1643 Views, 1 Helpful, 29 Replies
Unable to send packet from PC to Server via IPSec Tunnel

heymastreo (Level 1)

I am trying to create a network comprising two routers, one ASA 5505 firewall, one computer and one web server.

[attached image: heymastreo_0-1697677800866.png]

I have created a VPN tunnel between Router4 and the ASA5505 firewall. I have also configured both routers and the ASA5505 firewall.

Also, I read on the internet that I have to initiate interesting traffic for the VPN to initialize, but I don't really understand what that means.

Below is the configuration of Router4:

Router(config)#exit
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router#show run
Building configuration...

Current configuration : 1226 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15247V2V-
license boot module c1900 technology-package securityk9
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp key 12345 address 192.168.2.1
!
crypto ipsec transform-set R1->ASA esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 ! Incomplete
 set peer 192.168.2.1
 set transform-set R1->ASA
 match address VPN-TRAFFIC
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.3.2 255.255.255.0
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
ip flow-export version 9
!
ip access-list extended VPN-TRAFFIC
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
Router#

 

And the ASA5505 firewall configuration is as follows:

ciscoasa#show run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.1 255.255.255.0
!
object network local-network
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPN-TRAFFIC extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
crypto ipsec ikev1 transform-set ASA->R1 esp-aes esp-sha-hmac
!
crypto map IPSEC-MAP 10 match address VPN-TRAFFIC
crypto map IPSEC-MAP 10 set peer 192.168.3.2
crypto map IPSEC-MAP 10 set ikev1 transform-set ASA->R1
crypto map IPSEC-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 encr aes
 authentication pre-share
 group 5
 lifetime 28800
!
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
 ikev1 pre-shared-key 12345
!
ciscoasa#

29 Replies

M02@rt37 (VIP)

Hello @heymastreo,

The interesting traffic for the VPN tunnel is defined by the "VPN-TRAFFIC" access lists on both devices, allowing traffic between the specified subnets (192.168.1.0/24 and 192.168.4.0/24) to trigger the VPN connection. To initiate the VPN tunnel, you need to send traffic between these subnets (for example, by pinging a device in the remote network from the local network). Once the devices detect the interesting traffic, the VPN tunnel should establish automatically.

Best regards
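The two VPN-TRAFFIC lists quoted in the question are the interesting-traffic definition the reply above refers to, and they are also where this configuration goes wrong: a crypto ACL must be the exact reverse of the peer's (each side lists its own LAN as source and the remote LAN as destination, and the two sides become the phase 2 proxy IDs), but the router's list is host-to-host while the ASA's is /24-to-/24, and each side additionally carries a line for the return direction. Note too that in the router config as posted, the crypto map does `match address VPN-TRAFFIC` while both permit statements sit in numbered list 100, so the named list the crypto map references is empty. The following is an added example, not code from the thread or from Cisco: it parses both syntaxes (IOS wildcard masks, ASA subnet masks), checks that every entry on one side appears reversed on the other, and flags return-direction lines. The "fixed" lists it also checks are my assumption of what a mirrored pair looks like here, not something posted in the thread.

```python
"""Mirror check for IPsec crypto ACLs in IOS (wildcard-mask) and ASA
(subnet-mask) syntax.  Added example for this thread; not Cisco code."""
import ipaddress

# Constructed input: the two crypto ACLs exactly as posted in the question.
ROUTER_ACL_POSTED = """
access-list 100 permit ip host 192.168.4.2 host 192.168.1.2
access-list 100 permit ip host 192.168.1.2 host 192.168.4.2
"""
ASA_ACL_POSTED = """
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list VPN-TRAFFIC extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
"""
# Constructed input: an assumed mirrored pair (one /24-to-/24 line per side,
# each side listing its own LAN as the source).  Not posted in the thread.
ROUTER_ACL_FIXED = "access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255\n"
ASA_ACL_FIXED = ("access-list VPN-TRAFFIC extended permit ip "
                 "192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0\n")


def _endpoint(tokens, syntax):
    """Pop one address spec (any | host A | A mask) and return an IPv4 network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if syntax == "ios":
        # IOS ACLs take wildcard masks (0.0.0.255 == /24).  Only a contiguous
        # wildcard maps to a prefix, which is all an IPsec selector can carry.
        wild = int(ipaddress.ip_address(mask))
        if wild & (wild + 1):
            raise ValueError(f"non-contiguous wildcard {mask}")
        return ipaddress.ip_network(f"{tok}/{32 - wild.bit_length()}", strict=False)
    # ASA syntax uses a plain subnet mask; ipaddress accepts the dotted form.
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_crypto_acl(text, syntax):
    """Return [(proto, src_net, dst_net)] for every permit line in text."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # remarks, deny lines and the ACL header select nothing
        rest = tokens[tokens.index("permit") + 1:]
        proto = rest.pop(0)
        src = _endpoint(rest, syntax)
        dst = _endpoint(rest, syntax)
        entries.append((proto, src, dst))
    return entries


def fmt(entry):
    proto, src, dst = entry
    return f"{proto} {src} -> {dst}"


def mirror_report(local_text, local_syntax, remote_text, remote_syntax):
    """Every entry on one side must appear reversed (dst <-> src) on the other;
    that is what lets both peers agree on the same proxy IDs in phase 2."""
    local = parse_crypto_acl(local_text, local_syntax)
    remote = parse_crypto_acl(remote_text, remote_syntax)
    local_set, remote_set = set(local), set(remote)
    missing_on_remote = [fmt(e) for e in local if (e[0], e[2], e[1]) not in remote_set]
    missing_on_local = [fmt(e) for e in remote if (e[0], e[2], e[1]) not in local_set]
    return {
        "mirrored": not missing_on_remote and not missing_on_local,
        "missing_on_remote": missing_on_remote,
        "missing_on_local": missing_on_local,
    }


def reversed_entries(text, syntax):
    """Lines that describe the return direction of another line in the same
    ACL.  A crypto ACL only selects traffic leaving this device; the reverse
    flow is implied, so such lines are the ones to delete."""
    entries = parse_crypto_acl(text, syntax)
    flagged = []
    for p, s, d in entries:
        for q, s2, d2 in entries:
            if (p, s, d) != (q, s2, d2) and s.subnet_of(d2) and d.subnet_of(s2) and q in (p, "ip"):
                flagged.append(fmt((p, s, d)))
                break
    return flagged


if __name__ == "__main__":
    print(mirror_report(ROUTER_ACL_POSTED, "ios", ASA_ACL_POSTED, "asa"))
    print("router return-direction lines:", reversed_entries(ROUTER_ACL_POSTED, "ios"))
    print("asa return-direction lines:", reversed_entries(ASA_ACL_POSTED, "asa"))
    print(mirror_report(ROUTER_ACL_FIXED, "ios", ASA_ACL_FIXED, "asa"))
```

Run against the posted lists, the report shows that none of the four entries has a mirror on the other side, and `reversed_entries` flags both router lines as each other's reverse and the ASA's second (icmp) line as the reverse of its first, which is exactly the line a later reply in this thread says to remove. Against the assumed fixed pair it reports `mirrored: True`.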

I tried pinging from the server to the PC using `ping -t 192.168.4.2`, but it doesn't work.

Router

Share this:

  • debug crypto isakmp

Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.168.2.1     192.168.3.2     QM_IDLE           1087    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

Router#

Can you ping from R to the ASA outside interface?

I.e. ping from VPN endpoint to endpoint.

I think I can

[attached image: heymastreo_0-1697708456492.png]

 

That's great. Meaning phase 1 is OK.

Phase 2 now needs to be checked:

show crypto ipsec

Share this output from the router.

Output of `show crypto ipsec sa` on the router:

Router#show crypto ipsec sa

interface: GigabitEthernet0/1
    Crypto map tag: IPSEC-MAP, local addr 192.168.3.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 0
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.2, remote crypto endpt.: 192.168.2.1
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x55C37018(1438871576)

     inbound esp sas:
      spi: 0xD5C1765B(3586225755)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2005, flow_id: FPGA:1, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3078)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x55C37018(1438871576)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2006, flow_id: FPGA:1, crypto map: IPSEC-MAP
        sa timing: remaining key lifetime (k/sec): (4525504/3078)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Router#

#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 0
#pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 0

There are packets being encrypted and decrypted, so the VPN is OK.

Check the gateway on the server and the PC.

Also, since there is an ASA, you need to allow ping via inspect icmp under the global policy of the ASA.

I think this is the issue here.
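The reasoning in the reply above is the standard way to read `show crypto ipsec sa`: the encaps/decaps pair tells you whether the IPsec layer is moving traffic in each direction, and the combination of the two localizes the fault. The following is an added example, not code from the thread or from Cisco, that pulls the selectors and counters out of that output and returns the same verdict a person would reach; the sample text is a constructed, abridged copy of the router output posted above, and the one-way and idle variants it is also run against are constructed by editing the counters.

```python
"""Pull the per-flow counters out of `show crypto ipsec sa` and say what they
imply about where traffic is being lost.  Added example, not from the thread."""
import ipaddress
import re

# Constructed input: abridged copy of the router output posted in the thread.
SAMPLE_SA = """
interface: GigabitEthernet0/1
    Crypto map tag: IPSEC-MAP, local addr 192.168.3.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 192.168.2.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 0
    #pkts decaps: 27, #pkts decrypt: 27, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.3.2, remote crypto endpt.: 192.168.2.1
"""

_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
_PEER = re.compile(r"current_peer ([\d.]+) port (\d+)")
_COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERR = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'local ident' block: selectors, peer and counters."""
    flows = []
    cur = None
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a new flow starts with its local ident
                cur = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                flows.append(cur)
            if cur is not None:
                cur[side] = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            continue
        if cur is None:
            continue
        if m := _PEER.search(line):
            cur["peer"] = m.group(1)
        elif m := _COUNT.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := _ERR.search(line):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def diagnose(flow):
    """Classify a flow from its counters, the way the reply above reads them."""
    enc, dec = flow["encaps"], flow["decaps"]
    if flow["send_errors"] or flow["recv_errors"]:
        return "errors", "the IPsec layer itself is dropping packets on this SA"
    if enc == 0 and dec == 0:
        return "idle", "nothing has matched the crypto ACL: no interesting traffic sent, or hosts route around this device"
    if enc and not dec:
        return "one-way-out", "this side encrypts but nothing returns: check the peer's crypto ACL and the remote host's gateway"
    if dec and not enc:
        return "one-way-in", "the peer sends but this side never encrypts: local hosts are not reaching this device or miss the crypto ACL"
    return "bidirectional", "ESP flows both ways; the VPN is fine, look at host gateways and firewall inspection/ACLs instead"


if __name__ == "__main__":
    for f in parse_ipsec_sa(SAMPLE_SA):
        code, why = diagnose(f)
        print(f"{f['local']} -> {f['remote']} via {f['peer']}: {code}: {why}")
```

For the posted counters (32 encaps, 27 decaps, no errors) the verdict is `bidirectional`, which is why the reply moves on to the host default gateways and ICMP inspection on the ASA. On the ASA, `inspect icmp` is only accepted in policy-map class configuration mode (`policy-map global_policy`, then `class inspection_default`), so typing it at the global configuration prompt is rejected.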

These are the access-lists I have on my ASA for now:

ciscoasa#show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list VPN-TRAFFIC; 2 elements; name hash: 0x2679b677
access-list VPN-TRAFFIC line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0 (hitcnt=11) 0xd9419465
access-list VPN-TRAFFIC line 2 extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x478a1876
ciscoasa#

This ACL is for the VPN; remove the second line:

access-list VPN-TRAFFIC line 2 extended permit icmp 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)

And add inspect icmp.

 

`inspect icmp` does not seem to be working. It gives an "invalid input detected" error.

[attached image: heymastreo_0-1697709766178.png]

 

By default, ICMP traffic is not inspected by the ASA when flowing from a higher to a lower security zone, so this video will give you an idea of how to explicitly configure ICMP inspection on the ASA.

I was able to add inspect icmp on the ASA, but I have no idea what to do after this.

Edit:

This is what I got after I pinged from one endpoint of the VPN to the other:

[attached image: heymastreo_0-1697711260939.png]

 
