Can't Get VPN Connection to Established

damori.pierce
Level 1

So I am configuring a couple of FTDs in a lab environment. I went through the steps of creating the VPN connection, but I can't get them to establish the tunnel. I will lay out my process below.

My set up is as follows:

2 - FTDs

1 - L3 Switch

2 - PCs

Lab Scenario:

Create a Site-to-Site VPN between the two FTDs and test connectivity over the tunnel.

Process:

I created 4 Vlans on the switch; VLAN 1, 2, 3, 4:

Vlan 1 is 192.168.1.0/24

Vlan 2 is xxx.xxx.2.0/24

Vlan 3 is xxx.xxx.10.0/24

Vlan 4 is xxx.xxx.20.0/24

I turned on routing on the switch and everything is locally connected in the routing table.

On the FTDs inside FMC:

FTD1 - 192.168.1.1 - outside

FTD1 - xxx.xxx.10.1 - inside

FTD2 - xxx.xxx.2.1 - outside

FTD2 - xxx.xxx.20.1 - inside

Devices -> VPN -> Site-to-Site

- Policy Based

- IKEv2

- Endpoints

   - Node A:

      - device name - FTD2 

      - Interface - Outside

      - IP - xxx.xxx.2.1

      - Connection Type - Bidirectional

      - Protected Network - xxx.xxx.20.1

   - Node B:

      - device name - FTD1

      - Interface - Outside

      - IP - xxx.xxx.1.1

      - Connection Type - Bidirectional

      - Protected Network - xxx.xxx.10.1

 - IKE - Default

      - Manual Pre-Shared Key - PaS$w0rD

   - IPsec - Default

   - Advanced tab

      - Tunnel - Bypass AC (sysopt permit-vpn)

So this is everything the instructions from Cisco said to do, but the tunnel is not establishing.

18 Replies

@damori.pierce 

Has the VPN been established - run "show crypto ipsec sa" from the CLI of the FTDs, provide the output if it has been established.

Are there routes on the switches to send all traffic to the FTD?

Can the FTDs communicate with each other - ping the outside interface of the other FTD from the CLI?

Run packet-tracer from the CLI of the FTD twice and provide the output of the second packet-tracer output.

Can you enable debugging on the FTD and provide the output for review?

@Rob Ingram 

No, they haven't been established yet, and that command shows me "there are no ipsec sas".

Yes, the routes are directly connected.

Yes, I can ping the outside interface on each FTD in both directions.

I'll try PT and debug now and let you know what they return.

Output of packet-tracer:

> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.1 using egress ifc identity(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA

Solution
If you use two L3SWs, in each L3SW config:
ip route LAN-remoteSite FTD-inside-interface

This makes the traffic go to the FTD inside interface and then through the VPN.

@MHM Cisco World 

I only have one L3 switch to work with at the moment.

Then the traffic never uses the tunnel, because it uses InterVLAN routing.

Disable the routing table.
Make the PC default GW the FTD inside interface.

So I will need a second L3 switch?

Yes, otherwise InterVLAN routing uses the SVI in the SW and does not send traffic to the FTD.
Check my workaround:

Disable the routing table.
Make the PC default GW the FTD inside interface.

I did both those and still no luck on getting the VPN established... I am going to see if they will give me another SW to put in and separate them that way... But you have raised a question:

What is the difference between using a separate SW and using two totally different VLANs? The same config will go onto the new switch and it will be physically connected in the same way it was logically. I get what you are saying about inter-VLAN routing, but given that the IPs are in totally different subnets, to the switch it may as well be on a different switch, right?

Using VLANs is the same as using two different SWs,
but did you disable ip routing in the SW?
Did you configure the PC GW to be the FTD inside interface?

Check the VLAN you configured on the port the source PC connects to and the VLAN you configured on the port the destination PC connects to.

Yes, "no ip routing" on the switch, and the gateways on the PCs are 10.1 (FTD1 inside) and 20.1 (FTD2 inside).

In FTD1, share the output of this:
packet-tracer input Inside tcp x.x.x.x 12345  y.y.y.y 80 detail

x.x.x.x is the inside subnet of FTD1

y.y.y.y is the remote subnet

> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.2.1 using egress ifc identity(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA

From the debug:

Route-lookup:

Destination is locally connected
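The packet-tracer runs posted in this thread inject a packet on outside, sourced from FTD1's own outside address toward FTD2's outside address, which is not a flow the crypto map would ever encrypt; MHM's later request asks for the inside-to-inside test with the protected subnets for that reason. The following is an added example, not code from the thread or from Cisco, that parses packet-tracer output, extracts the phase that dropped the packet and the Drop-reason, and flags a test packet that cannot exercise the tunnel. The interface address and protected networks are assumed lab values, since the thread masks them.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, abridged from the packet-tracer output posted in this thread.
SAMPLE = """\
> packet-tracer input outside icmp 192.168.1.1 3 3 192.168.2.1

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000560b8b0af854 flow (NA)/NA
"""
# Assumed lab values (the thread masks the LANs as xxx.xxx.10.0/24 and xxx.xxx.20.0/24).
LOCAL_IFC_IPS = ["192.168.1.1"]  # FTD1's own outside address
PROTECTED_NETS = ["192.168.10.0/24", "192.168.20.0/24"]

def parse_command(line):
    """Interface, protocol, src, dst from the echoed command (icmp: 'src type code dst'; tcp/udp: 'src sport dst dport')."""
    t = line.split()
    i = t.index("input")
    proto = t[i + 2].lower()
    return t[i + 1], proto, t[i + 3], t[i + 6] if proto == "icmp" else t[i + 5]

def parse_phases(text):
    """Per-phase dicts (phase, type, subtype, result) plus the (code, text) of any Drop-reason."""
    phases, cur = [], None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "type": "", "subtype": "", "result": ""}
            phases.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val.strip()
    m = re.search(r"Drop-reason: \(([^)]+)\) ([^,]+)", text)
    return phases, ((m.group(1), m.group(2).strip()) if m else None)

def diagnose(text, local_ifc_ips, protected_nets):
    """Sanity checks on the test packet itself, before blaming IKE or the peer."""
    ifc, _, src, dst = parse_command(text.splitlines()[0])
    phases, drop = parse_phases(text)
    hit = lambda a: any(ip_address(a) in ip_network(n) for n in protected_nets)  # inside a protected LAN?
    checks = [
        (src in local_ifc_ips, "source is the FTD's own interface address; test from a protected-network host"),
        (not (hit(src) and hit(dst)), "src/dst are not both in the protected networks, so the crypto map cannot match"),
        (ifc.lower() != "inside", "injected on '%s'; LAN-to-LAN traffic to be encrypted enters on inside" % ifc),
    ]
    findings = [msg for bad, msg in checks if bad]
    findings += ["dropped in phase %d (%s/%s)" % (p["phase"], p["type"], p["subtype"]) for p in phases if p["result"] == "DROP"]
    return findings + (["drop-reason %s: %s" % drop] if drop else [])
```

Running `diagnose(SAMPLE, LOCAL_IFC_IPS, PROTECTED_NETS)` on the posted output reports all three test-packet problems plus the VPN/ipsec-tunnel-flow drop, while an inside-to-inside test between the two protected subnets that passes every phase returns no findings.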