topic Unable to establish VPN tunnel (ASA <> CSR1000) in Network Security

Unable to establish VPN tunnel (ASA <> CSR1000)

InTheJuniverse — Tue, 24 Dec 2019 15:45:19 GMT

On EVE-NG, I am trying to establish an IKEv1 Site to Site VPN tunnel between CSR1 and ASA.

CSR version : CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3,

ASA Version: ASA5520 Version 9.1(5)16

I have attached the configs and debug message, ASA always complains 'no matching SA found', this is not correct AFAIK.

If I configure exact same config using two CSRs, everything is working.

What am I doing wrong?

EDIT: Even if I remove everything and just connect ASA to CSR1, the exact same error occurs.

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

Rob Ingram — Tue, 24 Dec 2019 16:01:34 GMT

Hi,
I don't see anything obviously wrong in the configuration.
Can you confirm are you just observing errors in the debug logs or is the IKEv1 SA and IPSec SAs not being established?
The timestamps are not the same, were the debugs logs generated on the ASA and CSR at the sametime?

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

Firepowered — Tue, 24 Dec 2019 16:51:35 GMT

Thank you for your response.

Phase 1 establishes just fine, Phase 2 moans about "Received encrypted packet with no matching SA, dropping" error if i debug.

I could have taken logs differently, but they are similar all the time.

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

Rob Ingram — Tue, 24 Dec 2019 17:30:04 GMT

Try using a different transform set, use aes and sha and try again. Provide a full ipsec sa debug - "debug crypto ipsec sa" and upload for review.

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

Sheraz.Salim — Thu, 26 Dec 2019 21:35:19 GMT

I lab this up only difference did is i used a this nat uses

nat (inside,outside) source static NETWORK_OBJ_10.10.9.0_24 NETWORK_OBJ_10.10.9.0_24 destination static NETWORK_OBJ_10.11.11.0_24 NETWORK_OBJ_10.11.11.0_24 no-proxy-arp route-lookup

change into this

nat (inside,outside) source static LAN09 LAN09 destin static LAN11 LAN11 no-proxy-arp route-lookup

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

InTheJuniverse — Fri, 27 Dec 2019 11:08:37 GMT

Thank you.

I did and I have exact same output.

I removed that asa and used another one (ASAv) and everything is working. So, I am assuming this is some sort of but in EVE or the image.

Alsa, when I do a destination NAT (identity) from CLI, it does not show on ASDM, I have to explicitly click 'NAT Exempt' from connection profile, and it ends up creating two NATs, something that Shiraz also suggested,

So I am definitely doubting the ASA image.

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

InTheJuniverse — Fri, 27 Dec 2019 11:10:08 GMT

Thanks Shiraz

Good catch. I noticed that even after creating Destination NAT (identity) from CLI, ASDM still does not show it, I have to explicitly click 'Nat Exempt' under connection profile.

BTW, I changed NAT and it still did not work.

I used another ASA image and it worked, so I am doubting ASA / EVE here

Re: Unable to establish VPN tunnel (ASA <> CSR1000)

Sheraz.Salim — Fri, 27 Dec 2019 12:28:27 GMT

Hi mate.

I just double check my ASA version is 9.12. just realize your was on 9.1. I have seen this site-to-site vpn issue with identity nat in production network too. Glad it work out for you. happy labbing 🙂