11-23-2022 09:41 AM
I have 3 sites with IPSec VPN tunnels between each: Main site (A) runs on opnsense DEC2750, other sites run ISR2901. Amongst some changes at site B I wanted to update the 2901 to an ASR1001 but somehow I can't get VPN traffic to flow between site A (DEC2750) and B (ASR). Traffic between site B (ASR) and C (ISR) works fine.
Does anybody know about differences in IPSec implementation between the ISR2900 series and the ASR1001? It seems like ISAKMP negotiation works fine, but routes are not getting installed between site A and B somehow.
I tried doing an in-place swap between the ISR and ASR (so same IPsec config, routing, NAT, access lists) to rule out any config error, but I am just getting the same result: B to C works fine, A to B no routes are getting installed.
ISR software: c2900-universalk9-mz.SPA.156-2.T1.bin
ASR software: asr1001-universalk9.03.16.06.S.155-3.S6-ext.bin
When initiating traffic between site B and C I get the following debug output on the ASR:
*Nov 20 00:36:46.851: [] -> [ACL HQ-VPN-TRAFFIC]: message ACL notify RP
*Nov 20 00:36:46.851: [ACL HQ-VPN-TRAFFIC]: message = ACL notify RP
*Nov 20 00:36:56.818: [] -> [ACL HQ-VPN-TRAFFIC]: message ACL notify RP
*Nov 20 00:36:56.818: [ACL HQ-VPN-TRAFFIC]: message = ACL notify RP
*Nov 20 00:36:56.818: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE
*Nov 20 00:37:09.651: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
*Nov 20 00:37:09.651: [] -> [SADB OUTSIDE-VPN:217.100.12.10]: message SADB root KMI message processing
*Nov 20 00:37:09.651: [SADB OUTSIDE-VPN:217.100.12.10]: message = SADB root KMI message processing
*Nov 20 00:37:09.651: [SADB OUTSIDE-VPN:217.100.12.10] -> [ACL HQ-VPN-TRAFFIC]: message ACL KMI create SA
*Nov 20 00:37:09.651: [ACL HQ-VPN-TRAFFIC]: message = ACL KMI create SA
*Nov 20 00:37:09.651: [ACL HQ-VPN-TRAFFIC] -> [KMI Forward]: message Forward KMI message
*Nov 20 00:37:09.651: [KMI Forward]: message = Forward KMI message
*Nov 20 00:37:09.651: [KMI Forward] -> [Ident 800001DD]: message Ping
*Nov 20 00:37:09.651: [Ident 800001DD]: message = Ping
*Nov 20 00:37:09.651: [KMI Forward] -> [Ident 800001DD]: message Message - Create SA
*Nov 20 00:37:09.651: [Ident 800001DD]: message = Message - Create SA
*Nov 20 00:37:09.651: [Ident 800001DD] -> [Session]: message Session Inserting Peer
*Nov 20 00:37:09.651: [Session]: message = Session Inserting Peer
*Nov 20 00:37:09.651: [Ident 800001DD] -> [Sibling]: message Message - Create Inbound SA
*Nov 20 00:37:09.651: [Sibling]: message = Message - Create Inbound SA
*Nov 20 00:37:09.651: [Sibling] -> [Session]: message Message - In Use
*Nov 20 00:37:09.651: [Session]: message = Message - In Use
*Nov 20 00:37:09.651: [Sibling 4E179731]: request insert_spi got error
*Nov 20 00:37:09.651: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Nov 20 00:37:09.651: [Sibling 4E179731] -> [Ident 800001DD]: message Message - Delete SA [Ident 800001DD] : busy in Send SAs to sibling and install them state
*Nov 20 00:37:09.651: [Sibling 4E179731] -> [Session]: message Message - Not In Use
*Nov 20 00:37:09.651: [Session]: message = Message - Not In Use
*Nov 20 00:37:09.652: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL HQ-VPN-TRAFFIC, static seqno 10 dynamic seqno 0
*Nov 20 00:37:09.652: [Ident 800001DD]: request ipsec_wait_for_delete_to_complete got error
*Nov 20 00:37:09.652: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Nov 20 00:37:09.652: [Ident 800001DD]: message = Message - Delete SA
*Nov 20 00:37:16.852: [] -> [Ident 800001DD]: message Message - Rekey timeout
*Nov 20 00:37:16.852: [Ident 800001DD]: message = Message - Rekey timeout
IPSEC config on ASR:
!
vpdn enable
!
vpdn-group CLIENT-VPN
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 90
encr 3des
authentication pre-share
group 2
crypto isakmp key aaa address a.a.a.a
crypto isakmp key ccc address c.c.c.c
crypto isakmp key client-vpn address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set AES-SHA-TRANS esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set HQ esp-aes esp-sha256-hmac
mode tunnel
!
!
crypto dynamic-map CLIENT-AES-SHA 90
set transform-set AES-SHA-TRANS
!
!
crypto map OUTSIDE-VPN 10 ipsec-isakmp
description A VPN
set peer a.a.a.a
set transform-set HQ
set pfs group2
match address A-VPN-TRAFFIC
crypto map OUTSIDE-VPN 20 ipsec-isakmp
description C VPN
set peer c.c.c.c
set transform-set AES-SHA
match address C-VPN-TRAFFIC
crypto map OUTSIDE-VPN 90 ipsec-isakmp dynamic CLIENT-AES-SHA
!
!
interface Port-channel31
description TO CS1
no ip address
no negotiation auto
!
interface Port-channel31.98
description PTP CS1
encapsulation dot1Q 98
ip address 192.168.13.249 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
channel-group 31 mode active
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
channel-group 31 mode active
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/3
description INTERNET FACING
ip address b.b.b.b 255.255.255.248
ip nat outside
ip access-group INTERNET_FIREWALL in
ip tcp adjust-mss 1340
negotiation auto
crypto map OUTSIDE-VPN
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Virtual-Template1
description VPN-GATEWAY
ip address 192.168.13.201 255.255.255.224
ip nat inside
peer default ip address pool CLIENT-VPN-POOL
ppp encrypt mppe 40
ppp authentication ms-chap-v2
ip virtual-reassembly
!
ip local pool CLIENT-VPN-POOL 192.168.13.202 192.168.13.220
!
ip nat inside source list NAT interface GigabitEthernet0/0/3 overload
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip route 192.168.8.0 255.255.255.0 192.168.13.250
ip route 192.168.9.0 255.255.255.0 192.168.13.250
ip route 192.168.12.0 255.255.255.0 192.168.13.250
ip route 192.168.13.0 255.255.255.128 192.168.13.250
ip route 192.168.14.0 255.255.255.0 192.168.13.250
ip ssh version 2
!
ip access-list extended C-VPN-TRAFFIC
permit ip 192.168.8.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.9.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.127 192.168.16.0 0.0.0.255
permit ip 192.168.14.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 192.168.20.0 0.0.0.127
permit ip 192.168.8.0 0.0.0.255 192.168.21.0 0.0.0.127
permit ip 192.168.9.0 0.0.0.255 192.168.21.0 0.0.0.127
permit ip 192.168.12.0 0.0.0.255 192.168.21.0 0.0.0.127
permit ip 192.168.13.0 0.0.0.127 192.168.21.0 0.0.0.127
permit ip 192.168.14.0 0.0.0.255 192.168.21.0 0.0.0.127
permit ip 192.168.14.0 0.0.0.255 192.168.22.0 0.0.0.255
!
ip access-list extended A-VPN-TRAFFIC
permit ip 192.168.8.0 0.0.0.127 192.168.0.0 0.0.0.127
permit ip 192.168.8.192 0.0.0.31 192.168.0.0 0.0.0.127
permit ip 192.168.9.0 0.0.0.127 192.168.0.0 0.0.0.127
permit ip 192.168.12.0 0.0.0.127 192.168.0.0 0.0.0.127
permit ip 192.168.12.128 0.0.0.63 192.168.0.0 0.0.0.127
permit ip 192.168.13.0 0.0.0.127 192.168.0.0 0.0.0.127
permit ip 192.168.14.0 0.0.0.255 192.168.0.0 0.0.0.127
permit ip 192.168.8.0 0.0.0.127 192.168.4.0 0.0.0.127
permit ip 192.168.9.0 0.0.0.127 192.168.4.0 0.0.0.127
permit ip 192.168.12.0 0.0.0.127 192.168.4.0 0.0.0.127
permit ip 192.168.8.0 0.0.0.127 192.168.5.0 0.0.0.127
permit ip 192.168.8.192 0.0.0.31 192.168.5.0 0.0.0.127
permit ip 192.168.9.0 0.0.0.127 192.168.5.0 0.0.0.127
permit ip 192.168.12.0 0.0.0.127 192.168.5.0 0.0.0.127
permit ip 192.168.12.128 0.0.0.63 192.168.5.0 0.0.0.127
permit ip 192.168.13.0 0.0.0.127 192.168.5.0 0.0.0.127
permit ip 192.168.13.160 0.0.0.31 192.168.5.0 0.0.0.127
permit ip 192.168.14.0 0.0.0.255 192.168.5.0 0.0.0.127
permit ip 192.168.14.0 0.0.0.255 192.168.6.0 0.0.0.255
permit ip host 192.168.8.11 192.168.6.0 0.0.0.255
!
ip access-list extended INTERNET_FIREWALL
...
remark *** VPN ***
permit gre any host 217.100.12.10
permit esp any host 217.100.12.10
permit udp any host 217.100.12.10 eq isakmp
permit udp any host 217.100.12.10 eq non500-isakmp
permit tcp any host 217.100.12.10 eq 1701
permit tcp any host 217.100.12.10 eq 1723
remark *** Ping ***
permit icmp any host 217.100.12.10 echo
permit icmp any host 217.100.12.10 echo-reply
permit icmp any host 217.100.12.10 time-exceeded
permit icmp any host 217.100.12.10 unreachable
remark *** Deny all the rest ***
deny ip any any log
!
ip access-list extended NAT
remark *** A-VPN Subnets ***
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.4.0 0.0.0.127
deny ip any 192.168.5.0 0.0.0.127
deny ip any 192.168.6.0 0.0.0.255
deny ip any 172.16.0.0 0.0.0.255
remark *** C-VPN Subnets ***
deny ip any 192.168.16.0 0.0.0.255
deny ip any 192.168.17.0 0.0.0.255
deny ip any 192.168.20.0 0.0.0.255
deny ip any 192.168.21.0 0.0.0.255
deny ip any 192.168.22.0 0.0.0.255
remark *** Translated Subnets ***
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.13.0 0.0.0.127 any
permit ip 192.168.13.160 0.0.0.31 any
permit ip 192.168.14.0 0.0.0.255 any
!
So the above config works on site DEC2750 to ISR2901 but not on DEC2750 to ASR1001. I am wondering what the differences in IPSec implementation could be between ISR and ASR?
11-25-2022 04:16 AM
I figured it out:
It seems the ASR1000 does not like the SHA256 hash I set in the HQ transform set.
After setting the ASR1000 and DEC2750 to SHA1 hash it all works.
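Two checks that a practitioner would run against a crypto-map configuration like the one posted above, written here as an added example (it is not the poster's code and not a Cisco tool): it parses the transform sets and crypto-map entries so that the per-peer ESP proposal is visible side by side (the A-VPN entry offers esp-sha256-hmac while the C-VPN entry offers esp-sha-hmac, which is the mismatch the reply above found), and it verifies that every flow in the crypto ACLs is denied in the NAT ACL, because inside-to-outside NAT runs before crypto-map classification on IOS, so an un-exempted VPN flow gets translated and never matches the crypto ACL. The config string is a constructed excerpt of the thread's ASR config (abbreviated ACLs), and the parser assumes contiguous wildcard masks and the named-ACL syntax used on the page.

```python
import ipaddress
import re

# Constructed excerpt of the ASR config from the thread (ACLs abbreviated to one line per destination).
ASR_CONFIG = """\
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set HQ esp-aes esp-sha256-hmac
 mode tunnel
!
crypto map OUTSIDE-VPN 10 ipsec-isakmp
 description A VPN
 set peer a.a.a.a
 set transform-set HQ
 set pfs group2
 match address A-VPN-TRAFFIC
crypto map OUTSIDE-VPN 20 ipsec-isakmp
 description C VPN
 set peer c.c.c.c
 set transform-set AES-SHA
 match address C-VPN-TRAFFIC
!
ip access-list extended A-VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.127 192.168.0.0 0.0.0.127
 permit ip 192.168.12.0 0.0.0.127 192.168.4.0 0.0.0.127
 permit ip 192.168.13.160 0.0.0.31 192.168.5.0 0.0.0.127
 permit ip host 192.168.8.11 192.168.6.0 0.0.0.255
!
ip access-list extended C-VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.20.0 0.0.0.127
 permit ip 192.168.13.0 0.0.0.127 192.168.21.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.22.0 0.0.0.255
!
ip access-list extended NAT
 remark *** A-VPN Subnets ***
 deny ip any 192.168.0.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.127
 deny ip any 192.168.5.0 0.0.0.127
 deny ip any 192.168.6.0 0.0.0.255
 remark *** C-VPN Subnets ***
 deny ip any 192.168.16.0 0.0.0.255
 deny ip any 192.168.20.0 0.0.0.255
 deny ip any 192.168.21.0 0.0.0.255
 deny ip any 192.168.22.0 0.0.0.255
 remark *** Translated Subnets ***
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.127 any
 permit ip 192.168.13.160 0.0.0.31 any
 permit ip 192.168.14.0 0.0.0.255 any
!
"""

def parse_transform_sets(cfg):
    """Map transform-set name -> list of ESP transforms (cipher, integrity)."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def parse_crypto_map(cfg, name):
    """Map crypto-map sequence number -> {'peer', 'transform-set', 'pfs', 'acl'}."""
    entries, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(rf"^crypto map {re.escape(name)} (\d+) ipsec-isakmp\b", line)
        if m:
            cur = entries.setdefault(int(m.group(1)), {})
        elif cur is not None and line.startswith(" "):
            key, _, rest = line.strip().partition(" ")
            if key == "set":
                attr, _, val = rest.partition(" ")
                cur[attr] = val
            elif key == "match":
                cur["acl"] = rest.split()[-1]
        else:
            cur = None  # '!' or another top-level command ends the entry
    return entries

def _take_addr(toks):
    """Consume one ACL address term (any / host X / X WILDCARD); return it as a network."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    wildcard = int(ipaddress.IPv4Address(toks[1]))
    prefix = bin(0xFFFFFFFF ^ wildcard).count("1")  # assumption: contiguous wildcard
    return ipaddress.IPv4Network((toks[0], prefix), strict=False), toks[2:]

def parse_acl(cfg, name):
    """Return [(action, protocol, src_net, dst_net)] for a named extended ACL."""
    block = re.search(rf"^ip access-list extended {re.escape(name)}\n((?: .*\n)+)", cfg, re.M)
    rules = []
    for line in block.group(1).splitlines():
        toks = line.split()
        if toks[0] == "remark":
            continue
        src, rest = _take_addr(toks[2:])
        dst, _ = _take_addr(rest)
        rules.append((toks[0], toks[1], src, dst))
    return rules

def first_match(rules, src, dst):
    """Verdict of the first rule covering the whole src/dst pair; implicit deny otherwise."""
    for action, _, rsrc, rdst in rules:
        if src.subnet_of(rsrc) and dst.subnet_of(rdst):
            return action
    return "deny"

def peer_proposals(cfg, map_name):
    """ESP transforms offered to each static peer (the SHA-256 vs SHA-1 difference shows here)."""
    tsets = parse_transform_sets(cfg)
    return {e["peer"]: tsets[e["transform-set"]]
            for e in parse_crypto_map(cfg, map_name).values() if "peer" in e}

def nat_verdict(cfg, nat_acl, src_cidr, dst_cidr):
    """What the NAT ACL does with one flow: 'permit' means it would be translated."""
    return first_match(parse_acl(cfg, nat_acl),
                       ipaddress.ip_network(src_cidr), ipaddress.ip_network(dst_cidr))

def unprotected_destinations(cfg, map_name, nat_acl):
    """Crypto-ACL flows the NAT ACL would still translate; should be empty on a correct box."""
    nat_rules = parse_acl(cfg, nat_acl)
    leaks = []
    for seq, entry in parse_crypto_map(cfg, map_name).items():
        if "acl" not in entry:
            continue  # dynamic entries carry no match address
        for action, _, src, dst in parse_acl(cfg, entry["acl"]):
            if action == "permit" and first_match(nat_rules, src, dst) == "permit":
                leaks.append((seq, str(src), str(dst)))
    return leaks

if __name__ == "__main__":
    for peer, transforms in peer_proposals(ASR_CONFIG, "OUTSIDE-VPN").items():
        print(f"{peer}: {' '.join(transforms)}")
    print("NAT leaks:", unprotected_destinations(ASR_CONFIG, "OUTSIDE-VPN", "NAT"))
```

The NAT check only reports a leak when a whole crypto-ACL flow falls through to a permit; a flow that merely overlaps a deny line is not flagged, so treat the output as a first pass and compare it with the peer's transform set and `show crypto ipsec sa` output when a tunnel still fails to install.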