03-13-2023 03:22 AM
Hi everybody,
I have an FTD with FMC that must have a VPN tunnel IPSec with a router.
I have configured the FTD following all the instructions but I receive the message log error "Failed to authenticate the IKE SA".
Reading the debug messages I found this:
Both endpoints use the same PSK, so maybe it is something about the algorithms.
This is the remote peer config:
I've uploaded the debug logs too, please help me to find a solution.
Thanks for your help!!
03-29-2023 02:02 AM
@angelito_mas ok so the IPsec SAs are established, but the encap/decap counters have not increased.
Is this Firewall the default gateway for all traffic or a dedicated VPN concentrator? Is traffic for those remote VPN networks even routed to this Firewall?
Are you generating traffic as defined in the crypto ACL?
What about the NAT question asked previously?
03-29-2023 02:42 AM
The 3 protected subnets are configured on 3 different routers that have a static route with the FW as next-hop to the protected network on the other side.
On the FW there is a static route for 10.0.0.0/8 to the WAN interface (the same one on which I configured the VPN tunnel) and there is a NAT rule that translates the whole net to the public IP.
I cannot verify if there is a NAT exemption.
03-29-2023 02:48 AM - edited 03-29-2023 02:50 AM
@angelito_mas wrote:
and there is a NAT rule that translates the whole net to the public IP.
I cannot verify if there is a NAT exemption.
Well, if you are translating the whole network to the public IP address, then the source IP address will be the public IP address and not the real IP of the networks defined as interesting traffic, so the traffic would not match the crypto ACL and therefore not be encrypted.
You either need to change the crypto ACL to use the public IP address as the source network or define a NAT exemption rule to ensure the traffic is not translated and is routed. This ensures the real IP address is sent over the tunnel and would therefore match the crypto ACL.
03-29-2023 03:13 AM
With NAT exemption enabled, will these 3 subnets have access to the internet?
03-29-2023 03:23 AM - edited 03-29-2023 03:26 AM
@angelito_mas YES
The purpose of a NAT exemption rule when used with a VPN is to ensure traffic over the VPN is not translated. The original source and translated source are the same network and the original destination and translated destination are the same network.
In your scenario create an object for 10.86.170.0/24, this is the source network, and another object for the destination network as 10.38.220.192/26. Repeat for the other internal networks. Then create the NAT exemption rules.
Only traffic from 10.86.170.0/24 to 10.38.220.192/26 will match this NAT exemption rule, traffic over the VPN will be routed using the real IP address. Traffic to the internet from these internal networks, which has a destination IP address of something other than 10.38.220.192/26 will not match this rule and match the existing Auto NAT and be translated behind the Firewall outside interface IP address.
Example:
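The screenshot that followed "Example:" is not reproduced here, so the following is an added illustration (not part of the original thread and not FTD/FMC code) of the behaviour Rob describes: manual NAT (where the exemption lives) is evaluated before auto NAT, the crypto ACL is matched against the post-NAT packet, and only traffic between the real LAN and the real remote LAN is exempted while everything else still hits the existing auto NAT. The networks come from the thread; the outside IP 203.0.113.10 and the internet host 198.51.100.7 are constructed placeholders from the documentation ranges.

```python
"""Constructed model of the NAT order of operations described in the thread.

Rules are evaluated top-down: manual NAT (section 1, where a NAT exemption
lives) is checked before auto NAT (section 2). The crypto ACL is matched on
the post-NAT packet, which is why an un-exempted source never matches it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Networks taken from the thread; the outside IP is a placeholder from the
# documentation range, not a value from the original post.
LOCAL_LAN = ip_network("10.86.170.0/24")
REMOTE_LAN = ip_network("10.38.220.192/26")
OUTSIDE_IP = ip_address("203.0.113.10")


@dataclass(frozen=True)
class NatRule:
    name: str
    src: IPv4Network
    dst: Optional[IPv4Network]  # None means "any destination"
    identity: bool              # True: translated source == original source (exemption)

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.src and (self.dst is None or dst in self.dst)

    def translate(self, src: IPv4Address) -> IPv4Address:
        return src if self.identity else OUTSIDE_IP


# Section 1: manual NAT exemption (original == translated for both src and dst).
EXEMPTION = NatRule("exempt-to-remote-lan", LOCAL_LAN, REMOTE_LAN, identity=True)
# Section 2: the existing auto NAT that hides the whole 10.0.0.0/8 behind the outside IP.
AUTO_NAT = NatRule("auto-nat-outside", ip_network("10.0.0.0/8"), None, identity=False)


def apply_nat(src: IPv4Address, dst: IPv4Address, rules):
    """Return (post-NAT source, name of the first matching rule)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.translate(src), rule.name
    return src, "no-nat"


def matches_crypto_acl(src: IPv4Address, dst: IPv4Address) -> bool:
    """Interesting traffic is defined as real local LAN -> real remote LAN."""
    return src in LOCAL_LAN and dst in REMOTE_LAN


def egress_decision(src: str, dst: str, rules) -> dict:
    """Translate first, then decide whether the packet would be encrypted."""
    s, d = ip_address(src), ip_address(dst)
    post_nat_src, rule = apply_nat(s, d, rules)
    return {
        "post_nat_src": str(post_nat_src),
        "nat_rule": rule,
        "encrypted": matches_crypto_acl(post_nat_src, d),
    }


if __name__ == "__main__":
    for label, rules in (("without exemption", [AUTO_NAT]),
                         ("with exemption", [EXEMPTION, AUTO_NAT])):
        # VPN-bound flow: only encrypted once the exemption keeps the real source.
        print(label, egress_decision("10.86.170.5", "10.38.220.200", rules))
        # Internet-bound flow: still translated behind the outside IP either way.
        print(label, egress_decision("10.86.170.5", "198.51.100.7", rules))
```

Running it shows the three cases from the thread: without the exemption the VPN-bound packet leaves with the outside IP as source and never matches the crypto ACL; with the exemption it keeps 10.86.170.5 and is encrypted; and internet-bound traffic from the same subnet falls through to the auto NAT rule in both cases, which is why the exempted subnets keep their internet access.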
03-29-2023 03:57 AM
I've configured the 3 NAT rules but I am not able to create the exemption rule. Do I have to do it via CLI?
03-29-2023 04:00 AM
@angelito_mas No, you cannot configure NAT using the CLI on the FTD; you configure everything via the FMC GUI.
What NAT configuration have you applied? If you created the rule as per the example above then that is a NAT exemption rule.
Provide a screenshot of what you configured.
Did you retest after applying the configuration?
03-29-2023 04:08 AM
I made it!!! Thank you Rob!
03-29-2023 04:11 AM
You can access internet if the destination is not remote-LAN.
Just want to add this info.
03-29-2023 03:22 AM - edited 03-29-2023 03:27 AM
Check the comment below.
03-29-2023 03:25 AM - edited 03-29-2023 03:27 AM
Thanks a lot for updating us.
Yes, it is not the PSK; the policy or proposal can make this happen.
Thanks again.
Sorry, do you use RRI?
03-29-2023 03:58 AM
Yes, I enabled RRI.