12-29-2010 04:59 AM
Hi, community!
I have a problem implementing an EzVPN hardware client in network extension mode. The problem is with RRI, I think.
This is the configuration of the IOS client:
!
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
 connect auto
 group easyvpn key ****
 mode network-plus
 peer 1.2.3.4
 virtual-interface 1
 username username password ****
 xauth userid mode local
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
interface Vlan2
 ip address 10.96.0.55 255.255.254.0
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
ip route 0.0.0.0 0.0.0.0 10.96.0.1 2
!
This is the configuration of the ASA EzVPN server:
!
ip local pool EASYVPN_POOL 10.96.5.1-10.96.5.254 mask 255.255.255.0
!
group-policy easyvpn internal
group-policy easyvpn attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage enable
 ipsec-udp enable
tunnel-group easyvpn type remote-access
tunnel-group easyvpn general-attributes
 address-pool EASYVPN_POOL
 authentication-server-group ACS LOCAL
 authentication-server-group (inside) ACS LOCAL
 accounting-server-group ACS
 default-group-policy easyvpn
tunnel-group easyvpn ipsec-attributes
 pre-shared-key *****
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
The client successfully initiates the IKE SA and starts a crypto session.
Here is the IOS router's sh ip route output after connection:
1.2.3.4/32 is subnetted, 1 subnets
S 1.2.3.4 [1/0] via 10.96.0.1
10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C 10.10.10.0/24 is directly connected, Vlan1
C 10.96.0.0/23 is directly connected, Vlan2
C 10.96.5.1/32 is directly connected, Loopback10000
S* 0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access1
Here is the ASA's sh route output:
S 10.96.5.1 255.255.255.255 [1/0] via OFFICE_EXTERNAL, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.129.103.241, outside
10.96.5.1/32 is the RRI-installed static route. The question is how to make the ASA install the 10.10.10.0/24 route from the IOS router in its routing table.
I have found a similar example for the Cisco VPN 3000 concentrator, but RIP was used there. I can't do the same because the ASA can't accept the route (there is no "no validate-update-source" command). Thanks in advance for help.
12-29-2010 05:13 AM
Hi,
You're using NEM+ and not NEM ;-)
Also, with a DVTI config, remember that RRI works based on the remote proxy ID.
What's the point of having DVTI to ASA?
Marcin
12-29-2010 05:26 AM
Hi, Marcin!
You are right, this is NEM+ :)
I am planning to use QoS on the DVTI.
What do you mean by "RRI works based on remote proxy ID"?
Crypto session current status
Interface: Virtual-Access1
Session status: UP-ACTIVE
Peer: 213.129.103.246 port 4500
IKE SA: local 10.96.0.55/4500 remote 213.129.103.246/4500 Active
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 10.96.5.1 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
R1#sh crypto ipsec sa
interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr 10.96.0.55
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.129.103.246 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.96.0.55, remote crypto endpt.: 213.129.103.246
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0xB44C6081(3024904321)
inbound esp sas:
spi: 0xBB0640D5(3137749205)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4427052/28496)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB44C6081(3024904321)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4427052/28496)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.96.5.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.129.103.246 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.96.0.55, remote crypto endpt.: 213.129.103.246
path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x2E8B0D74(780864884)
inbound esp sas:
spi: 0x16A7F2A1(380105377)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 31, flow_id: Motorola SEC 1.0:31, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4545659/28496)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2E8B0D74(780864884)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 32, flow_id: Motorola SEC 1.0:32, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4545659/28496)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
12-29-2010 05:38 AM
Hi,
Sorry for not being clear.
RRI works based on the "remote ident" as seen in "show crypto ipsec sa". Depending on the platform/config, the entry will either always be in the routing table, or be in the routing table only while the IPsec SA is up.
I was not aware that you're actually able to establish NEM+ to an ASA (I believe I tried it a few years back when studying for the CCIE). Can you check with NEM and see if 10.10.10.0/24 will be installed?
Marcin
12-29-2010 06:23 AM
Hi! I have changed the ASA configuration and the relevant IOS configuration:
ASA:
group-policy easyvpn attributes
 nem enable
IOS router:
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
 mode network-extension
Now the ASA installs the route for 10.10.10.0/24:
S 10.10.10.0 255.255.255.0 [1/0] via OFFICE_EXTERNAL, outside
But now there is no management address assigned to the client, because of the lack of support for it in this extension mode.
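The two posts above make the same point from both ends: RRI keys its static routes on the remote proxy identity of each IPsec flow, and the ASA installed only the /32 under NEM+ but the /24 under NEM. The script below is an added example (not part of this thread or of any Cisco tool) that turns that check into something repeatable: it pulls the client's "local ident" lines out of the IOS show crypto ipsec sa output (those are the ASA's remote identities), derives the routes RRI would be expected to install on the server, and diffs them against the ASA's show route static entries. The NEM+ samples are taken from the outputs posted in the thread; the NEM-mode SA sample is an assumption, built from the statement that NEM assigns no management address and therefore carries only the inside-LAN flow.

```python
import ipaddress
import re

# Constructed sample: identity lines from the IOS client's "show crypto ipsec sa"
# in NEM+ mode, as posted in the thread. One flow for the inside LAN, one for
# the assigned management address. The client's *local* identity is the ASA's
# *remote* identity, which is what RRI keys its static routes on.
IOS_SA_OUTPUT_NEM_PLUS = """\
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.129.103.246 port 4500
protected vrf: (none)
local ident (addr/mask/prot/port): (10.96.5.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.129.103.246 port 4500
"""

# Assumed sample (not shown in the thread): the same client in plain NEM mode,
# where no management address is assigned, so only the inside-LAN flow exists.
IOS_SA_OUTPUT_NEM = """\
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 213.129.103.246 port 4500
"""

# Constructed samples: the ASA's "show route" static entries posted in the thread,
# first while the client was in NEM+, then after the switch to NEM.
ASA_ROUTES_NEM_PLUS = """\
S 10.96.5.1 255.255.255.255 [1/0] via OFFICE_EXTERNAL, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.129.103.241, outside
"""
ASA_ROUTES_NEM = """\
S 10.10.10.0 255.255.255.0 [1/0] via OFFICE_EXTERNAL, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 213.129.103.241, outside
"""

LOCAL_IDENT_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
STATIC_ROUTE_RE = re.compile(
    r"^S\*?\s+([\d.]+)\s+([\d.]+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)",
    re.MULTILINE,
)


def client_local_idents(sa_output):
    """Proxy identities the client presents for itself, as ip_network objects."""
    return [
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in LOCAL_IDENT_RE.findall(sa_output)
    ]


def expected_rri_routes(sa_output):
    """Routes the server would install if it honoured every remote identity.
    A 0.0.0.0/0 identity is dropped: this script does not model RRI turning a
    catch-all identity into a default route."""
    return [n for n in client_local_idents(sa_output) if n.prefixlen > 0]


def asa_static_routes(route_output):
    """Map each static route in ASA 'show route' output to (next hop, interface)."""
    routes = {}
    for net, mask, via, iface in STATIC_ROUTE_RE.findall(route_output):
        routes[ipaddress.ip_network(f"{net}/{mask}", strict=False)] = (via, iface)
    return routes


def missing_rri_routes(sa_output, route_output):
    """Remote identities that have no matching static route on the server."""
    installed = asa_static_routes(route_output)
    return [n for n in expected_rri_routes(sa_output) if n not in installed]


if __name__ == "__main__":
    cases = (
        ("NEM+", IOS_SA_OUTPUT_NEM_PLUS, ASA_ROUTES_NEM_PLUS),
        ("NEM", IOS_SA_OUTPUT_NEM, ASA_ROUTES_NEM),
    )
    for label, sa, table in cases:
        missing = [str(n) for n in missing_rri_routes(sa, table)]
        print(f"{label}: RRI routes missing on ASA = {missing}")
```

Run against the thread's outputs, the NEM+ case reports 10.10.10.0/24 as missing (the ASA installed only the 10.96.5.1/32 identity), and the NEM case reports nothing missing. The same diff is a quick way to confirm, after any RRI-related change, that every proxy identity a peer negotiated actually became a route, rather than reading two outputs side by side.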
12-29-2010 06:42 AM
Oddity of oddities, I cannot find it documented anywhere, but I found a message thread involving the business unit where the top guys responsible for ASA IPsec mention that NEM+ is not supported. This was at the time 8.0.3 was new, but there is no straightforward information in external resources, nor any change or enhancement requests.
Marcin
01-11-2011 04:16 AM
Thank you for your help... I'll be waiting for DMVPN support on the ASA.
01-11-2011 05:59 AM
Hey,
Just FYI, there is no plan to introduce any features requiring tunnel/virtual interfaces on the ASA.
I guess you will have to stick with NEM.
Marcin