Solved: Re: IPSec AWS Site-to-Site VPN w/ dynamic source interface (WAN failov

judu · ‎06-15-2023

I have a Tunnel interface establishing an IPSec VPN to AWS. The VPN uses certificate authentication so it is not bound to an IP address. In the event of WAN failover, I would like the tunnel to come back up using a secondary WAN interface (such as cellular). How can I achieve this since I have to specify "tunnel source {interface}" in the tunnel interface configuration?

interface Tunnel1
 ip address 169.254.X.X 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 18.218.X.X
 tunnel protection ipsec profile ipsec-vpn-X-0
 ip virtual-reassembly

Rob Ingram · ‎06-26-2023

@judu it looks like you must define "tunnel destination dynamic" if you use a dynamic source under the tunnel interface. You've already defined the peer (destination IP) in the flexvpn client AWS-VPN-CLIENT configuration, so the destination is known.

interface Tunnel10
 tunnel source dynamic
 tunnel destination dynamic

In your configuration change the "connect track 1" to "connect auto", which is default and doesn't not show up in the configuration and track each interface (with a unique track). Example:

crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 2.2.2.1
 peer reactivate
 connect auto
 source 1 GigabitEthernet0/0 track 1
 source 2 GigabitEthernet0/1 track 2
 client connect Tunnel0

If source 1 goes down, the tunnel will automatically establish via source 2. Source 1 is preferred, so when the track for source 1 is up again, the VPN will automatically fail back.

View solution in original post

Rob Ingram · ‎06-15-2023

@judu if using FlexVPN you can define tunnel source dynamic and use the FlexVPN client configuration. Example:

interface Tunnel10
ip address negotiated
tunnel source dynamic

crypto ikev2 client flexvpn FLEX
source 1 Ethernet0/0 track 1
source 2 Ethernet0/1 track 2

judu · ‎06-20-2023

Do you have more information on how I can make this work? I tried what you have listed above, but the tunnels do not come up even when the SLA is OK.

IPSLAs Latest Operation Summary
Codes: * active, ^ inactive, ~ pending
All Stats are in milliseconds. Stats with u are in microseconds

ID Type Destination Stats Return Last
Code Run
-----------------------------------------------------------------------
*1 icmp-echo 8.8.8.8 RTT=75 OK 0 seconds ago

Rob Ingram · ‎06-20-2023

@judu review the Configuring the Flexvpn Client section - https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-flex-clnt.html

and if you still cannot get it working provide the relevant configuration for review.

judu · ‎06-26-2023

Hello @Rob Ingram . Thank you for this information. I have tried several different variations of this using the example you provided and the documentation. When I remove Gi0/0/0 interface from the tunnel source-interface (changing it to dynamic), I see "Jun 26 13:36:10.545: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF". This does not turn back on no matter what combination of flexvpn client settings I use.

I have done this only for the primary inteface for now. I figured it would be simpler to get that working before adding the alternate. The track shows Up and OK.

Updated configuration with FlexVPN client and SLA/Track is attached.

Thank you again for taking the time to assist. It is greatly appreciated.

----

C12345R1#show track
Track 1
IP SLA 1 reachability
Reachability is Up
1 change, last change 00:00:29
Latest operation return code: OK
Latest RTT (millisecs) 20
Tracked by:
FlexVPN 0

Rob Ingram · ‎06-26-2023

@judu it looks like you must define "tunnel destination dynamic" if you use a dynamic source under the tunnel interface. You've already defined the peer (destination IP) in the flexvpn client AWS-VPN-CLIENT configuration, so the destination is known.

interface Tunnel10
 tunnel source dynamic
 tunnel destination dynamic

In your configuration change the "connect track 1" to "connect auto", which is default and doesn't not show up in the configuration and track each interface (with a unique track). Example:

crypto ikev2 client flexvpn FLEX-CLIENT
 peer 1 2.2.2.1
 peer reactivate
 connect auto
 source 1 GigabitEthernet0/0 track 1
 source 2 GigabitEthernet0/1 track 2
 client connect Tunnel0

If source 1 goes down, the tunnel will automatically establish via source 2. Source 1 is preferred, so when the track for source 1 is up again, the VPN will automatically fail back.

judu · ‎06-26-2023

OMG OMG OMG OMG !!! @Rob Ingram You are amazing! THANK YOU! I have been banging my head against the wall!

