IPSEC VPN IKEv2 Issue ASA to AWS with NAT

anthonykahwati
Level 1

Hi

I am trying to configure a VPN to AWS from a Cisco ASA which is doing the VPN termination. 

The agreed settings are:

IKEv1 / 2 AES-256

SHA256

DH-24

PSK

Our ASA is running 9.8.4(26). I don't know about AWS as they are a vendor rather than our own instance.

We are getting phase 1 but failing on phase 2.

Our ASA is behind a Checkpoint firewall (vendor not relevant in my view) which is just literally passing traffic and doing NAT.

AWS connects to a dedicated address on the Checkpoint that NATs to the Internet-facing IP address of the ASA. The ASA targets the publicly routable address given to us by our vendor for their AWS VPN Gateway. Interesting traffic is identical on both sides but the inverse of each other.

We have NAT-T enabled and all ports are allowed out and back (UDP 500 and 4500, IP protocol 50). I see no drops.

Assuming NAT-T is the right thing to do here, can anyone think of anything to be checking?

I don't have logs right now, waiting for them to be provided but any insight into whether NAT-T in this situation is the right thing to do, or, anyone who knows of AWS gotchas, would be appreciated!

Thanks in advance.
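Added checks, not part of the original post: the ASA commands below confirm whether NAT-T was actually negotiated with the peer and show the phase-2 traffic selectors the ASA proposed, which is where a "phase 1 up, phase 2 down" tunnel usually needs to be looked at first. The peer address 203.0.113.10 is a placeholder for the AWS VPN gateway; the notify names are the standard IKEv2 ones from RFC 7296.

```cisco
! Added example: ASA show/debug sequence for a phase-2 failure behind NAT.
! 203.0.113.10 is a placeholder for the AWS VPN gateway address.

! NAT-T is enabled by default on the ASA; "show running-config all" includes defaults,
! so this confirms it has not been turned off ("no crypto isakmp nat-traversal").
show running-config all | include nat-traversal

! Phase 1 state. When NAT-T was detected, the Local/Remote endpoints are shown with
! port 4500 rather than 500. The detail output also lists the child SA(s) with their
! local/remote selectors; no child SA means phase 2 never completed.
show crypto ikev2 sa detail

! Phase 2 detail for this peer: the "local ident" / "remote ident" lines are the proxy
! IDs built from the crypto ACL, "local crypto endpt." / "remote crypto endpt." show
! /4500 when ESP is UDP-encapsulated, and #pkts encaps vs #pkts decaps tells you which
! direction (if any) is carrying traffic.
show crypto ipsec sa peer 203.0.113.10

! Capture the negotiation itself. Phase-2 rejections arrive as IKEv2 notify payloads:
!   TS_UNACCEPTABLE    -> the peer will not accept the traffic selectors (crypto ACL)
!   NO_PROPOSAL_CHOSEN -> IPsec proposal (AES-256 / SHA-256) or PFS group not agreed
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
! Generate interesting traffic from a host behind the ASA, then review and stop:
show logging | include IKEv2
undebug all
```

A selector mismatch shows up as phase 1 succeeding and the CREATE_CHILD_SA / IKE_AUTH child negotiation failing, so compare the "local ident" / "remote ident" values with what the AWS side was told to expect before changing anything else.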

 

2 Replies

On your ASA are you using route-based VPN (i.e. VTI using routing) or "classic" IPsec site-to-site VPN (policy-based VPN using crypto ACL)?

It could be that you are using crypto ACL while the AWS is using route based.

--
Please remember to select a correct answer and rate helpful posts
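As an added example (not the reply author's configuration), here are the two ASA shapes the reply is contrasting: policy-based with a crypto map and crypto ACL, and route-based with a VTI. Phase 1 settings match the agreed AES-256 / SHA-256 / DH-24 / PSK. All addresses are placeholders (203.0.113.10 for the AWS gateway, 10.1.0.0/16 for the local LAN, 172.31.0.0/16 for the VPC, 169.254.10.0/30 for the tunnel interface addresses); which mode the vendor's AWS side is actually configured for, and which selectors it will accept, has to be confirmed from their side. IKEv2 on a VTI needs ASA 9.8(1) or later, which the thread's 9.8(4) release satisfies.

```cisco
! Added example (not from the thread). Placeholders:
!   203.0.113.10  = AWS VPN gateway (tunnel endpoint)   10.1.0.0/16      = local LAN
!   172.31.0.0/16 = AWS VPC                              169.254.10.0/30  = VTI addresses

! --- Common to both modes ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 24
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
object network LOCAL-LAN
 subnet 10.1.0.0 255.255.0.0
object network AWS-VPC
 subnet 172.31.0.0 255.255.0.0

! --- Option A: policy-based (crypto map + crypto ACL), what the thread is using ---
! The ACL becomes the phase-2 traffic selectors. The peer must agree to exactly these
! networks (mirrored on its side) or phase 2 fails even though phase 1 is up.
! Identity NAT keeps the ASA from translating VPN traffic before it is encrypted.
access-list AWS-VPN extended permit ip object LOCAL-LAN object AWS-VPC
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static AWS-VPC AWS-VPC no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address AWS-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set pfs group24
crypto map OUTSIDE-MAP interface outside

! --- Option B: route-based (VTI) ---
! The tunnel negotiates any/any selectors; routes decide what enters it, so there is
! no crypto ACL to mismatch. Remove the crypto map entry for this peer before using this.
crypto ipsec profile AWS-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group24
interface Tunnel1
 nameif AWS-VTI
 ip address 169.254.10.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-PROFILE
route AWS-VTI 172.31.0.0 255.255.0.0 169.254.10.1
! Only needed if an existing rule (e.g. an (inside,any) PAT) would otherwise translate
! traffic leaving through the VTI:
nat (inside,AWS-VTI) source static LOCAL-LAN LOCAL-LAN destination static AWS-VPC AWS-VPC
```

The practical difference for the thread's symptom: with Option A the ASA proposes 10.1.0.0/16 <-> 172.31.0.0/16 as the child SA selectors and the far side must accept precisely that; with Option B the selectors are wide open and the question of "inverse interesting traffic" disappears, leaving only routing and the identity NAT to get right.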

Hi

We are using crypto ACL based. I've been off for a couple of days so hopefully there's been a development whilst I was away!
