03-09-2015 02:40 PM
I am trying to set up a site-to-site VPN between my local network and an AWS VPC. On AWS, it shows the tunnel is up. But when I try to ping my local network from AWS and ping AWS from local, both fail. I am not a network engineer and this is the first time I have worked with a firewall. I have spent days working on this. Could someone please help?
I have attached the configuration of my ASA 5500. Please let me know if you need more.
03-09-2015 08:08 PM
Hi,
I see the VPN configuration:
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer xx.xx.xx.xx(AWS_Tunnel1_ip) xx.xx.xx.xx(AWS_Tunnel2_ip)
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map interface outside
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
tunnel-group xx.xx.xx.xx(AWS_Tunnel2_ip) type ipsec-l2l
tunnel-group xx.xx.xx.xx(AWS_Tunnel2_ip) general-attributes
 default-group-policy filter
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
 vpn-tunnel-protocol ikev1
access-list amzn-filter extended deny ip any any
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.64.30.0 255.255.255.0
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
object network obj-SrcNet
 subnet 0.0.0.0 0.0.0.0
object network obj-amzn
 subnet 172.31.0.0 255.255.0.0
I see you have a VPN filter set up under the group policy filter, filtering the traffic, though it is dropping all the traffic because there is a deny ip any any. Now, the VPN filter is defined to filter the traffic based on ports (TCP or UDP), so in this case go ahead and remove the VPN filter as follows:
group-policy filter internal
group-policy filter attributes
 no vpn-filter value amzn-filter
Then clear the Security Associations:
clear crypto ipsec sa peer <peer IP address>
Then start sending traffic across, and that should do the trick.
Now for future reference you have here what a VPN filter is for:
- http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc7
Please don't forget to rate and mark as correct the helpful post!
David Castro,
Regards,
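Added example (not part of David's post or the original thread): a small first-match evaluator for ASA extended access-lists, fed with a constructed copy of the two amzn-filter lines quoted above. It shows why the filter as posted blocks everything (the deny ip any any is matched first and fully shadows the permit that follows it) and what the same two entries do when the permit is evaluated first. Only protocol "ip" entries are modelled; the VPC instance and local host addresses are the ones the original poster used for the ping test.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the two amzn-filter lines quoted in the thread, in the
# order they appear on the page: the explicit deny is evaluated first.
AS_POSTED = """\
access-list amzn-filter extended deny ip any any
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.64.30.0 255.255.255.0
"""

# The same two entries with the permit ahead of the deny (constructed variant).
REORDERED = """\
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.64.30.0 255.255.255.0
access-list amzn-filter extended deny ip any any
"""


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A MASK' starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs write the mask as a dotted netmask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text, name):
    """Return the ACEs of access-list `name` in configuration order. Only protocol 'ip' is handled."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t[:3] != ["access-list", name, "extended"] or len(t) < 7:
            continue
        action, proto = t[3], t[4]
        if proto != "ip":
            raise ValueError(f"only 'ip' ACEs are modelled here, got {proto!r}")
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation, as the ASA does. Returns (action, 1-based ACE number or None).

    For a vpn-filter the ASA reads the ACE source as the remote (here VPC) side and the
    destination as the local side, and applies the list to tunnelled traffic in both
    directions, so the VPC instance goes in as src_ip and the local host as dst_ip.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, 1):
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None            # implicit deny at the end of every ASA access-list


def shadowed(aces):
    """1-based numbers of ACEs that can never match because an earlier ACE covers them entirely."""
    out = []
    for j, later in enumerate(aces):
        for earlier in aces[:j]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                out.append(j + 1)
                break
    return out


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        aces = parse_acl(text, "amzn-filter")
        print(label, evaluate(aces, "172.31.21.9", "10.64.30.106"), "shadowed:", shadowed(aces))
```

Run as posted, the VPC-to-local flow hits ACE 1 (deny) and ACE 2 is reported as shadowed; with the entries reordered the same flow is permitted by ACE 1 and the deny only catches traffic outside the two subnets. Removing the filter, as David suggests, sidesteps the problem entirely; the evaluator just makes visible why the original order could never pass anything.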
03-10-2015 07:50 AM
Hi David,
Thanks very much for your reply.
I followed your suggestions. Now the VPN filter has been removed. But I don't know what <peer ip address> I should use for the clear crypto ipsec sa peer <peer IP address> command. I tried to run that command with the IPs of my two AWS VPC tunnels. Then I tried to ping my local network (10.64.30.106) from my EC2 instance and ping the VPC (172.31.21.9) from my local network; both still failed.
I attached the new configuration. Please let me know if I missed something.
03-10-2015 12:07 PM
Hello,
In this case, when you clear the SAs, the peer will be the public IP addresses of the devices on the other side, in this case those that you hid:
crypto map amzn_vpn_map 1 set peer xx.xx.xx.xx(AWS_Tunnel1_ip) xx.xx.xx.xx(AWS_Tunnel2_ip)
Please attach the following:
- packet-tracer input inside tcp 10.64.30.106 80 172.31.21.9 80 detailed
- debug crypto condition peer <AWS_Tunnel1_ip>
- debug crypto ipsec 250
- show crypto ipsec sa peer <AWS_Tunnel1_ip>
- show crypto isakmp sa
Please don't forget to rate and mark as correct the helpful post!
David Castro,
Regards,
03-10-2015 01:37 PM
03-10-2015 02:17 PM
Hello Benson,
I have checked the text file, and now this is isolated:
peer address: xx.xx.xx.xx(AWS_Tunnel1_ip)
Crypto map tag: amzn_vpn_map, seq num: 1, local addr: 192.168.7.75
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer: xx.xx.xx.xx(AWS_Tunnel1_ip)
#pkts encaps: 62, #pkts encrypt: 62, #pkts digest: 62
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 62, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
As you can see, the packet tracer shows that the packet is being encrypted and getting to the other side; though, according to the output above, the packets from your side, as I just said, are being encrypted and the other side is not responding to us.
In this case you will now need to involve support from the VPC side, to see why the packets are not getting encrypted.
You will need to see if they have mirrored the configuration on the VPC side.
It was a pleasure to help you! Please rate all of the posts that helped you!
David Castro,
Regards,
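Added example (not part of the original thread): a parser for the counter and identity lines of show crypto ipsec sa, run over a constructed copy of the excerpt David isolated above. It turns the diagnosis he made by eye into a check: encaps counts packets this ASA encrypted and sent into the tunnel, decaps counts packets decrypted from the peer, and 62 against 0 is classified as one-way outbound traffic, which is the "peer side needs checking" situation described in the post. The classification labels are this example's own.

```python
import ipaddress
import re

# Constructed copy of the `show crypto ipsec sa` excerpt quoted in the thread
# (peer addresses redacted exactly as on the page).
SA_OUTPUT = """\
peer address: xx.xx.xx.xx(AWS_Tunnel1_ip)
Crypto map tag: amzn_vpn_map, seq num: 1, local addr: 192.168.7.75
access-list acl-amzn extended permit ip any 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer: xx.xx.xx.xx(AWS_Tunnel1_ip)
#pkts encaps: 62, #pkts encrypt: 62, #pkts digest: 62
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 62, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
"""

# "#name: value" counters; names may contain spaces and hyphens but never commas.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z][A-Za-z -]*?): (?P<value>\d+)")
# "local ident (addr/mask/prot/port): (addr/mask/prot/port)" traffic selectors.
IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
                      r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<prot>\d+)/(?P<port>\d+)\)")


def parse_counters(text):
    """Map every '#name: value' counter in the output to its integer value."""
    return {m.group("name"): int(m.group("value")) for m in COUNTER_RE.finditer(text)}


def parse_idents(text):
    """Return {'local': network, 'remote': network} for the SA's traffic selectors."""
    return {m.group("side"): ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}", strict=False)
            for m in IDENT_RE.finditer(text)}


def diagnose(text):
    """Classify one SA from its packet counters (labels are this example's own).

    encaps = packets this ASA encrypted and sent into the tunnel;
    decaps = packets it received from the peer and decrypted.
    """
    c = parse_counters(text)
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    errors = c.get("send errors", 0) + c.get("recv errors", 0)
    if encaps == 0 and decaps == 0:
        return "no-traffic"           # nothing has matched this SA's selectors yet
    if encaps > 0 and decaps == 0:
        return "one-way-outbound"     # we send, nothing returns: the peer side needs checking
    if decaps > 0 and encaps == 0:
        return "one-way-inbound"      # peer sends, this side never encrypts a reply
    if errors:
        return "bidirectional-with-errors"
    return "bidirectional"


if __name__ == "__main__":
    idents = parse_idents(SA_OUTPUT)
    print("selectors:", idents["local"], "->", idents["remote"])
    print("verdict:", diagnose(SA_OUTPUT))
```

The selectors it recovers (0.0.0.0/0 local, 172.31.0.0/16 remote) are the acl-amzn entry restated, which is a quick way to confirm the SA was built from the intended crypto ACL before blaming the far end.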