IKEv2 Site-to-Site VPN IOS router to ASA issue

geoffFx
Level 1

Hi,

I am struggling with a routing or NAT issue from a branch IOS router (C927) to an ASA (9.5). I am able to successfully establish an IKEv2 connection to the ASA from the C927 and can successfully route traffic from the branch network to the datacenter, but only to one of the many VLANs within the DC configured on the ASA.

Attached are the config and SA results plus the ASA details.

Have I missed something with either the NAT rules or the routes?

Also note that the tunnel is not using IPsec over NAT-T; is this the issue?

Any assistance would be very much appreciated.

Cheers


Accepted Solution

Hi All,

Many thanks for your kind assistance.

I resolved the issue myself; the logs gave me a hint where to look.

I removed the "set pfs group5" from the crypto map and now it's working.

Cheers


Interesting traffic includes only one VLAN, which is SR-VLANs.

You must configure an object group containing all VLANs and configure the IPsec interesting traffic to use this object.

For NAT, I think it is OK, no problem.

Both SR-VLANS and DB-VLANS are in network groups on the ASA; please see the attachment.

Do I need to create a network group on the IOS router? I didn't think it was possible.

Hello,

Post the running config of the ASA (sh run). The router config looks good.

Hi Georg,

Many thanks for your kind assistance. The running config for the ASA is large, so I will grab snippets from it related to the S2S VPN. Is there something specific that we can drill in on for assistance?

We have many S2S VPNs running on this ASA with no issues; we have ASAs, Netgear, Ubiquiti, TP-Link, MikroTik and Billion modems/routers successfully running S2S VPNs. We always use the Site-to-Site wizard to build client connections on the ASA. This is the first time we have implemented a Cisco router.

We are wishing to standardise on C927s going forward for VDSL2 clients.

 

object-group network DB-VLANS
 network-object object DB-VLAN10
object-group network SR-VLANS
 network-object 172.16.254.0 255.255.255.0
 network-object object VLAN60
 network-object 10.0.100.0 255.255.255.0
 network-object 10.0.12.0 255.255.255.0
 network-object 10.0.13.0 255.255.255.0
 network-object 10.0.14.0 255.255.255.0
 network-object 10.0.15.0 255.255.255.0
 network-object 10.0.11.0 255.255.255.0
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.17.0 255.255.255.0
 network-object 10.0.18.0 255.255.255.0
 network-object 10.0.19.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
 network-object 10.0.21.0 255.255.255.0
 network-object 10.0.16.0 255.255.255.0
 network-object 10.0.22.0 255.255.255.0

nat (VMGMT,OUTSIDE) source static VLAN60 VLAN60 destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup
nat (VLAN100,OUTSIDE) source static VLAN100 VLAN100 destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup
nat (MGMT,OUTSIDE) source static MGMT-VLAN MGMT-VLAN destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup

nat (VMGMT,OUTSIDE) after-auto source dynamic any interface
nat (MGMT,OUTSIDE) after-auto source dynamic any interface
nat (VLAN100,OUTSIDE) after-auto source dynamic any interface
nat (VLAN110,OUTSIDE) after-auto source dynamic any interface
nat (VLAN111,OUTSIDE) after-auto source dynamic any interface
nat (VLAN112,OUTSIDE) after-auto source dynamic any interface
nat (VLAN113,OUTSIDE) after-auto source dynamic any interface
nat (VLAN114,OUTSIDE) after-auto source dynamic any interface
nat (VLAN115,OUTSIDE) after-auto source dynamic any interface
nat (VLAN116,OUTSIDE) after-auto source dynamic any interface
nat (VLAN117,OUTSIDE) after-auto source dynamic any interface
nat (VLAN118,OUTSIDE) after-auto source dynamic any interface
nat (VLAN119,OUTSIDE) after-auto source dynamic any interface
nat (VLAN120,OUTSIDE) after-auto source dynamic any interface
nat (VLAN121,OUTSIDE) after-auto source dynamic any interface
nat (VLAN122,OUTSIDE) after-auto source dynamic any interface

crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 1 set peer xxx.xxx.xxx.xxx
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal VPN-TRANSFORM DES 3DES AES AES192 AES256

group-policy GroupPolicy_xxx.xxx.xxx.xxx internal
group-policy GroupPolicy_xxx.xxx.xxx.xxx attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy GroupPolicy_xxx.xxx.xxx.xxx
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

 

Cheers

 

Hello,

The configuration snippets you have posted don't seem to match the VPN parameters configured on the Cisco router.

On the ASA, you need:

- a NAT exemption for local networks 10.0.0.0/24, 172.16.60.0/24, 172.16.254.0/24 to remote network 172.16.10.0/24
- an access list defining traffic sourced from those local networks to the remote network
- corresponding network objects

I don't see any of that in the snippets you have posted.

It is going to be tedious to find out what you are missing without seeing the entire config. Save it as a text file and post it.

 

 

Network groups are not a capability on the router.

show crypto ikev2 sa

How many child SAs do you see?

Hi,

Below are some stats; what is strange is that there are matches on the remote VLANs I am pinging.

 

show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         xxx.xxx.xxx.134/500    xxx.xxx.xxx.2/500      none/none            READY
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 300/183 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         xxx.xxx.xxx.134/500    xxx.xxx.xxx.2/500      none/none            READY
      Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 3600/190 sec

 IPv6 Crypto IKEv2  SA

 

show crypto ipsec sa
interface: Ethernet0.100
    Crypto map tag: CMAP-ASA, local addr xxx.xxx.xxx.134

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.60.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 8855, #pkts encrypt: 8855, #pkts digest: 8855
    #pkts decaps: 9178, #pkts decrypt: 9178, #pkts verify: 9178
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
     plaintext mtu 1750, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
     current outbound spi: 0xFDFBE5B9(4261143993)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4631D65(73604453)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: CMAP-ASA
        sa timing: remaining key lifetime (k/sec): (4326069/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFDFBE5B9(4261143993)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: CMAP-ASA
        sa timing: remaining key lifetime (k/sec): (4325971/3468)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
     plaintext mtu 1800, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.254.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
     plaintext mtu 1800, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is xxx.xxx.xxx.133 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via xxx.xxx.xxx.133
      60.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        xxx.xxx.xxx.132/30 is directly connected, Ethernet0.100
L        xxx.xxx.xxx.134/32 is directly connected, Ethernet0.100
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.10.0/24 is directly connected, Vlan10
L        172.16.10.1/32 is directly connected, Vlan10

 

sh access-lists
Extended IP access list 100
10 deny ip 172.16.10.0 0.0.0.255 10.0.100.0 0.0.0.255 (5 matches)
20 deny ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255 (14155 matches)
30 deny ip 172.16.10.0 0.0.0.255 172.16.254.0 0.0.0.255 (5 matches)
40 permit ip 172.16.10.0 0.0.0.255 any (341 matches)
Extended IP access list DFW-S2S-ASA
10 permit ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255 (14155 matches)
20 permit ip 172.16.10.0 0.0.0.255 10.0.100.0 0.0.0.255 (5 matches)
30 permit ip 172.16.10.0 0.0.0.255 172.16.254.0 0.0.0.255 (5 matches)

 

cheers

 

   local  ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
   current_peer xxx.xxx.xxx.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

 

This error means the problem is in the router; the router never encrypts any packets.

permit ip 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255 <- this is in the router, but the proxy shows 10.0.100.0

So exactly the same ACL as in the ASA must be found in the router, "except flip source with destination".
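The "same ACL, flipped" requirement above can be checked mechanically. The script below is an added example, not from the thread or from Cisco: it takes the router's DFW-S2S-ASA ACL and the ASA's SR-VLANS object group as posted, converts IOS wildcard masks and ASA netmasks to prefixes, mirrors the ASA's (local -> branch) pairs and reports which destinations the router ACL is missing. The named object VLAN60 is not defined in the thread, so it is assumed here to be 172.16.60.0/24.

```python
import ipaddress
import re

# Inputs copied from the thread: the router's DFW-S2S-ASA ACL and the ASA's SR-VLANS group.
ROUTER_ACL = """\
permit ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 10.0.100.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 172.16.254.0 0.0.0.255
"""
# The 13 members 10.0.10.0/24 .. 10.0.22.0/24 are generated (thread lists them in another order).
ASA_SR_VLANS = """\
 network-object 172.16.254.0 255.255.255.0
 network-object object VLAN60
 network-object 10.0.100.0 255.255.255.0
""" + "".join(f" network-object 10.0.{n}.0 255.255.255.0\n" for n in range(10, 23))
# VLAN60 is a named object whose definition is not in the thread; assumed to be 172.16.60.0/24.
ASA_NAMED_OBJECTS = {"VLAN60": "172.16.60.0/24"}
BRANCH = ipaddress.ip_network("172.16.10.0/24")  # the C927 LAN, "remote" from the ASA's view

ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def router_pairs(acl: str) -> set:
    """(src, dst) networks protected by the router's crypto ACL (wildcard masks -> prefixes)."""
    return {(ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}"))
            for m in ACE.finditer(acl)}

def asa_networks(group: str, named: dict) -> list:
    """Expand an ASA object-group body, resolving 'network-object object NAME' via `named`."""
    nets = []
    for parts in (line.split() for line in group.splitlines()):
        if parts[:2] == ["network-object", "object"]:
            nets.append(ipaddress.ip_network(named[parts[2]]))
        elif parts[:1] == ["network-object"]:
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return nets

def mirror_check(acl: str, group: str, named: dict, branch) -> tuple:
    """Flip the ASA's (local -> branch) pairs and report what the router ACL lacks or adds."""
    expected = {(branch, n) for n in asa_networks(group, named)}
    have = router_pairs(acl)
    missing = sorted(str(dst) for _, dst in expected - have)
    extra = sorted(str(dst) for _, dst in have - expected)
    return missing, extra

if __name__ == "__main__":
    missing, extra = mirror_check(ROUTER_ACL, ASA_SR_VLANS, ASA_NAMED_OBJECTS, BRANCH)
    print(f"router ACL lacks {len(missing)} destinations: {missing}")
    print(f"router ACL has {len(extra)} destinations the ASA does not protect: {extra}")
```

With the thread's data the router covers 3 of the 16 SR-VLANS members, so 13 destinations are reported missing and nothing is reported extra.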

 

No, OK, just clear crypto ipsec sa ("you may need to do this step three or four times") and then try again.

 

clear crypto ipsec sa doesn't work on this router, but what I did do was disable S2S on the ASA for both IKEv1 and IKEv2, then ran "clear crypto session" and "clear crypto sa" several times...

Still the same issue; it's bizarre that only 1 out of the 3 access-list entries is working...

Is there a way to drill down into the "send errors"?

Does the extract below help?

Dec 10 12:26:23.733: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.0.100.0-10.0.100.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:23.755: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group
Dec 10 12:26:48.974: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 172.16.254.0-172.16.254.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:48.996: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group

Cheers
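The log extract above is what pointed to the fix: each failing child SA is announced by an OSAL_INITIATE_TUNNEL line carrying its traffic selectors, and the NEG_ABORT that follows names the reason. The script below is an added example, not from the thread or from Cisco: it pairs each initiate with its abort, so the selectors that never get a child SA (the flows showing "#pkts encaps: 0" in show crypto ipsec sa) are listed with their error, and maps "Unsupported DH group" to the PFS-group comparison that resolved this case. The HINTS table is an assumption of this example, not an IOS feature.

```python
import re
from dataclasses import dataclass

# Router syslog lines as posted in the thread (embedded here so the check runs offline).
SAMPLE_LOG = """\
Dec 10 12:26:23.733: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.0.100.0-10.0.100.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:23.755: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group
Dec 10 12:26:48.974: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 172.16.254.0-172.16.254.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:48.996: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group
"""

INITIATE = re.compile(
    r"%IKEV2-5-OSAL_INITIATE_TUNNEL:.*?local traffic selector = Address Range: (\S+)"
    r".*?remote traffic selector = Address Range: (\S+)")
ABORT = re.compile(r"%IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: (.+?)\s*$")

# Reason text -> what to compare on the two ends (assumed mapping for this example).
# "Unsupported DH group" on a child SA is the PFS mismatch this thread ended on:
# 'set pfs group5' on the router crypto map with no PFS configured on the ASA's.
HINTS = {
    "Unsupported DH group": "child SA PFS group not offered by peer; compare 'set pfs' on both crypto maps",
}

@dataclass
class Failure:
    local_ts: str   # local traffic selector address range
    remote_ts: str  # remote traffic selector address range
    error: str
    hint: str

def correlate(log: str) -> list[Failure]:
    """Pair each OSAL_INITIATE_TUNNEL with the NEG_ABORT that follows it."""
    failures, pending = [], None
    for line in log.splitlines():
        if m := INITIATE.search(line):
            pending = (m.group(1), m.group(2))   # selectors of the child SA being built
        elif (m := ABORT.search(line)) and pending:
            err = m.group(1)
            failures.append(Failure(*pending, err, HINTS.get(err, "unclassified; collect 'debug crypto ikev2'")))
            pending = None                       # consumed; a later abort needs its own initiate
    return failures

def failing_remote_selectors(log: str) -> list[str]:
    """Remote ranges that never got a child SA; compare with '#pkts encaps: 0' flows in show crypto ipsec sa."""
    return [f.remote_ts for f in correlate(log)]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f.local_ts} -> {f.remote_ts}: {f.error} ({f.hint})")
```

On the thread's extract this reports both 10.0.100.0/24 and 172.16.254.0/24, the two flows with zero encaps, while the 172.16.60.0/24 child SA that came up in the initial IKE_AUTH exchange (shown with "PFS (Y/N): N") never appears, which is why only one of the three ACL entries worked.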

 

crypto map OUTSIDE_map 1 set pfs group 5

Do this in the ASA.
