IPSec VPN differences between ISR to ASR routers?

t.vandenheuvel
Level 1

I have 3 sites with IPSec VPN tunnels between each: Main site (A) runs on opnsense DEC2750, other sites run ISR2901.  Amongst some changes at site B I wanted to update the 2901 to an ASR1001 but somehow I can't get VPN traffic to flow between site A (DEC2750) and B (ASR).  Traffic between site B (ASR) and C (ISR) works fine.

Does anybody know about differences in IPSec implementation between the ISR2900 series and the ASR1001? It seems like isakmp negotiation works fine, but routes are not getting installed between site A and B somehow.

I tried doing an in-place swap between the ISR and ISR (so same ipsec config, routing, NAT, access lists) to rule out any config error but I am just getting the same result.  B to C works fine, A to B no routes are getting installed.

ISR software: c2900-universalk9-mz.SPA.156-2.T1.bin

ASR software: asr1001-universalk9.03.16.06.S.155-3.S6-ext.bin

When initiating traffic between site B and C I get the following debug output on the ASR:

*Nov 20 00:36:46.851: [] -> [ACL HQ-VPN-TRAFFIC]: message ACL notify RP
*Nov 20 00:36:46.851: [ACL HQ-VPN-TRAFFIC]: message = ACL notify RP
*Nov 20 00:36:56.818: [] -> [ACL HQ-VPN-TRAFFIC]: message ACL notify RP
*Nov 20 00:36:56.818: [ACL HQ-VPN-TRAFFIC]: message = ACL notify RP
*Nov 20 00:36:56.818: IPSEC(MESSAGE): ipsec_isakmp_sa_initiate_internal not time to kick IKE
*Nov 20 00:37:09.651: IPSEC(ipsec_get_crypto_session_id): Invalid Payload Id
*Nov 20 00:37:09.651: [] -> [SADB OUTSIDE-VPN:217.100.12.10]: message SADB root KMI message processing
*Nov 20 00:37:09.651: [SADB OUTSIDE-VPN:217.100.12.10]: message = SADB root KMI message processing
*Nov 20 00:37:09.651: [SADB OUTSIDE-VPN:217.100.12.10] -> [ACL HQ-VPN-TRAFFIC]: message ACL KMI create SA
*Nov 20 00:37:09.651: [ACL HQ-VPN-TRAFFIC]: message = ACL KMI create SA
*Nov 20 00:37:09.651: [ACL HQ-VPN-TRAFFIC] -> [KMI Forward]: message Forward KMI message
*Nov 20 00:37:09.651: [KMI Forward]: message = Forward KMI message
*Nov 20 00:37:09.651: [KMI Forward] -> [Ident 800001DD]: message Ping
*Nov 20 00:37:09.651: [Ident 800001DD]: message = Ping
*Nov 20 00:37:09.651: [KMI Forward] -> [Ident 800001DD]: message Message - Create SA
*Nov 20 00:37:09.651: [Ident 800001DD]: message = Message - Create SA
*Nov 20 00:37:09.651: [Ident 800001DD] -> [Session]: message Session Inserting Peer
*Nov 20 00:37:09.651: [Session]: message = Session Inserting Peer
*Nov 20 00:37:09.651: [Ident 800001DD] -> [Sibling]: message Message - Create Inbound SA
*Nov 20 00:37:09.651: [Sibling]: message = Message - Create Inbound SA
*Nov 20 00:37:09.651: [Sibling] -> [Session]: message Message - In Use
*Nov 20 00:37:09.651: [Session]: message = Message - In Use
*Nov 20 00:37:09.651: [Sibling 4E179731]: request insert_spi got error
*Nov 20 00:37:09.651: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Nov 20 00:37:09.651: [Sibling 4E179731] -> [Ident 800001DD]: message Message - Delete SA [Ident 800001DD] : busy in Send SAs to sibling and install them state
*Nov 20 00:37:09.651: [Sibling 4E179731] -> [Session]: message Message - Not In Use
*Nov 20 00:37:09.651: [Session]: message = Message - Not In Use
*Nov 20 00:37:09.652: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL HQ-VPN-TRAFFIC, static seqno 10 dynamic seqno 0
*Nov 20 00:37:09.652: [Ident 800001DD]: request ipsec_wait_for_delete_to_complete got error
*Nov 20 00:37:09.652: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Nov 20 00:37:09.652: [Ident 800001DD]: message = Message - Delete SA
*Nov 20 00:37:16.852: [] -> [Ident 800001DD]: message Message - Rekey timeout
*Nov 20 00:37:16.852: [Ident 800001DD]: message = Message - Rekey timeout

IPSEC config on ASR:

!
vpdn enable
!
vpdn-group CLIENT-VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 90
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key aaa address a.a.a.a
crypto isakmp key ccc address c.c.c.c
crypto isakmp key client-vpn address 0.0.0.0
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set AES-SHA-TRANS esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set HQ esp-aes esp-sha256-hmac
 mode tunnel
!
!
crypto dynamic-map CLIENT-AES-SHA 90
 set transform-set AES-SHA-TRANS
!
!
crypto map OUTSIDE-VPN 10 ipsec-isakmp
 description A VPN
 set peer a.a.a.a
 set transform-set HQ
 set pfs group2
 match address A-VPN-TRAFFIC
crypto map OUTSIDE-VPN 20 ipsec-isakmp
 description C VPN
 set peer c.c.c.c
 set transform-set AES-SHA
 match address C-VPN-TRAFFIC
crypto map OUTSIDE-VPN 90 ipsec-isakmp dynamic CLIENT-AES-SHA
!
!
interface Port-channel31
 description TO CS1
 no ip address
 no negotiation auto
!
interface Port-channel31.98
 description PTP CS1
 encapsulation dot1Q 98
 ip address 192.168.13.249 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
 channel-group 31 mode active
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 channel-group 31 mode active
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 description INTERNET FACING
 ip address b.b.b.b 255.255.255.248
 ip nat outside
 ip access-group INTERNET_FIREWALL in
 ip tcp adjust-mss 1340
 negotiation auto
 crypto map OUTSIDE-VPN
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Virtual-Template1
 description VPN-GATEWAY
 ip address 192.168.13.201 255.255.255.224
 ip nat inside
 peer default ip address pool CLIENT-VPN-POOL
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
 ip virtual-reassembly
!
ip local pool CLIENT-VPN-POOL 192.168.13.202 192.168.13.220
!
ip nat inside source list NAT interface GigabitEthernet0/0/3 overload
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 y.y.y.y
ip route 192.168.8.0 255.255.255.0 192.168.13.250
ip route 192.168.9.0 255.255.255.0 192.168.13.250
ip route 192.168.12.0 255.255.255.0 192.168.13.250
ip route 192.168.13.0 255.255.255.128 192.168.13.250
ip route 192.168.14.0 255.255.255.0 192.168.13.250
ip ssh version 2
!
ip access-list extended C-VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.127 192.168.16.0 0.0.0.255
 permit ip 192.168.14.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 192.168.20.0 0.0.0.127
 permit ip 192.168.8.0 0.0.0.255 192.168.21.0 0.0.0.127
 permit ip 192.168.9.0 0.0.0.255 192.168.21.0 0.0.0.127
 permit ip 192.168.12.0 0.0.0.255 192.168.21.0 0.0.0.127
 permit ip 192.168.13.0 0.0.0.127 192.168.21.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.21.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.22.0 0.0.0.255
!
ip access-list extended A-VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.127 192.168.0.0 0.0.0.127
 permit ip 192.168.8.192 0.0.0.31 192.168.0.0 0.0.0.127
 permit ip 192.168.9.0 0.0.0.127 192.168.0.0 0.0.0.127
 permit ip 192.168.12.0 0.0.0.127 192.168.0.0 0.0.0.127
 permit ip 192.168.12.128 0.0.0.63 192.168.0.0 0.0.0.127
 permit ip 192.168.13.0 0.0.0.127 192.168.0.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.0.0 0.0.0.127
 permit ip 192.168.8.0 0.0.0.127 192.168.4.0 0.0.0.127
 permit ip 192.168.9.0 0.0.0.127 192.168.4.0 0.0.0.127
 permit ip 192.168.12.0 0.0.0.127 192.168.4.0 0.0.0.127
 permit ip 192.168.8.0 0.0.0.127 192.168.5.0 0.0.0.127
 permit ip 192.168.8.192 0.0.0.31 192.168.5.0 0.0.0.127
 permit ip 192.168.9.0 0.0.0.127 192.168.5.0 0.0.0.127
 permit ip 192.168.12.0 0.0.0.127 192.168.5.0 0.0.0.127
 permit ip 192.168.12.128 0.0.0.63 192.168.5.0 0.0.0.127
 permit ip 192.168.13.0 0.0.0.127 192.168.5.0 0.0.0.127
 permit ip 192.168.13.160 0.0.0.31 192.168.5.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.5.0 0.0.0.127
 permit ip 192.168.14.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip host 192.168.8.11 192.168.6.0 0.0.0.255
!
ip access-list extended INTERNET_FIREWALL
...
 remark *** VPN ***
 permit gre any host 217.100.12.10
 permit esp any host 217.100.12.10
 permit udp any host 217.100.12.10 eq isakmp
 permit udp any host 217.100.12.10 eq non500-isakmp
 permit tcp any host 217.100.12.10 eq 1701
 permit tcp any host 217.100.12.10 eq 1723
 remark *** Ping ***
 permit icmp any host 217.100.12.10 echo
 permit icmp any host 217.100.12.10 echo-reply
 permit icmp any host 217.100.12.10 time-exceeded
 permit icmp any host 217.100.12.10 unreachable
 remark *** Deny all the rest ***
 deny   ip any any log
!
ip access-list extended NAT
 remark *** A-VPN Subnets ***
 deny   ip any 192.168.0.0 0.0.0.255
 deny   ip any 192.168.4.0 0.0.0.127
 deny   ip any 192.168.5.0 0.0.0.127
 deny   ip any 192.168.6.0 0.0.0.255
 deny   ip any 172.16.0.0 0.0.0.255
 remark *** C-VPN Subnets ***
 deny   ip any 192.168.16.0 0.0.0.255
 deny   ip any 192.168.17.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.21.0 0.0.0.255
 deny   ip any 192.168.22.0 0.0.0.255
 remark *** Translated Subnets ***
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.127 any
 permit ip 192.168.13.160 0.0.0.31 any
 permit ip 192.168.14.0 0.0.0.255 any
!

So the above config works on site DEC2750 to ISR2901 but not on DEC2750 to ASR1001. I am wondering what the differences in IPSec implementation could be between ISR and ASR?

1 Reply

t.vandenheuvel
Level 1

I figured it out:

It seems the ASR1000 does not like the SHA256 hash I set in the HQ transform set.

After setting the ASR1000 and DEC2750 to a SHA1 hash, it all works.
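
As an added example (not code from this thread, from the poster or from Cisco), the following Python script parses the crypto portion of an IOS-style config such as the one posted above and does two things a practitioner would want when chasing a problem like this: it reports which ESP integrity transform each static crypto-map peer is offered, so a peer whose transform set uses esp-sha256-hmac stands out immediately, and it flags the weaker settings in the same config (3DES, DH group 2, PFS group2, a pre-shared key bound to 0.0.0.0). The embedded config is a constructed excerpt of the posted one, keeping the poster's a.a.a.a / c.c.c.c placeholders; all function and variable names are my own, and the defaults assumed for an isakmp policy that does not set a field explicitly (des, sha, group 1) are the documented IOS defaults.

```python
import re

WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5", "group1", "group2", "group5"}  # DH groups below 2048 bits

# Constructed excerpt of the crypto lines from the ASR config posted in this
# thread; a.a.a.a and c.c.c.c are the poster's own placeholders.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp policy 90
 encr 3des
 group 2
crypto isakmp key aaa address a.a.a.a
crypto isakmp key client-vpn address 0.0.0.0
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set HQ esp-aes esp-sha256-hmac
crypto map OUTSIDE-VPN 10 ipsec-isakmp
 set peer a.a.a.a
 set transform-set HQ
 set pfs group2
crypto map OUTSIDE-VPN 20 ipsec-isakmp
 set peer c.c.c.c
 set transform-set AES-SHA
"""


def parse_blocks(text):
    """IOS is line based: top-level commands start at column 0, sub-commands are indented."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def parse_crypto(text):
    """Extract IKEv1 policies, transform sets and static crypto-map entries."""
    cfg = {"policies": {}, "tsets": {}, "maps": [], "wildcard_psk": False}
    for header, body in parse_blocks(text):
        if m := re.match(r"crypto isakmp policy (\d+)$", header):
            pol = {"encr": "des", "hash": "sha", "group": "1"}  # IOS defaults
            for line in body:
                key, _, val = line.partition(" ")
                if key in pol:
                    pol[key] = val
            cfg["policies"][int(m.group(1))] = pol
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header):
            cfg["tsets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", header):
            entry = {"map": m.group(1), "seq": int(m.group(2)), "pfs": None}
            for line in body:
                words = line.split()
                if words[:2] == ["set", "peer"]:
                    entry["peer"] = words[2]
                elif words[:2] == ["set", "transform-set"]:
                    entry["tset"] = words[2]
                elif words[:2] == ["set", "pfs"]:
                    entry["pfs"] = words[2]
            cfg["maps"].append(entry)
        elif re.match(r"crypto isakmp key .+ address 0\.0\.0\.0", header):
            cfg["wildcard_psk"] = True
    return cfg


def integrity_by_peer(text):
    """Map each static peer to the ESP integrity transform it is offered."""
    cfg = parse_crypto(text)
    return {e.get("peer"): next((t for t in cfg["tsets"].get(e.get("tset"), [])
                                 if t.endswith("-hmac")), None)
            for e in cfg["maps"]}


def audit(text):
    """Return (severity, message) findings for weak or risky crypto settings."""
    cfg = parse_crypto(text)
    out = []
    for seq, pol in sorted(cfg["policies"].items()):
        if pol["encr"] in WEAK_ENCR:
            out.append(("high", f"isakmp policy {seq}: weak encryption {pol['encr']}"))
        if pol["hash"] in WEAK_HASH:
            out.append(("high", f"isakmp policy {seq}: weak hash {pol['hash']}"))
        if pol["group"] in WEAK_DH:
            out.append(("medium", f"isakmp policy {seq}: DH group {pol['group']} below 2048 bits"))
    if cfg["wildcard_psk"]:
        out.append(("medium", "pre-shared key for address 0.0.0.0 is shared with any peer"))
    for e in cfg["maps"]:
        label = f"crypto map {e['map']} {e['seq']} (peer {e.get('peer')})"
        for t in cfg["tsets"].get(e.get("tset"), []):
            if t in WEAK_ENCR or t in WEAK_HASH:
                out.append(("high", f"{label}: weak transform {t}"))
        if e["pfs"] in WEAK_DH:
            out.append(("medium", f"{label}: PFS {e['pfs']} below 2048 bits"))
    return out
```

Run `integrity_by_peer(SAMPLE_CONFIG)` and the HQ peer shows up as the only one on esp-sha256-hmac, which is exactly the setting the reply above identifies. `audit(SAMPLE_CONFIG)` flags the 3DES policy, the DH group 2 and PFS group2 choices and the wildcard key; esp-sha-hmac is deliberately not flagged as broken, since HMAC-SHA1 is not affected by SHA-1 collision attacks, but keeping an eye on which peers were moved to it makes it easy to return them to esp-sha256-hmac once the interop problem with this ASR release is understood.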
