Add subnet to existing VPN

rdpierce
Level 1

Hey Guys,


I'm looking for some help with a VPN modification I'm trying to make.  I've an existing VPN carrying traffic from on-prem 10.34.0.0/16 to my AWS environment using 10.10.0.0/16 address space.  I'm trying to add a destination in AWS of 10.33.0.0/16.  I thought it would be as easy as adding the 10.33.0.0/16 subnet to the crypto map address matching, add a no-NAT statement and modify the traffic ACL.  And it was... except that when I initiate traffic from on-prem to a host in the 10.33 address space that traffic starts working but the traffic to 10.10.x.x systems dies.


The system logs show:


Apr 26 2022 15:36:52 DC3-VPN-FW01 : %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xD1F93352, sequence number= 0x32F7) from <PEER IP> (user= <PEER IP>) to <LOCAL IP>. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.34.8.31, its source as 10.10.168.6, and its protocol as tcp. The SA specifies its local proxy as 10.34.0.0/255.255.0.0/ip/0 and its remote_proxy as 10.33.0.0/255.255.0.0/ip/0.


So, I'm sure I've missed something obvious but need some assistance figuring out what it is!  Any help would be appreciated.


My config is:

Network Objects:
object network AWS-Network_10.10.0.0_16
subnet 10.10.0.0 255.255.0.0
object network AW2-Network_10.33.0.0_16
subnet 10.33.0.0 255.255.0.0


Group Objects:
object-group network VPN-AWS1
network-object object AWS-Network_10.10.0.0_16
network-object object AW2-Network_10.33.0.0_16
object-group network DC3-NETWORK
network-object 10.34.0.0 255.255.0.0


Traffic access list:
access-list DC3-AWS-VPN extended permit ip any object AWS-Network_10.10.0.0_16 log notifications
access-list DC3-AWS-VPN extended permit ip any object AW2-Network_10.33.0.0_16 log notifications

Encryption access list:
access-list DC3-AWS-encrypt_domain extended permit ip object-group DC3-NETWORK object-group VPN-AWS1 log notifications
access-list DC3-AWS-encrypt_domain extended permit ip object-group DC3-NETWORK object AW2-Network_10.33.0.0_16 log notifications
(tried removing this second line but it didn't seem to fix the problem)


No-NAT rules:
nat (INSIDE,INET) source static DC3-NETWORK DC3-NETWORK destination static AWS-Network_10.10.0.0_16 AWS-Network_10.10.0.0_16 no-proxy-arp
nat (INSIDE,INET) source static DC3-NETWORK DC3-NETWORK destination static AW2-Network_10.33.0.0_16 AW2-Network_10.33.0.0_16 no-proxy-arp


Phase 1:
crypto ikev2 policy 5
encryption aes-256
integrity sha384
group 20 24 5
prf sha384
lifetime seconds 28800


Phase 2:
crypto ipsec ikev2 ipsec-proposal IPSEC-PROF-AWS
protocol esp encryption aes-256
protocol esp integrity sha-256


Crypto Map:
crypto map DC3_MAP 1 match address DC3-AWS-encrypt_domain
crypto map DC3_MAP 1 set pfs group14
crypto map DC3_MAP 1 set connection-type bidirectional
crypto map DC3_MAP 1 set peer <PEER IP>
crypto map DC3_MAP 1 set ikev1 phase1-mode main
crypto map DC3_MAP 1 set ikev2 mode tunnel
crypto map DC3_MAP 1 set ikev2 ipsec-proposal IPSEC-PROF-AWS
crypto map DC3_MAP 1 set ikev2 pre-shared-key *****
crypto map DC3_MAP 1 set security-association lifetime seconds 1800
crypto map DC3_MAP 1 set security-association lifetime kilobytes unlimited
no crypto map DC3_MAP 1 set tfc-packets


Routes:
No specific routes. All non-local networks take the DGW out the INET interface


thanks in advance!

2 Replies

Accepted Solution:

@rdpierce AWS limits the number of IPSec Security Associations (SA) to a single pair, so that would explain why your VPN drops. As you require 2 SA pairs, changing to a route based VPN would be a workaround.

Where's the "smacking your head against the wall" emote???  Of course they do because why would you have an environment that allows for multiple subnets with various CIDRs that you can peer or connect to a Transit Gateway and then make the VPN capable of carrying multiple subnet SAs?


I initially tried setting the VPN up as a route-based but failed so I switched to policy based...  anyway, this is good information.  Thanks Rob.
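The route-based alternative Rob suggests, written out as an added example (it is not configuration from the thread or from Cisco/AWS documentation): the poster's IKEv2 policy and IPsec proposal are reused unchanged, while the profile name, Tunnel1/AWS-VTI names and the 169.254.100.0/30 inside-tunnel addresses are assumptions, and the PSK and <PEER IP> come from the AWS VPN configuration file.

```cisco
! Added example, not from the thread: the same AWS peer rebuilt as a
! route-based VPN on an ASA static VTI (ASA 9.7(1) or later). The VTI
! negotiates a single any/any proxy pair, so one SA pair carries both
! 10.10.0.0/16 and 10.33.0.0/16 and the per-subnet proxy IDs that
! triggered %ASA-4-402116 are never offered to AWS.
! Assumed names: AWS-VTI-PROFILE, Tunnel1, AWS-VTI, 169.254.100.0/30.

! Phase 1 (crypto ikev2 policy 5) and IPSEC-PROF-AWS stay as posted.
crypto ikev2 enable INET

! The IPsec profile replaces the crypto map's "set" statements.
crypto ipsec profile AWS-VTI-PROFILE
 set ikev2 ipsec-proposal IPSEC-PROF-AWS
 set pfs group14

! Peer authentication lives in the tunnel-group rather than the crypto map.
tunnel-group <PEER IP> type ipsec-l2l
tunnel-group <PEER IP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

! The tunnel interface; the /30 is the "inside tunnel" pair AWS assigns.
interface Tunnel1
 nameif AWS-VTI
 ip address 169.254.100.1 255.255.255.252
 tunnel source interface INET
 tunnel destination <PEER IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS-VTI-PROFILE

! Remove the policy-based entry for this peer so the two do not compete
! for the same IKEv2 session.
clear configure crypto map DC3_MAP 1

! Routing, not the encrypt_domain ACL, now decides what is encrypted:
! one static route per AWS prefix via the far end of the /30. Adding a
! third AWS subnet later is one more route, not a new SA pair.
route AWS-VTI 10.10.0.0 255.255.0.0 169.254.100.2
route AWS-VTI 10.33.0.0 255.255.0.0 169.254.100.2
```

Because the AWS-bound traffic now leaves through AWS-VTI instead of INET, the two nat (INSIDE,INET) exemption rules no longer match it and can be removed once the tunnel is up.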