Jun 26 18:38:22.670: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jun 26 18:38:23.074: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: (NOT ERROR BUT WARNING ONLY)ID of cn=vpn-A.endpoint-0 (type 9) and certificate DN with cn=vpn-A.endpoint-0
Jun 26 18:38:23.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
C12345R1#
Jun 26 18:38:23.109: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.1.155 Server_public_addr = 18.218.X.X
C12345R1#
Jun 26 18:38:24.073: %SYS-5-CONFIG_I: Configured from console by console
C12345R1#
Jun 26 18:38:28.820: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Up
C12345R1#

!!!!! UNPLUG CABLE

Jun 26 18:39:05.828: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/0, changed state to down
C12345R1#
Jun 26 18:39:09.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/0, changed state to down
C12345R1#
Jun 26 18:39:09.414: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.1.155 Server_public_addr = 18.218.X.X
Jun 26 18:39:09.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Jun 26 18:39:09.463: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Jun 26 18:39:10.417: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to down
C12345R1#
Jun 26 18:39:10.419: %BGP-5-NBR_RESET: Neighbor 169.254.221.169 reset (Interface flap)
Jun 26 18:39:10.421: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Down Interface flap
Jun 26 18:39:10.421: %BGP_SESSION-5-ADJCHANGE: neighbor 169.254.221.169 IPv4 Unicast topology base removed from session Interface flap
C12345R1#
Jun 26 18:39:20.133: %TRACK-6-STATE: 1 ip sla 1 reachability Up -> Down
Jun 26 18:40:06.607: %CRYPTO-6-IKMP_NO_ID_CERT_DN_MATCH: (NOT ERROR BUT WARNING ONLY)ID of cn=vpn-X.endpoint-0 (type 9) and certificate DN with cn=vpn-X.endpoint-0
Jun 26 18:40:06.636: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel10, changed state to up
C12345R1#
Jun 26 18:40:06.641: %FLEXVPN-6-FLEXVPN_CONNECTION_UP: FlexVPN(FLEX-CLIENT) Client_public_addr = 192.168.4.148 Server_public_addr = 18.218.X.X
C12345R1#
Jun 26 18:40:15.416: %BGP-5-ADJCHANGE: neighbor 169.254.221.169 Up
C12345R1#ping 172.25.0.242
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.25.0.242, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/33/44 ms

MHM Cisco World · ‎06-15-2023

if you can use LO as source of tunnel

judu · ‎06-20-2023

Do you have more information on how I can make this work?

MHM Cisco World · ‎06-20-2023

What is platform is this ASA FPR or router?

judu · ‎06-20-2023

ISR 1100 Series

MHM Cisco World · ‎06-20-2023

Friend instead of using interface connect to any of ISP as tunnel source

Use LO as tunnel source

This make tunnel always UP and when path via ISP 1 down the router will use other patg via ISP2.

judu · ‎06-26-2023

Hi @MHM Cisco World . I have added a loopback interface, 10.10.10.1/32 and changed the tunnel source-interface to the new loopback interface. The tunnels do not come up (they are UP prior to this change).

Looking at the log, I see packets being sent to the peer from the loopback IP. No response is received (I would assume because there is no route back to this IP on the network). Do I need to do some form of NAT?

Updated configuration with loopback interface is attached.

Thank you again for taking the time to assist. It is greatly appreciated.

----

Jun 26 13:12:27.381: IKEv2-INTERNAL:(SESSION ID = 3,SA ID = 1):SM Trace-> SA: I_SPI=DB53A124A0D57541 R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_RE_XMT
Jun 26 13:12:27.381: IKEv2:(SESSION ID = 3,SA ID = 1):Retransmitting packet

Jun 26 13:12:27.381: IKEv2:(SESSION ID = 3,SA ID = 1):Sending Packet [To 18.218.X.X:500/From 10.10.10.1:500/VRF i0:f0]
Initiator SPI : DB53A124A0D57541 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jun 26 13:12:27.381: IKEv2-PAK:(SESSION ID = 3,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 414
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 40
last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
KE Next payload: N, reserved: 0x0, length: 140
DH group: 21, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: VID, reserved: 0x0, length: 19
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) Next payload: VID, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
VID Next payload: NONE, reserved: 0x0, length: 20

Aref Alsouqi · ‎06-20-2023

As far as I know there is no preemption mechanism on the ASA. Please take a look at this post of mine and see if it helps, essentially you can inject a fake next hop that would end up bringing down the established tunnel and reestablish it with the previous one:

https://bluenetsec.com/cisco-asa-ipsec-site-to-site-vpn-preemption/

IPSec AWS Site-to-Site VPN w/ dynamic source interface (WAN failover)