
ezVPN remote, split tunneling doesn't work

ipovarenkin, Level 1

Hello,

Could you please look into my problem and say what is wrong with the ezVPN remote configuration?

Set up is simple:

ASA is the ezVPN server and 10.100.200/24 is the local net behind it.
871 is the ezVPN remote with 10.10.10/28 behind it as a private LAN.

I took the same config for this set up as from CCO
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

As a result the tunnel is up and running and the 871 gets the Split Tunneling list, but the packets from the remote's LAN don't go into the tunnel towards the ASA; the 871 NATs them.

~~~~~~~~~~
dsd#cle crypto session

*Jan 21 21:45:57.379: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=EZuser  Group=DefaultEZVPNGroup  Client_public_addr=109.13.98.123  Server_public_addr=95.68.19.3
*Jan 21 21:45:59.259: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=EZuser  Group=DefaultEZVPNGroup  Client_public_addr=109.13.98.123  Server_public_addr=95.68.19.3  NEM_Remote_Subnets=10.10.10.0/255.255.255.240


dsd#deb ip nat

*Jan 21 21:46:41.239: NAT*: s=10.10.10.3->109.13.98.123, d=10.100.200.2 [20324]
*Jan 21 21:46:46.075: NAT*: s=10.10.10.3->109.13.98.123, d=10.100.200.2 [20466]
*Jan 21 21:46:51.079: NAT*: s=10.10.10.3->109.13.98.123, d=10.100.200.2 [20467]
~~~~~~~~~~

There is one additional thing in this scheme: the ASA has a private IP and the GW NATs all the packets to the ASA (without PAT), public IP -> private IP.

If I add a deny statement into the NAT ACL, as for NO_NAT traffic, on the 871, the remote starts encrypting the packets towards the LAN behind the ASA.

!

ip access-list extended NAT_SCOPE
deny ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.15 any

!

ASA decrypts all the packets but doesn't encrypt this traffic back:)

**************
Remote config, cisco 871 (c870-advipservicesk9-mz.124-24.T1.bin)

ip access-list extended NAT_SCOPE
permit ip 10.10.10.0 0.0.0.15 any
!
ip nat inside source list NAT_SCOPE interface FastEthernet4 overload
!
interface FastEthernet4
ip address 109.13.98.123
ip nat outside
crypto ipsec client ezvpn TEST
!
int vl1
ip address 10.10.10.1 255.255.255.240
ip nat inside
crypto ipsec client ezvpn TEST inside
!
crypto ipsec client ezvpn TEST
connect auto
group DefaultEZVPNGroup key EZvpnKEY
mode network-extension
peer 95.68.19.3
username EZuser password 6 EZpwd
xauth userid mode local

**************

dsd#sh crypto ips sa

interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr 109.13.98.123

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
   current_peer 95.68.19.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 109.13.98.123, remote crypto endpt.: 95.68.19.3
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xA3609E25(2741018149)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x95B42074(2511609972)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map:
FastEthernet4-head-0
        sa timing: remaining key lifetime (k/sec): (4571654/28512)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA3609E25(2741018149)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map:
FastEthernet4-head-0
        sa timing: remaining key lifetime (k/sec): (4571653/28512)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

**************

dsd#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet4
Uptime: 00:01:19
Session status: UP-ACTIVE
Peer: 95.68.19.3 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.10.40.242
      Desc: (none)
  IKE SA: local 109.13.98.123/500 remote 95.68.19.3/500 Active
          Capabilities:CX connid:2002 lifetime:23:58:10
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.240 10.100.200.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4571654/28710
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4571653/28710

**************
dsd#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
95.68.19.3   109.13.98.123   QM_IDLE           2002 ACTIVE

**************
**************
**************

ezVPN server config ASA (asa706-k8.bin)

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.40.242 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.100.200.1 255.255.255.0
!
object-group network EZVPN-TEST
network-object 10.100.200.0 255.255.255.0
!
access-list SPLIT_TUNNEL extended permit ip object-group EZVPN-TEST 10.10.10.0 255.255.255.240
!
group-policy EZVPN_Grp_Policy internal
group-policy EZVPN_Grp_Policy attributes
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
nem enable
!
username EZuser password txqzZ00UNLIpykhG encrypted
username EZuser attributes
vpn-group-policy EZVPN_Grp_Policy
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map EZvpn_DYN-MAP 200 set transform-set ESP-DES-MD5
crypto map EZvpnMAP 200 ipsec-isakmp dynamic EZvpn_DYN-MAP
crypto map EZvpnMAP interface outside
!
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
!
tunnel-group DefaultEZVPNGroup type ipsec-ra
tunnel-group DefaultEZVPNGroup general-attributes
default-group-policy EZVPN_Grp_Policy
tunnel-group DefaultEZVPNGroup ipsec-attributes
pre-shared-key *


**************

ciscoasa# sh crypto isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 109.13.98.123
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

**************

ciscoasa# sh crypto ipsec sa
interface: outside
    Crypto map tag: EZvpn_DYN-MAP, seq num: 200, local addr: 10.10.40.242

      local ident (addr/mask/prot/port): (10.100.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
      current_peer: 109.13.98.123, username: EZuser
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.40.242, remote crypto endpt.: 109.13.98.123

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: BDE9FAE6

    inbound esp sas:
      spi: 0xDEAF049C (3736011932)
         transform: esp-des esp-md5-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: EZvpn_DYN-MAP
         sa timing: remaining key lifetime (sec): 28250
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xBDE9FAE6 (3186227942)
         transform: esp-des esp-md5-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: EZvpn_DYN-MAP
         sa timing: remaining key lifetime (sec): 28230
         IV size: 8 bytes
         replay detection support: Y

14 Replies

Hi,

If I understand correctly, the VPN tunnel comes up, the remote site encrypts the packets, the ASA receives them but won't encrypt them back, correct?

This sounds like a problem on the main site (ASA), like not having a route to the remote network or a NAT problem (not having a NAT 0 ACL for the VPN traffic).

Federico.

Hi Federico,

You didn't understand correctly:)

The problem is that the 871 (ezVPN remote) doesn't encrypt the packets, it NATs them.

Configuration is almost the same as in the example from CCO and according to configuration guides it should work!

But:

~~~~~

If I add a deny statement into the NAT ACL, as for NO_NAT traffic, on the 871, the remote starts encrypting the packets towards the LAN behind the ASA.

!

ip access-list extended NAT_SCOPE
deny ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.15 any

!

ASA decrypts all the packets but doesn't encrypt this traffic back:)

~~~~~

It's not a problem that the ASA doesn't encrypt the packets back; I just did that as an experiment because the 871 NATed the interesting traffic.

Briefly the situation is:

- IPsec tunnel is up and running

- remote NATs all traffic from the LAN segment (traffic towards ASA and traffic towards the Internet)

- hence, split tunneling doesn't work at the ezVPN remote

- configuration is good according to examples and configuration guides from CCO

You want the VPN traffic to not be NATed correct?

You need to bypass NAT on both ends for this to work as you did on your test.

Can you do the following:

1. Explain if you want both LANs to talk to each other bypassing NAT or doing NAT?

2. Post the running-config from both sides.

Federico.

I need to have working ezVPN remote.

According to Cisco's documentation there is no need to configure NO_NAT & interesting ACLs on ezVPN remote manually, it gets this from ezVPN server.

There is no NAT on ASA.

Both running configs in my initial post.

PS: could you please stop asking useless questions?:)

The ASA is expecting the traffic from the remote to be 10.10.10.0/28 but you're NATing all traffic on the remote site to the public IP.

How do you expect this to work?

Is this a useless question?

Federico.

Hi Federico,

The ASA is expecting the traffic from the remote to be 10.10.10.0/28 but you're NATing all traffic on the remote site to the public IP.

Yep, but keep in mind that the remote is configured properly according to the configuration guide and examples from CCO.

Forget about the ASA at the moment, the problem is that split tunneling doesn't work on the ezVPN remote.

There is no need to configure NO-NAT and interesting ACLs on ezVPN remote, this is the key of the ezVPN technology!

Server pushes those rules to a remote and as you can see (I doubt at the moment:)) 871 gets those rules.

I have ~100 remote workers and I don't want to configure L2L VPN for all of them.

If I'm not right, just give me a link where Cisco says NO-NAT and interesting ACLs should be configured on the ezVPN remote.

How do you expect this to work?

I expect this to work properly according to the documentation:)

Is this a useless question?

Sorry but yes it is:)

I would try to find a link for you.

Federico.

You say that besides following the link instructions, if you add:

ip access-list extended NAT_SCOPE

deny ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.15 any

Then the 871 starts encrypting the packets, the ASA receives them, but the ASA won't encrypt them back.

I would say that up to this point all you're missing is:

access-list nonat permit ip 10.100.200.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (inside) 0 access-list nonat

If the ASA still won't encrypt after the NAT 0, then you can do a Packet-Tracer test to check if the packet is going through the correct NAT rules and encryption.

Seems that we are almost there.

Federico.

Damn! Could you please stop spamming in this thread?

Read carefully please:

- thread's name is ezVPN remote, split tunneling doesn't work.

- I wrote: It's not a problem that the ASA doesn't encrypt the packets back; I just did that as an experiment because the 871 NATed the interesting traffic.

- I also asked you: Forget about the ASA at the moment, the problem is that split tunneling doesn't work on the ezVPN remote.

As a summary, there is no problem with the ASA!

The problem is in split tunneling on ezVPN remote!

Based on the explanation so far, there is no problem with split tunneling at all. You are right, the split tunnel policy is pushed from the headend (ASA) towards the ezvpn client (router). Based on the output of show cry ipsec sa, the split tunnel has been correctly pushed.

The problem here is with the NAT exemption on the remote end. Traffic from the remote ezvpn towards the headend LAN (ASA LAN) needs to be exempted from NAT, and traffic towards the internet will need to be NATed.

You are also right when you configure the deny statement for traffic between the LAN towards the LAN behind the ASA, that will not NAT the traffic, and will encrypt it because your split tunnel ACL is the one that defines the interesting traffic and it matches when traffic is not NATed. For all other traffic destined to the Internet, it needs to be NATed.

So the NAT ACL should be as follows:

ip access-list extended NAT_SCOPE
 deny ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.15 any

The document seems to be missing the "deny" statement on the NAT ACL.
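The answer above turns on the order in which an IOS router handles an inside-to-outside packet: dynamic NAT (ip nat inside source list ... overload) is applied before the crypto map is consulted, so a NAT ACL that permits 10.10.10.0/28 to "any" rewrites the source to 109.13.98.123 and the pushed split-tunnel flow (10.10.10.0/28 -> 10.100.200.0/24) can no longer match, which is exactly what the "NAT*: s=10.10.10.3->109.13.98.123" debug lines in the first post show. The Python model below is an added example, not code from the thread or from Cisco: it parses the two NAT_SCOPE variants and the pushed flow as first-match IOS ACLs and runs the same packets through a two-step NAT-then-crypto pipeline. The pipeline is a deliberate simplification of IOS (no routing, no return traffic) and the addresses are the ones posted in the thread.

```python
"""Model of the IOS inside-to-outside order of operations (NAT before the
crypto check) behind the ezVPN remote problem in this thread.
Added example; not code from the original thread or from Cisco."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair (e.g. 10.10.10.0 0.0.0.15) to a network."""
    netmask = ip_address((~int(ip_address(wildcard))) & 0xFFFFFFFF)
    return ip_network(f"{addr}/{netmask}", strict=False)


def _take_operand(tokens):
    """Consume one ACL address operand: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ip_network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines of an extended IOS ACL, preserving order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] != "ip":
            continue  # only the plain 'ip' ACEs used in the thread are modelled
        src, rest = _take_operand(tokens[2:])
        dst, _ = _take_operand(rest)
        entries.append((tokens[0], src, dst))
    return entries


def acl_permits(acl, src, dst):
    """First-match evaluation with IOS's implicit deny at the end."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def forward(src, dst, nat_acl, crypto_acl, outside_ip):
    """Return (disposition, source seen on the wire) for one inside->outside packet."""
    src, dst = ip_address(src), ip_address(dst)
    # Step 1: dynamic NAT on the outside interface runs first (IOS order of operations).
    if acl_permits(nat_acl, src, dst):
        src = ip_address(outside_ip)
    # Step 2: only then is the crypto map (the pushed split-tunnel flow) checked,
    # against the already-translated packet.
    if acl_permits(crypto_acl, src, dst):
        return "encrypted", str(src)
    return "cleartext", str(src)


# Addresses from the thread: remote LAN 10.10.10.0/28 behind FastEthernet4
# (109.13.98.123), headend LAN 10.100.200.0/24 behind the ASA.
OUTSIDE_IP = "109.13.98.123"

# The split-tunnel flow the ASA pushed (IPSEC FLOW in 'show crypto session detail').
CRYPTO_ACL = parse_acl("permit ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255")

# NAT_SCOPE as originally configured on the 871.
NAT_SCOPE_ORIGINAL = parse_acl("""
permit ip 10.10.10.0 0.0.0.15 any
""")

# NAT_SCOPE with the deny line recommended in the answer above.
NAT_SCOPE_FIXED = parse_acl("""
deny   ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.15 any
""")


def compare(src="10.10.10.3", dst="10.100.200.2"):
    """Run the same LAN-to-headend packet through both NAT ACLs."""
    return {
        "original": forward(src, dst, NAT_SCOPE_ORIGINAL, CRYPTO_ACL, OUTSIDE_IP),
        "fixed": forward(src, dst, NAT_SCOPE_FIXED, CRYPTO_ACL, OUTSIDE_IP),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:8s} -> {result}")
    # Internet-bound traffic (TEST-NET address, constructed) is still translated.
    print("internet -> ", forward("10.10.10.3", "203.0.113.10",
                                  NAT_SCOPE_FIXED, CRYPTO_ACL, OUTSIDE_IP))
```

With the original ACL the headend-bound packet leaves as cleartext from 109.13.98.123; with the deny line in front it keeps its 10.10.10.3 source and matches the pushed flow, while Internet-bound packets are translated either way. The original poster later reports that the `nat acl` subcommand in the `crypto ipsec client ezvpn` profile, which lets the client manage the NAT ACL for the pushed split-tunnel networks, resolved it; the model above shows why an unmanaged permit-any NAT ACL cannot work regardless of what the server pushes.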

Wow...

I've been giving you the answer in all my responses and you just don't want it?

ip access-list extended NAT_SCOPE
 deny ip 10.10.10.0 0.0.0.15 10.100.200.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.15 any

This is my last response to the thread, so mark it as answered.

Federico.

These communities are to learn and receive help.

If you come with an aggressive attitude, most likely nobody will help you out (as occurs in all aspects of life).

I was giving you the answer from the beginning, and if you didn't understand it you could have asked instead of insulting.

I am not wasting any more time with you, as there are many other people who do appreciate the assistance.

Good luck.


Federico.

Hi Federico,

Hope all is well!

Please review the thread and notice that 7 of 13 posts are yours and all of them are useless:)

One suggestion for you. When you read the question be sure that you understand the question.

When you are sure that you completely understand the question, read it again please.

Back to the problem. There was just one mistake: I reread the configuration guide and just added the 'nat acl' command into the ezVPN remote configuration.

Federico, another suggestion!

If you are not familiar with the technology people asking about please, PLEASE, don't mislead them!

These communities are to learn and receive help.

If you come with an aggressive attitude, most likely nobody will help you out (as occurs in all aspects of life).

I was giving you the answer from the beginning, and if you didn't understand it you could have asked instead of insulting.

Did I receive any help from you? No.

Did I learn anything from you? No.

Where have you seen an aggressive attitude?

In all my answers to your questions I was trying to say "THIS IS A PROBLEM WITH SPLIT TUNNELING ON EZVPN REMOTE"! That's it!

But you always tried to give me the wrong answer and asked useless questions!

Why? Whyyyy? Whhhhhhyyyyyyyyy?:)

Sorry if i offended you someway I didn't want to do that but try to be an engineer. Think before you print:)

Mate,

My advice to you is: don't go on posting these things; not a lot of people are going to be willing to help you out next time.

Funny thing is that nobody else has shared your point of view since I first started here.

Hope you solve your issues and I don't mean any technical stuff.

Cheers.

Federico.