EzVPN server on ASA and IOS client with RRI in NEM problem.

Eugene Khabarov
Level 7

Hi, community!

I have a problem implementing an EzVPN hardware client in network extension mode. The problem is with RRI, I think.

This is the configuration of the ios client:

!

crypto isakmp keepalive 10 3 periodic
!
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
connect auto
group easyvpn key ****
mode network-plus
peer 1.2.3.4
virtual-interface 1
username username password  ****
xauth userid mode local
!

interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
interface Vlan2
ip address 10.96.0.55 255.255.254.0
crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!

ip route 0.0.0.0 0.0.0.0 10.96.0.1 2

!

This is the configuration of the asa ezvpn server:

!

ip local pool EASYVPN_POOL 10.96.5.1-10.96.5.254 mask 255.255.255.0

!

group-policy easyvpn internal
group-policy easyvpn attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage enable
ipsec-udp enable

tunnel-group easyvpn type remote-access
tunnel-group easyvpn general-attributes
address-pool EASYVPN_POOL
authentication-server-group ACS LOCAL
authentication-server-group (inside) ACS LOCAL
accounting-server-group ACS
default-group-policy easyvpn
tunnel-group easyvpn ipsec-attributes
pre-shared-key *****

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

The client successfully initiates the IKE SA and starts a crypto session.

Here is the ios router sh ip route output after connection:


      1.2.3.4/32 is subnetted, 1 subnets
S        1.2.3.4 [1/0] via 10.96.0.1
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C       10.10.10.0/24 is directly connected, Vlan1
C       10.96.0.0/23 is directly connected, Vlan2
C       10.96.5.1/32 is directly connected, Loopback10000
S*   0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access1


Here is the asa sh route output:

S    10.96.5.1 255.255.255.255 [1/0] via OFFICE_EXTERNAL, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.129.103.241, outside

10.96.5.1/32 - this is the RRI-installed static route. The question is how to make the asa install the 10.10.10.0/24 route from the ios router in its routing table.

I have found a similar example for the Cisco VPN 3000 concentrator, but RIP was used there. I can't do the same because the asa can't accept the route (there is no "no validate-update-source" command). Thanks in advance for help.

7 Replies

Marcin Latosiewicz
Cisco Employee

Hi,

You're using NEM+ and not NEM ;-)

+ DVTI config, remember that RRI works based on remote proxy ID.

What's the point of having DVTI to ASA?

Marcin

Hi, Marcin!

You are right, this is NEM+ )

I am planning to use QoS on DVTI.

What do you mean that RRI works based on remote proxy ID?

Crypto session current status

Interface: Virtual-Access1
Session status: UP-ACTIVE    
Peer: 213.129.103.246 port 4500
  IKE SA: local 10.96.0.55/4500 remote 213.129.103.246/4500 Active
  IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip host 10.96.5.1 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map

R1#sh crypto ipsec sa

interface: Virtual-Access1
    Crypto map tag: Virtual-Access1-head-0, local addr 10.96.0.55

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 213.129.103.246 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.96.0.55, remote crypto endpt.: 213.129.103.246
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0xB44C6081(3024904321)

     inbound esp sas:
      spi: 0xBB0640D5(3137749205)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4427052/28496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB44C6081(3024904321)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4427052/28496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.96.5.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 213.129.103.246 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.96.0.55, remote crypto endpt.: 213.129.103.246
     path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
     current outbound spi: 0x2E8B0D74(780864884)

     inbound esp sas:
      spi: 0x16A7F2A1(380105377)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 31, flow_id: Motorola SEC 1.0:31, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4545659/28496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2E8B0D74(780864884)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 32, flow_id: Motorola SEC 1.0:32, crypto map: Virtual-Access1-head-0
        sa timing: remaining key lifetime (k/sec): (4545659/28496)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Hi,

Sorry for not being clear.

RRI works based on "remote ident" as seen in "show crypto ipsec sa" - depending on the platform/config the entry will be always in routing table or in routing table only if the IPSec SA is up.

I was not aware that you're actually able to establish NEM+ to ASA (I believe I tried it a few years back when studying for ccie), can you check with NEM and see if the 10.10.10.0/24 will be installed?

Marcin
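As an added example (not code from this thread or from Cisco), a small Python check that applies the point above: it takes the client's local idents from the "sh crypto ipsec sa" output (those are the ASA's remote idents, so they are the prefixes RRI is expected to install on the ASA) and reports which of them have no matching static route in the ASA "sh route" output. The sample text is constructed from the outputs quoted in this thread.

```python
import ipaddress
import re

# Constructed sample: the ident lines from the IOS "sh crypto ipsec sa" output
# quoted in this thread (the only lines RRI cares about).
IOS_IPSEC_SA = """
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   local  ident (addr/mask/prot/port): (10.96.5.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

# Constructed sample: the ASA "sh route" lines quoted in this thread.
ASA_ROUTES = """
S    10.96.5.1 255.255.255.255 [1/0] via OFFICE_EXTERNAL, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 213.129.103.241, outside
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?:\s*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
ROUTE_RE = re.compile(r"^S\*?\s+([\d.]+)\s+([\d.]+)\s+\[", re.M)


def client_local_idents(sa_output):
    """Client-side local proxy IDs, as networks. Seen from the ASA these are
    the remote idents, i.e. what reverse-route injection should install."""
    return [
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for side, addr, mask in IDENT_RE.findall(sa_output)
        if side == "local"
    ]


def asa_static_routes(route_output):
    """Static ('S' / 'S*') entries of an ASA 'show route', as networks."""
    return [
        ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for addr, mask in ROUTE_RE.findall(route_output)
    ]


def missing_rri_routes(sa_output, route_output):
    """Expected RRI prefixes that the ASA has no exact static route for."""
    have = set(asa_static_routes(route_output))
    return [net for net in client_local_idents(sa_output) if net not in have]


if __name__ == "__main__":
    for net in missing_rri_routes(IOS_IPSEC_SA, ASA_ROUTES):
        print(f"no RRI route on ASA for client ident {net}")
```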

Hi! I have changed asa configuration and relevant ios configuration:

ASA:

group-policy easyvpn attributes

  nem enable


IOS router:

crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
mode network-extension

Now ASA installs route for 10.10.10.0/24:

S    10.10.10.0 255.255.255.0 [1/0] via OFFICE_EXTERNAL, outside

But now there is no management address assigned to the client because of the lack of support in this extension mode.

Oddity of oddities, I cannot find it documented anywhere, but I found a message thread involving the business unit where the top guys responsible for ASA IPSec mention NEM+ is not supported. This was at the time 8.0.3 was new, but there is no straightforward information in external resources or any changes or enhancement requests.

Marcin

Thank you for your help... I'll be waiting for dmvpn support on asa.

Hey,

Just FYI, there is no plan to introduce any features requiring tunnel/virtual interfaces on ASA.

I guess you will have to stick with NEM.


Marcin