IPSEC VPN (l2l) not coming up

cstn
Level 1

Hello Community,

 

I have put the following IPSEC config together. It must be wrong because the tunnel is not showing up. 


ASA1
======

conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p



==================================================

ASA2
======

conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.15
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p

 

Goal: 

1 - Site to Site VPN between 2 ASA firewalls running 9.12.4.58. Outside interface is the management 0/0 interface. I intended to have a virtual interface like a loopback. I know loopbacks aren't supported on ASAs but my goal is to have a logical interface like what a loopback would be. I want to ping between the two logical interfaces on each ASA. 

2 - Diagram:

logical interface 10.10.12.1/24 < - > ASA1 10.244.7.15 Management 0/0 < - - IPSEC TUNNEL - - > Management 0/0 10.244.7.16 ASA2 < - > 10.10.12.2/24 logical interface. 

Note: "logical interface" is what I used in place of Loopback since Loopbacks aren't supported on ASAs. Any tips here would be greatly appreciated. 

3 - The ASA1 and ASA2 devices are on the same subnet and the same switch. (no routing in between)

4 - Any help would be greatly appreciated. 

 

17 Replies

Hi

Your problem seems to be that the traffic of interest is the same on both sides.

In order for the tunnel to come up, there has to be traffic flowing through the interface where the crypto map is applied.

But, with the same network segment, there will be no traffic.

Use different subnets instead of 10.10.12.0 on both sides: use 10.10.13.0 on one side and 10.10.12.0 on the other side.

Run show crypto ipsec sa and see if there are hits.

This did not work as a solution. I think the first hurdle is getting phase 1 to come up which I was not successful at accomplishing. 

Unless you are not matching the phase 1 parameters, this could pretty well be the problem. There is no way you can have the same network on both sides.

If you changed that and it did not work, fine, let's look at something else, but you surely need to fix that.

 Can you share the output of

 show crypto ipsec sa

show crypto isakmp sa

asa-cluster-act-pri# show crypto ipsec sa

There are no ipsec sas

asa-cluster-act-pri#

asa-cluster-act-pri#

asa-cluster-act-pri# show vpn-sessiondb summary

No sessions to display.

asa-cluster-act-pri#

asa-cluster-act-pri#

asa-cluster-act-pri#

asa-cluster-act-pri# show crypto isakmp

There are no IKEv1 SAs

There are no IKEv2 SAs

Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Delay Ex Rejects: 0
In P2 Sa Delete Requests: 0
In P2 Dup Remote Proxy: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 2000
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0

Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 3312
In Packets: 92
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 92
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 40664
Out Packets: 92
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 276
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 92
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0

IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 10004
Cookie Challenge Threshold: 5002
Active SAs: 0
In-Negotiation SAs: 0
In-Negotiation SAs High water mark: 1
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 92
Outgoing Requests Accepted: 92
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

asa-cluster-act-pri#

 

But I don't think you can use the management interface for VPN.

Management Port Configuration Changes

The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.

• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.

• The shared management port cannot be used as a part of a high availability configuration.

If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.

 

 

There are many issues here.

First, you use the management interface, which is not in the data plane, for VPN; I think this will not work.

You use the same subnet on both ASAs; that will not work. The subnets need to be different so that traffic hits the VPN ACL policy and makes the ASA initiate phase 1 and phase 2 of IPsec. Using the same subnet makes the ASA not forward traffic through the VPN, since it assumes that the IP is directly connected.

Also, you must initiate traffic using a PC connected to the ASA, not using an interface of the ASA. 

I did change the subnets on either side and this did not resolve the issue. 

ASA1
======

conf t
! create tunnel interface
interface Tunnel1
nameif insTun1
ip address 10.10.12.1 255.255.255.0
tunnel source interface outsideP2p
tunnel destination 10.244.7.16
tunnel mode ipsec ipv4

! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list 1 extended permit ip 10.10.13.0 255.255.255.0 10.10.12.0 255.255.255.0

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p


==================================================

ASA2
======

conf t
! create tunnel interface
interface Tunnel1
nameif insTun1
ip address 10.10.13.1 255.255.255.0
tunnel source interface outsideP2p
tunnel destination 10.244.7.15
tunnel mode ipsec ipv4

conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list 1 extended permit ip 10.10.13.0 255.255.255.0 10.10.12.0 255.255.255.0

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.15
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p

I can select a different interface and attempt to use the management interfaces to ping through the tunnel with.

You configured a VTI and your ACL is wrong again;
you use either policy-based or route-based VPN.

Ok. I rebuilt the config as shown below. If you see something that is wrong, can you explain why is it wrong so I can make proper modifications?

ASA1
======

conf t
!
interface Management0/0
management-only
nameif management_interface
security-level 100
ip address 10.244.7.15 255.255.255.224

!
interface GigabitEthernet0/0
nameif outsideP2p
security-level 0
ip address 10.10.12.1 255.255.255.0

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.8.16 type ipsec-l2l
tunnel-group 10.244.8.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.10.12.2
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p

route outsideP2p 10.244.8.16 255.255.255.255 10.10.12.2 1


==================================================

ASA2
======

conf t

!
interface Management0/0
management-only
nameif management_interface
security-level 100
ip address 10.244.8.16 255.255.255.224

!
interface GigabitEthernet0/0
nameif outsideP2p
security-level 0
ip address 10.10.12.2 255.255.255.0

! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400

! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255

! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac

! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.10.12.1
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs

! apply crypto map to outside interface
crypto map site-a interface outsideP2p

route outsideP2p 10.244.7.15 255.255.255.255 10.10.12.1 1

 

 

access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255 <<- use this only in ASA2
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255<<- use this only in ASA1 

interface Management0/0 <<- use any other interface except the mgmt on both ASAs 
management-only
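The two recurring review points in this thread (the crypto ACL on each side must be the mirror image of the other side's, the source and destination of that ACL cannot be the same network, the peer must be the remote crypto interface address, and the crypto map cannot hang on a management-only interface) can be checked mechanically before the tunnel is debugged on the box. The following Python script is an added example, not something posted in the thread or shipped by Cisco; the two config fragments are constructed, and ASA2's ACL is deliberately narrowed to /32 hosts while ASA1 uses /24 networks, mirroring the RED/BLUE mismatch in the last configs above.

```python
import re
# Constructed ASA fragments for the example (not the thread's configs). ASA2 narrows its
# crypto ACL to /32 hosts while ASA1 uses /24 networks, so the phase 2 proxy IDs cannot match.
ASA1 = """interface GigabitEthernet0/0
 nameif outsideP2p
 ip address 10.10.12.1 255.255.255.0
access-list RED extended permit ip 10.244.7.0 255.255.255.0 10.244.8.0 255.255.255.0
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP 10 set peer 10.10.12.2
crypto map VPN-MAP interface outsideP2p
tunnel-group 10.10.12.2 type ipsec-l2l
 ikev1 pre-shared-key pwpw1234"""
ASA2 = """interface GigabitEthernet0/0
 nameif outsideP2p
 ip address 10.10.12.2 255.255.255.0
access-list BLUE extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
crypto map VPN-MAP 10 match address BLUE
crypto map VPN-MAP 10 set peer 10.10.12.1
crypto map VPN-MAP interface outsideP2p
tunnel-group 10.10.12.1 type ipsec-l2l
 ikev1 pre-shared-key pwpw1234"""
PATTERNS = {"match": r"crypto map \S+ \d+ match address (\S+)", "peer": r"set peer (\S+)",
            "map_if": r"crypto map \S+ interface (\S+)", "psk": r"ikev1 pre-shared-key (\S+)"}

def parse(cfg):
    """Extract the few settings that decide whether a policy-based IKEv1 L2L tunnel can form."""
    d = {k: (m[1] if (m := re.search(p, cfg)) else None) for k, p in PATTERNS.items()}
    d["acl"] = re.findall(rf"access-list {d['match']} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    for stanza in re.findall(r"^interface .*\n(?: .*\n?)*", cfg, re.M):  # interface line + its indented lines
        if f"nameif {d['map_if']}" in stanza:  # the interface the crypto map is bound to
            d["ip"] = re.search(r"ip address (\S+)", stanza)[1]
            d["mgmt"] = "management-only" in stanza
    return d

def check_pair(a, b):
    """Findings that would keep phase 1 or phase 2 from completing between the two parsed sides."""
    issues = []
    for name, side, other in (("ASA1", a, b), ("ASA2", b, a)):
        if side.get("mgmt"):
            issues.append(f"{name}: crypto map is bound to a management-only interface")
        if any((s, sm) == (d, dm) for s, sm, d, dm in side["acl"]):
            issues.append(f"{name}: crypto ACL source and destination are the same network")
        if side["peer"] != other.get("ip"):
            issues.append(f"{name}: peer {side['peer']} is not the remote crypto interface {other.get('ip')}")
    if set(a["acl"]) != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:
        issues.append("crypto ACLs are not mirror images of each other (phase 2 proxy-ID mismatch)")
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ")
    return issues
```

Run against real `show running-config` output the same checks apply; the parser only reads the first crypto map entry and tunnel group, so multi-peer configs need the ACL and peer lookups widened.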

Done. IPSEC still isn't working. Is there a way to build a virtual interface that will come up no matter what on the ASA? Any other interface, I'm going to have to cable something up. That was the reason for trying to use a loopback originally. 

Share the last config (all of it), let me see. 

ASA1
======

conf t
! ISAKMP Phase 1

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable outsideP2p
tunnel-group 10.10.12.2 type ipsec-l2l
tunnel-group 10.10.12.2 ipsec-attributes
ikev1 pre-shared-key pwpw1234

! IPsec Phase 2

access-list RED permit ip 10.244.7.0 255.255.255.0 10.244.8.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP 10 set peer 10.10.12.2
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outsideP2p

route outsideP2p 10.244.8.16 255.255.255.255 10.10.12.2 1


==================================================


ASA2
======

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside

! Define the pre-shared key within the dynamic map tunnel group

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key pwpw1234
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

access-list BLUE permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255

! Create a dynamic-map

crypto dynamic-map DYN-MAP 20 match address BLUE
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA

! Assign the dynamic-map to crypto map

crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outsideP2p

route outsideP2p 10.244.7.15 255.255.255.255 10.10.12.1 1