07-14-2022 04:17 PM
Hi there, I think that I've self-solved or identified the solution to my problem, and I think I'm writing this discussion thread more to literally write down my own thoughts and discoveries. That said, I'd appreciate it if anyone can confirm my thoughts / potential solution. (I'm trying my best to "RTFM" and fix the problem myself using my own Google-Fu rather than depend on anyone else solving my problem.)
I have a prior 7+ year old IKEv1 IPSec remote access VPN on a 5505 ASA and I want to add an IKEv2 site-to-site IPSec tunnel from the 5505 to a Ubiquiti EdgeRouter PoE-5 - The problem I've run into is that when I add the site-to-site VPN config, well, I break the remote access VPN. As in, my clients (Apple iPhone/iPad with built-in Legacy Cisco IPSec VPN client) can't connect / VPN anymore.
Thanks to this 6-year-old "Multiple Crypto Maps on a single ASA Interface" discussion thread, I think I've figured out the problem and a likely solution. I mistakenly thought you could just add a second crypto map to the outside ASA interface. That is, the RA VPN breaks because applying a "second" crypto map to the outside ASA interface for the site-to-site VPN doesn't add to, but instead replaces, the RA VPN crypto map.
In fact, if I switch between them: "crypto map <Site-to-Site VPN map> interface outside" vs "crypto map <IKEv1 RA map> interface outside" the RA vpn un-breaks or breaks.
Ergo, the seeming solution then, is to instead sequence inside one or the other. Either figure out how to add the IKEv2 to the pre-existing crypto map or add the RA IKEv1 to the site-to-site crypto map.
----------------
Background info: I have an existing Cisco lab network (it's documented a bit in my last discussion thread). The remote clients are entirely my Apple iPhone / iPad / iMac / MacBook devices. Apple implements that legacy Cisco IPsec VPN client and I use it to connect to the basement Cisco lab to check on things when it suits my fancy. I have to imagine that's insecure, but this is an experimental lab for me to play around with, not a production or business-critical network.
I've moved and now have a rental townhome with a separate Ubiquiti network, and am now trying to forge an IKEv2 site-to-site VPN between the townhome Ubiquiti EdgeRouter and the 5505 ASA in the Cisco lab (left at the prior address). Not out of necessity, but more because I can, to figure it out, and to be able to say (to anyone who finds it attractive) that I have an inter-town LAN now.
07-14-2022 04:49 PM
I don't get what you want here.
You have one outside interface and have IKEv2 and RA IPsec users.
Can I see the config of the ASA?
07-16-2022 08:22 AM
Since I seemingly understand why my RA VPN broke when I tried to implement the site-to-site VPN, I'd be looking to figure out how to combine the two under one crypto map. I need both to be functional at the same time.
Site 1 is my old address where my Cisco lab network exists. This has the pre-existing RA VPN. This is where I'm experiencing the problem when I try to implement the site-to-site VPN. Site 2 is my new address where I have a Ubiquiti EdgeRouter PoE-5 that I'll configure to connect to Site 1's IPsec VPN.
Site 1 IKEv1 RA VPN config:
!
! Support objects for RA VPN
!
object network ipsec-vpn-network
subnet 10.10.11.0 255.255.255.0
description IPSec VPN remote access network
!
object-group network NAT_Exempt_Networks
description Remote access networks exempt from NAT
network-object object ssl-vpn-network
network-object object ipsec-vpn-network
!
!
! DHCP pool for VPN
!
ip local pool IPSEC_VPN_POOL 10.10.11.10-10.10.11.250 mask 255.255.255.0
!
! IPsec Phase 1
!
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 1800
!
! IPsec Phase 2
!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
! Enable on outside interface
!
crypto ikev1 enable outside
!
! Group Policy
!
group-policy IPSEC_VPN internal
group-policy IPSEC_VPN attributes
dns-server value 1.1.1.1 9.9.9.9
vpn-tunnel-protocol ikev1
!
! Tunnel Group (connection protocol)
!
tunnel-group IPSEC_VPN type remote-access
tunnel-group IPSEC_VPN general-attributes
address-pool IPSEC_VPN_POOL
authentication-server-group RAYQUAZA-RADIUS LOCAL
default-group-policy IPSEC_VPN
tunnel-group IPSEC_VPN ipsec-attributes
ikev1 pre-shared-key ****
!
! Dynamic map for RA VPN
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2
!
! Apply crypto map to interface to activate it
!
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
! NAT for VPN
! RA VPN is a full tunnel (no split-tunnel) that hairpins global internet traffic
!
object network ipsec-vpn-network
nat (outside,outside) dynamic interface
!
! Don't NAT traffic for interior networks
!
nat (any,any) source static NAT_Exempt_Networks NAT_Exempt_Networks destination static All_Inside_Networks All_Inside_Networks
!
Site 1's proposed IKEv2 site-to-site VPN config to allow Site 2 to connect:
!
! Support Objects
!
object-group network Site1_VPN_Networks
description Site1 networks for site-to-site VPN
network-object object interior-network
object-group network Site2_VPN_Networks
description Site2 networks for site-to-site VPN
network-object object Site2-network
!
! IPsec Phase 1
!
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 21
prf sha256
lifetime seconds 1800
!
! IPsec Phase 2 (transform set)
!
crypto ipsec ikev2 ipsec-proposal SITE1_SITE2_VPN_TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
!
! Enable on outside interface
!
crypto ikev2 enable outside
!
! Interesting traffic / traffic to encrypt
!
access-list S2S-VPN_traffic line 1 extended permit ip object-group Site1_VPN_Networks object-group Site2_VPN_Networks
!
! Don't NAT traffic from ASA to EdgeRouter
!
nat (inside,outside) 2 source static Site1_VPN_Networks Site1_VPN_Networks destination static Site2_VPN_Networks Site2_VPN_Networks no-proxy-arp route-lookup
!
! Tunnel Group config
!
tunnel-group 73.168.169.14 type ipsec-l2l
tunnel-group 73.168.169.14 ipsec-attributes
ikev2 local-authentication pre-shared-key ***
ikev2 remote-authentication pre-shared-key ***
isakmp keepalive threshold 10 retry 2
!
! Crypto map for Site to Site VPN
!
crypto map naper_elgin 1 match address S2S-VPN_traffic
crypto map naper_elgin 1 set peer x.x.x.x
crypto map naper_elgin 1 set ikev2 ipsec-proposal SITE1_SITE2_VPN_TRANSFORM
crypto map naper_elgin 1 set pfs group21
crypto map naper_elgin interface outside
07-16-2022 09:03 AM
So ultimately, I'm still looking to find resources to help me "sequence" the two VPN configs inside a single crypto map to combine the two together.
07-16-2022 09:05 AM
Sure you can. I am out now; when I return home I will send some examples.
07-16-2022 10:43 AM
If you want to use a single crypto map for both RA and S2S, then please swap the crypto map name "naper_elgin" in the "crypto map" commands with "outside_map", or you can do it the other way around by swapping the name of the crypto map "outside_map" with "naper_elgin".
07-16-2022 07:37 PM
Oh! Thank you! This might just be the tip I need. I just implemented this suggestion. Unfortunately, I don't have the EdgeRouter configured yet, so I can't tell if the S2S is functional; the RA VPN is still functional now with the S2S config seemingly integrated into the crypto map.
I'll try to config the EdgeRouter either tonight or tomorrow and let you know if it's a full solution for the problem.
07-16-2022 01:24 PM
After checking and re-checking the config, there is no issue until I see the NAT exemption.
The NAT of the RA VPN confuses me:
the NAT source includes the SSL VPN. I don't get what the SSL VPN is here; we use the RA IPsec VPN here, not SSL VPN.
Second, this must be destination, not source.
So correct it and check again.
07-16-2022 08:00 PM
@MHM Cisco World wrote: the NAT source includes the SSL VPN. I don't get what the SSL VPN is here; we use the RA IPsec VPN here, not SSL VPN.
I suppose I should have left that out. I did not (or didn't want to) mention that there is also a clientless SSL VPN, 1) because I don't care about it and 2) it was only ever a proof-of-concept implementation (this is just a playground / experimental network). I haven't ever used the SSL VPN again since I first verified it worked the better part of a decade ago. That said, I can post the whole literal ASA config. Perhaps I will if Aref's suggestion isn't a full solution.
The exception NAT for the RA VPN - last I understood - is necessary as I need to hairpin (NAT) regular internet traffic since it's a full tunnel (not split) and because a couple of inside devices have static IPs / defined NAT, but I need to exempt interior network traffic from that NAT for the RA clients.
07-16-2022 08:11 PM
Yes, his suggestion is as follows:
since we must have one crypto map for the outside interface, we will use one crypto map, BUT BUT
using two sequence numbers,
sequence number 1 for the RA IPsec VPN,
sequence number 2 for the S2S IPsec.
For NAT, now it is clear to me, since you have the SSL VPN also.
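The single-map fix described in the two replies above, as an added example that is not part of the original thread: a small Python checker that parses `crypto map` lines out of an ASA config, reports the case where more than one map is bound to the same interface (only the last binding stays active), and rewrites the entries onto one map name with their sequence numbers preserved. It also flags a dynamic entry sorted before a static one, since the ASA walks entries in sequence order and Cisco's guidance is to give the dynamic (remote-access) entry the highest sequence number. The sample config is constructed for the example (the peer address is a documentation address, not the thread's) and only the crypto map lines are inspected; objects, ACLs and NAT are out of scope.

```python
"""Checker for the 'second crypto map replaces the first' problem on an ASA.

Added example; the constructed SAMPLE config below mirrors the shape of the
thread's two maps (outside_map with the RA dynamic entry, naper_elgin with
the S2S entry) but is not the poster's config.
"""
import re
from collections import defaultdict

BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Return (bindings, entries): bindings is a list of (map, iface) in
    config order; entries maps map name -> seq -> list of command tails."""
    bindings = []
    entries = defaultdict(lambda: defaultdict(list))
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # ASA comment / blank line
            continue
        m = BIND_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2)))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    return bindings, entries


def is_dynamic(tails):
    """True when this sequence number is an 'ipsec-isakmp dynamic' entry."""
    return any(t.startswith("ipsec-isakmp dynamic") for t in tails)


def find_problems(config):
    """List the crypto map mistakes that leave a VPN silently dead."""
    bindings, entries = parse_crypto_maps(config)
    problems = []
    per_iface = defaultdict(list)
    for name, iface in bindings:
        per_iface[iface].append(name)
    for iface, names in per_iface.items():
        if len(names) > 1:   # second 'crypto map X interface' replaces the first
            problems.append(f"interface {iface}: maps {names} bound in turn, "
                            f"only the last ({names[-1]}) stays active")
    bound = {name for name, _ in bindings}
    for name, seqs in entries.items():
        if name not in bound:
            problems.append(f"crypto map {name} has entries but no interface binding")
        static = [s for s, t in seqs.items() if not is_dynamic(t)]
        dynamic = [s for s, t in seqs.items() if is_dynamic(t)]
        if static and dynamic and min(dynamic) < max(static):
            problems.append(f"crypto map {name}: dynamic entry {min(dynamic)} sorts before "
                            f"static entry {max(static)}; give the dynamic entry the highest sequence")
    return problems


def merge_crypto_maps(config, target):
    """Rewrite every entry onto one map name, keeping sequence numbers and one
    binding per interface.  Refuses to merge colliding sequence numbers."""
    bindings, entries = parse_crypto_maps(config)
    merged = {}
    for name, seqs in entries.items():
        for seq, tails in seqs.items():
            if seq in merged:
                raise ValueError(f"sequence {seq} used by more than one map; renumber first")
            merged[seq] = tails
    out = [f"crypto map {target} {seq} {tail}"
           for seq in sorted(merged) for tail in merged[seq]]
    for iface in dict.fromkeys(iface for _, iface in bindings):   # dedupe, keep order
        out.append(f"crypto map {target} interface {iface}")
    return out


SAMPLE = """\
! constructed sample: RA dynamic map, then an S2S map bound on top of it
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map naper_elgin 1 match address S2S-VPN_traffic
crypto map naper_elgin 1 set peer 203.0.113.10
crypto map naper_elgin 1 set ikev2 ipsec-proposal SITE1_SITE2_VPN_TRANSFORM
crypto map naper_elgin 1 set pfs group21
crypto map naper_elgin interface outside
"""

if __name__ == "__main__":
    for p in find_problems(SAMPLE):
        print("PROBLEM:", p)
    print("\n".join(merge_crypto_maps(SAMPLE, "outside_map")))
```

Run against the sample, `find_problems` reports the double binding on `outside`, and `merge_crypto_maps(SAMPLE, "outside_map")` emits the S2S entry at sequence 1, the dynamic RA entry at 65535 and a single `crypto map outside_map interface outside`, which is the rename suggested in the accepted reply. Paste the emitted lines in after a `no crypto map naper_elgin interface outside`; the checker reads text only and never touches the ASA.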
07-19-2022 10:05 AM
I've spent the past couple of days trying to configure and set up the other end of my S2S VPN. That is, I have configuration now on the Ubiquiti EdgeRouter (site 2), but I don't seem to see anything coming up. I figure it's more likely a problem with the EdgeRouter config, since I'm way more adept and familiar with Cisco. But if it isn't, and it's some Cisco-side problem: what debug commands would be / are useful?
My 5505 ASA is running software version 9.2(4)33. What I can see from the CLI are:
debug crypto { ikev1 | ikev2 | ipsec } seem like candidates. But I'm unfamiliar with "levels". Looks like the lower the number, the less debug info; the higher the number, the more.
Any other troubleshooting commands?
07-19-2022 10:15 AM
sh cry isa sa det
please share the output of this command
07-20-2022 04:04 PM
@MHM Cisco World wrote: sh cry isa sa det
please share the output of this command
There are no IKEv1 SAs
There are no IKEv2 SAs
Declaration: I'm far less familiar with the EdgeRouter and its CLI / OS. Missing config or misconfiguration likely exists on the Site 2 side (Ubiquiti EdgeRouter). That said...
I'm getting nothing out of the ASA (debug- / syslog-wise) when I try to ping an address inside of site 2 (10.255.255.222). I would think that when I issue a ping that would require the S2S VPN to be raised, I'd get syslog or debug info confirming the ASA is trying to raise the tunnel (or metaphorical bridge). But nothing is showing up.
Debug commands i'm trying on the ASA:
debug crypto ikev1 127
debug crypto ikev2 platform 127
debug crypto ikev2 protocol 127
debug crypto ipsec 127
I've also set the ASDM syslog buffer to debug and I watch the live ASA syslog from the ASDM GUI, sorting by source or destination, hoping to see something going from the WAN IP of my ASA to the WAN IP of my EdgeRouter. Still nothing *sigh*. The only thing I can confirm is that the attempted pings from the device I'm generating them on do show in syslog. Just no crypto / S2S VPN attempts. Which is discomforting to me.
The present config I'm trying to use / troubleshoot is that of UBNT's own guide.
!
object network site1-ASA-network
subnet 10.255.255.0 255.255.255.0
!
object network site2-ER-network
subnet 10.1.10.0 255.255.255.0
!
! Object names here must match the objects defined above
access-list ipsec-acl extended permit ip object site1-ASA-network object site2-ER-network
!
crypto ikev1 policy 100
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
!
crypto ipsec ikev1 transform-set ipsec-ts esp-aes esp-sha-hmac
!
crypto map ipsec-cm 100 set peer <ER PoE-5 WAN IP>
crypto map ipsec-cm 100 set ikev1 transform-set ipsec-ts
crypto map ipsec-cm 100 set security-association lifetime seconds 3600
crypto map ipsec-cm 100 match address ipsec-acl
crypto map ipsec-cm interface outside
!
tunnel-group <ER PoE-5 WAN IP> type ipsec-l2l
tunnel-group <ER PoE-5 WAN IP> ipsec-attributes
ikev1 pre-shared-key 123456
!
crypto ikev1 enable outside
!
nat (router,outside) source static site1-ASA-network site1-ASA-network destination static site2-ER-network site2-ER-network no-proxy-arp route-lookup
nat (router,outside) source dynamic site1-ASA-network interface
Quick note: "router" is my ASA's effective 'inside' interface.
If you think it might help I can post a diagram of my network and a sanitized copy of the entire full running-config.
07-20-2022 04:31 PM
https://community.cisco.com/t5/vpn/vpn/m-p/4653878#M284495
check this issue and how I solve it.