11-30-2020 04:49 PM
Hello everyone,
I am working on getting a site to site VPN up between 2 5505s in a lab environment. I am putting a generic config on the ASAs, enough to get Internet and access to the ASDM. From there I am running the VPN wizard for site to site. However, after running the wizard, there is no connection between the ASAs. I am a beginner at the firewall aspect of networking, so I am not sure what to look at while troubleshooting. I am mainly just doing this so I can learn a bit more about VPNs on a site to site aspect. I have files for each site.
I am hoping someone can help me with whatever I am missing.
Thanks!
11-30-2020 06:22 PM - edited 12-02-2020 05:26 AM
Allow ports 500 and 4500 on the outside of each ASA.
12-03-2020 04:32 PM
I added the following lines, (hopefully they are correct) should the tunnel come right up, or do I have to do something to kick it off?
object-group service VPN-INBOUND udp
port-object eq 500
port-object eq 4500
access-list outside_access_in line 1 extended permit udp any interface outside object-group VPN-INBOUND
access-group outside_access_in in interface outside
Thanks!
01-08-2021 12:24 PM
So this is truly driving me insane. I am almost convinced this is impossible with these devices.
I have tried using the wizard and that does not work (although the wizard worked perfectly for the client-side VPN). I have tried to use the CLI from a few different sources and that has not worked either. I am missing something, I know I am, just not sure what.
I am not even seeing the tunnels trying to come up. I have a PC on one of the ASAs and have the ASDM connected to one of them, so via the syslogs in the ASDM, I do not even see stuff coming from one to the other.
Anyone have any thoughts on this?
Thanks!
01-08-2021 12:44 PM
A policy based VPN won't automatically establish until some interesting traffic is sent. How are you testing the VPN?
You should test by sending traffic from a device behind the ASA to a device behind the other ASA. Don't test from the ASA and expect the VPN to establish. You could use packet-tracer (run it twice) to simulate generating traffic.
The ACL on the outside interface permitting VPN-INBOUND services won't be doing anything and is not required. The ACL is for traffic "through" the ASA not "to". If the ACL was applied to the control-plane, it would limit traffic "to" the ASA, but it isn't configured - so all traffic would be permitted.
01-08-2021 02:41 PM
I was testing both with the ASAs trying to ping the internal IPs and using endpoints (PC on one end and a Raspberry Pi on the other) to ping each other.
I will admit I forgot about using packet tracer to see about simulating the traffic. When I did, (172.16.20.50 trying to ssh to 10.10.20.50) that failed with nat-xlate-failed. So now to look that up and see if I can fix that..
01-08-2021 02:24 PM
On the ASA we can use packet-tracer to initiate the traffic; please share the output here.
Example:
packet-tracer input inside tcp LAN1 12345 LAN2 80
01-08-2021 02:55 PM
Please do this on both ASAs, and share the packet-tracer output.
crypto isakmp enable outside  <- remove this command
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto map S2SCRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map S2SCRYPTO-MAP 1 set peer 50.5.189.189  <- are you sure that this is the public IP of the other ASA?
crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map S2SCRYPTO-MAP interface outside
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
!
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
!
tunnel-group 50.5.189.189 type ipsec-l2l
!
tunnel-group 50.5.189.189 general-attributes  <- add this
default-group-policy anyname
!
tunnel-group 50.5.189.189 ipsec-attributes
ikev2 local-authentication pre-shared-key s2stest
ikev2 remote-authentication pre-shared-key s2stest
isakmp keepalive threshold 10 retry 2
!
group-policy anyname internal  <- add this
!
group-policy anyname attributes  <- add this
vpn-idle-timeout 30
vpn-tunnel-protocol ikev2
01-08-2021 07:00 PM
Here are the results of the PT request:
SITE-A# packet-tracer input inside tcp 172.16.20.50 12345 10.10.20.50 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.20.0 255.255.255.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
SITE-A#
SITE-B# packet-tracer input inside tcp 10.10.20.50 12345 172.16.20.50 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.20.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
SITE-B#
Even with those changes, I still am not getting a link, but then again, it now looks like (according to PT) an ACL issue.
Guess I will be looking into that now.
01-08-2021 07:16 PM
This is missing from site B:
crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM  <- still this is missing
And second, you specify DHCP for the outside, which is the peer of IKEv2; you must configure the IP and not use DHCP.
01-08-2021 07:37 PM
CRAP... I missed that it failed when I pasted the config in.
One thing I want to be clear on is the ACL & NAT. For Site A it should be:
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-A object OBJ-SITE-B
nat (inside,outside) source static OBJ-SITE-A OBJ-SITE-A destination static OBJ-SITE-B OBJ-SITE-B no-proxy-arp route-lookup
and Site B should be:
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-SITE-B object OBJ-SITE-A
nat (inside,outside) source static OBJ-SITE-B OBJ-SITE-B destination static OBJ-SITE-A OBJ-SITE-A no-proxy-arp route-lookup
Am I correct on that?
On the DHCP for the external interface. Unfortunately, I do not have static IPs. These are IPs that are pulled from my ISP dynamically.
Thank you so much for your help! ! !
01-08-2021 07:44 PM
If the outside IP is learned from DHCP then IKE never works, simply because it doesn't know the IP of the other peer, since it changes each time DHCP assigns a new IP.
Try VTI and an IPsec profile as in the link below.
01-08-2021 08:06 PM
In my case, the IP almost never changes, unless the power is off for more than an hour, in which case I have some workarounds to deal with that and get the site-to-site back up and running. I am not really looking to use an IOS router, as the DHCP server for the clients will only be on one side and this is mainly just learning what it will take to get it up and running. Basically I am working on a script that I know I can use to get a site-to-site VPN up and running in short time just by changing a few IP addresses.
Do I have the understanding of the ACL & NAT correct?
Thanks!!
01-09-2021 11:11 AM
https://blog.router-switch.com/2013/03/site-to-site-ipsec-vpn-between-two-cisco-asa-5520/
Please see this example, as you requested, for the config of NAT and ACL.
01-09-2021 04:44 PM
I was able to finally get a link between the two... Once I was able to get all the correct lines in there, the tunnel linked up right away (I had a ping from a workstation going to the opposite gateway).
THANK YOU MHM Cisco World for all of your help!
I did note that as I was putting the configs on the ASAs at times certain things needed to be done in a certain order. Such as trying to put in the crypto map for the interesting traffic failed until I put the ACL on the ASA. So I rearranged the config to match what would be done in proper order to minimize the 'errors'.
I included the final configs that I used on both the ASAs for someone else to use in their testing and learning. Now that I have it up and running I get to tear into the details to understand why to use each command..
Have a good one y'all!
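As an added example (not the poster's script and not Cisco code), this generator builds the two mirrored IKEv2 site-to-site configs discussed in this thread in the dependency order noted above (objects and ACL before the crypto map, group-policy before the tunnel-group) and cross-checks that the crypto ACL on site B is the mirror of site A's, that the proposal the crypto map references is defined, and that both sides carry the same pre-shared key. Object, ACL, crypto-map and proposal names follow the config posted above; the LAN ranges and outside IPs used in the test are constructed.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Site:
    obj: str      # ASA object name, e.g. OBJ-SITE-A (assumed naming)
    lan: str      # "network mask" of the LAN behind this ASA
    outside: str  # static outside IP; a DHCP-assigned address breaks the peer statement

def s2s_config(local: Site, remote: Site, psk: str, gp: str = "anyname") -> str:
    """Config for the `local` ASA. Objects and the ACL come before the crypto map
    that references them, and the group-policy before the tunnel-group that uses it."""
    tg = f"tunnel-group {remote.outside}"
    lines = [
        f"object network {local.obj}", f" subnet {local.lan}",
        f"object network {remote.obj}", f" subnet {remote.lan}",
        f"access-list VPN-INTERESTING-TRAFFIC extended permit ip object {local.obj} object {remote.obj}",
        f"nat (inside,outside) source static {local.obj} {local.obj} destination static "
        f"{remote.obj} {remote.obj} no-proxy-arp route-lookup",
        "crypto ikev2 policy 10", " encryption aes-256", " integrity sha256",
        " group 19", " prf sha256", " lifetime seconds 86400",
        "crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM",
        " protocol esp encryption aes-256", " protocol esp integrity sha-1",
        "crypto map S2SCRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC",
        f"crypto map S2SCRYPTO-MAP 1 set peer {remote.outside}",
        "crypto map S2SCRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM",
        "crypto map S2SCRYPTO-MAP interface outside", "crypto ikev2 enable outside",
        f"group-policy {gp} internal", f"group-policy {gp} attributes", " vpn-tunnel-protocol ikev2",
        f"{tg} type ipsec-l2l", f"{tg} general-attributes", f" default-group-policy {gp}",
        f"{tg} ipsec-attributes", f" ikev2 local-authentication pre-shared-key {psk}",
        f" ikev2 remote-authentication pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"

def mirror_errors(cfg_a: str, cfg_b: str) -> list[str]:
    """Cross-check two finished configs: the crypto ACL must be mirrored, the
    proposal named in the crypto map must be defined, and the PSKs must match."""
    acl = re.compile(r"^access-list VPN-INTERESTING-TRAFFIC .* object (\S+) object (\S+)", re.M)
    errs = []
    a, b = acl.search(cfg_a), acl.search(cfg_b)
    if not (a and b and a.groups() == b.groups()[::-1]):
        errs.append("crypto ACL is not mirrored between the sites")
    for name, cfg in (("A", cfg_a), ("B", cfg_b)):
        m = re.search(r"set ikev2 ipsec-proposal (\S+)", cfg)
        if not m or f"crypto ipsec ikev2 ipsec-proposal {m.group(1)}\n" not in cfg:
            errs.append(f"site {name}: crypto map proposal missing or undefined")
    keys = re.findall(r"authentication pre-shared-key (\S+)", cfg_a + cfg_b)
    if len(set(keys)) != 1:
        errs.append("pre-shared keys do not match on both sides")
    return errs
```

Generate site A with `s2s_config(a, b, psk)` and site B with `s2s_config(b, a, psk)`, then run `mirror_errors` on the pair before pasting either config; the site-B omission found in this thread shows up as a "proposal missing" error.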