08-10-2016 09:47 PM - edited 02-21-2020 08:55 PM
Hi, I've been battling today to bring up a tunnel between 2 ASA 5506-X using IKEv2 with the same pre-shared key. Short summary, followed by "show run" from both.
ASA1:
- GE1/1 outside 10.12.2.1/24 - connected to ASA2 GE1/1 outside
- GE1/2 10.2.2.1/24 - connected to ASA2 GE1/2 as well as a desktop computer. This is the local network.
- GE1/3 inside 10.1.1.1/24 - connected to 10.1.1.2/24 test client
ASA2:
- GE1/1 outside 10.12.2.2/24 - connected to ASA1 GE1/1 outside
- GE1/2 10.2.2.2/24 - connected to ASA1 GE1/2 as well as a desktop computer.
- GE1/3 inside 10.3.1.1/24 - connected to 10.3.1.2/24 test client
Both ASA routers can ping each other on the directly connected interfaces and can also ping the other systems connected to them, either directly or, in the case of the 10.2.2.0/24 network, via a switch. After configuring everything, the tunnel doesn't come up, even after a "reload" on both, and I don't get any debug output, even though on both "show debug" returns:
debug icmp trace enabled at level 1
debug crypto ipsec enabled at level 1
debug crypto engine enabled at level 1
debug crypto ikev2 protocol enabled at level 1
debug crypto ikev2 platform enabled at level 1
debug crypto ike-common enabled at level 1
"show crypto ipsec sa" on both returns: "There are no ipsec sas"
ASA1 "show run":
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA1
[...]
!
interface GigabitEthernet1/1
nameif ge1outside
security-level 0
ip address 10.12.2.1 255.255.255.0
!
interface GigabitEthernet1/2
nameif ge2
security-level 100
ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet1/3
nameif ge3inside
security-level 100
ip address 10.1.1.1 255.255.255.0
[...]
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ikev2-list extended permit ip 10.1.1.0 255.255.255.0 10.3.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu ge1outside 1500
mtu ge2 1500
mtu ge3inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,ge1outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 10.2.2.0 255.255.255.0 ge2
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 10.12.2.2
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface ge1outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 7200
crypto ikev2 enable ge1outside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.2.2.0 255.255.255.0 ge2
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd auto_config ge1outside
!
dynamic-access-policy-record DfltAccessPolicy
[...]
tunnel-group 10.12.2.2 type ipsec-l2l
tunnel-group 10.12.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
ASA2 "show run":
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASA2
[...]
interface GigabitEthernet1/1
nameif ge1outside
security-level 0
ip address 10.12.2.2 255.255.255.0
!
interface GigabitEthernet1/2
nameif ge2
security-level 100
ip address 10.2.2.2 255.255.255.0
!
interface GigabitEthernet1/3
nameif ge3inside
security-level 100
ip address 10.3.1.1 255.255.255.0
!
[...]
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list ikev2-list extended permit ip 10.3.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu ge1outside 1500
mtu ge2 1500
mtu ge3inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (any,ge1outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 10.2.2.0 255.255.255.0 ge2
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 10.12.2.1
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface ge1outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 7200
crypto ikev2 enable ge1outside
telnet timeout 5
ssh stricthostkeycheck
ssh 10.2.2.0 255.255.255.0 ge2
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd auto_config ge1outside
!
dynamic-access-policy-record DfltAccessPolicy
[...]
tunnel-group 10.12.2.1 type ipsec-l2l
tunnel-group 10.12.2.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Any idea? Thanks.
08-11-2016 12:48 AM
Hi,
The issue is with NAT, as per the flow below:
Anyway, try the config below:
ASA 1 config:
object network GE3_10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network GE3_10.3.1.0
subnet 10.3.1.0 255.255.255.0
nat (ge3inside,ge1outside) source static GE3_10.1.1.0 GE3_10.1.1.0 destination static GE3_10.3.1.0 GE3_10.3.1.0
ASA 2 config:
object network GE3_10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network GE3_10.3.1.0
subnet 10.3.1.0 255.255.255.0
nat (ge3inside,ge1outside) source static GE3_10.3.1.0 GE3_10.3.1.0 destination static GE3_10.1.1.0 GE3_10.1.1.0
HTH.
Regards,
Terence
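Why the accepted answer works, as an added illustration that is not part of the thread: the only NAT rule in the original configs is the object (auto) NAT `nat (any,ge1outside) dynamic interface`, which PATs every flow leaving ge1outside to the outside interface address, and the ASA evaluates the crypto-map ACL against the packet after translation. A packet from 10.1.1.2 to 10.3.1.2 therefore leaves ASA1 as 10.12.2.1 -> 10.3.1.2, never matches `ikev2-list`, never triggers IKEv2, and the debugs stay silent. Terence's manual (twice) NAT is an identity rule that sits in NAT section 1, which the ASA consults before object NAT in section 2, so LAN-to-LAN traffic keeps its real source and matches the crypto ACL while Internet-bound traffic still falls through to the PAT rule. The Python below is this editor's toy model of that first-match, section-ordered lookup for ASA1; the addresses, interface names and rule names are those from the thread, while the function names, the `Packet`/`NatRule` types and the sample packets are this example's own, and the real section 2 ordering and port handling are deliberately omitted.

```python
"""Toy model of ASA NAT rule selection followed by the crypto-map ACL check.

Added example, not code from the thread. Addresses and rule names come from the
posted configs; the data types, function names and sample packets are assumed
here for illustration. Real ASA section 2 ordering and port translation are
not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass
class NatRule:
    name: str
    section: int                # 1 = manual (twice) NAT, 2 = object (auto) NAT
    src_ifc: str                # ingress nameif; "any" matches every interface
    src: IPv4Network            # real source the rule applies to
    dst: IPv4Network            # real destination the rule applies to
    mapped_src: Optional[str]   # None = identity; "interface" = PAT to egress IP


@dataclass
class Packet:
    in_ifc: str
    src: str
    dst: str


# ASA1 addressing from the thread
ASA1_OUTSIDE_IP = "10.12.2.1"                  # ge1outside
LOCAL_LAN = IPv4Network("10.1.1.0/24")         # ge3inside
REMOTE_LAN = IPv4Network("10.3.1.0/24")        # behind ASA2
ANY = IPv4Network("0.0.0.0/0")


def asa1_rules_before() -> List[NatRule]:
    """Only the auto NAT from the question: nat (any,ge1outside) dynamic interface."""
    return [NatRule("obj_any", 2, "any", ANY, ANY, "interface")]


def asa1_rules_after() -> List[NatRule]:
    """The answer's identity twice NAT lands in section 1, ahead of the object NAT."""
    return [
        NatRule("GE3_10.1.1.0->GE3_10.3.1.0", 1, "ge3inside", LOCAL_LAN, REMOTE_LAN, None),
        NatRule("obj_any", 2, "any", ANY, ANY, "interface"),
    ]


def pick_nat_rule(rules: List[NatRule], pkt: Packet) -> Optional[NatRule]:
    """First match wins: section 1 before section 2, then configured order."""
    src = ipaddress.IPv4Address(pkt.src)
    dst = ipaddress.IPv4Address(pkt.dst)
    for rule in sorted(rules, key=lambda r: r.section):   # stable: keeps line order
        if rule.src_ifc not in ("any", pkt.in_ifc):
            continue
        if src in rule.src and dst in rule.dst:
            return rule
    return None


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (post-NAT source, name of the rule hit)."""
    rule = pick_nat_rule(rules, pkt)
    if rule is None or rule.mapped_src is None:
        return pkt.src, (rule.name if rule else None)
    if rule.mapped_src == "interface":
        return ASA1_OUTSIDE_IP, rule.name
    return rule.mapped_src, rule.name


def crypto_acl_match(src: str, dst: str) -> bool:
    """access-list ikev2-list extended permit ip 10.1.1.0/24 10.3.1.0/24, post-NAT."""
    return (ipaddress.IPv4Address(src) in LOCAL_LAN
            and ipaddress.IPv4Address(dst) in REMOTE_LAN)


def trace(rules: List[NatRule], pkt: Packet) -> dict:
    """Mimic the interesting part of 'packet-tracer': NAT hit, then crypto-map match."""
    src_after, rule_name = apply_nat(rules, pkt)
    return {
        "nat_rule": rule_name,
        "src_after_nat": src_after,
        "crypto_acl_match": crypto_acl_match(src_after, pkt.dst),
    }


if __name__ == "__main__":
    lan_to_lan = Packet("ge3inside", "10.1.1.2", "10.3.1.2")   # constructed sample
    internet = Packet("ge3inside", "10.1.1.2", "198.51.100.7")  # constructed sample
    for label, rules in (("before", asa1_rules_before()), ("after", asa1_rules_after())):
        print(label, "LAN->LAN ", trace(rules, lan_to_lan))
        print(label, "Internet ", trace(rules, internet))
```

On the box itself the same result is visible with `packet-tracer input ge3inside icmp 10.1.1.2 8 0 10.3.1.2` (the NAT phase should now show the identity rule and a VPN/encrypt phase should appear) and with `show nat`, where the exemption must be listed under "Manual NAT Policies (Section 1)" above the object NAT. Once interesting traffic matches, `show crypto ikev2 sa` and `show crypto ipsec sa` stop returning empty.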
08-11-2016 05:11 PM
Legend! Excellent explanation and, above all, working!
Thanks a lot :)