DMVPN over Internet with ASA firewall in the middle

gastrich
Level 1

I am setting up DMVPN over the Internet with an ASA firewall in the middle. When I configure this in the lab without the ASA and without NAT-T, it comes up like a champ. The hub is a 3925 (152-1.T1) and the spokes are 881s (152-3.T). Both spokes are being NATed behind a carrier. In the lab the hub is another 881 (152-3.T).

The ISAKMP appears to come up and the IPSEC appears good, but packets are not being encrypted or decrypted.  The provider is telling me that the ASA is permitting everything destined to 75.124.79.50.  If I take the tunnel protection off and leave it as straight mGRE, it still fails.

The only item that I see is that nothing is getting encrypted or decrypted in ISAKMP, but I don't know why.

CHIPB-VPN-RT01#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
75.124.79.50    65.189.37.109   QM_IDLE          29009 ACTIVE
75.124.79.50    216.68.234.170  QM_IDLE          29010 ACTIVE

IPv6 Crypto ISAKMP SA

CHIPB-VPN-RT01#sho crypto ipsec sa vrf DMVPN det

interface: Tunnel200
    Crypto map tag: Tunnel200-head-0, local addr 75.124.79.50

   protected vrf: DMVPN
   local  ident (addr/mask/prot/port): (75.124.79.50/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (216.68.234.170/255.255.255.255/47/0)
   current_peer 216.68.234.170 port 3224
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 75.124.79.50, remote crypto endpt.: 216.68.234.170
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback100
     current outbound spi: 0xB021C8CE(2955004110)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x4BC745EA(1271350762)
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19709, flow_id: ISM VPN:1709, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4157900/3509)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0xF9C96201(4190724609)
        transform: ah-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19709, flow_id: ISM VPN:1709, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4157900/3509)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0x32FE203D(855515197)
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19710, flow_id: ISM VPN:1710, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4157900/3509)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0xB021C8CE(2955004110)
        transform: ah-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19710, flow_id: ISM VPN:1710, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4157900/3509)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:

   protected vrf: DMVPN
   local  ident (addr/mask/prot/port): (75.124.79.50/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (65.189.37.109/255.255.255.255/47/0)
   current_peer 65.189.37.109 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 75.124.79.50, remote crypto endpt.: 65.189.37.109
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback100
     current outbound spi: 0x37349588(926193032)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x558CCC9D(1435290781)
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19707, flow_id: ISM VPN:1707, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4298068/3451)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:
      spi: 0x8A804CDD(2323664093)
        transform: ah-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19707, flow_id: ISM VPN:1707, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4298068/3451)
        replay detection support: Y
        Status: ACTIVE

     inbound pcp sas:

     outbound esp sas:
      spi: 0xFAB4199D(4206107037)
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19708, flow_id: ISM VPN:1708, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4298068/3451)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:
      spi: 0x37349588(926193032)
        transform: ah-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 19708, flow_id: ISM VPN:1708, sibling_flags 80000030, crypto map: Tunnel200-head-0
        sa timing: remaining key lifetime (k/sec): (4298068/3451)
        replay detection support: Y
        Status: ACTIVE

     outbound pcp sas:

Here's the snippet of the hub and spoke configuration, again this works without the firewall and the remote NAT in the middle:

**************HUB**************

!
crypto pki token default removal timeout 0
!
ip vrf 3RD_PARTY
rd 30:30
!
ip vrf DMVPN
rd 20:20
!
crypto keyring DMVPN vrf DMVPN
  pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
!
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
lifetime 14400
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set PBI_DMVPN ah-sha-hmac esp-aes
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile PBI_DR
set transform-set PBI_DMVPN
!
crypto call admission limit ike sa 100
!
interface Loopback0
description MANAGEMENT
ip vrf forwarding DMVPN
ip address 10.110.110.2 255.255.255.255
!
interface Loopback100
description DMVPN loopback
ip vrf forwarding DMVPN
ip address 75.124.79.50 255.255.255.255
!
interface Tunnel200
description ** DR DMVPN HUB INTERFACE **
bandwidth 1000
ip vrf forwarding DMVPN
ip address 10.110.109.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PBI_DR
ip nhrp map multicast dynamic
ip nhrp network-id 200
ip nhrp holdtime 900
ip nhrp server-only
ip nhrp registration no-unique
ip tcp adjust-mss 1360
tunnel source Loopback100
tunnel mode gre multipoint
tunnel key 200
tunnel vrf DMVPN
tunnel protection ipsec profile PBI_DR
!
interface GigabitEthernet0/0
description CHIBT-SW-3750-EXT-01
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.15
description CHIBT-SW-3750-EXT-01_VLAN15_3RD_PARTY_EXTERNAL
encapsulation dot1Q 15
ip vrf forwarding 3RD_PARTY
ip address 10.110.105.162 255.255.255.252
!
interface GigabitEthernet0/0.16
description CHIBT-SW-3750-EXT-01_VLAN16_DMVPN_EXTERNAL
encapsulation dot1Q 16
ip vrf forwarding DMVPN
ip address 10.110.105.130 255.255.255.252
!
interface GigabitEthernet0/0.25
description CHIBT-SW-3750-EXT-01_VLAN25_3RD_PARTY_INTERNAL
encapsulation dot1Q 25
ip vrf forwarding 3RD_PARTY
ip address 10.110.105.170 255.255.255.248
standby 0 ip 10.110.105.169
standby 0 preempt
!
interface GigabitEthernet0/0.26
description CHIBT-SW-3750-EXT-01_VLAN26_DMVPN_INTERNAL
encapsulation dot1Q 26
ip vrf forwarding DMVPN
ip address 10.110.105.138 255.255.255.248
standby 0 ip 10.110.105.137
standby 0 preempt
!
router eigrp 100
!
address-family ipv4 vrf DMVPN
  network 10.0.0.0
  passive-interface default
  no passive-interface Tunnel200
  autonomous-system 100
exit-address-family
!
ip route vrf DMVPN 0.0.0.0 0.0.0.0 10.110.105.129
ip route vrf DMVPN 10.0.0.0 255.0.0.0 10.110.105.141
!
end

*************SPOKE*************

!
ip vrf INTERNET
rd 10:10
!
crypto keyring DMVPN vrf INTERNET
  pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
!
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
lifetime 14400
crypto isakmp keepalive 60
!
crypto ipsec transform-set PBI_DMVPN ah-sha-hmac esp-aes
mode transport
crypto ipsec fragmentation after-encryption
!
crypto ipsec profile PBI_DR
set transform-set PBI_DMVPN
!
crypto call admission limit ike sa 100
!
interface Loopback0
description MANAGEMENT
ip address 10.110.110.25 255.255.255.255
!
interface Tunnel200
description ** DR DMVPN HUB INTERFACE **
bandwidth 1000
ip address 10.110.109.25 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication PBI_DR
ip nhrp map multicast 75.124.79.50
ip nhrp map 10.110.109.2 75.124.79.50
ip nhrp network-id 200
ip nhrp holdtime 900
ip nhrp nhs 10.110.109.2
ip tcp adjust-mss 1360
tunnel source FastEthernet4
tunnel mode gre multipoint
tunnel key 200
tunnel vrf INTERNET
tunnel protection ipsec profile PBI_DR
!
interface FastEthernet4
description ** INTERNET **
ip vrf forwarding INTERNET
ip address 192.168.0.100 255.255.255.0
duplex auto
speed auto
!
router eigrp 100
network 10.0.0.0
passive-interface default
no passive-interface Tunnel120
no passive-interface Tunnel200
eigrp stub connected summary
!
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.168.0.1
!
end

I'm not thinking it's a configuration issue, I'm leaning towards something not liking the NAT-T, but any help would be appreciated.

1 Reply

Aaron Mayson
Level 1

I know this one is old, but what I don't see on your Firewall is AH and ESP, I only see GRE. Also are you trying to offload the IPSEC protection to this firewall?
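Added example tying the two posts together (Python; not code from the original poster, the reply, or Cisco). It parses the `show crypto ipsec sa` counters the OP pasted and flags the two things a practitioner would check first: SAs that are ACTIVE with zero encaps/decaps (IKE is fine, so the outer data path is the suspect), and AH combined with NAT-T, which cannot work because AH integrity-covers the outer IP header that the NAT rewrites and RFC 3948 UDP encapsulation is defined for ESP only. It then derives what the hub-side firewall has to permit, in line with the reply's point that the firewall rules only showed GRE. SAMPLE_SA_OUTPUT is a constructed excerpt shaped like the output above, trimmed to the lines the parser reads (the second peer is left without AH so the contrast shows); the ASA ACL name OUTSIDE_IN is hypothetical; the hub address 75.124.79.50 is the one from the thread.

```python
"""Triage for the symptom in this thread: ISAKMP QM_IDLE, IPsec SAs ACTIVE, yet
every encaps/decaps counter at 0.  Added example, not the poster's or Cisco's
code; SAMPLE_SA_OUTPUT is a constructed excerpt shaped like the output above."""
import re
from typing import Dict, List, Tuple

SAMPLE_SA_OUTPUT = """\
   remote ident (addr/mask/prot/port): (216.68.234.170/255.255.255.255/47/0)
   current_peer 216.68.234.170 port 3224
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        Status: ACTIVE
        transform: ah-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        Status: ACTIVE
   remote ident (addr/mask/prot/port): (65.189.37.109/255.255.255.255/47/0)
   current_peer 65.189.37.109 port 4500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        transform: esp-aes ,
        in use settings ={Transport UDP-Encaps, }
        Status: ACTIVE
"""

_RE_REMOTE = re.compile(r"remote ident .*?\((\d+\.\d+\.\d+\.\d+)/")
_RE_PEER = re.compile(r"current_peer (\S+) port (\d+)")
_RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_RE_XFORM = re.compile(r"transform: (\S+)")

def parse_ipsec_sa(text: str) -> List[Dict]:
    """One record per remote peer: address, UDP port seen after NAT, counters,
    transforms in use, and whether the SAs are UDP-encapsulated (NAT-T)."""
    peers: List[Dict] = []
    cur: Dict = {}                     # header lines before the first SA land here
    for line in text.splitlines():
        if m := _RE_REMOTE.search(line):
            cur = {"peer": m.group(1), "port": None, "encaps": 0, "decaps": 0,
                   "transforms": set(), "nat_t": False, "active": False}
            peers.append(cur)
        elif m := _RE_PEER.search(line):
            cur["port"] = int(m.group(2))
        elif m := _RE_ENCAPS.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := _RE_DECAPS.search(line):
            cur["decaps"] = int(m.group(1))
        elif m := _RE_XFORM.search(line):
            cur["transforms"].add(m.group(1))
        elif "UDP-Encaps" in line:
            cur["nat_t"] = True
        elif "Status: ACTIVE" in line:
            cur["active"] = True
    return peers

def diagnose(peers: List[Dict]) -> Dict[str, List[str]]:
    """Heuristic findings per peer address."""
    out: Dict[str, List[str]] = {}
    for p in peers:
        notes = []
        if p["active"] and p["encaps"] == 0 and p["decaps"] == 0:
            notes.append("SAs ACTIVE with zero encaps/decaps: IKE succeeded, so "
                         "look at the data path (firewall/NAT), not the keys")
        if p["nat_t"] and any(t.startswith("ah-") for t in p["transforms"]):
            notes.append("AH with NAT-T: AH integrity-covers the outer IP header "
                         "that NAT rewrites, and RFC 3948 UDP encapsulation is "
                         "defined for ESP only; drop AH from the transform set")
        if p["nat_t"] and p["port"] != 4500:
            notes.append(f"NAT rewrote the peer's source port to {p['port']}; the "
                         "hub-side firewall must allow UDP/4500 from any source port")
        out[p["peer"]] = notes
    return out

def required_firewall_permits(peers: List[Dict],
                              tunnel_protection: bool = True) -> List[Tuple[str, int]]:
    """What the hub-side firewall must admit; GRE is inside ESP unless bare mGRE."""
    permits = {("udp", 500)}                            # IKE
    if any(p["nat_t"] for p in peers):
        permits.add(("udp", 4500))                      # NAT-T: ESP and IKE in UDP
    if any(not p["nat_t"] for p in peers):
        permits.add(("ip", 50))                         # native ESP
        if any(t.startswith("ah-") for p in peers for t in p["transforms"]):
            permits.add(("ip", 51))                     # native AH
    if not tunnel_protection:
        permits.add(("ip", 47))                         # bare mGRE on the wire
    return sorted(permits)

def to_asa_acl(permits: List[Tuple[str, int]], hub: str,
               name: str = "OUTSIDE_IN") -> List[str]:
    """Render permits as ASA extended ACL lines (ACL name is hypothetical)."""
    names = {47: "gre", 50: "esp", 51: "ah"}
    return [f"access-list {name} extended permit udp any host {hub} eq {num}" if proto == "udp"
            else f"access-list {name} extended permit {names[num]} any host {hub}"
            for proto, num in permits]

if __name__ == "__main__":
    peers = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(diagnose(peers), *to_asa_acl(required_firewall_permits(peers), "75.124.79.50"), sep="\n")
```

Run it against the real `show crypto ipsec sa ... detail` output instead of the sample to get the same triage for every peer; a peer whose hub-side port is anything other than 4500 is sitting behind a NAT that rewrote the source port, so the firewall rule has to match on the hub's destination port only.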