easy vpn ipsec issues

SOL10
Level 1

EazyVPN issues - IPSEC

Hi guys

I've recently set up an EasyVPN on a Cisco 3G router with an ASA5520. The tunnel comes up OK and the remote users can browse the net.

The problem is accessing the LAN behind the ASA. When you do a show cry ipsec sa on the ASA you get the following (I've replaced IPs with the names of the LAN/IP):

Crypto map tag: DYN_MAP, seq num: 100, local addr: ASA IP ADD

      local ident (addr/mask/prot/port): (LAN BEHIND ASA/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN BEHIND 3G router/255.255.255.0/0/0)
      current_peer: 3G Router IP, username: xxxxxx
      dynamic allocated peer ip: 0.0.0.0

     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA IP ADD/4500, remote crypto endpt.: 3G Router IP/40592
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 79BBD3C3

    inbound esp sas:
      spi: 0x483ABBD4 (1211808724)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x79BBD3C3 (2042352579)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y

As you can see, the packets are not encapsulating for some reason. On the 3G router it's the opposite: the packets aren't decapsulating. On a site-to-site VPN this is normally when the interesting traffic ACL is incorrect, but I'm baffled by this on an EasyVPN setup.

I have allowed the no-NAT statements on the router and the ASA.

Any pointers?

Thanks

5 Replies

Yudong Wu
Level 7

Can you provide the config from both the router and the ASA?

Hi, here is the config from the ASA:

access-list 3GSplitTunnel extended permit ip 10.100.1.0 255.255.255.0 any
access-list 3Gtraffic extended permit ip 10.100.1.0 255.255.255.0 10.3.0.0 255.255.255.0

crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map DYN_MAP 100 set transform-set TUNN_ESP_AES_SHA
crypto dynamic-map DYN_MAP 100 set reverse-route

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483

crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000

group-policy 3GPolicy internal
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 3GSplitTunnel
default-domain value xxx.com
nem enable


username cisco test password ciscotest

tunnel-group Sol3GRAGroup type ipsec-ra
tunnel-group Sol3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group Sol3GRAGroup ipsec-attributes
pre-shared-key *

And here is the config from the 3G router:

crypto ipsec transform-set ezvpn-profile-0 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ezvpn-profile-1 esp-aes 256 esp-sha-hmac

username ciscotest password ciscotest

crypto ipsec profile EZVPN
set transform-set ezvpn-profile-0


crypto ipsec client ezvpn ASA
connect auto
group 3GRAGroup key 3gvpn
mode network-extension
ipsec-profile EZVPN
nat acl 102
username cisco test password ciscotest
xauth userid mode local


interface Cellular 0
no ip address
no shut
ip nat outside
encapsulation ppp
dialer in-band
dialer pool-member 2
dialer-group 2
async mode interactive

interface Vlan1
ip address 10.3.0.1 255.255.255.0
ip access-group 100 out
ip nat inside
crypto ipsec client ezvpn ASA inside

interface Dialer 1
ip address negotiated
ip nat outside
dialer pool 2
dialer string 3g
dialer persistent
dialer-group 2
!output omitted----
crypto ipsec client ezvpn ASA outside

ip nat inside source route-map EzVPN interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 deny ip 10.3.0.0 0.0.0.255 10.100.1.0 0.0.0.255
access-list 102 permit ip any any


route-map EzVPN permit 1
match address 102

Did you enable nat-control on the ASA?

If yes, did you configure NAT 0 to bypass VPN traffic from NAT?

You did not provide the NAT configuration on the ASA.

Hi

I have managed to sort this, well, kind of.

The problem seems to be with the routing of the 10.0.0.0/8 subnet (which we use within our network and MPLS cloud).

When I change the remote subnet to 192.168.166.0/24 or 172.16.166.0/24 it all works OK.

Thanks, glad that you fixed it already.

Yeah, that could be an issue. In general, if you don't see the encrypted count incrementing, you should check NAT and routing. Here, since you use an overlapping IP range for the remote VPN, the traffic to the VPN client might not be able to reach this ASA.
