02-19-2013 09:00 AM
Hi all,
I need some help from someone who has experience with configuring a VPN on an ASA behind a 2Wire router set up as DMZplus.
Topology:
ASA 5505 ---- 2Wire (dmzplus) -------------- ( cloud ) -------------- 2Wire (dmzplus) ---- ASA 5505
BT is the ISP on both ends. The static IPs are currently forwarded to the firewalls on both ends (the outside interface is a DHCP client).
All other services are working as expected (static NAT for a few ports and so on).
I have found on some other forums that the solution is to set up the router in full bridge mode and then configure PPPoE on the ASA, but I am trying to avoid this (for a few other reasons).
The weird thing is that when I try to initiate tunnel traffic from site A, I can see the IKE peer responder from site B, but not the opposite.
The IKE state is MM_WAIT_MSG2, so it's not passing phase one. What I also notice in the ARP table is that, despite only one IP being assigned per site, the BT router has an IP one less than the public one.
So my questions are:
1. Am I missing something in the config?
2. Is it possible to set up a VPN on an ASA over DMZplus?
3. Will the BT PPPoA service become PPPoE after changing the 2Wire to bridge mode?
4. Is there any different workaround or alternative solution?
CONFIG (crypto policies and all other settings are mirrored on the other end, so it doesn't make sense to post both):
: Saved
:
ASA Version 8.2(5)
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
access-list outside_in extended permit object-group PRS_PORTS any host 1.1.1.10
access-list outside_in extended permit object-group CCTV_PORTS any host 1.1.1.10
access-list VPN_traffic extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
static (inside,outside) tcp interface <omitted>
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.9 1 (points
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set L2LVPN esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2LCRYPTO 10 match address VPN_traffic
crypto map L2LCRYPTO 10 set peer 2.2.2.10
crypto map L2LCRYPTO 10 set transform-set L2LVPN
crypto map L2LCRYPTO interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 569bb150
<omitted>
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh <omitted>
ssh timeout 15
console timeout 0
management-access inside
dhcpd dns 194.72.0.98 194.74.65.68
dhcpd auto_config outside
!
dhcpd address 192.168.0.2-192.168.0.33 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 84.45.87.84 source outside prefer
webvpn
tunnel-group <2.2.2.10> type ipsec-l2l
tunnel-group <2.2.2.10> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 100 retry 2
ISAKMP debug:
Feb 19 03:25:25 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:8021bed6 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 19 03:25:25 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
Feb 19 03:25:28 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 19 03:25:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:33 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:25:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:33 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:25:36 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 19 03:25:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:25:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:25:44 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, IKE MM Responder FSM error history (struct &0xc6dc3588) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:a22d74b8 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Feb 19 03:25:52 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
Feb 19 03:25:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <dest_ip> local Proxy Address 192.168.0.0, remote Proxy Address 192.168.1.0, Crypto map (L2LCRYPTO)
Feb 19 03:25:54 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing ISAKMP SA payload
Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 02 payload
Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 03 payload
Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver RFC payload
Feb 19 03:25:54 [IKEv1 DEBUG]: IP = <dest_ip>, constructing Fragmentation VID + extended capabilities payload
Feb 19 03:25:54 [IKEv1]: IP = <dest_ip>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:25:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:25:57 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:02 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:26:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:07 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:10 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:26:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:17 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:18 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, IKE MM Initiator FSM error history (struct &0xc6aa7940) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, IKE SA MM:2e549563 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 19 03:26:26 [IKEv1 DEBUG]: IP = <dest_ip>, sending delete/delete with reason message
Feb 19 03:26:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <dest_ip> local Proxy Address 192.168.0.0, remote Proxy Address 192.168.1.0, Crypto map (L2LCRYPTO)
Feb 19 03:26:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing ISAKMP SA payload
Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 02 payload
Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver 03 payload
Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing NAT-Traversal VID ver RFC payload
Feb 19 03:26:32 [IKEv1 DEBUG]: IP = <dest_ip>, constructing Fragmentation VID + extended capabilities payload
Feb 19 03:26:32 [IKEv1]: IP = <dest_ip>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:26:40 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 19 03:26:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:43 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:43 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:43 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
no debug crypto isakmp 127
Feb 19 03:26:48 [IKEv1]: IP = <dest_ip>, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) tota
no debug crypto isakmp 127
Feb 19 03:26:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:53 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Feb 19 03:26:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Feb 19 03:26:53 [IKEv1]: IP = <dest_ip>, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Kind regards
Mariusz
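Before touching the 2Wire, the question raised in this post (does the IKE reply ever reach the ASA, or is it lost somewhere in the DMZplus/BT path?) can be settled from the ASA itself. The following is an added set of ASA 8.2 CLI commands, not part of the original post; 1.1.1.10 and 2.2.2.10 are the placeholder addresses from the posted config, and the names IKE and IKE_CAP are arbitrary.

```cisco
! Added diagnostic, not from the original post. Run on the site whose
! tunnel is stuck while hosts on the inside generate traffic matching
! the VPN_traffic ACL.
!
! 1. Capture IKE on the outside interface in both directions.
!    UDP/500 is plain ISAKMP; UDP/4500 shows up only if NAT-T is negotiated.
access-list IKE_CAP extended permit udp host 1.1.1.10 host 2.2.2.10 eq 500
access-list IKE_CAP extended permit udp host 2.2.2.10 host 1.1.1.10 eq 500
access-list IKE_CAP extended permit udp host 1.1.1.10 host 2.2.2.10 eq 4500
access-list IKE_CAP extended permit udp host 2.2.2.10 host 1.1.1.10 eq 4500
capture IKE access-list IKE_CAP interface outside
!
! 2. Start from a clean state, send interesting traffic, then inspect.
clear crypto isakmp sa
show crypto isakmp sa
!    - Initiator stuck in MM_WAIT_MSG2: MSG1 was sent, no MSG2 came back.
!    - This ASA as responder in MM_WAIT_MSG3: it received the peer's MSG1
!      and sent MSG2, but the peer's MSG3 never arrived. Seeing both
!      patterns matches the "one direction only" symptom in the debug.
show capture IKE
!    - Only outbound 1.1.1.10 -> 2.2.2.10 frames: the reply never reaches
!      the ASA, so the loss is upstream (2Wire/BT), not in this config.
!    - Reply frames present but the SA still times out: check that the
!      reply's source address equals the configured peer (the config uses
!      "crypto isakmp identity address") and whether UDP/4500 appears.
show crypto isakmp stats
!
! 3. The post mentions an ARP neighbour one below the public IP. Confirm
!    which next hop the ASA is actually using as its default gateway.
show arp
show route
!
! 4. Clean up.
no capture IKE
clear configure access-list IKE_CAP
```

The capture is the decisive check: if the peer's reply is absent on the outside interface, no amount of crypto-map or tunnel-group editing on the ASA will help, which is consistent with the direction the thread eventually takes.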
02-19-2013 10:03 AM
I'm assuming you are getting one of the RFC 1918 IPs from BT's router? Make sure they are not blocking IPsec on their router.
02-20-2013 01:17 AM
Thanks for the reply.
No, I get the public IP from the router, so all TCP and UDP traffic is being managed by the ASA.
But technically this is not full bridge mode. That's what the problem is.
02-20-2013 07:27 AM
OK, ask your ISP to confirm that they do not have the firewall enabled on their router and are allowing all traffic to pass through.
03-04-2013 09:22 AM
Hi Mohammad,
I have spoken to a BT engineer. They do not support VPN as part of standard support, but at least he has confirmed that nothing is blocked between the sites.
As the next step I am going to try to enable full bridge mode and set up PPPoE on the ASA external ports.
Another update: last Saturday the tunnel was up for a few hours, but the next morning it failed. No luck since then (tried reloading both firewalls, etc.). Nothing was changed on the firewall, so it's a bit weird.
When I run the isakmp debug I get "IKE MM Initiator FSM error history", which looks like the IKE packets are being lost in transit.
Thanks for your help again.
Regards
Mariusz
04-15-2013 03:21 AM
Hi all,
The latest update:
I've finally managed to get the VPN to work! As soon as I reconfigured the router and the firewall, it took one second to establish the tunnel. So the answer to the most important question, number 2 (Is it possible to set up a VPN on an ASA over DMZplus?), is no. I think the issue is related to routing, which doesn't look normal with DMZplus (can't properly traceroute to IPs, etc.).
So my solution was :
- changed 2Wire settings (Bridged LLC, ATM PVC disabled, Connection type: direct IP, save and uncheck Routing mode)
- changed ASA external interface settings to pppoe with automatic routing and IP
Regards
Mariusz
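For readers arriving with the same setup, the ASA side of the solution described in the last post looks like this on 8.2. This is an added example, not the author's configuration: the vpdn group name BT_PPPOE and the username/password are placeholders for the BT PPP login, and the 2Wire settings the author lists (Bridged LLC, ATM PVC disabled, direct IP, routing mode off) are made in the 2Wire's own interface, not on the ASA.

```cisco
! Added example, not from the original post. Replaces the outside
! "ip address dhcp setroute" once the 2Wire is in bridge mode, so the ASA
! itself terminates PPPoE and receives the static public IP directly.
! Group name and credentials are placeholders.
vpdn group BT_PPPOE request dialout pppoe
vpdn group BT_PPPOE localname <bt_username>
vpdn group BT_PPPOE ppp authentication chap
vpdn username <bt_username> password <omitted>
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BT_PPPOE
 ip address pppoe setroute
!
! PPPoE adds 8 bytes of header, so the usable outside MTU is 1492, not the
! 1500 in the posted config. Setting it explicitly avoids having ESP packets
! fragmented on the PPPoE link.
mtu outside 1492
!
! Verify: the negotiated address should be the static public IP, the
! default route should now point at the PPPoE peer rather than the 2Wire,
! and the L2L SA should reach MM_ACTIVE.
show ip address outside pppoe
show route
show crypto isakmp sa
```

The crypto map, tunnel-group and NAT exemption from the posted config are unchanged by this; only the way the outside interface obtains its address and default route moves from DHCP behind DMZplus to PPPoE on the ASA, which is exactly the change the author reports as making the tunnel come up.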