AnyConnect IpSec Client to Client connections not possible / ssl works

glade
Level 1

Hi all

I have the problem that when two AnyConnect clients are connected, no connection is possible (for example for VoIP traffic). Interestingly, everything works with SSL tunnels using the same settings.

I use the same profiles and the same group policies.

It can't be NAT; we don't use NAT, and I also created a rule that NAT is not used.

I noticed that the client doesn't seem to be sending the packets into the tunnel at all. It doesn't matter if I use split tunneling or send all traffic into the tunnel. It seems that in the case of IPsec, AnyConnect does not send these packets any further.

I have also tested whether it works with a netmask (255.255.255.0) or with a host mask (255.255.255.255) for the pool, also without success.

But the routes on the client are always set correctly; as already mentioned, if SSL is enabled (same settings), it works.

Does anyone have an idea?

1 Accepted Solution

glade
Level 1

The problem was that the communication from client to client must be defined as "Not Protected".

ASDM:

vpn_ipsec.png

running config:

object-group network DM_INLINE_NETWORK_48
network-object 172.16.x.x x.x.x.x
network-object 195.37.x.x x.x.x.x
network-object 195.37.x.x x.x.x.x

...

object-group network DM_INLINE_NETWORK_57
network-object object vpnpool-vpnuser
network-object object vpnpool6-vpnuser

...

crypto dynamic-map ipsec-networks 1 match address dmz_cryptomap_2
crypto dynamic-map ipsec-networks 1 set ikev1 transform-set ESP-AES-256-SHA TRANSPORT-ESP-AES-256-SHA ESP-AES-128-SHA TRANSPORT-ESP-AES-128-SHA
crypto dynamic-map ipsec-networks 6 match address dmz_cryptomap_1.2
crypto dynamic-map ipsec-networks 6 set pfs
crypto dynamic-map ipsec-networks 6 set ikev1 transform-set ESP-AES-256-SHA TRANSPORT-ESP-AES-256-SHA
crypto dynamic-map ipsec-networks 6 set ikev2 ipsec-proposal ESPv2-AES-256-SHA1 ESPv2-AES-256-SHA-256
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

...

access-list dmz_cryptomap_1.2 extended deny ip object-group DM_INLINE_NETWORK_57 object-group DM_INLINE_NETWORK_57
access-list dmz_cryptomap_1.2 remark Connection Client - DBFZ Networks
access-list dmz_cryptomap_1.2 extended permit ip object-group DM_INLINE_NETWORK_57 object-group DM_INLINE_NETWORK_48

I hope it helps others in their search with this error...

Many greetings

Robert
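
An added check, not the poster's code or Cisco's: a small Python evaluator for crypto ACLs of the shape shown in the answer above. It resolves the object-groups, applies ASA first-match semantics, and shows why the pool-to-pool deny must be present and ordered before the permit for client-to-client traffic to end up "Not Protected"; the config fragment, the pool subnet and the 10.0.0.0/8 entry are constructed for the demo.

```python
import ipaddress
import re
# Constructed ASA-style fragment (not the poster's full config): object names follow the
# accepted answer; the addresses and the 10.0.0.0/8 "corporate" entry are made up.
FIXED_CONFIG = """object network vpnpool-vpnuser
 subnet 10.99.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_48
 network-object 10.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_57
 network-object object vpnpool-vpnuser
access-list dmz_cryptomap_1.2 extended deny ip object-group DM_INLINE_NETWORK_57 object-group DM_INLINE_NETWORK_57
access-list dmz_cryptomap_1.2 extended permit ip object-group DM_INLINE_NETWORK_57 object-group DM_INLINE_NETWORK_48"""
_LINES = FIXED_CONFIG.splitlines()
_DENY = [l for l in _LINES if " deny " in l]
BROKEN_CONFIG = "\n".join(l for l in _LINES if l not in _DENY)  # the question: no client-to-client deny
SHADOWED_CONFIG = BROKEN_CONFIG + "\n" + "\n".join(_DENY)      # deny placed after the permit

ACE = re.compile(r"^access-list (\S+) extended (permit|deny) ip object-group (\S+) object-group (\S+)")
def parse_objects(config):
    """Map object / object-group names to ip_network entries or nested object names."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^object(?:-group)? network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            parts = line.split()
            parts = parts[1:] if parts[0] == "network-object" else parts
            if parts[0] == "object":    # nested reference, resolved at lookup time
                current.append(parts[1])
            elif parts[0] == "host":
                current.append(ipaddress.ip_network(parts[1]))
            else:                       # "subnet A M" or bare "A M"
                current.append(ipaddress.ip_network(f"{parts[-2]}/{parts[-1]}"))
    return groups

def group_contains(groups, name, addr):
    return any(group_contains(groups, e, addr) if isinstance(e, str) else addr in e
               for e in groups[name])

def crypto_acl_verdict(config, acl_name, src, dst):
    """First matching ACE wins: permit = interesting (encrypted) traffic, deny = 'Not Protected'."""
    groups = parse_objects(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in config.splitlines():
        m = ACE.match(line)
        if m and m.group(1) == acl_name and group_contains(groups, m.group(3), src) and group_contains(groups, m.group(4), dst):
            return "protected" if m.group(2) == "permit" else "not protected"
    return "no match"
```

The same evaluator can be pointed at a real `show running-config` extract, as long as the ACL uses the object-group ACE form parsed here.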
