IPsec VPN by ASA

valter.tibaldi1
Level 1

Hello to everybody,

I have a big issue connecting two or more i-devices using the Cisco VPN client over IPsec VPN to a Cisco ASA. I have to connect several i-devices by VPN from the same site; in other words, I have to support this type of connection from the same LAN behind NAT. Everything works fine for the first connection, but if I try to connect another device to the ASA, the debug shows a "Duplicate phase 2 packet detected" error and then it fails. Is it possible to use IPsec VPN with certificate authentication to connect several devices from the same network (same source NAT IP) to the ASA concentrator?

Many thanks,

Valter

11 Replies

Jennifer Halim
Cisco Employee

Do you have NAT-T enabled on the ASA firewall? That will encapsulate the ESP packet into UDP/4500.

Also, what is the device that does the NAT and passes through the VPN connections? Does it support pass-through for more than one VPN connection?
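To illustrate the point about NAT-T above, here is an added toy model (not code or config from this thread) of a port-address-translation box carrying IPsec from several inside hosts to one gateway. The addresses are constructed examples, and the model only keys flows on addresses and ports, as a NAT without special IPsec pass-through tracking would.

```python
"""Toy PAT box forwarding IPsec from several inside hosts to one gateway.
Plain ESP has no port fields, so a NAT keying on addresses/ports can carry
only one ESP flow per peer; NAT-T (ESP in UDP/4500) gives each flow a port.
Added illustration, not code or config from the original thread."""
from dataclasses import dataclass
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # constructed: the NAT's public address
GATEWAY = "198.51.100.1"    # constructed: the VPN gateway's public address
NAT_T_PORT = 4500           # UDP port used by NAT-T encapsulation

@dataclass(frozen=True)
class Packet:
    proto: str                   # "ESP" or "UDP"
    src: str
    dst: str
    sport: Optional[int] = None  # None for ESP: it carries no port fields
    dport: Optional[int] = None

class Pat:
    def __init__(self) -> None:
        self.table = {}          # key seen on the outside -> inside (ip, port)
        self.next_port = 40000   # next free outside port for UDP flows

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an inside->outside packet; None means the NAT drops it."""
        if pkt.proto == "UDP":
            # NAT-T: allocate a distinct outside port for every inside flow.
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[("UDP", pkt.dst, pkt.dport, port)] = (pkt.src, pkt.sport)
            return Packet("UDP", PUBLIC_IP, pkt.dst, port, pkt.dport)
        # Plain ESP: the only header fields available are protocol and peer,
        # so a second inside host talking to the same peer collides.
        key = ("ESP", pkt.dst)
        if key in self.table and self.table[key] != (pkt.src, None):
            return None
        self.table[key] = (pkt.src, None)
        return Packet("ESP", PUBLIC_IP, pkt.dst)

def concurrent_clients(proto: str, inside_hosts: list) -> list:
    """Inside hosts whose tunnel to GATEWAY this NAT can actually carry."""
    nat, ok = Pat(), []
    for host in inside_hosts:
        port = NAT_T_PORT if proto == "UDP" else None
        if nat.outbound(Packet(proto, host, GATEWAY, port, port)) is not None:
            ok.append(host)
    return ok
```

With plain ESP only the first client gets through; with UDP/4500 encapsulation every client gets its own translation.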

Yes, of course... I have already enabled NAT-T on the ASA to manage IPsec VPN connections through the NAT device. The i-devices are connected to the Internet by a Checkpoint UTM firewall, and it should be able to manage pass-through for more than one IPsec VPN connection, although the ASA WAN link is managed (only for test purposes) by a Cisco SOHO 827H, which I read is able to manage multiple VPN pass-through. As shown in the following schema, the i-devices are NATed behind the same CP public IP, and the destination of the VPN connections is the ASA's public IP.

I-devices (WiFi LAN) <----> CheckPoint FW (NAT with public IP) <----> INTERNET <----> (public IP) Cisco 827H <----> (public IP) ASA

Which other checks can I do to troubleshoot this configuration?

Many thanks for your support.

Can you please share the config of the 827H router?

Also, can you check where the second VPN is actually failing? It uses UDP/500, so if you can track where it's actually failing, that would help to concentrate on that particular device.

Hello Jennifer,

this is my Cisco 827H configuration:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
!
hostname XXXXXXXX
!
logging queue-limit 100
!
ip subnet-zero
no ip source-route
ip domain name XXXXXXXX
ip name-server 151.99.125.2
ip dhcp excluded-address x.x.x.245
!
ip dhcp pool Prova
   import all
   network x.x.x.244 255.255.255.252
   default-router x.x.x.245
   dns-server 151.99.125.2
   lease 0 0 1
!
interface Ethernet0
 ip address x.x.x.245 255.255.255.252
 ip access-group 102 out
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 bandwidth 128
 ip address x.x.x.x 255.255.255.0
 ip access-group 104 in
 ip access-group 103 out
 pvc 8/35
  oam-pvc manage
  oam retry 5 5 1
  encapsulation aal5snap
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route x.x.x.0 255.255.255.0 ATM0.1
ip route 151.99.0.0 255.255.0.0 ATM0.1
ip http server
no ip http secure-server
!
access-list 103 permit ip x.x.x.244 0.0.0.3 any
access-list 104 permit ip any any

Now I'm checking our FW's log to understand where the second VPN fails, but I don't see any drops.

Thanks.

What is the actual version of the router?

Just went through the router config, and it doesn't seem that the router is doing any NAT; the IPsec traffic is just passed through without any NATing. Shouldn't be a problem with the router, I would think.

Actual router version is 12.2(4)YA3...

Yes, of course... the router doesn't do any NAT. As I explained in the connection schema in the previous post, the router is only used as an ADSL interface to connect the ASA's WAN interface with its public/static IP, so it should only permit multiple IPsec pass-through.

Hello Jennifer,

this afternoon I did some other tests using the Cisco VPN Client installed on two PCs connected to the same WiFi that I use for the i-devices, and everything worked fine; in other words, these two PCs were connected by IPsec VPN to the ASA at the same time without problems. Now I think the described issue should be due to the Cisco IPsec client installed on the i-devices, which is not able to manage NAT-T correctly; do you have any feedback about that?

Thanks.

Great findings, Valter.

I assume that it is the built-in IPsec client on these i-devices, not the Cisco IPsec VPN Client, as I don't believe the Cisco IPsec VPN Client can be installed on i-devices.

Since it's a built-in IPsec VPN client, I would recommend that you get in touch with the i-device vendor to check with them whether NAT-T is supported, and if it is, to further investigate/troubleshoot why it's not working.

PS: are there any settings within the i-devices themselves to use/choose NAT-T or encapsulation of some sort?

Hello Jennifer,

yes, it is a built-in Cisco VPN client on the i-devices, and I read it's able to manage standard NAT-T encapsulation, but to be sure I will ask Apple support.

Unfortunately I didn't see anything related to NAT-T encapsulation on the i-devices, but I will ask support.

Many thanks for your support.

Hi Valter,

The i-devices with the built-in VPN client work fine with NAT-T, but I have tested and used it with PSK. I have seen this same problem on the forums about using certificates + NAT-T, which makes clients use only one connection at a time.

If you get any updates from the Apple, please update us about it too.

Manish
