12-13-2017 09:10 AM - edited 03-12-2019 04:49 AM
Hi Gurus,
I'm trying to build an L2L VPN between 2 ASAvs.
Please note that all is running with Eve-NG emulation.
Also, attached is a screenshot of my network.
Configuration of ASAv1:
interface GigabitEthernet0/0
description Outside
nameif Outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/6
description Inside
nameif Inside
security-level 100
ip address 192.168.255.1 255.255.255.240
!
interface Management0/0
description MGT
nameif MGT
security-level 100
ip address 192.168.176.254 255.255.255.0
!
object network obj-192.168.255.16-28
subnet 192.168.255.16 255.255.255.240
description Inside Network On ASAv2
object network NETWORK_OBJ_192.168.255.0_28
subnet 192.168.255.0 255.255.255.240
access-list Outside_cryptomap extended permit ip 192.168.255.0 255.255.255.240 object obj-192.168.255.16-28 log default
access-list global_access extended permit icmp any any
nat (Inside,Outside) source static NETWORK_OBJ_192.168.255.0_28 NETWORK_OBJ_192.168.255.0_28 destination static obj-192.168.255.16-28 obj-192.168.255.16-28 no-proxy-arp route-lookup
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 192.168.1.2 1
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 172.16.1.1
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_172.16.1.1 internal
group-policy GroupPolicy_172.16.1.1 attributes
vpn-filter value Outside_cryptomap
vpn-tunnel-protocol ikev1
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
default-group-policy GroupPolicy_172.16.1.1
tunnel-group 172.16.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
Configuration of ASAv2:
interface GigabitEthernet0/0
description Outside
nameif Outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/6
description Inside
nameif Inside
security-level 100
ip address 192.168.255.17 255.255.255.240
!
interface Management0/0
description MGT
nameif MGT
security-level 100
ip address 192.168.176.253 255.255.255.0
!
object network obj-192.168.255.0-28
subnet 192.168.255.0 255.255.255.240
description Inside Network On ASAv1
object network NETWORK_OBJ_192.168.255.16_28
subnet 192.168.255.16 255.255.255.240
access-list Outside_cryptomap extended permit ip 192.168.255.16 255.255.255.240 object obj-192.168.255.0-28 log default
access-list global_access extended permit icmp any any
nat (Inside,Outside) source static NETWORK_OBJ_192.168.255.16_28 NETWORK_OBJ_192.168.255.16_28 destination static obj-192.168.255.0-28 obj-192.168.255.0-28 no-proxy-arp route-lookup
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 172.16.1.2 1
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 192.168.1.1
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map interface Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_192.168.1.1 internal
group-policy GroupPolicy_192.168.1.1 attributes
vpn-filter value Outside_cryptomap
vpn-tunnel-protocol ikev1
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
default-group-policy GroupPolicy_192.168.1.1
tunnel-group 192.168.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
R3 Configuration:
interface Ethernet0/0
description *** Link To ASAv1 ***
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
description *** Link To ASAv2 ***
ip address 172.16.1.2 255.255.255.0
From ASAv1, I can ping R3's interfaces and ASAv2's Outside interface.
From ASAv2, I can ping R3's interfaces and ASAv1's Outside interface.
So networking looks good.
For some reason :-) the VPN is not coming up; moreover, it looks like the firewalls are not trying to bring it up.
ASAv1# show crypto ikev1 sa
There are no IKEv1 SAs
ASAv1#
If I try to enable debugging (debug crypto ikev1 127 & debug crypto ipsec 127), I don't see any packets being generated.
Also, packet-tracer shows that a packet from the Inside of ASAv1 to the Inside of ASAv2 is not trying to go through the tunnel:
ASAv1# packet-tracer input Inside icmp 192.168.255.1 8 0 192.168.255.17
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.1.2 using egress ifc Outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static NETWORK_OBJ_192.168.255.0_28 NETWORK_OBJ_192.168.255.0_28 destination static obj-192.168.255.16-28 obj-192.168.255.16-28 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 192.168.255.17/0 to 192.168.255.17/0
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Does anyone know where the issue could be?
Thanks a lot and have a nice day.
12-13-2017 09:57 AM
Hello @jean-christophe.valiere,
The configuration seems OK; you are just doing the packet-tracer wrong :)
packet-tracer input Inside icmp 192.168.255.1 8 0 192.168.255.17
The IPs used for the packet-tracer cannot be the same as the IPs configured on the FW, so you need to change the IP 192.168.255.1 to something else. After this everything should work fine and the packet-tracer should flow normally. Remember you need to run it twice, since the first run should trigger the VPN tunnel and the second should simulate the traffic.
Try this one twice:
packet-tracer input Inside icmp 192.168.255.21 8 0 192.168.255.17
HTH
Gio
12-15-2017 12:51 AM
Hi @GioGonza,
Thanks a lot for the quick answer.
You're right, trying with another IP worked fine.
Once again thanks a lot :-)
Cheers,
Jean-Christophe