Solved: Re: 5505 site to site vpn issues

deca24 · ‎11-30-2020

Hello everyone,

I am working on getting a site to site VPN up between 2 5505s in a lab environment. I am putting a generic config on the ASAs, enough to get Internet and access to the ASDM. From there I am running the VPN wizard for site to site. However, after running the wizard, there is no connection between the ASAs. I am a beginner at the firewall aspect of networking, so I am not sure what to look at while troubleshooting. I am mainly just doing this so I can learn a bit more about VPNs on a site to site aspect. I have files for each site.

I am hoping someone can help me with whatever I am missing.

Thanks!

MHM Cisco World · ‎01-08-2021

please do this in both ASA, and share the packet-tracer output.

crypto isakmp enable outside<- remove this command
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto map S2SCRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map S2SCRYPTO-MAP 1 set peer 50.5.189.189<- are you sure that his is public ip of other ASA?
crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map S2SCRYPTO-MAP interface outside
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 50.5.189.189 type ipsec-l2l
!

tunnel-group 50.5.189.189 general-attributes<-add this

default-group-policy anyname

!
tunnel-group 50.5.189.189 ipsec-attributes
ikev2 local-authentication pre-shared-key s2stest
ikev2 remote-authentication pre-shared-key s2stest
isakmp keepalive threshold 10 retry 2

!
group-policy anyname internal <-add this
!

group-policy anyname attributes<-add this

vpn-idle-timeout 30

vpn-tunnel-protocol ikev2

View solution in original post

MHM Cisco World · ‎01-08-2021

this missing from site B

crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM<-still this missing

and second you specify dhcp for outside which is peer of IKEv2, you must config ip not use dhcp.

View solution in original post

MHM Cisco World · ‎11-30-2020

Allow port 500 and 4500 in outside of each asa.

deca24 · ‎12-03-2020

I added the following lines, (hopefully they are correct) should the tunnel come right up, or do I have to do something to kick it off?

object-group service VPN-INBOUND udp
port-object eq 500
port-object eq 4500
access-list outside_access_in line 1 extended permit udp any interface outside object-group VPN-INBOUND
access-group outside_access_in in interface outside

Thanks!

deca24 · ‎01-08-2021

So this is truly driving me insane. I am almost convinced this is impossible with these devices..

I have tried using the wizard and that does not work (although the wizard worked perfectly for the client side vpn). I have tried to use cli from a few diff sources and that has not worked either.. I am missing something, I know I am, just not sure what.

I am not even seeing the tunnels trying to come up. I have a PC on one of the ASAs and have the ASDM connected to one of them, so via the syslogs in the ASDM, I do not even see stuff coming from one to the other..

Anyone have any thoughts on this?

Thanks!

Rob Ingram · ‎01-08-2021

@deca24

A policy based VPN won't automatically establish until some interesting traffic is sent. How are you testing the VPN?

You should test by sending traffic from a device behind the ASA to a device behind the other ASA. Don't test from the ASA and expect the VPN to establish. You could use packet-tracer (run it twice) to simulate generating traffic.

The ACL on the outside interface permitting VPN-INBOUND services won't be doing anything and is not required. The ACL is for traffic "through" the ASA not "to". If the ACL was applied to the control-plane, it would limit traffic "to" the ASA, but it isn't configured - so all traffic would be permitted.

deca24 · ‎01-08-2021

I was testing both with the ASAs trying to ping the internal IPs and using endpoints (PC on one end and a Raspberry Pi on the other) to ping each other.

I will admit I forgot about using packet tracer to see about simulating the traffic. When I did, (172.16.20.50 trying to ssh to 10.10.20.50) that failed with nat-xlate-failed. So now to look that up and see if I can fix that..

MHM Cisco World · ‎01-08-2021

On ASA we can use packet-tracer to initiate the traffic, please share the output here.
example:-
packet-tracer inout inside tcp LAN1 12345 LAN2 80.

MHM Cisco World · ‎01-08-2021

please do this in both ASA, and share the packet-tracer output.

crypto isakmp enable outside<- remove this command
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto map S2SCRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map S2SCRYPTO-MAP 1 set peer 50.5.189.189<- are you sure that his is public ip of other ASA?
crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map S2SCRYPTO-MAP interface outside
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 50.5.189.189 type ipsec-l2l
!

tunnel-group 50.5.189.189 general-attributes<-add this

default-group-policy anyname

!
tunnel-group 50.5.189.189 ipsec-attributes
ikev2 local-authentication pre-shared-key s2stest
ikev2 remote-authentication pre-shared-key s2stest
isakmp keepalive threshold 10 retry 2

!
group-policy anyname internal <-add this
!

group-policy anyname attributes<-add this

vpn-idle-timeout 30

vpn-tunnel-protocol ikev2

deca24 · ‎01-08-2021

Here are the results of of the PT request:

SITE-A# packet-tracer input inside tcp 172.16.20.50 12345 10.10.20.50 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.20.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

SITE-A#

SITE-B# packet-tracer input inside tcp 10.10.20.50 12345 172.16.20.50 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.20.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

SITE-B#

Even with those changes, I still am not getting a link, but then again, it now looks like (according to PT) a ACL issue..

Guess I will be looking into that now..

MHM Cisco World · ‎01-08-2021

this missing from site B

crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM<-still this missing

and second you specify dhcp for outside which is peer of IKEv2, you must config ip not use dhcp.

deca24 · ‎01-08-2021

CRAP... I missed that it failed when I pasted the config in.

One thing I want to be clear on is the ACL & NAT. For Site A it should be:

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B

nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup

and Site B should be:

access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-B object OBJ-SITE-A

nat (inside,outside) source static OBJ-SITE-B OBJ-SITE-B destination static OBJ-SITE-A OBJ-SITE-A no-proxy-arp route-lookup

Am I correct on that?

On the DHCP for the external interface. Unfortunately, I do not have static IPs. These are IPs that are pulled from my ISP dynamically.

Thank you so much for your help! ! !

MHM Cisco World · ‎01-08-2021

if the outside ip learn form dhcp then IKE never work simple it don't know the ip of other peer because it change each time the dhcp assign new ip.

try VTI and IPSec profile as link below

https://integratingit.wordpress.com/2018/06/09/configuring-a-vti-tunnel-between-asa-firewall-and-ios-router/

deca24 · ‎01-08-2021

In my case, the IP almost never changes, unless the power is off for more than an hour. Which in that case I have some work arounds to deal with that and get he site-to-site back up and running. I am not really looking to use an IOS router as the DHCP server for the clients will only be on one side and this is mainly just learning what it will take to get it up and running. Basically I am working on a script that I know I can use to get a site-to-site VPN up and running in short time just by changing a few IP addresses.

Do I have the understanding of the ACL & NAT correct?

Thanks! !

MHM Cisco World · ‎01-09-2021

https://blog.router-switch.com/2013/03/site-to-site-ipsec-vpn-between-two-cisco-asa-5520/

please see this example as your request and the config of NAT and ACL.

deca24 · ‎01-09-2021

I was able to finally get a link between the two... Once I was able to get all the correct lines in there, the tunnel linked up right away (I had a ping from a workstation going to the opposite gateway).

THANK YOU MHM Cisco World for all of your help!

I did note that as I was putting the configs on the ASAs at times certain things needed to be done in a certain order. Such as trying to put in the crypto map for the interesting traffic failed until I put the ACL on the ASA. So I rearranged the config to match what would be done in proper order to minimize the 'errors'.

I included the final configs that I used on both the ASAs for someone else to use in their testing and learning. Now that I have it up and running I get to tear into the details to understand why to use each command..

Have a good one ya'll!