11-23-2019 04:27 PM - edited 02-21-2020 09:48 PM
Dear Community,
This is my first post after many years of just reading along here and using all the valuable discussions as guidance.
Our company recently moved offices, and in doing so I had to reconfigure our site-to-site link to a new internet line. Ever since, I can only get the tunnel to work properly if I – now comes the crazy part – specify BOTH the local as well as the remote in my "local" definition. If I don't do this the tunnel will come up, but traffic only flows towards the remote end and nothing comes back. I am really scratching my head on this, as I've done this setup at least 20-30 times already and really cannot seem to fix this one.
Note: I've used the ASDM to create the configuration.
Quick summary of the setup (anonymised):
Cisco ASA (version 9.6)
Strongswan Gateway (Version 5.8.1)
The goal is to connect 172.16.8.0/22 (ASA local network) with 172.16.0.0/22 (Strongswan local network) using PSK.
If I configure this using the ASDM wizard, the tunnel comes up automatically without a flaw, but traffic only flows from the ASA towards the Strongswan gateway and no traffic ever comes back. If I now add 172.16.0.0/22, the Strongswan local network, as a local traffic selector for the crypto map in the ASDM, it works immediately. Technically all is fine doing this, the tunnel works flawlessly, but this really is freaking me out as it should not be this way, so any help restoring my sanity is welcome. It is very likely a very silly config error that I am just not seeing.
The configuration is as follows:
Cisco ASA anonymised excerpt (please ask for more if needed)
interface GigabitEthernet1/1
 description ASA local backbone network
 speed 1000
 duplex full
 nameif Local_Backbone
 security-level 100
 ip address 172.16.8.1 255.255.252.0
!
interface GigabitEthernet1/3
 nameif Internet_Line-01
 security-level 0
 pppoe client vpdn group Internet_Line-01
 ip address pppoe
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network ASA_local_P1
 host 172.16.8.1
object network Local_Backbone
 subnet 172.16.8.0 255.255.252.0
object network Remote_Backbone
 subnet 172.16.0.0 255.255.252.0
!
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_13
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object Other_Remote_Site_Backbone
 network-object object Local_Backbone
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_3
 network-object object Remote_Backbone
 network-object object Other_Remote_Site_Backbone
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_9
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_17
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_10
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_12
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_15
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_16
 protocol-object ip
 protocol-object icmp
!
access-list Internet_Line-01_cryptomap_2 extended permit object-group DM_INLINE_PROTOCOL_5 object Local_Backbone object Other_Remote_Backbone
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group DM_INLINE_NETWORK_1 object Local_Backbone
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_16 object Local_Backbone object-group DM_INLINE_NETWORK_3
access-list Backbone_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Internet_Line-01_cryptomap_3 extended permit ip object Local_Backbone object Remote_Backbone
access-list Internet_Line-03_access_in extended permit object-group DM_INLINE_PROTOCOL_17 any any
access-list InternetUplink extended permit object-group DM_INLINE_PROTOCOL_9 any any
!
nat (Local_Backbone,Internet_Line-02) after-auto source dynamic Local_Backbone interface
nat (Local_Backbone,Internet_Line-03) after-auto source dynamic Local_Backbone interface
!
access-group Backbone_access_in in interface Local_Backbone
access-group Line1_access_in in interface Internet_Line-01
!
route Internet_Line-03 0.0.0.0 0.0.0.0 192.168.10.1 1
route Internet_Line-01 0.0.0.0 0.0.0.0 GW_OF_LINE1 3
route Internet_Line-01 20.30.40.50 255.255.255.255 GW_OF_LINE1 1
route Internet_Line-01 172.16.0.0 255.255.252.0 GW_OF_LINE1 1
!
crypto map Internet_Line-01_map2 1 match address Internet_Line-01_cryptomap_3
crypto map Internet_Line-01_map2 1 set peer 20.30.40.50
crypto map Internet_Line-01_map2 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AES256-SHA256 AES256-GMAC-SHA256 AES256-SHA
crypto map Internet_Line-01_map2 1 set ikev2 pre-shared-key *****
crypto map Internet_Line-01_map2 1 set nat-t-disable
crypto map Internet_Line-01_map2 1 set reverse-route
!
crypto isakmp identity address
!
crypto ikev2 enable Internet_Line-01
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value Internet_Line-01_cryptomap_3
 vpn-tunnel-protocol ikev2
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 remote-authentication certificate
 ikev2 local-authentication pre-shared-key *****
tunnel-group 20.30.40.50 type ipsec-l2l
tunnel-group 20.30.40.50 general-attributes
 default-group-policy GroupPolicy2
tunnel-group 20.30.40.50 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
Strongswan anonymised excerpt (please ask for more if needed)
connections {
    local-to-asa {
        local_addrs = 20.30.40.50
        remote_addrs = 80.90.100.110
        local {
            auth = psk
            id = @20.30.40.50
        }
        remote {
            auth = psk
        }
        children {
            local-to-asa-ipsec {
                local_ts = 172.16.0.0/22
                remote_ts = 172.16.8.0/22
                esp_proposals = aes-sha1
                start_action = start
            }
        }
        version = 2
        mobike = no
        reauth_time = 28800
        proposals = aes-sha1-modp1536
    }
}
Your support is truly appreciated!
With greetings
Xenion
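Added example (not from the thread, and not Cisco's or strongswan's own code): a Python check that the ACL an ASA crypto map references and a strongswan swanctl child describe mirrored traffic selectors, i.e. every ASA (source, destination) pair shows up on the strongswan side as (remote_ts, local_ts). The sample text is constructed from the excerpts above; the second ACL and the object-group DM_INLINE_NETWORK_9 are constructed here to model the workaround the post describes (both networks as the ASA's local selector) and are not lines from the real configuration.

```python
"""Compare ASA crypto-map traffic selectors with a strongswan child's local_ts/remote_ts.

A (src, dst) pair on the ASA that the peer does not mirror as (remote_ts, local_ts) is
the first thing to look for when an IPsec tunnel only passes traffic in one direction.
"""
import ipaddress
import re

# Constructed sample modelled on the ASA excerpt in the thread.  The object-group and the
# cryptomap_4 ACL are constructed to represent "local and remote both as local selector".
ASA_CONFIG = """
object network Local_Backbone
 subnet 172.16.8.0 255.255.252.0
object network Remote_Backbone
 subnet 172.16.0.0 255.255.252.0
object-group network DM_INLINE_NETWORK_9
 network-object object Local_Backbone
 network-object object Remote_Backbone
access-list Internet_Line-01_cryptomap_3 extended permit ip object Local_Backbone object Remote_Backbone
access-list Internet_Line-01_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_9 object Remote_Backbone
crypto map Internet_Line-01_map2 1 match address Internet_Line-01_cryptomap_3
"""

# Constructed sample modelled on the strongswan child section in the thread.
SWANCTL_CHILD = """
local_ts = 172.16.0.0/22
remote_ts = 172.16.8.0/22
"""

ACE_RE = re.compile(
    r"access-list (\S+) extended permit (?:ip|object-group \S+)"
    r" (object|object-group) (\S+) (object|object-group) (\S+)")


def parse_asa_networks(config):
    """Resolve 'object network' and 'object-group network' names to lists of networks."""
    objects, groups = {}, {}
    current = kind = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current, kind = m.group(1), "object"
        elif m := re.match(r"object-group network (\S+)$", line):
            current, kind = m.group(1), "group"
            groups[current] = []
        elif kind == "object" and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objects[current] = [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")]
        elif kind == "object" and (m := re.match(r"host (\S+)$", line)):
            objects[current] = [ipaddress.ip_network(f"{m.group(1)}/32")]
        elif kind == "group" and (m := re.match(r"network-object object (\S+)$", line)):
            groups[current].extend(objects[m.group(1)])
        elif kind == "group" and (m := re.match(r"network-object host (\S+)$", line)):
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/32"))
        elif kind == "group" and (m := re.match(r"network-object (\S+) (\S+)$", line)):
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return {**objects, **groups}


def acl_pairs(config, acl_name):
    """Expand every permit ACE of one crypto ACL into concrete (src_net, dst_net) pairs."""
    nets = parse_asa_networks(config)
    pairs = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.extend((s, d) for s in nets[m.group(3)] for d in nets[m.group(5)])
    return pairs


def parse_swanctl_ts(child):
    """Return (local_ts, remote_ts) as network lists from a swanctl child block."""
    ts = {"local_ts": [], "remote_ts": []}
    for key in ts:
        if m := re.search(rf"^\s*{key}\s*=\s*(.+)$", child, re.M):
            ts[key] = [ipaddress.ip_network(t.strip()) for t in m.group(1).split(",")]
    return ts["local_ts"], ts["remote_ts"]


def unmirrored_pairs(asa_config, acl_name, swan_child):
    """ASA (src, dst) pairs that strongswan does not cover as (remote_ts, local_ts).

    An empty list means the selectors agree in both directions."""
    local_ts, remote_ts = parse_swanctl_ts(swan_child)
    problems = []
    for src, dst in acl_pairs(asa_config, acl_name):
        mirrored = (any(src.subnet_of(r) for r in remote_ts)
                    and any(dst.subnet_of(l) for l in local_ts))
        if not mirrored:
            problems.append((str(src), str(dst)))
    return problems


if __name__ == "__main__":
    for acl in ("Internet_Line-01_cryptomap_3", "Internet_Line-01_cryptomap_4"):
        bad = unmirrored_pairs(ASA_CONFIG, acl, SWANCTL_CHILD)
        print(acl, "mirrored" if not bad else f"NOT mirrored by strongswan: {bad}")
```

Run as-is, the original ACL (cryptomap_3) is reported as mirrored, while the constructed workaround ACL (cryptomap_4) yields the pair (172.16.0.0/22, 172.16.0.0/22), which no strongswan child in the excerpt would negotiate; that is the sort of asymmetry to look for before comparing SA counters.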
11-25-2019 02:29 PM
Bump
Can someone please have a look at this?
It likely only needs a short glimpse to spot this probably very obvious fault, which I am not seeing.
Thanks a lot!
11-25-2019 02:48 PM
Hi,
Can you run packet-tracer (run the command twice and provide the output from the 2nd)? Example: "packet-tracer input Local_Backbone tcp 172.16.8.3 3000 172.16.0.3 80"
Can you provide the output of "show crypto ipsec sa" from when it works and when it doesn't?
Have you provided the full configuration of the ASA?
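Added example (not from the thread or from Cisco): a Python parser for the "show crypto ipsec sa" output the reply asks for. The two snapshots are constructed in the shape the ASA prints, reusing the addresses from the thread; the counter values are invented. Because encaps/decaps counters are cumulative for the life of the SA, diffing two snapshots taken a few seconds apart shows what is flowing now, and an SA whose encaps counter grows while decaps stays flat is exactly the "traffic goes out, nothing comes back" symptom described in the post.

```python
"""Parse ASA 'show crypto ipsec sa' output and judge traffic direction per SA."""
import re

# Constructed snapshots in the layout the ASA prints (counter values invented).
SNAPSHOT_1 = """\
interface: Internet_Line-01
    Crypto map tag: Internet_Line-01_map2, seq num: 1, local addr: 80.90.100.110

      access-list Internet_Line-01_cryptomap_3 extended permit ip 172.16.8.0 255.255.252.0 172.16.0.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.8.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.252.0/0/0)
      current_peer: 20.30.40.50

      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("412", "431")  # taken a few seconds later: 19 more packets sent

SA_RE = {
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sa(output):
    """Return one dict per SA: selector pair, peer and cumulative encaps/decaps counters."""
    sas, cur = [], None
    for line in output.splitlines():
        if m := SA_RE["local"].search(line):
            # 'local ident' opens a new SA block
            cur = {"local": f"{m.group(1)}/{m.group(2)}", "remote": None,
                   "peer": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := SA_RE["remote"].search(line):
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        elif m := SA_RE["peer"].search(line):
            cur["peer"] = m.group(1)
        elif m := SA_RE["encaps"].search(line):
            cur["encaps"] = int(m.group(1))
        elif m := SA_RE["decaps"].search(line):
            cur["decaps"] = int(m.group(1))
    return sas


def verdict(encaps, decaps):
    """Classify a pair of counter increases."""
    if encaps and decaps:
        return "bidirectional"
    if encaps:
        return "outbound only (encrypting, never decrypting: no return traffic arrives)"
    if decaps:
        return "inbound only (decrypting, never encrypting)"
    return "idle"


def compare_snapshots(before, after):
    """Match SAs by (local, remote, peer) and report the counter increase between snapshots."""
    prev = {(s["local"], s["remote"], s["peer"]): s for s in parse_ipsec_sa(before)}
    report = []
    for s in parse_ipsec_sa(after):
        base = prev.get((s["local"], s["remote"], s["peer"]), {"encaps": 0, "decaps": 0})
        d_enc, d_dec = s["encaps"] - base["encaps"], s["decaps"] - base["decaps"]
        if d_enc < 0 or d_dec < 0:
            # counters went backwards: the SA was rekeyed/rebuilt, so use absolute values
            d_enc, d_dec = s["encaps"], s["decaps"]
        report.append({"local": s["local"], "remote": s["remote"], "peer": s["peer"],
                       "encaps_delta": d_enc, "decaps_delta": d_dec,
                       "verdict": verdict(d_enc, d_dec)})
    return report


if __name__ == "__main__":
    for row in compare_snapshots(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{row['local']} -> {row['remote']} via {row['peer']}: "
              f"+{row['encaps_delta']} encaps, +{row['decaps_delta']} decaps: {row['verdict']}")
```

Feed it the two captures the reply asks for (working and not working) and the verdict column tells you at a glance whether the broken case is "outbound only" on the ASA, which points at the peer's selectors or return routing rather than at the ASA's own encryption path.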