — Thu, 19 Oct 2023 10:34:33 GMT

I still can't it says request timed out.

Do I have to do the NAT translation for this on the ASA? And Do i have to add access-list for icmp to allow traffic beyond asa to the firewall?

Re: Unable to send packet from PC to Server via IPSec Tunnel

MHM Cisco World — Thu, 19 Oct 2023 10:38:08 GMT

Can you share last config of asa and router