ASA to IOS XE IKEv2 VPN Tunnel one way traffic

Hey all!

Been working on this for a few days and I've hit a wall.

Traditionally we have used IKEv1 VPN tunnels with static IPs on each side.

 

Going forward we will be using 4G as backup and transitioning to IKEv2.

The issue I am having is that I am only getting what appears to be one-way traffic. The VPN tunnel is up and active.

I feel it is something simple I have missed that works differently with IKEv2.

 

--CONFIG--

-------------------------------------

InternetVPN-ASA# show crypto IKEv2 sa detail

IKEv2 SAs:

Session-id:12022, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1523606657 xx.xx.xx.xx/500 124.xx.xx.xx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1418 sec
Session-id: 12022
Status Description: Negotiation done
Local spi: 90038ED36B90271B Remote spi: 8551897DE50EBA99
Local id: xx.xx.xx.xx
Remote id: S2S-IKEv2
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector 10.1.0.0/0 - 10.1.255.255/65535
remote selector 10.1.169.0/0 - 10.1.169.255/65535
ESP spi in/out: 0xcb4ef68a/0x377823fa
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA256
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

 


access-list outside-1Gb_cryptomap_65535.30 extended permit ip any4 10.1.0.0 255.255.0.0

crypto ipsec ikev2 ipsec-proposal IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

tunnel-group S2S-IKEv2 type ipsec-l2l
tunnel-group S2S-IKEv2 general-attributes
default-group-policy Site-to-Site
tunnel-group S2S-IKEv2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****


crypto dynamic-map outside-1Gb_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside-1Gb_dyn_map 30 match address outside-1Gb_cryptomap_65535.30
crypto dynamic-map outside-1Gb_dyn_map 30 set ikev2 ipsec-proposal IKEv2

 

-------------------------------------------------------------------

 

 


C1100#show crypto IKEv2 sa detail
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 124.xx.xx.xx/500 xx.xx.xx.xx/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1376 sec
CE id: 1013, Session-id: 13
Status Description: Negotiation done
Local spi: 8551897DE50EBA99 Remote spi: 90038ED36B90271B
Local id: S2S-IKEv2
Remote id: xx.xx.xx.xx
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA


group-policy Site-to-Site internal
group-policy test attributes
vpn-tunnel-protocol ikev2


crypto ikev2 proposal L2L-Prop
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy L2L-Pol
match fvrf any
proposal L2L-Prop
!
crypto ikev2 keyring L2L-Keyring
peer vpn
address xx.xx.xx.xx
pre-shared-key local *****
pre-shared-key remote *****

 

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
mode tunnel
!
!
!
crypto map vpn 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ESP-AES-SHA
set ikev2-profile L2L-Prof
match address vpn


ip access-list extended vpn
permit ip 10.1.169.0 0.0.0.255 10.1.0.0 0.0.255.255

 

Cheers
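Added example, not part of the original post: the first thing to check with a pair of configs like the ones above is that the two crypto ACLs are exact mirror images of each other (ASA side local/remote equals router side remote/local), which is awkward to eyeball because the ASA writes subnet masks and IOS writes wildcard masks. The script below normalises both formats and compares them; the two ACE strings are copied from the post, the third "mirrored" ASA line is constructed here purely for comparison and is not anything the poster configured.

```python
import ipaddress

# Sample input, copied from the two crypto ACLs posted above: the ASA ACE
# uses subnet masks, the IOS ACE uses wildcard (inverse) masks.
ASA_CRYPTO_ACE = ("access-list outside-1Gb_cryptomap_65535.30 extended permit ip "
                  "any4 10.1.0.0 255.255.0.0")
IOS_CRYPTO_ACE = "permit ip 10.1.169.0 0.0.0.255 10.1.0.0 0.0.255.255"
# Constructed for comparison only: what the ASA ACE would have to be to mirror the IOS one.
ASA_MIRRORED_ACE = ("access-list outside-1Gb_cryptomap_65535.30 extended permit ip "
                    "10.1.0.0 255.255.0.0 10.1.169.0 255.255.255.0")


def _asa_operand(tokens, i):
    """Read one ASA address operand at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tok in ("object", "object-group"):
        raise ValueError(f"{tok} {tokens[i + 1]} cannot be resolved without the object table")
    # address followed by a subnet mask, e.g. 10.1.0.0 255.255.0.0
    return ipaddress.ip_network((tok, tokens[i + 1]), strict=False), i + 2


def _ios_operand(tokens, i):
    """Same for IOS, where the mask is a wildcard: 0 bits must match, 1 bits are ignored."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))  # complement -> subnet mask
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2  # raises on non-contiguous masks


def parse_crypto_ace(line, platform):
    """Return (local_net, remote_net) for one 'permit <proto> SRC DST' crypto ACE."""
    tokens = line.split()
    read = _asa_operand if platform == "asa" else _ios_operand
    i = tokens.index("permit") + 2          # skip 'permit' and the protocol keyword
    local, i = read(tokens, i)
    remote, _ = read(tokens, i)
    return local, remote


def mirror_report(asa_line, ios_line):
    """Crypto ACLs on two IPsec peers must be exact mirror images:
    the ASA's (local, remote) pair has to equal the router's (remote, local) pair."""
    asa_local, asa_remote = parse_crypto_ace(asa_line, "asa")
    ios_local, ios_remote = parse_crypto_ace(ios_line, "ios")
    return {
        "asa": (str(asa_local), str(asa_remote)),
        "ios": (str(ios_local), str(ios_remote)),
        "mirrored": asa_local == ios_remote and asa_remote == ios_local,
    }


if __name__ == "__main__":
    for label, ace in (("posted", ASA_CRYPTO_ACE), ("mirrored", ASA_MIRRORED_ACE)):
        print(label, mirror_report(ace, IOS_CRYPTO_ACE))
```

Run against the two ACEs as posted, the report comes back with the ASA side as (0.0.0.0/0, 10.1.0.0/16) against the router's (10.1.169.0/24, 10.1.0.0/16) and `mirrored: False`; the constructed line shows what a passing pair looks like. Whatever the ASA ends up negotiating as a responder, a non-mirrored pair is the first thing to rule out before digging into NAT or routing.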

8 Replies

Hi,
Run the command "show crypto ipsec sa" and confirm whether the IPSec SA has actually been built and check the encaps|decaps to determine whether traffic is even sent over the tunnel.

One common issue is that traffic is being natted and therefore not matching the crypto ACL. Normally you would define a NAT exemption rule to ensure traffic from the local to the remote network is not natted. Provide your nat configuration if you require further assistance.

HTH

Thanks for the quick reply.

 

Here is the output from the IOS device.

 

Showing encaps on one side with no decaps, and the opposite on the other end.

 

-----------------

InternetVPN-ASA# show crypto ipsec sa peer 124.xx.xx.xx
peer address: 124.xx.xx.xx
Crypto map tag: outside-1Gb_dyn_map, seq num: 30, local addr: xx.xx.xx.xx

access-list outside-1Gb_cryptomap_65535.30 extended permit ip 10.1.0.0 255.255.254.0 10.1.169.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.1.169.0/255.255.255.0/0/0)
current_peer: 124.xx.xx.xx


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 505, #pkts decrypt: 505, #pkts verify: 505
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xx.xx.xx.xx/500, remote crypto endpt.: 124.xx.xx.xx/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2493DCDA
current inbound spi : E108DB72

inbound esp sas:
spi: 0xE108DB72 (3775454066)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 213291008, crypto-map: outside-1Gb_dyn_map
sa timing: remaining key lifetime (kB/sec): (3916764/28496)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2493DCDA (613670106)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 213291008, crypto-map: outside-1Gb_dyn_map
sa timing: remaining key lifetime (kB/sec): (4331520/28496)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

------------------------------------------------------


C1100#show ip access-lists vpn
Extended IP access list vpn
10 permit ip 10.1.169.0 0.0.0.255 10.1.0.0 0.0.1.255 (1 match)
Test#show crypto ipsec sa

interface: Cellular0/2/0
Crypto map tag: vpn, local addr 124.xx.xx.xx

protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.169.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.254.0/0/0)
current_peer xx.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 654, #pkts encrypt: 654, #pkts digest: 654
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 124.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/2/0
current outbound spi: 0xE108DB72(3775454066)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x2493DCDA(613670106)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4608000/3154)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xE108DB72(3775454066)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4607953/3154)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
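Added example, not from the original post: the two `show crypto ipsec sa` outputs above carry the whole story in four numbers and two SPIs, and it is worth scripting that read so it is not done by eye at 2am over a 4G link. The script takes excerpts of the ASA and IOS outputs (trimmed here to the counter and SPI lines, otherwise copied verbatim), classifies each peer as encaps-only / decaps-only / bidirectional, and cross-checks that each side's outbound SPI is the other side's inbound SPI, i.e. that both boxes are talking about the same child SA pair. The `diagnose` helper and its hint text are this example's own, not an ASA or IOS feature.

```python
import re

# Sample inputs: excerpts of the two 'show crypto ipsec sa' outputs posted above,
# trimmed to the lines the script reads (counters and SPIs).
ASA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 505, #pkts decrypt: 505, #pkts verify: 505
current outbound spi: 2493DCDA
current inbound spi : E108DB72
inbound esp sas:
spi: 0xE108DB72 (3775454066)
outbound esp sas:
spi: 0x2493DCDA (613670106)
"""

IOS_OUTPUT = """\
#pkts encaps: 654, #pkts encrypt: 654, #pkts digest: 654
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0xE108DB72(3775454066)
inbound esp sas:
spi: 0x2493DCDA(613670106)
outbound esp sas:
spi: 0xE108DB72(3775454066)
"""

SPI = r"(?:0x)?([0-9A-Fa-f]+)"


def parse_sa(text):
    """Pull encaps/decaps counters and the current SPI pair out of one peer's output."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps):\s*(\d+)", text)}
    out = re.search(r"current outbound spi:\s*" + SPI, text)
    inb = re.search(r"current inbound spi\s*:\s*" + SPI, text)
    if inb is None:
        # IOS prints only the outbound SPI in the header; take it from the inbound SA block
        inb = re.search(r"inbound esp sas:.*?spi:\s*" + SPI, text, re.S)
    return {
        "encaps": counters.get("encaps", 0),
        "decaps": counters.get("decaps", 0),
        "outbound_spi": out.group(1).upper() if out else None,
        "inbound_spi": inb.group(1).upper() if inb else None,
    }


def direction(sa):
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["encaps"]:
        return "encaps-only"   # sending into the tunnel, nothing coming back
    if sa["decaps"]:
        return "decaps-only"   # receiving from the tunnel, never sending
    return "idle"


def diagnose(local_text, remote_text, local_name="asa", remote_name="ios"):
    local, remote = parse_sa(local_text), parse_sa(remote_text)
    dirs = {local_name: direction(local), remote_name: direction(remote)}
    report = {
        local_name: local,
        remote_name: remote,
        "direction": dirs,
        # each side's outbound SPI must be the other side's inbound SPI, or the two
        # boxes are not describing the same child SA pair
        "spi_match": local["outbound_spi"] == remote["inbound_spi"]
        and local["inbound_spi"] == remote["outbound_spi"],
        "one_way": set(dirs.values()) == {"encaps-only", "decaps-only"},
    }
    if report["one_way"]:
        receiver = next(n for n, d in dirs.items() if d == "decaps-only")
        report["hint"] = (f"{receiver} decrypts the peer's packets but never encrypts any: "
                          "its return traffic is not reaching the encrypt step, so check "
                          "routing, NAT and the crypto ACL match on that side")
    return report


if __name__ == "__main__":
    for key, value in diagnose(ASA_OUTPUT, IOS_OUTPUT).items():
        print(f"{key}: {value}")
```

On the posted outputs this reports the ASA as decaps-only, the router as encaps-only, and the SPIs matching (ASA outbound 2493DCDA is the router's inbound, ASA inbound E108DB72 is the router's outbound). That combination means the SA pair itself is fine and the router's packets are being decrypted; the thing to chase is why the ASA never selects the return traffic for encryption.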

 

 

OK, what about checking the NAT configuration? especially on the ASA

You'd want a NAT exemption rule such as "nat (INSIDE,OUTSIDE) source static LAN LAN destination static BRANCH BRANCH". Replace LAN with an object representing your local ASA network "10.1.0.0/23" and replace BRANCH with an object representing the network on the router "10.1.169.0/24".

I normally don't use any NAT on either side.

 

I've added this to the ASA and still same outcome.

 

ASA Config

--------------

object network LAN-TEST
subnet 10.1.0.0 255.255.254.0
object network REMOTE-TEST
subnet 10.1.169.0 255.255.255.0

nat (inside,outside-1Gb) source static LAN-TEST LAN-TEST destination static REMOTE-TEST REMOTE-TEST

 

InternetVPN# show nat translated interface outside-1Gb
Manual NAT Policies (Section 1)
2 (inside) to (outside-1Gb) source static LAN-TEST LAN-TEST destination static REMOTE-TEST REMOTE-TEST
translate_hits = 2807, untranslate_hits = 2807

 

Ok, so if you aren't already using NAT then you won't need a NAT exemption rule.
On the ASA side does the ASA have a route to the local network or is it directly connected?
Are you testing from the ASA itself or from a device connected behind the ASA?

ASA is directly connected to local subnet e.g. Inside IP 10.1.1.7/23
I am testing from the remote device e.g. 10.1.169.0/24 to 10.1.0.0/23

But are you testing from the ASA itself or from a device on the inside of the network? Don't run the tests on the ASA itself; do it from a local device on the network, and ensure the local devices have the ASA as their default gateway.

Run a packet-tracer from the CLI of the ASA and upload the output for review

This is the output I get.

It is getting dropped at phase 6. Not sure why though.

 

InternetVPN# packet-tracer input inside rawip 10.1.1.190 0 10.1.169.10 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac8be2950, priority=1, domain=permit, deny=false
hits=761965630, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.169.10 using egress ifc outside-1Gb

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PERMIT_OUT in interface inside
access-list PERMIT_OUT extended permit ip 10.1.0.0 255.255.254.0 object REMOTE-TEST
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbd05a90, priority=13, domain=permit, deny=false
hits=0, user_data=0x2aaabdbdfdc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=10.1.169.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7eb3fe0, priority=0, domain=nat-per-session, deny=true
hits=31858612, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac8becd40, priority=0, domain=inspect-ip-options, deny=true
hits=32244728, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaaca8db4e0, priority=69, domain=encrypt, deny=false
hits=116899, user_data=0x0, cs_id=0x2aaacc3edea0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside-1Gb

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside-1Gb
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
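Added example, not from the original post: packet-tracer output like the one above is long and the useful part is small, namely which phase dropped, what the final Drop-reason says, and which rule (source, destination, egress interface) the dropping phase actually matched. The script below parses that out; its sample input is the posted output condensed to three phases plus the Result block, and the field names in the returned dict are this example's own.

```python
import ipaddress
import re

# Sample input, constructed by condensing the packet-tracer output posted above
# to three phases plus the final Result block.
SAMPLE = """\
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.169.10 using egress ifc outside-1Gb

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PERMIT_OUT in interface inside
access-list PERMIT_OUT extended permit ip 10.1.0.0 255.255.254.0 object REMOTE-TEST
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaacbd05a90, priority=13, domain=permit, deny=false
src ip/id=10.1.0.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=10.1.169.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaaca8db4e0, priority=69, domain=encrypt, deny=false
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside-1Gb

Result:
input-interface: inside
output-interface: outside-1Gb
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_HEADER = re.compile(r"^Phase:[ \t]*(\d+)[ \t]*$", re.M)


def _lines_between(body, start, end):
    """Non-empty lines between two marker lines, e.g. the Config: section of a phase."""
    m = re.search(re.escape(start) + r"\n(.*?)" + re.escape(end), body, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []


def _matched_rule(body):
    """The src/dst/interfaces of the rule a 'Forward Flow based lookup' phase matched."""
    src = re.search(r"src ip/id=(\S+), mask=(\S+),", body)
    dst = re.search(r"dst ip/id=(\S+), mask=(\S+),", body)
    ifc = re.search(r"input_ifc=(\S+), output_ifc=(\S+)", body)
    if not (src and dst and ifc):
        return None
    return {
        "src": str(ipaddress.ip_network(src.groups(), strict=False)),
        "dst": str(ipaddress.ip_network(dst.groups(), strict=False)),
        "input_ifc": ifc.group(1),
        "output_ifc": ifc.group(2),
    }


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phases and the final Result block."""
    head, _, tail = text.partition("\nResult:\n")      # the bare 'Result:' line starts the summary
    parts = PHASE_HEADER.split(head)                    # [preamble, num, body, num, body, ...]
    phases = []
    for num, body in zip(parts[1::2], parts[2::2]):
        fields = dict(re.findall(r"^(Type|Subtype|Result):[ \t]*(.*)$", body, re.M))
        phases.append({
            "phase": int(num),
            "type": fields.get("Type", ""),
            "subtype": fields.get("Subtype", ""),
            "result": fields.get("Result", ""),
            "config": _lines_between(body, "Config:", "Additional Information:"),
            "rule": _matched_rule(body),
        })
    final = dict(re.findall(r"^([\w-]+):[ \t]*(.*)$", tail, re.M))
    return phases, final


def summarize(text):
    phases, final = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    return {"phases": phases, "action": final.get("Action"),
            "drop_reason": final.get("Drop-reason"), "dropped_in": dropped}


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"action={s['action']} reason={s['drop_reason']}")
    if s["dropped_in"]:
        d = s["dropped_in"]
        print(f"dropped in phase {d['phase']} ({d['type']}/{d['subtype']}), matched rule {d['rule']}")
```

For the posted trace this returns phase 6, VPN/encrypt, with the matched encrypt rule as src 0.0.0.0/0, dst 10.1.0.0/16, egress outside-1Gb. Those selectors are what to hold up against the crypto ACL on the dynamic map and the local/remote identities in `show crypto ipsec sa` for the peer: the encrypt-domain rule packet-tracer reports is the ASA's current view of what it is willing to encrypt towards that peer.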