IPSEC VPN Tunnel on Zonebased Firewall issue

m1xed0s

Please help!!!

I am trying to set up a lab router, an ISR1921, to build a VPN tunnel with VMware vShield Edge. The configuration of the 1921 is pasted below. There is not much to set on the vShield side really, and I am positive both sides are matching for phase 1 & 2.

The issue I have: the tunnel can be built properly and I can also see the encap and decap counters increasing in the show crypto ipsec sa output. However, devices on either side cannot communicate. With that being said, I can ping from the 1921 to the internal interface IP of the vShield with a specified source IP. But there is just no communication from either side...

I did debugs and the only "error related" messages are:

Feb 20 01:58:03.193: ISAKMP:(1001):deleting node 1656104565 error FALSE reason "Informational (in) state d1"

...

Feb 20 01:58:03.193: ISAKMP:(1001):purging node -1657220080

I hope I did not make a stupid mistake in the configuration, but I have spent too much time on this. It is supposed to be a really simple setup... please help!!

!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Lab-1900
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.154-1.T1.bin
boot system flash:c1900-universalk9-mz.SPA.151-4.M7.bin
boot system flash:c1900-universalk9-mz.SPA.150-1.M4.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
aaa session-id common
clock timezone AST -4 0
clock summer-time ADT recurring 3 Sun Mar 2:00 2 Sun Nov 2:00
!
ip dhcp excluded-address 192.168.100.1 192.168.100.40
!
ip dhcp pool DHCPPOOL
 import all
 network 192.168.100.0 255.255.255.0
 domain-name LAB
 dns-server 8.8.8.8 4.2.2.2
 default-router 192.168.100.1
 lease 4
!
ip domain name lab
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
multilink bundle-name authenticated
!
redundancy
!
ip ssh version 2
!
class-map type inspect match-any ESP_CMAP
 match access-group name ESP_ACL
class-map type inspect match-all SDM_GRE_CMAP
 match access-group name GRE_ACL
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
 match access-group 154
class-map type inspect match-all ALLOW-VPN-TRAFFIC-OUT
 match access-group name ALLOW-VPN-TRAFFIC-OUT
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 match protocol http
class-map type inspect match-any AH_CMAP
 match access-group name AH_ACL
class-map type inspect match-all ALLOW-VPN-TRAFFIC
 match access-group name ALLOW-VPN-TRAFFIC-OUT
class-map type inspect match-all ccp-invalid-src
 match access-group 126
class-map type inspect match-any ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map AH_CMAP
 match class-map ESP_CMAP
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
 match access-group 137
 match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect self-out-pmap
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect out-self-pmap
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop log
policy-map type inspect in-out-pmap
 class type inspect ccp-invalid-src
  drop log
 class type inspect ALLOW-VPN-TRAFFIC-OUT
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop log
policy-map type inspect out-in-pmap
 class type inspect sdm-cls-VPNOutsideToInside-13
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security zp-self-out source self destination out-zone
 service-policy type inspect self-out-pmap
zone-pair security zp-out-To-in source out-zone destination in-zone
 service-policy type inspect out-in-pmap
zone-pair security zp-in-out source in-zone destination out-zone
 service-policy type inspect in-out-pmap
zone-pair security zp-out-self source out-zone destination self
 service-policy type inspect out-self-pmap
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key iL9rY483fF address 172.24.92.103
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto map IPSEC_MAP 1 ipsec-isakmp
 description Tunnel-to-Sandbox2
 set peer 172.24.92.103
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 150
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN
 ip address 172.24.92.18 255.255.255.0
 ip nat outside
 no ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
 crypto map IPSEC_MAP
 crypto ipsec df-bit clear
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip nat inside source route-map RMAP_4_PAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 172.24.92.254
!
ip access-list extended AH_ACL
 permit ahp any any
ip access-list extended ALLOW-VPN-TRAFFIC-OUT
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ESP_ACL
 permit esp any any
ip access-list extended TELNET_ACL
 permit tcp any any eq telnet
!
route-map RMAP_4_PAT permit 1
 match ip address 108
!
snmp-server community 1snmp2use RO
access-list 108 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.100.0 0.0.0.255 any
access-list 126 permit ip host 255.255.255.255 any
access-list 126 permit ip 127.0.0.0 0.255.255.255 any
access-list 137 permit ip 172.24.92.0 0.0.0.255 any
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 154 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class TELNET_ACL in
 exec-timeout 0 0
 logging synchronous
 transport input all
line vty 5 15
 access-class TELNET_ACL in
 exec-timeout 0 0
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp server 0.ca.pool.ntp.org prefer
ntp server 1.ca.pool.ntp.org
!
end


m1xed0s

No one has any experience with the combination of the two...

Still waiting...

m1xed0s

Wow...this would be the quietest discussion ever?

m1xed0s

Bumping it one more time... Still wondering if anyone could shed some light on this...

Hi,

I took a quick look at the configuration and it seems to be fine; I did not check the ZBF piece though.

If you add both interfaces to the same zone, do you notice any difference?

If so, put the configuration back and run:

     ip inspect log drop-pkt

Also, does the tunnel flap? 

     show crypto session detail

HTH.


Message was edited by: Javier Portuguez

I do have ip inspect log drop-pkt configured but, funnily enough, there is no log of anything being dropped...

I did also try to have both interfaces configured in in-zone but nothing changed.

Another funny point: if I do "ping 192.168.1.10 source 192.168.100.1" on the 1921 router, I get replies properly, but not from a host connected on the inside of the 1921...

From show crypto ipsec sa:

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

NAT seems to be fine.

Please create an ACL with bidirectional ACEs and add it as an access-group to the ingress interface:

ip access-list extended 180
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255 log
 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 log
 permit ip any any
interface GigabitEthernet0/1
 ip access-group 180 in
 ip access-group 180 out

Then generate some traffic and run the show access-lists 180 command.

Also, if possible, enable debug ip icmp at the same time.

Share the results.

Thanks,


Well, magically the two permit rules solved the issue. However, WHY?

Isn't the zone-based firewall supposed to permit the traffic with my configured rules? Why do I have to apply a static ACL to the interface (the LAN one) to permit it? Isn't ZBF supposed to replace the traditional static ACL firewall...?

Sounds like a possible CEF issue.

Since this is a TEST environment, remove the access-group from the interface and issue the following command in configuration mode:

no ip cef

Let me know if it works after that.

You are awesome!!!!

Removed access-group 180 from gig0/1 in both directions and disabled IP CEF. The connection is back again!!!

So does this mean it is a bug in IOS, or did I configure something wrong...

It is a possibility.

Try this:

1- Add reverse-route to the crypto map:

crypto map outside_map 10 ipsec-isakmp
 reverse-route static

Some more information about IP CEF.

Troubleshooting Prefix Inconsistencies with Cisco Express Forwarding

Please share the "show version | inc 15".

Thanks!

With IP CEF enabled, adding reverse-route static also brought the connection back.

Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.4(1)T1, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)

System image file is "flash:c1900-universalk9-mz.SPA.154-1.T1.bin"

Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.

BTW, your link does not work.

Very good, then that is your fix.

The link is: http://www.cisco.com/c/en/us/support/docs/ip/express-forwarding-cef/14540-cefincon.html

Please rate any helpful posts.

Thanks a lot for your help!!! I am still trying to figure out why Reverse Route Injection is needed on IOS.

While I was waiting for help, I also set up an ASA 5505 to the same vShield Edge, and I did not have to enable reverse route injection there...

I should read the IP CEF stuff more I guess...

You are welcome!

Feel free to ping me back at any time.
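Added example, not from any post in this thread and not Cisco's code: a small Python script that does statically the cross-checks the two accepted answers and the "however, WHY?" follow-up walk through by hand. For an IOS config shaped like the one posted it verifies that the crypto map's ACL, the NAT-exemption ACL behind the PAT route-map, and the ZBF class/policy of both zone pairs agree on the tunnel subnets, and it reports whether the crypto map entry carries reverse-route, the change that restored forwarding here. It runs on a constructed excerpt modelled on the posted config: the class-map names VPN-OUT and VPN-IN are invented, only ACL-matched classes are evaluated (protocol-based and nested class-map matches are skipped), a single crypto map entry is assumed, and sub-commands must be indented as show running-config prints them. It does not explain the CEF behaviour the thread left open; it only tells you whether the four pieces line up.

```python
import re
from ipaddress import IPv4Address, ip_network

def _operand(t):  # consume one ACE operand: 'any' or 'ADDR WILDCARD' (contiguous wildcard, 0.0.0.255 -> /24)
    if t[0] == "any":
        return ip_network("0.0.0.0/0"), t[1:]
    plen = 32 - bin(int(IPv4Address(t[1]))).count("1")
    return ip_network(f"{t[0]}/{plen}", strict=False), t[2:]

def parse(cfg):
    """ACL 'ip' ACEs plus ZBF class-maps, policy-maps and zone-pairs; sub-commands must be
    indented as 'show running-config' prints them. 'match protocol'/'match class-map' are ignored."""
    acls, classes, pmaps, pairs, cur = {}, {}, {}, {}, None
    for raw in filter(str.split, cfg.splitlines()):           # skip blank lines
        t = raw.split()
        if t[0] == "access-list" and len(t) > 2:               # numbered ACL: one ACE per top-level line
            cur, t = ("acl", t[1]), t[2:]
        if cur and cur[0] == "acl" and t[0] in ("permit", "deny"):
            if len(t) > 1 and t[1] == "ip":                    # only 'ip' ACEs matter for the VPN check
                src, rest = _operand(t[2:])
                acls.setdefault(cur[1], []).append((t[0], src, _operand(rest)[0]))
            continue
        if raw.startswith(" ") and cur:                        # sub-command of the enclosing block
            kind, key = cur
            if kind == "class-map" and t[:2] == ["match", "access-group"]:
                classes[key].append(t[-1])                     # 'name X' or a bare number
            elif kind == "policy-map" and t[0] == "class":
                pmaps[key].append([t[-1], None])               # 'type inspect X' or 'class-default'
            elif kind == "policy-map" and t[0] in ("inspect", "pass", "drop"):
                pmaps[key][-1][1] = t[0]                       # action of the most recent class
            elif kind == "zone-pair" and t[0] == "service-policy":
                pairs[key] = t[-1]
            continue
        cur = None                                             # other top-level lines open a new block
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = ("acl", t[3])
        elif t[0] in ("class-map", "policy-map") and t[1:3] == ["type", "inspect"]:
            cur = (t[0], t[-1])
            (classes if t[0] == "class-map" else pmaps)[t[-1]] = []
        elif t[:2] == ["zone-pair", "security"]:               # zone-pair security N source S destination D
            cur = ("zone-pair", (t[4], t[6]))
    return acls, classes, pmaps, pairs

def first_match(aces, src, dst):  # IOS ACL semantics: first ACE containing the flow decides, implicit deny
    return next((a for a, s, d in aces if src.subnet_of(s) and dst.subnet_of(d)), "deny")

def zbf_verdict(p, src_zone, dst_zone, src, dst):
    """Action the zone-pair policy applies to a src->dst flow; no zone-pair or no matching class = drop."""
    acls, classes, pmaps, pairs = p
    for cls, action in pmaps.get(pairs.get((src_zone, dst_zone)), []):
        hit = any(first_match(acls.get(a, []), src, dst) == "permit" for a in classes.get(cls, []))
        if cls == "class-default" or hit:
            return action
    return "drop"

def audit(cfg, inside="in-zone", outside="out-zone"):  # findings per permit ACE of the crypto ACL; [] = consistent
    p = parse(cfg)
    crypto_acl = re.search(r"^ match address (\S+)", cfg, re.M).group(1)   # single crypto map entry assumed
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    nat = rm and re.search(rf"^route-map {re.escape(rm.group(1))} permit \d+\n match ip address (\S+)", cfg, re.M)
    out = [] if re.search(r"^ reverse-route", cfg, re.M) else ["crypto map: reverse-route not set"]
    for action, src, dst in p[0].get(crypto_acl, []):
        if action != "permit":
            continue
        if nat and first_match(p[0].get(nat.group(1), []), src, dst) == "permit":
            out.append(f"{src}->{dst}: NAT ACL {nat.group(1)} translates the flow before encryption")
        for s, d, a, b in ((src, dst, inside, outside), (dst, src, outside, inside)):
            v = zbf_verdict(p, a, b, s, d)
            if v not in ("inspect", "pass"):
                out.append(f"{s}->{d}: zone-pair {a}->{b} verdict '{v}'")
    return out

# Constructed excerpt modelled on the thread's config; class-map names VPN-OUT/VPN-IN are invented.
CONFIG = """\
class-map type inspect match-all VPN-OUT
 match access-group name VPN-TRAFFIC
class-map type inspect match-all VPN-IN
 match access-group 154
policy-map type inspect in-out-pmap
 class type inspect VPN-OUT
  inspect
policy-map type inspect out-in-pmap
 class type inspect VPN-IN
  inspect
zone-pair security zp-in-out source in-zone destination out-zone
 service-policy type inspect in-out-pmap
zone-pair security zp-out-To-in source out-zone destination in-zone
 service-policy type inspect out-in-pmap
crypto map IPSEC_MAP 1 ipsec-isakmp
 match address VPN-TRAFFIC
ip nat inside source route-map RMAP_4_PAT interface GigabitEthernet0/0 overload
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map RMAP_4_PAT permit 1
 match ip address 108
access-list 108 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.100.0 0.0.0.255 any
access-list 154 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
```

Running audit(CONFIG) on the excerpt as posted reports only the missing reverse-route; adding " reverse-route static" under the crypto map makes it report nothing. Removing the deny line from ACL 108 makes it flag that the PAT route-map would translate the 192.168.100.0/24 to 192.168.1.0/24 flow before the crypto map sees it, and pointing the outside-to-inside class at an ACL that does not exist shows up as a drop verdict for the return direction, which is the same failure shape the logging ACL in the first accepted answer exposes through its hit counts.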
