519 Views, 0 Helpful, 1 Replies

Anyconnect Client over BGP ikev2 VPN on ASA to AWS

wvovchykw
Level 1

Hi!

I hope I can get some advice regarding ASA configuration.

I have an ASA 5516-X with asa9-16-3-23-lfbff-k8.SPA. The BGP VPN with IKEv2 between the ASA and AWS is set up using the AWS downloaded configuration. The S2S VPN is working properly: the network behind the ASA can see the AWS VPC network and vice versa. The AnyConnect client from outside can reach the network behind the ASA, but not the AWS VPC network. Packet-tracer shows that it's working.

The Anyconnect VPN Client network - 172.23.23.0/24

The network behind ASA - 10.1.1.0/24

AWS VPC network - 172.18.0.0/16


Some relevant parts of my config:

sh ver:

Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 150 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Active perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Security Contexts : 2 perpetual
Carrier : Disabled perpetual
AnyConnect Premium Peers : 4 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 300 perpetual
Total VPN Peers : 300 perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Shared License : Disabled perpetual
Total TLS Proxy Sessions : 1000 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Enabled perpetual
Cluster Members : 2 perpetual
VPN Load Balancing : Enabled perpetual

sh run ip local pool:

ip local pool VPN-Clients 172.23.23.100-172.23.23.199 mask 255.255.255.0

sh run same-security-traffic:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

sh run group-policy:

group-policy VPN-Clients internal
group-policy VPN-Clients attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelall

group-policy AWS internal
group-policy AWS attributes
vpn-tunnel-protocol ikev2

sh run tunnel-group VPN-Clients:

tunnel-group VPN-Clients type remote-access
tunnel-group VPN-Clients general-attributes
address-pool VPN-Clients
default-group-policy VPN-Clients
tunnel-group VPN-Clients webvpn-attributes
group-alias VPN-CLIENTS enable

sh run interfaces:

interface GigabitEthernet1/1
description COGENT-ISP
nameif ISP
security-level 0
ip address *.*.*.* 255.255.255.248

interface Tunnel119
nameif NON-PROD-NV-STAGING-1
ip address 169.254.192.126 255.255.255.252
tunnel source interface ISP
tunnel destination 34.206.167.84
tunnel mode ipsec ipv4
tunnel protection ipsec profile AWS
!
interface Tunnel120
nameif NON-PROD-NV-STAGING-2
ip address 169.254.90.154 255.255.255.252
tunnel source interface ISP
tunnel destination 35.169.111.250
tunnel mode ipsec ipv4
tunnel protection ipsec profile AWS

sh run router:

router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 169.254.192.125 remote-as 64512
neighbor 169.254.192.125 ebgp-multihop 255
neighbor 169.254.192.125 timers 10 30 30
neighbor 169.254.192.125 activate
neighbor 169.254.90.153 remote-as 64512
neighbor 169.254.90.153 ebgp-multihop 255
neighbor 169.254.90.153 timers 10 30 30
neighbor 169.254.90.153 activate
network 10.1.1.0 mask 255.255.255.0
network 172.23.23.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family

sh run crypto ipsec:

crypto ipsec ikev2 ipsec-proposal AWS
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec profile AWS
set ikev2 ipsec-proposal AWS
set pfs group21
set security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df ISP

sh run crypto ikev2:

crypto ikev2 policy 200
encryption aes-256
integrity sha256
group 21 14
prf sha256
lifetime seconds 28800
crypto ikev2 enable ISP client-services port 443
crypto ikev2 enable management

sh run nat:

nat (TEST,ISP) source static TEST TEST destination static VPN-Clients VPN-Clients no-proxy-arp route-lookup

object network TEST
nat (TEST,ISP) dynamic interface
object network VPN-Clients
nat (ISP,ISP) dynamic interface

sh run object:

object network TEST
range 10.1.1.10 10.1.1.254
object network VPN-Clients
range 172.23.23.100 172.23.23.199

sh vpn-sessiondb l2l:

Connection : 34.206.167.84
Index : 18 IP Addr : 34.206.167.84
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA1
Bytes Tx : 465868 Bytes Rx : 293136
Login Time : 18:15:52 EST Sun Feb 12 2023
Duration : 6h:48m:53s

Connection : 35.169.111.250
Index : 19 IP Addr : 35.169.111.250
Protocol : IKEv2 IPsecOverNatT
Encryption : IKEv2: (1)AES256 IPsecOverNatT: (1)AES256
Hashing : IKEv2: (1)SHA256 IPsecOverNatT: (1)SHA1
Bytes Tx : 307987 Bytes Rx : 286473
Login Time : 18:15:52 EST Sun Feb 12 2023
Duration : 6h:48m:54s

Thanks beforehand for your help.

1 Reply

wvovchykw
Level 1

For those who are interested in it: I've found the solution by adding these lines to the BGP setup:

neighbor 169.254.192.125 default-originate

neighbor 169.254.90.153 default-originate

So, my sh run router:

router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
neighbor 169.254.192.125 remote-as 64512
neighbor 169.254.192.125 ebgp-multihop 255
neighbor 169.254.192.125 default-originate
neighbor 169.254.192.125 timers 10 30 30
neighbor 169.254.192.125 activate
neighbor 169.254.90.153 remote-as 64512
neighbor 169.254.90.153 ebgp-multihop 255
neighbor 169.254.90.153 default-originate
neighbor 169.254.90.153 timers 10 30 30
neighbor 169.254.90.153 activate
network 10.1.1.0 mask 255.255.255.0
network 172.23.23.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family

I compared the BGP IKEv2 and IKEv1 setups for AWS and found those lines in the BGP IKEv1 one.

I don't know why it didn't work without them. Perhaps some experts can clear it up.
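An added worked example, not code from the thread or from Cisco, that models why the two `default-originate` lines could make the AnyConnect pool reachable from the VPC side and what else they change. It rests on an assumption the thread does not state: on Cisco BGP a `network` statement only advertises a prefix that has an exact match in the routing table, and for AnyConnect clients the ASA installs per-client /32 host routes, not the 172.23.23.0/24 that the `network` statement names. Under that assumption AWS never learns the pool from the original config, while `default-originate` hands AWS a 0.0.0.0/0 that covers it. The config text and routing table below are constructed samples mirroring the thread's addresses; the function and variable names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the thread's "sh run router" before the fix, with only the
# lines that matter for what gets advertised.
BGP_BEFORE = """\
router bgp 65000
 address-family ipv4 unicast
  neighbor 169.254.192.125 remote-as 64512
  neighbor 169.254.192.125 activate
  neighbor 169.254.90.153 remote-as 64512
  neighbor 169.254.90.153 activate
  network 10.1.1.0 mask 255.255.255.0
  network 172.23.23.0 mask 255.255.255.0
 exit-address-family
"""

# Constructed sample: the same block after the two default-originate lines were added.
BGP_AFTER = BGP_BEFORE.replace(
    "  neighbor 169.254.192.125 activate",
    "  neighbor 169.254.192.125 default-originate\n  neighbor 169.254.192.125 activate",
).replace(
    "  neighbor 169.254.90.153 activate",
    "  neighbor 169.254.90.153 default-originate\n  neighbor 169.254.90.153 activate",
)

# Constructed routing table (assumption): the inside /24 is connected, the AWS VPC is
# learned via BGP, and a connected AnyConnect client shows up only as a /32 host route.
# The 172.23.23.0/24 pool prefix itself is NOT in the table.
RIB_SAMPLE = {
    ipaddress.ip_network("10.1.1.0/24"),
    ipaddress.ip_network("172.18.0.0/16"),
    ipaddress.ip_network("172.23.23.100/32"),
}

NETWORK_RE = re.compile(r"^\s*network\s+(\S+)\s+mask\s+(\S+)\s*$")
NEIGHBOR_RE = re.compile(r"^\s*neighbor\s+(\S+)\s+(\S+)")


def parse_bgp(config: str) -> Tuple[List[ipaddress.IPv4Network], Dict[str, Set[str]]]:
    """Collect `network` prefixes and, per neighbor, the keywords configured on it."""
    networks: List[ipaddress.IPv4Network] = []
    neighbors: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = NETWORK_RE.match(line)
        if m:
            # ipaddress accepts "prefix/netmask" notation directly
            networks.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            neighbors.setdefault(m.group(1), set()).add(m.group(2))
    return networks, neighbors


def advertised_to(config: str, neighbor: str, rib: Set[ipaddress.IPv4Network]) -> Set[ipaddress.IPv4Network]:
    """Prefixes this neighbor would receive under the stated assumptions."""
    networks, neighbors = parse_bgp(config)
    keywords = neighbors.get(neighbor, set())
    if "activate" not in keywords:
        return set()
    # Assumption: a `network` statement is only advertised when the exact
    # prefix/mask exists in the routing table.
    adv = {n for n in networks if n in rib}
    if "default-originate" in keywords:
        adv.add(ipaddress.ip_network("0.0.0.0/0"))
    return adv


def is_reachable_from_peer(config: str, neighbor: str, prefix: str, rib=RIB_SAMPLE) -> bool:
    """True if the peer ends up with some route that covers `prefix`."""
    target = ipaddress.ip_network(prefix)
    return any(target.subnet_of(a) for a in advertised_to(config, neighbor, rib))


def advertises_default(config: str, neighbor: str, rib=RIB_SAMPLE) -> bool:
    """Flag the side effect: the peer now routes everything unknown to it via this tunnel."""
    return ipaddress.ip_network("0.0.0.0/0") in advertised_to(config, neighbor, rib)


if __name__ == "__main__":
    for label, cfg in (("before", BGP_BEFORE), ("after", BGP_AFTER)):
        for nbr in ("169.254.192.125", "169.254.90.153"):
            adv = sorted(str(p) for p in advertised_to(cfg, nbr, RIB_SAMPLE))
            print(f"{label:6} {nbr:16} advertises {adv}; "
                  f"pool reachable={is_reachable_from_peer(cfg, nbr, '172.23.23.0/24')}; "
                  f"default sent={advertises_default(cfg, nbr)}")
```

Running it shows the "before" config advertising only 10.1.1.0/24 to both peers, so the VPC has no return route for 172.23.23.0/24, and the "after" config covering the pool only through 0.0.0.0/0. The `advertises_default` check is the caveat worth keeping in mind: a default route sent to AWS is much broader than the one pool prefix, so the VPC route tables should be reviewed to confirm which destinations now leave via the tunnels.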