ASA5505 - IPSEC not encrypting packets

Hello,

I'm trying to add a new network inside my IPSec tunnel, using the same configuration as the others, but it doesn't work.

Packets coming from the other side are being decrypted, but packets from my side are not being encrypted.

Configuration and show commands below.

NB: I don't have access to the peer configuration as I don't own it.

Thanks for your help.

! New VMware admin network
object network BM-RX-VMWARE
subnet 192.168.240.0 255.255.255.0


object-group network RSX-BM-BDX
network-object object BM-RX-VMWARE <--- This adds the network into the ACL that the crypto-map matches.
object network bm-vcloud-frontend
host 192.168.240.223
object network bm-vcloud-cproxy
host 192.168.240.224

object-group network bm-vcloud
network-object object bm-vcloud-frontend
network-object object bm-vcloud-cproxy


! NAT
nat (bm-vmware,outside) source static BM-RX-VMWARE BM-RX-VMWARE destination static BDX-MAIRIE-RX-BACK BDX-MAIRIE-RX-BACK no-proxy-arp route-lookup


! ACLs


access-list Outside-in extended permit tcp object BDX-MAIRIE-RX-BACK object-group bm-vcloud eq https


access-list ACCESS_BM-RX-VMWARE_IN remark ####### Filtrage BDX-MAIRIE-RX-BACK -> BM-RX-VMWARE ##################
access-list ACCESS_BM-RX-VMWARE_IN extended permit icmp object BM-RX-VMWARE object BDX-MAIRIE-RX-BACK


access-group ACCESS_BM-RX-VMWARE_IN in interface bm-vmware

! Permit ping
icmp permit any bm-vmware

!

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address VPN-LAN2LAN-BM-BDX
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 86.64.30.216
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 20 match address VPN-LAN2LAN-BM-BDX
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 86.64.30.216
crypto map outside_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

!

tunnel-group 86.64.30.216 type ipsec-l2l
tunnel-group 86.64.30.216 general-attributes
default-group-policy 86.64.30.216
tunnel-group 86.64.30.216 ipsec-attributes
ikev1 pre-shared-key *****
VPN-CUB# show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection : 86.64.30.216
Index : 12971 IP Addr : 86.64.30.216
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 0
Login Time : 11:05:20 CEST Wed Nov 27 2019
Duration : 0h:00m:01s
IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
Tunnel ID : 12971.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 3600 Seconds Rekey Left(T): 3599 Seconds
D/H Group : 2
Filter Name :
IPv6 Filter :

IPsec:
Tunnel ID : 12971.2
Local Addr : 192.168.240.0/255.255.255.0/0/0
Remote Addr : 192.168.51.80/255.255.255.240/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 3600 Seconds Rekey Left(T): 3599 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4608000 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 0 Bytes Rx : 0
Pkts Tx : 0 Pkts Rx : 0

NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 2 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
VPN-CUB# sh ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 195.214.229.252

access-list VPN-LAN2LAN-BM-BDX extended permit ip 192.168.240.0 255.255.255.0 192.168.51.80 255.255.255.240
local ident (addr/mask/prot/port): (192.168.240.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.51.80/255.255.255.240/0/0)
current_peer: 86.64.30.216

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 195.214.229.252/0, remote crypto endpt.: 86.64.30.216/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5300DAD6
current inbound spi : 358CDF05

inbound esp sas:
spi: 0x358CDF05 (898424581)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 53129216, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/3582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5300DAD6 (1392564950)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 53129216, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/3582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
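As an added example that is not part of the original post, the following Python parses the `show ipsec sa` counter lines in the format shown above and reports any SA that is decrypting the peer's packets while encrypting none, which is the symptom described; the sample output is constructed with documentation addresses.

```python
# Added example (not from the post): parse ASA `show ipsec sa` output and
# flag SAs that decrypt the peer's packets but never encrypt any. Regexes
# follow the line formats visible in the post; SAMPLE is constructed data.
import re

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_show_ipsec_sa(text):
    """Return one dict per SA with its map, seq, local/remote ident, counters."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SA_HEADER.search(line):
            sas.append({"map": m.group(1), "seq": int(m.group(2)),
                        "local": "", "remote": "", "encaps": 0, "decaps": 0})
        elif not sas:
            continue  # skip anything before the first SA block
        elif m := IDENT.search(line):
            sas[-1][m.group(1)] = m.group(2)      # "local" or "remote"
        elif m := COUNTER.search(line):
            sas[-1][m.group(1)] = int(m.group(2))  # "encaps" or "decaps"
    return sas


def one_way_sas(text):
    """SAs whose inbound traffic is decrypted while nothing is encrypted."""
    return [f"seq {sa['seq']}: {sa['local']} -> {sa['remote']}"
            for sa in parse_show_ipsec_sa(text)
            if sa["decaps"] > 0 and sa["encaps"] == 0]


# Constructed sample: a healthy SA (seq 10) and a one-way SA (seq 20).
SAMPLE = """\
Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.10
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.51.80/255.255.255.240/0/0)
#pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
#pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
Crypto map tag: outside_map, seq num: 20, local addr: 198.51.100.10
local ident (addr/mask/prot/port): (192.168.240.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.51.80/255.255.255.240/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
"""

if __name__ == "__main__":
    for entry in one_way_sas(SAMPLE):
        print("one-way SA:", entry)
```

Run it against a pasted `show ipsec sa` capture to see at a glance which crypto-map entry is only receiving; a zero/zero pair like the one in the post simply means no traffic has hit the SA yet.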

Accepted Solution

Hi,

I rebooted the ASA, and now it works...

Thanks anyway.
