12-09-2020 05:38 PM - edited 12-09-2020 05:52 PM
Hi,
I am struggling with a routing or NAT issue from a branch IOS router (C927) to an ASA (9.5). I am able to successfully establish an IKEv2 connection to the ASA from the C927 and can successfully route traffic from the branch network to the datacenter, but only to one of many VLANs within the DC configured on the ASA.
Attached are the config and SA results plus ASA stuff.
Have I missed something with either the NAT rules or routes?
Also note that the tunnel is not using IPsecOverNatT; is this the issue?
Any assistance would be very much appreciated.
Cheers
12-09-2020 05:58 PM
Interesting traffic includes only one VLAN, which is SR-VLANs.
You must configure an object group containing all VLANs and configure the IPsec interesting traffic to use this object.
For NAT, I think it is OK, no problem.
12-09-2020 06:17 PM
12-10-2020 01:19 AM
Hello,
post the running config of the ASA (sh run). The router config looks good.
12-10-2020 01:59 AM
Hi Georg,
Many thanks for your kind assistance. The running config for the ASA is large, so I will grab snippets from it related to the S2S VPN. Is there something specific that we can drill in on for assistance?
We have many S2S VPNs running on this ASA with no issues; we have ASAs, Netgear, Ubiquiti, TP-Link, MikroTik and Billion modems/routers successfully running S2S VPNs, and we always use the Site-to-Site wizard to build client connections on the ASA. This is the first time we have implemented a Cisco router.
We are wishing to standardise on C927s going forward for VDSL2 clients.
object-group network DB-VLANS
network-object object DB-VLAN10
object-group network SR-VLANS
network-object 172.16.254.0 255.255.255.0
network-object object VLAN60
network-object 10.0.100.0 255.255.255.0
network-object 10.0.12.0 255.255.255.0
network-object 10.0.13.0 255.255.255.0
network-object 10.0.14.0 255.255.255.0
network-object 10.0.15.0 255.255.255.0
network-object 10.0.11.0 255.255.255.0
network-object 10.0.10.0 255.255.255.0
network-object 10.0.17.0 255.255.255.0
network-object 10.0.18.0 255.255.255.0
network-object 10.0.19.0 255.255.255.0
network-object 10.0.20.0 255.255.255.0
network-object 10.0.21.0 255.255.255.0
network-object 10.0.16.0 255.255.255.0
network-object 10.0.22.0 255.255.255.0
nat (VMGMT,OUTSIDE) source static VLAN60 VLAN60 destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup
nat (VLAN100,OUTSIDE) source static VLAN100 VLAN100 destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup
nat (MGMT,OUTSIDE) source static MGMT-VLAN MGMT-VLAN destination static DB-VLANS DB-VLANS no-proxy-arp route-lookup
nat (VMGMT,OUTSIDE) after-auto source dynamic any interface
nat (MGMT,OUTSIDE) after-auto source dynamic any interface
nat (VLAN100,OUTSIDE) after-auto source dynamic any interface
nat (VLAN110,OUTSIDE) after-auto source dynamic any interface
nat (VLAN111,OUTSIDE) after-auto source dynamic any interface
nat (VLAN112,OUTSIDE) after-auto source dynamic any interface
nat (VLAN113,OUTSIDE) after-auto source dynamic any interface
nat (VLAN114,OUTSIDE) after-auto source dynamic any interface
nat (VLAN115,OUTSIDE) after-auto source dynamic any interface
nat (VLAN116,OUTSIDE) after-auto source dynamic any interface
nat (VLAN117,OUTSIDE) after-auto source dynamic any interface
nat (VLAN118,OUTSIDE) after-auto source dynamic any interface
nat (VLAN119,OUTSIDE) after-auto source dynamic any interface
nat (VLAN120,OUTSIDE) after-auto source dynamic any interface
nat (VLAN121,OUTSIDE) after-auto source dynamic any interface
nat (VLAN122,OUTSIDE) after-auto source dynamic any interface
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 1 set peer xxx.xxx.xxx.xxx
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal VPN-TRANSFORM DES 3DES AES AES192 AES256
group-policy GroupPolicy_xxx.xxx.xxx.xxx internal
group-policy GroupPolicy_xxx.xxx.xxx.xxx attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy GroupPolicy_xxx.xxx.xxx.xxx
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Cheers
12-10-2020 02:31 AM
Hello,
the configuration snippets you have posted don't seem to match the VPN parameters configured on the Cisco router.
On the ASA, you need:
- a NAT exemption for local networks 10.0.0.0/24, 172.16.60.0/24, 172.16.254.0/24 to remote network 172.16.10.0/24
- an access list defining traffic sourced from those local networks to the remote network
- corresponding network objects
I don't see any of that in the snippets you have posted.
It is going to be tedious to find out what you are missing without seeing the entire config. Save it as a text file and post it.
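A worked ASA-side version of the three items listed in the reply above, added here as an illustration and not taken from the poster's ASA. It uses the three datacenter subnets that appear in the router's DFW-S2S-ASA crypto ACL later in the thread (172.16.60.0/24, 10.0.100.0/24, 172.16.254.0/24) and the branch LAN 172.16.10.0/24. The object names BRANCH-LAN and DC-TO-BRANCH, the use of `any` as the ingress interface in the NAT exemption, and the hosts in the packet-tracer line are assumptions for the example; OUTSIDE_cryptomap_2 is the ACL name the posted crypto map already references.

```cisco
! ASA 9.x, constructed example (not the thread's running config)
!
! 1. Network objects: the branch LAN and the three DC subnets the branch must reach.
!    These three subnets are the ones in the router's DFW-S2S-ASA crypto ACL.
object network BRANCH-LAN
 subnet 172.16.10.0 255.255.255.0
object-group network DC-TO-BRANCH
 network-object 172.16.60.0 255.255.255.0
 network-object 10.0.100.0 255.255.255.0
 network-object 172.16.254.0 255.255.255.0
!
! 2. Crypto ACL referenced by "crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2".
!    The ASA expands the object-group into three proxy identities; each one becomes a
!    separate IKEv2 child SA, and each needs an exact mirror ACE on the router
!    (172.16.10.0/24 -> DC subnet), which the posted DFW-S2S-ASA list does have.
access-list OUTSIDE_cryptomap_2 extended permit ip object-group DC-TO-BRANCH object BRANCH-LAN
!
! 3. NAT exemption (identity twice NAT). Manual NAT without "after-auto" sits in section 1
!    and is evaluated before the "after-auto source dynamic any interface" PAT rules in
!    section 3, so branch-bound traffic keeps its real source address and is matched by
!    the crypto ACL. Using "any" as the ingress interface is an assumption; the poster's
!    existing exemptions use one line per inside interface (VMGMT, VLAN100, MGMT), which
!    is equivalent.
nat (any,OUTSIDE) source static DC-TO-BRANCH DC-TO-BRANCH destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! 4. Verify. Hit counts on the crypto ACL, then a simulated packet from a DC host
!    (assumes 10.0.100.0/24 sits behind nameif VLAN100, with example hosts 10.0.100.10
!    and 172.16.10.50). The NAT phase should match the identity rule above and the
!    VPN phase should show the packet being encrypted.
show access-list OUTSIDE_cryptomap_2
packet-tracer input VLAN100 icmp 10.0.100.10 8 0 172.16.10.50
```

If packet-tracer shows the flow hitting one of the `after-auto source dynamic any interface` rules instead of the identity rule, the exemption is missing or ordered wrongly and the packet will leave with the OUTSIDE address rather than entering the tunnel.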
12-10-2020 02:49 AM
Network groups are not a capability in the router.
show crypto ikev2 sa
How many child SAs do you see?
12-10-2020 03:20 AM
Hi,
Below are some stats; what is strange is that there are matches on the remote VLANs I am pinging.....
show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 xxx.xxx.xxx.134/500 xxx.xxx.xxx.2/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 300/183 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 xxx.xxx.xxx.134/500 xxx.xxx.xxx.2/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 3600/190 sec
IPv6 Crypto IKEv2 SA
show crypto ipsec sa
interface: Ethernet0.100
Crypto map tag: CMAP-ASA, local addr xxx.xxx.xxx.134
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.60.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8855, #pkts encrypt: 8855, #pkts digest: 8855
#pkts decaps: 9178, #pkts decrypt: 9178, #pkts verify: 9178
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
plaintext mtu 1750, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
current outbound spi: 0xFDFBE5B9(4261143993)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x4631D65(73604453)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: CMAP-ASA
sa timing: remaining key lifetime (k/sec): (4326069/3468)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFDFBE5B9(4261143993)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2006, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: CMAP-ASA
sa timing: remaining key lifetime (k/sec): (4325971/3468)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
plaintext mtu 1800, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.254.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.134, remote crypto endpt.: xxx.xxx.xxx.2
plaintext mtu 1800, path mtu 1800, ip mtu 1800, ip mtu idb Ethernet0.100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is xxx.xxx.xxx.133 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via xxx.xxx.xxx.133
60.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C xxx.xxx.xxx.132/30 is directly connected, Ethernet0.100
L xxx.xxx.xxx.134/32 is directly connected, Ethernet0.100
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Vlan10
L 172.16.10.1/32 is directly connected, Vlan10
sh access-lists
Extended IP access list 100
10 deny ip 172.16.10.0 0.0.0.255 10.0.100.0 0.0.0.255 (5 matches)
20 deny ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255 (14155 matches)
30 deny ip 172.16.10.0 0.0.0.255 172.16.254.0 0.0.0.255 (5 matches)
40 permit ip 172.16.10.0 0.0.0.255 any (341 matches)
Extended IP access list DFW-S2S-ASA
10 permit ip 172.16.10.0 0.0.0.255 172.16.60.0 0.0.0.255 (14155 matches)
20 permit ip 172.16.10.0 0.0.0.255 10.0.100.0 0.0.0.255 (5 matches)
30 permit ip 172.16.10.0 0.0.0.255 172.16.254.0 0.0.0.255 (5 matches)
cheers
12-10-2020 03:35 AM
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.100.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5, #recv errors 0
This error means the problem is in the router; the router never encrypts any packets.
permit ip 172.16.10.0 0.0.0.255 10.0.0.0 0.255.255.255 <- this is in the router, but the proxy shows 10.0.100.0
So exactly the same ACL as in the ASA must be found in the router (except flip source with destination).
12-10-2020 03:57 AM
No, OK,
just clear crypto ipsec sa
(you may need to do this step three or four times)
and then try again.
12-10-2020 04:36 AM
clear crypto ipsec sa doesn't work on this router, but what I did do is disable S2S on the ASA for both IKEv1 & IKEv2, then ran "clear crypto session" and "clear crypto sa" several times...
Still the same issue; it's bizarre that only 1 out of the 3 access-list items is working...
Is there a way to drill down into the "send errors"?
Does the extract below help?
Dec 10 12:26:23.733: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 10.0.100.0-10.0.100.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:23.755: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group
Dec 10 12:26:48.974: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 172.16.10.0-172.16.10.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range: 172.16.254.0-172.16.254.255 Protocol: 256 Port Range: 0-65535
Dec 10 12:26:48.996: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Unsupported DH group
Cheers
12-10-2020 05:00 AM - edited 12-10-2020 05:03 AM
crypto map OUTSIDE_map 1 set pfs group5
Do this in the ASA.
12-10-2020 05:08 AM
Hi All,
Many thanks for your kind assistance.
I resolved the issue myself, the logs gave me a hit where to look.
I removed the "set pfs group5" from the crypto map and now its working.....
Cheers
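The log lines and the resolution above point at a PFS mismatch rather than a routing or NAT problem, and the symptom (one selector works, the other two abort with "Unsupported DH group") is what such a mismatch looks like under IKEv2: the first child SA is created inside IKE_AUTH, which carries no separate Diffie-Hellman exchange, so it comes up regardless of the PFS setting; every further selector needs its own CREATE_CHILD_SA exchange, where the ASA's `set pfs group5` adds a DH transform that the router, configured without PFS (its own output shows `PFS (Y/N): N`), rejects. Below, as an added illustration and not configuration from the thread, is the mismatched pair followed by the two consistent ways to fix it. CMAP-ASA, DFW-S2S-ASA and OUTSIDE_map are names seen in the thread; the router's transform-set and IKEv2 profile names are assumptions.

```cisco
! --- The mismatch the thread shows ---
! ASA side: the crypto map entry asks for PFS with DH group 5 on every child SA.
crypto map OUTSIDE_map 1 set pfs group5
!
! IOS side (C927): a crypto map entry with no "set pfs" at all; the router's output
! confirms it with "PFS (Y/N): N". TS-ASA and IKEV2-ASA are assumed names.
crypto map CMAP-ASA 10 ipsec-isakmp
 set peer xxx.xxx.xxx.2
 set transform-set TS-ASA
 set ikev2-profile IKEV2-ASA
 match address DFW-S2S-ASA
!
! Effect: the first child SA (172.16.10.0/24 <-> 172.16.60.0/24) is negotiated inside
! IKE_AUTH, which has no separate DH exchange, so it comes up and passes traffic.
! The second and third selectors need CREATE_CHILD_SA exchanges; the ASA includes a
! DH transform (group 5) in those, the router has agreed to none, and aborts them with
! %IKEV2-3-NEG_ABORT ... Unsupported DH group. Result: one working selector out of three.
!
! --- Fix A (what the poster did): no PFS on either side ---
! ASA
no crypto map OUTSIDE_map 1 set pfs group5
!
! --- Fix B (keeps forward secrecy): the same group on both sides ---
! ASA
crypto map OUTSIDE_map 1 set pfs group14
! IOS
crypto map CMAP-ASA 10 ipsec-isakmp
 set pfs group14
!
! --- Check on the router after "clear crypto sa": every selector should now have an SA,
!     non-zero encaps once traffic flows, and (with Fix B) PFS Y ---
show crypto ipsec sa | include ident|PFS|encaps|send errors
```

Fix A works but gives up forward secrecy for the data keys: every child SA's keys are then derived from the single IKE SA's key material, so a compromise of that material exposes all three tunnels' traffic for the IKE SA's lifetime. If PFS is kept, DH group 5 (1536-bit MODP) is below current recommendations; group 14 (2048-bit) or an ECP group is the sensible floor, and it must be identical on both peers or the CREATE_CHILD_SA exchanges fail exactly as seen here. Separately, the router output earlier in the thread shows the data SA negotiated as esp-des esp-md5-hmac and the IKE SA as 3DES/SHA1/DH group 5, a direct consequence of the ASA proposal and transform-set lists still offering DES, 3DES and MD5; trimming both peers to AES-256 (or AES-GCM) with SHA-256 removes single-DES from production traffic.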