L2L (2) ASA 5505 with Dynamic Client behind NAT

goliver
Level 1

Hi, I have a central ASA that has several L2L IPSec VPNs active.  Our company "was" using the phone-proxy on another ASA, but the certs on the phones are expiring and issues are cropping up all over the place, so I am switching to an ASA at every home and just tunnel the phone traffic through.
I ran into several issues configuring the DefaultL2LGroup for this as the DefaultRAGroup was catching all the traffic.  I finally found the culprit and saw IKE was now using the L2L group versus the RA group.
Now I have an issue where it seems the remote ASA is too smart for its own good when NAT-T is enabled at the remote end.  The central ASA reports:
Jan 19 14:23:23 [IKEv1]Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Tunnel  Cfg'd: UDP Tunnel(NAT-T)

I understand it is doing this because it knows it is behind NAT already, but I do not know how to get NAT ignored for the protected networks as usual on the DefaultL2LGroup's tunnel group.
If I disable NAT-T on the remote ASA, IKE/IPsec completes, but I cannot pass traffic through the tunnel even though packet tracer tells me I am able to.  I have RRI enabled on the central ASA and it adds a route for the remote protected network to its default gateway, and the IPsec SAs appear correct between the 2 systems.
I just tried moving the remote ASA to behind the router, with it being DMZ'ed to the external IP address of the WAN connection, and NAT-T now works as expected, but I still cannot ping the sites from each other, or access resources behind the central ASA from behind the remote ASA.
Any ideas what I might look for to nail this one down?
Remote IKE success:

Jan 19 15:15:02 [IKEv1]Group = DefaultL2LGroup, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=ea0d643f)
Jan 19 15:15:02 [IKEv1]Group = DefaultL2LGroup, IP = x.x.x.x, Adding static route for L2L peer coming in on a dynamic map. address: 10.255.2.0, mask: 255.255.255.0

Central ASA crypto:

asa0-colo# sh crypto ipsec sa peer x.x.x.x            
peer address: x.x.x.x
    Crypto map tag: Dynamic-lslate, seq num: 4, local addr: y.y.y.y

      access-list outside_cryptomap_2 extended permit ip 192.168.5.0 255.255.255.0 10.255.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      current_peer: x.x.x.x


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: y.y.y.y/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B07D2377
      current inbound spi : EC6D68ED
              
    inbound esp sas:
      spi: 0xEC6D68ED (3966593261)
         transform: esp-aes-256 esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 46489600, crypto-map: Dynamic-lslate
         sa timing: remaining key lifetime (sec): 28474
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00001FFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB07D2377 (2960991095)
         transform: esp-aes-256 esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 46489600, crypto-map: Dynamic-lslate
         sa timing: remaining key lifetime (sec): 28474
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Remote ASA crypto:

asa-lslate# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      access-list outside_cryptomap extended permit ip 10.255.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
      local ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: y.y.y.y


      #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 55, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: y.y.y.y/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EC6D68ED
      current inbound spi : B07D2377
              
    inbound esp sas:
      spi: 0xB07D2377 (2960991095)
         transform: esp-aes-256 esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28306
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEC6D68ED (3966593261)
         transform: esp-aes-256 esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28306
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
1 Reply

Bogdan Nita
VIP Alumni

Hi goliver,
NAT traversal comes into play for the peer IPs trying to bring up the VPN tunnel, for example if the branch ASA does not have a public IP on the outside interface and it resides behind a device that performs NAT.

In this case you will need to have NAT traversal enabled on the branch ASA as well as the central ASA. The NAT will be detected along the transmission path and UDP 4500 will be used instead of ESP.

The error you received is indicating that NAT was detected by one of the devices, but the other ASA has NAT traversal disabled. But then you go on to say that you disabled NAT traversal and phase 2 came up; this is a bit confusing, but as long as phase 2 is working it should be ok.
Looking at the sh crypto ipsec sa peer output, it seems that the central ASA is not sending the packets back through the tunnel. This usually indicates a routing or a NAT problem:

- make sure that the branch network is routed to the outside interface

- configure identity NAT for the VPN networks; it should look something like this:

nat (inside,outside) source static VPN-NETWORK-CENTRAL VPN-NETWORK-CENTRAL destination static VPN-NETWORK-BRANCH VPN-NETWORK-BRANCH no-proxy-arp route-lookup

Also, you can use packet tracer on the central ASA to make sure the packets are routed and NATed correctly.
HTH

Bogdan
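The reasoning in the reply (central ASA decapsulates but never encapsulates, so the return path is the problem) and the Phase 2 log line in the question can both be checked mechanically. The script below is an added example, not code from either post or from Cisco: it parses the counters, proxy identities, SPIs and in-use settings from `show crypto ipsec sa` output of both peers, cross-checks that the two views describe the same SA pair, flags the one-way-traffic pattern, and classifies the "Mismatched attribute types for class Encapsulation Mode" failure. The two sample outputs are constructed condensations of the output quoted in the thread (only the lines the checks read are kept); the field names and finding texts are this example's own.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed samples: condensed from the 'show crypto ipsec sa' output quoted in
# the thread, keeping only the lines the checks below read.
CENTRAL_SA = """\
peer address: x.x.x.x
    Crypto map tag: Dynamic-lslate, seq num: 4, local addr: y.y.y.y
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      current outbound spi: B07D2377
      current inbound spi : EC6D68ED
    inbound esp sas:
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
    outbound esp sas:
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
"""

REMOTE_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
      local ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: EC6D68ED
      current inbound spi : B07D2377
    inbound esp sas:
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
    outbound esp sas:
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
"""

# The Phase 2 failure line quoted in the question.
IKE_LOG_LINE = ("Jan 19 14:23:23 [IKEv1]Phase 2 failure:  Mismatched attribute types "
                "for class Encapsulation Mode:  Rcv'd: Tunnel  Cfg'd: UDP Tunnel(NAT-T)")

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
_SPI = re.compile(r"current (outbound|inbound) spi\s*: ([0-9A-Fa-f]+)")
_SETTINGS = re.compile(r"in use settings =\{([^}]*)\}")
_ENCAP_MISMATCH = re.compile(
    r"Mismatched attribute types for class Encapsulation Mode:\s+"
    r"Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$")


def parse_sa(text: str) -> Dict[str, Any]:
    """Extract the fields needed to judge one SA pair from 'show crypto ipsec sa' text."""
    sa: Dict[str, Any] = {"settings": []}
    for m in _COUNTER.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    for m in _IDENT.finditer(text):
        sa[m.group(1) + "_ident"] = f"{m.group(2)}/{m.group(3)}"
    for m in _SPI.finditer(text):
        sa[m.group(1) + "_spi"] = m.group(2).upper()
    for m in _SETTINGS.finditer(text):
        # e.g. ['L2L', 'Tunnel', 'PFS Group 2', 'IKEv1'], one list per ESP SA
        sa["settings"].append([s.strip() for s in m.group(1).split(",") if s.strip()])
    return sa


def diagnose(central: Dict[str, Any], remote: Dict[str, Any]) -> List[str]:
    """Cross-check the two peers' SA views and flag the one-way-traffic pattern."""
    findings: List[str] = []
    # What one side sends on, the other must receive on: SPIs are mirror images.
    if (central["outbound_spi"] != remote["inbound_spi"]
            or central["inbound_spi"] != remote["outbound_spi"]):
        findings.append("SPI mismatch: the two peers are not describing the same SA pair")
    # The proxy identities (protected networks) must be mirror images too.
    if (central["local_ident"] != remote["remote_ident"]
            or central["remote_ident"] != remote["local_ident"]):
        findings.append("proxy identity mismatch between peers")
    # Encapsulation settings (plain Tunnel vs NAT-T UDP encapsulation) must agree.
    if central["settings"] != remote["settings"]:
        findings.append("in-use settings differ between peers (check encapsulation mode / NAT-T)")
    # Decapsulating while never encapsulating: the tunnel is up, but return traffic
    # never enters it on that side, so look at its routing and identity NAT.
    for name, side in (("central", central), ("remote", remote)):
        if side["encaps"] == 0 and side["decaps"] > 0:
            findings.append(f"one-way traffic: {name} ASA decapsulates {side['decaps']} packets "
                            "but encapsulates none; check its route for the peer network and "
                            "identity NAT for the VPN networks")
    return findings


def classify_ike_log(line: str) -> Optional[Tuple[str, str]]:
    """Return (received, configured) encapsulation modes for a Phase 2 mismatch line, else None."""
    m = _ENCAP_MISMATCH.search(line)
    return (m.group("rcvd"), m.group("cfgd")) if m else None


if __name__ == "__main__":
    for finding in diagnose(parse_sa(CENTRAL_SA), parse_sa(REMOTE_SA)):
        print("-", finding)
    print(classify_ike_log(IKE_LOG_LINE))
```

Run against the thread's numbers it reports exactly one finding, the one-way pattern on the central ASA, and parses the log line into received `Tunnel` versus configured `UDP Tunnel(NAT-T)`; pasting the full, unedited `show crypto ipsec sa` output of both boxes works the same way, since the unused lines are ignored.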