01-06-2020 07:06 PM - edited 01-06-2020 07:08 PM
Hello all!
I have a Ubiquiti ER-4 in my hub office that I am trying to connect to an ASA 5515 VPN in the datacenter. I have matched the pre-shared keys and gone through the Config Wizard (https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html) for Site-To-Site VPNs on the ASA.
I have entered the following settings on the ER-4:
ASA 5515 related settings:
crypto map Remote-Site 5 match address VPN-FRONTED_cryptomap_3
crypto map Remote-Site 5 set peer <ER-4_public_ip>
crypto map Remote-Site 5 set ikev1 transform-set USNJ-to-NYC
crypto ipsec ikev1 transform-set USNJ-to-NYC esp-aes-256 esp-sha-hmac
group-policy GroupPolicy_<ER-4_public_ip> internal
group-policy GroupPolicy_<ER-4_public_ip> attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group <ER-4_public_ip> type ipsec-l2l
tunnel-group <ER-4_public_ip> general-attributes
default-group-policy GroupPolicy_<ER-4_public_ip>
tunnel-group <ER-4_public_ip> ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
For the "local IP" in the screenshot above I have entered the <ER-4_public_ip>
Any assistance is greatly appreciated.
Thank you!
01-07-2020 06:34 AM
Can you do a sh crypto isakmp sa? What phase is the tunnel negotiation failing at? Best chance is to do a debug on the ASA and check the output.
01-07-2020 09:24 AM
01-07-2020 09:40 AM - edited 01-07-2020 09:43 AM
Do you have a crypto policy that matches the phase 1 parameters? Make sure all phase 1 is matched on both sides. Use this for debugging on ASA side:
debug crypto condition peer x.x.x.x
debug crypto ikev1 200
Also enter, term mon, if you are SSH'd in to the ASA. That will show you the debug logs and you should be able to see where the breakdown is. When done, turn off debugging with, un all. HTH.
01-10-2020 01:55 PM
Hi!
Thanks for the help, I tried your helpful tip but I didn't find any instances of the peer's IP (aside from my command that I typed in) in 13,030 lines that I saved to a text file.
01-21-2020 07:32 AM
I tried this as well: https://help.ubnt.com/hc/en-us/articles/115011058387-EdgeRouter-Site-to-Site-IPsec-VPN-to-Cisco-ASA
For those commands I have already in the running config:
1. Enter configuration mode.
2. Define Network Objects for the remote and local subnets.
object network US-Network
 subnet 10.32.0.0 255.240.0.0
object network US-NY-HUB
 subnet 10.47.0.0 255.255.0.0
3. Create an Access List that links to the Network Objects.
access-list VPN-BACKEND_access_in extended permit ip object US-Network object US-NY-HUB
access-list VPN-FRONTED_cryptomap_3 extended permit ip object-group Primary_Networks object US-NY-HUB
4. Create an IKE policy.
crypto ikev1 policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2880
5. Configure a Transform Set for IPsec.
crypto ipsec ikev1 transform-set USNJ-to-NYC esp-aes-256 esp-sha-hmac
6. Create a crypto map and link it to the previously created transform-set and access-list.
crypto map Remote-Site 5 match address VPN-FRONTED_cryptomap_3
crypto map Remote-Site 5 set peer <CURRENT OFFICE PUBLIC IP>
crypto map Remote-Site 5 set ikev1 transform-set USNJ-to-NYC
7. Create a tunnel group (replace <secret> with your desired passphrase).
tunnel-group <CURRENT OFFICE PUBLIC IP> type ipsec-l2l
tunnel-group <CURRENT OFFICE PUBLIC IP> general-attributes
 default-group-policy GroupPolicy_<CURRENT OFFICE PUBLIC IP>
tunnel-group <CURRENT OFFICE PUBLIC IP> ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
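The reply above points at phase 1 parameter mismatch as the usual cause, and the checklist in this post lists the ASA side in full while the ER-4 side only exists in a screenshot. As an added example, not code from either poster or from Cisco/Ubiquiti, the script below parses the ASA ikev1 policy and transform set posted here and compares them against an EdgeOS ike-group / esp-group configuration, reporting which phase has no matching proposal and which attribute differs. The EdgeOS lines are a constructed sample (the ike-group and esp-group names FOO0 and the aes256 phase 1 setting are assumptions, not the poster's real settings); they are chosen so the check shows a phase 1 encryption mismatch, because on the ASA a bare "encryption aes" means AES-128.

```python
"""Added example: compare IKEv1 phase 1 / phase 2 proposals between an ASA
config and an EdgeOS (EdgeRouter) config and report mismatches.

ASA lines are the ones posted in the thread. EdgeOS lines are a constructed
sample and are NOT the poster's ER-4 settings.
"""
import re

ASA_CONFIG = """\
crypto ikev1 policy 200
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2880
crypto ipsec ikev1 transform-set USNJ-to-NYC esp-aes-256 esp-sha-hmac
crypto map Remote-Site 5 match address VPN-FRONTED_cryptomap_3
crypto map Remote-Site 5 set ikev1 transform-set USNJ-to-NYC
"""

# Constructed EdgeOS sample (group name FOO0 is an assumption). Phase 1
# encryption is aes256 on purpose so the checker has something to report.
EDGEOS_CONFIG = """\
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 2880
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
"""

# ASA keywords mapped onto EdgeOS spellings: a bare "aes"/"esp-aes" on the
# ASA is 128-bit AES and "sha"/"esp-sha-hmac" is SHA-1.
ASA_ENC = {"des": "des", "3des": "3des", "aes": "aes128",
           "aes-192": "aes192", "aes-256": "aes256"}
ASA_HASH = {"md5": "md5", "sha": "sha1"}
ASA_ESP = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
           "esp-aes-192": "aes192", "esp-aes-256": "aes256",
           "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

PHASE1_KEYS = ("encryption", "hash", "dh-group")
PHASE2_KEYS = ("encryption", "hash")


def parse_asa(text):
    """Return ({policy_no: attrs}, {transform_set_name: attrs})."""
    policies, tsets, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            name, enc, auth = m.groups()
            tsets[name] = {"encryption": ASA_ESP[enc], "hash": ASA_ESP[auth]}
            current = None
            continue
        if line.startswith("crypto") or current is None:
            current = None          # any other top-level line ends the policy block
            continue
        key, _, value = line.partition(" ")
        if key == "encryption":
            current["encryption"] = ASA_ENC[value]
        elif key == "hash":
            current["hash"] = ASA_HASH[value]
        elif key == "group":
            current["dh-group"] = value
        elif key == "lifetime":
            current["lifetime"] = int(value)
        elif key == "authentication":
            current["authentication"] = value
    return policies, tsets


def parse_edgeos(text):
    """Return ({ike_group: {...,'proposals': {n: attrs}}}, same for esp-groups)."""
    ike, esp = {}, {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 7 or parts[:3] != ["set", "vpn", "ipsec"]:
            continue
        kind, name, rest = parts[3], parts[4], parts[5:]
        store = {"ike-group": ike, "esp-group": esp}.get(kind)
        if store is None:
            continue
        grp = store.setdefault(name, {"proposals": {}})
        if rest[0] == "proposal" and len(rest) >= 4:
            grp["proposals"].setdefault(int(rest[1]), {})[rest[2]] = rest[3]
        else:
            grp[rest[0]] = rest[1]
    return ike, esp


def mismatches(left, right, keys):
    """Attribute names whose values differ between two proposals."""
    return [k for k in keys if left.get(k) != right.get(k)]


def check(asa_text, edge_text):
    """Per phase: does any ASA policy/transform-set match any EdgeOS proposal?
    When nothing matches, report the closest pair and what differs."""
    policies, tsets = parse_asa(asa_text)
    ike, esp = parse_edgeos(edge_text)
    report = {}
    for phase, asa_side, edge_side, keys in (("phase1", policies, ike, PHASE1_KEYS),
                                             ("phase2", tsets, esp, PHASE2_KEYS)):
        best = None
        for a_name, a in asa_side.items():
            for g_name, g in edge_side.items():
                for p_no, p in g["proposals"].items():
                    diff = mismatches(a, p, keys)
                    if best is None or len(diff) < len(best[1]):
                        best = (f"ASA {a_name} vs {g_name} proposal {p_no}", diff)
        report[phase] = {"matched": best is not None and not best[1],
                         "closest": best[0] if best else None,
                         "differs": best[1] if best else list(keys)}
    # PFS: the ASA only does phase 2 PFS when the crypto map has "set pfs";
    # EdgeOS esp-groups default to pfs enable unless "pfs disable" is set.
    asa_pfs = bool(re.search(r"^crypto map \S+ \d+ set pfs", asa_text, re.M))
    edge_pfs = any(g.get("pfs", "enable") != "disable" for g in esp.values())
    report["pfs_consistent"] = asa_pfs == edge_pfs
    return report


if __name__ == "__main__":
    for phase, r in check(ASA_CONFIG, EDGEOS_CONFIG).items():
        if phase == "pfs_consistent":
            print("pfs", "OK" if r else "MISMATCH")
        else:
            print(phase, "OK" if r["matched"] else f"NO MATCH ({r['closest']}: {r['differs']})")
```

Run it after pasting the real ER-4 "set vpn ipsec ..." lines into EDGEOS_CONFIG; with the constructed sample it reports phase 1 as "NO MATCH" on "encryption" and phase 2 as OK, which is the kind of one-attribute difference the debug output would otherwise have to reveal. Lifetime is parsed but not compared, since a shorter proposed lifetime is normally accepted rather than rejected.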