CISCO ASA5506X IKEv2 Site-to-Site Strongswan works but with a disturbing issue

Xenion
Level 1

Dear Community,

 

This is my first post after many years of just reading along here and using all the valuable discussions as guidance. 

 

Our company recently moved offices, and in doing so I had to reconfigure our site-to-site link to a new internet line. Ever since, I can only get the tunnel to work properly if I – now comes the crazy part – specify BOTH the local as well as the remote in my "local" definition. If I don't do this the tunnel will come up, but traffic is only flowing towards the remote end and nothing comes back. I am really scratching my head on this as I've done this setup at least 20-30 times already and really cannot seem to fix this one.

 

Note: I've used the ASDM to create the configuration.

 

Quick summary of the setup (Anonymised):

 

CISCO ASA (Version 9.6)

  • Internal network: 172.16.8.0/22 on GE1/1
  • Internet line with DSL modem and static IP via DHCP on GE1/3; assume 80.90.100.110 as the static internet IP
  • There are in total 3 Internet links; two are bundled via a traffic zone and have the default route, therefore I've set no default route for GE1/3 and instead a fixed route to the remote IP of the Strongswan via this interface's default GW, which works well. The clients surf using the two other links and my tunnel is put up with this dedicated line.

Strongswan Gateway (Version 5.8.1)

  • Internal network: 172.16.0.0/22 on eth1
  • Internet line eth0, with the assumed static IP of 20.30.40.50

 

The goal is to connect 172.16.8.0/22 (ASA local network) with 172.16.0.0/22 (Strongswan local network) using PSK.

If I configure this using the ASDM wizard the tunnel comes up without flaw automatically, but traffic only flows from the ASA towards the Strongswan gateway and no traffic ever comes back. If I now add 172.16.0.0/22, the Strongswan local network, as a local traffic selector for the crypto map in the ASDM it works immediately. Technically all is fine doing this, the tunnel works flawlessly, but this really is freaking me out as it should not be this way, so any help restoring my sanity is welcome. It is very likely a very silly config error that I am just not seeing.

 

The configuration is as follows

 

CISCO ASA anonymised excerpt (please ask for more if needed)

 

interface GigabitEthernet1/1
 description ASA local backbone network
 speed 1000
 duplex full
 nameif Local_Backbone
 security-level 100
 ip address 172.16.8.1 255.255.252.0
!
interface GigabitEthernet1/3
 nameif Internet_Line-01
 security-level 0
 pppoe client vpdn group Internet_Line-01
 ip address pppoe
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ASA_local_P1
 host 172.16.8.1
object network Local_Backbone
 subnet 172.16.8.0 255.255.252.0
object network Remote_Backbone
 subnet 172.16.0.0 255.255.252.0
!
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_13
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object Other_Remote_Site_Backbone
 network-object object Local_Backbone
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_3
 network-object object Remote_Backbone
 network-object object Other_Remote_Site_Backbone
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_17
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_10
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_12
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_15
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_16
 protocol-object ip
 protocol-object icmp
!
access-list Internet_Line-01_cryptomap_2 extended permit object-group DM_INLINE_PROTOCOL_5 object Local_Backbone object Other_Remote_Backbone
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group DM_INLINE_NETWORK_1 object Local_Backbone
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_16 object Local_Backbone object-group DM_INLINE_NETWORK_3
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Internet_Line-01_cryptomap_3 extended permit ip object Local_Backbone object Remote_Backbone
access-list Internet_Line-03_access_in extended permit object-group DM_INLINE_PROTOCOL_17 any any
access-list InternetUplink extended permit object-group DM_INLINE_PROTOCOL_9 any any
!
nat (Local_Backbone,Internet_Line-02) after-auto source dynamic Local_Backbone interface
nat (Local_Backbone,Internet_Line-03) after-auto source dynamic Local_Backbone interface
!
access-group Backbone_access_in in interface Local_Backbone
access-group Line1_access_in in interface Internet_Line-01
!
route Internet_Line-03 0.0.0.0 0.0.0.0 192.168.10.1 1
route Internet_Line-01 0.0.0.0 0.0.0.0 GW_OF_LINE1 3
route Internet_Line-01 20.30.40.50 255.255.255.255 GW_OF_LINE1 1
route Internet_Line-01 172.16.0.0 255.255.252.0 GW_OF_LINE1 1
!
crypto map Internet_Line-01_map2 1 match address Internet_Line-01_cryptomap_3
crypto map Internet_Line-01_map2 1 set peer 20.30.40.50
crypto map Internet_Line-01_map2 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AES256-SHA256 AES256-GMAC-SHA256 AES256-SHA
crypto map Internet_Line-01_map2 1 set ikev2 pre-shared-key *****
crypto map Internet_Line-01_map2 1 set nat-t-disable
crypto map Internet_Line-01_map2 1 set reverse-route
!
crypto isakmp identity address
!
crypto ikev2 enable Internet_Line-01
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value Internet_Line-01_cryptomap_3
 vpn-tunnel-protocol ikev2
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group 20.30.40.50 type ipsec-l2l
tunnel-group 20.30.40.50 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 20.30.40.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

 

Strongswan anonymised excerpt (please ask for more if needed)

connections {
    local-to-asa {
        local_addrs = 20.30.40.50
        remote_addrs = 80.90.100.110
        local {
            auth = psk
            id = @20.30.40.50
        }
        remote {
            auth = psk
        }
        children {
            local-to-asa-ipsec {
                local_ts = 172.16.0.0/22
                remote_ts = 172.16.8.0/22
                esp_proposals = aes-sha1
                start_action = start
            }
        }
        version = 2
        mobike = no
        reauth_time = 28800
        proposals = aes-sha1-modp1536
    }
}

 

Your support is truly appreciated!

 

With greetings

 

Xenion
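One check worth running against the two excerpts above is whether the IKEv2 traffic selectors mirror each other (the ASA's local side must equal strongSwan's remote_ts and vice versa). The script below is an added example, not code from the thread or from Cisco or strongSwan: it parses the posted swanctl child block and the ASA crypto-map ACL, confirms the as-designed selectors mirror, and then shows that the workaround (reconstructed here as the extra ACL line ASDM would generate when the remote network is also listed as "local") breaks that symmetry, which points the search away from the selectors and toward routing, interface ACLs and NAT on the ASA.

```python
import ipaddress
import re

# Constructed from the thread's anonymised excerpts (sample data, not the poster's files verbatim).
SWANCTL_CHILD = """
local-to-asa-ipsec {
    local_ts = 172.16.0.0/22
    remote_ts = 172.16.8.0/22
}
"""
ASA_OBJECTS = {"Local_Backbone": "172.16.8.0/22", "Remote_Backbone": "172.16.0.0/22"}
ASA_ACL_AS_POSTED = [
    "access-list Internet_Line-01_cryptomap_3 extended permit ip object Local_Backbone object Remote_Backbone",
]
# The poster's workaround, reconstructed: the remote network also listed as an ASA "local" selector.
ASA_ACL_WORKAROUND = ASA_ACL_AS_POSTED + [
    "access-list Internet_Line-01_cryptomap_3 extended permit ip object Remote_Backbone object Remote_Backbone",
]

def swanctl_selectors(text):
    """Return (local_ts, remote_ts) of a swanctl child block as sets of networks."""
    found = {}
    for key in ("local_ts", "remote_ts"):
        m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", text, re.M)
        found[key] = {ipaddress.ip_network(v.strip()) for v in m.group(1).split(",")}
    return found["local_ts"], found["remote_ts"]

def asa_crypto_selectors(acl_lines, objects):
    """Return (local, remote) from 'permit ip object SRC object DST' crypto ACL lines;
    on the ASA the ACL source is its own side and the destination is the peer side."""
    local, remote = set(), set()
    for line in acl_lines:
        m = re.search(r"permit\s+ip\s+object\s+(\S+)\s+object\s+(\S+)", line)
        if m:
            local.add(ipaddress.ip_network(objects[m.group(1)]))
            remote.add(ipaddress.ip_network(objects[m.group(2)]))
    return local, remote

def selector_mismatches(acl_lines, objects=ASA_OBJECTS, child=SWANCTL_CHILD):
    """IKEv2 TS negotiation needs ASA local == strongSwan remote_ts and ASA remote ==
    strongSwan local_ts; returns one message per side that does not mirror."""
    asa_local, asa_remote = asa_crypto_selectors(acl_lines, objects)
    ss_local, ss_remote = swanctl_selectors(child)
    fmt = lambda nets: sorted(str(n) for n in nets)
    problems = []
    if asa_local != ss_remote:
        problems.append(f"ASA local {fmt(asa_local)} != strongSwan remote_ts {fmt(ss_remote)}")
    if asa_remote != ss_local:
        problems.append(f"ASA remote {fmt(asa_remote)} != strongSwan local_ts {fmt(ss_local)}")
    return problems
```

Running selector_mismatches(ASA_ACL_AS_POSTED) returns an empty list, while selector_mismatches(ASA_ACL_WORKAROUND) reports that the ASA now offers two local networks against strongSwan's single remote_ts.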

2 Replies

Xenion
Level 1

Bump

 

Can someone please have a look at this?

It likely only needs a short glimpse to spot this probably very obvious fault which I am not seeing.

 

Thanks a lot!

Hi,

Can you run packet-tracer? Run the command twice and provide the output from the 2nd run. Example: "packet-tracer input Local_Backbone tcp 172.16.8.3 3000 172.16.0.3 80"

 

Can you provide the output of "show crypto ipsec sa" from when it works and when it doesn't?

 

Have you provided the full configuration of the ASA?