05-26-2023 05:17 PM - edited 05-26-2023 05:21 PM
Hello Community,
I have put the following IPSEC config together. It must be wrong because the tunnel is not showing up.
ASA1
======
conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
==================================================
ASA2
======
conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.15
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
Goal:
1 - Site to Site VPN between 2 ASA firewalls running 9.12.4.58. Outside interface is the management 0/0 interface. I intended to have a virtual interface like a loopback. I know loopbacks aren't supported on ASAs but my goal is to have a logical interface like what a loopback would be. I want to ping between the two logical interfaces on each ASA.
2 - Diagram:
logical interface 10.10.12.1/24 < - > ASA1 10.244.7.15 Management 0/0 < - - IPSEC TUNNEL - - > Management 0/0 10.244.7.16 ASA2 < - > 10.10.12.2/24 logical interface.
Note: "logical interface" is what I used in place of Loopback since Loopbacks aren't supported on ASAs. Any tips here would be greatly appreciated.
3 - The ASA1 and ASA2 devices are on the same subnet and the same switch. (no routing in between)
4 - Any help would be greatly appreciated.
05-26-2023 05:27 PM
Hi
Your problem seems to be that the traffic of interest is the same on both sides.
In order for the tunnel to come up, there must be traffic flowing through the interface where the crypto map is applied.
But with the same network segment, there will be no traffic.
Use a different subnet instead of 10.10.12.0 on both sides: use 10.10.13.0 on one side and 10.10.12.0 on the other side.
Run show crypto ipsec sa and see if there are hits.
05-27-2023 05:59 AM
This did not work as a solution. I think the first hurdle is getting phase 1 to come up which I was not successful at accomplishing.
05-27-2023 06:12 AM - edited 05-27-2023 06:13 AM
Unless you are not matching the phase 1 parameters, this could pretty well be the problem. There is no way you could have the same network on both sides.
If you changed that and it did not work, fine, let's look at something else, but you surely need to fix that.
Can you share the output of
show crypto ipsec sa
show crypto isakmp sa
05-27-2023 06:16 AM - edited 05-27-2023 06:17 AM
asa-cluster-act-pri# show crypto ipsec sa
There are no ipsec sas
asa-cluster-act-pri#
asa-cluster-act-pri#
asa-cluster-act-pri# show vpn-sessiondb summary
No sessions to display.
asa-cluster-act-pri#
asa-cluster-act-pri#
asa-cluster-act-pri#
asa-cluster-act-pri# show crypto isakmp
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Delay Ex Rejects: 0
In P2 Sa Delete Requests: 0
In P2 Dup Remote Proxy: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 2000
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 3312
In Packets: 92
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 92
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 40664
Out Packets: 92
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 276
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 92
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 10004
Cookie Challenge Threshold: 5002
Active SAs: 0
In-Negotiation SAs: 0
In-Negotiation SAs High water mark: 1
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 92
Outgoing Requests Accepted: 92
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
asa-cluster-act-pri#
05-27-2023 06:20 AM - edited 05-27-2023 06:22 AM
But I don't think you can use the management interface for VPN
Management Port Configuration Changes
• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
• The shared management port cannot be used as a part of a high availability configuration.
05-27-2023 06:35 AM
There are many issues here.
First, you use the management interface, which is not in the data plane, for VPN; I think this does not work.
You use the same subnet on both ASAs, and that does not work. The subnets need to be different to make traffic hit the VPN ACL policy and make the ASA initiate phase 1 and phase 2 of IPsec. Using the same subnet makes the ASA not forward traffic through the VPN, because it assumes that this IP is directly connected.
Also, you must initiate traffic using a PC connected to the ASA, not using an interface of the ASA.
05-27-2023 06:51 AM
I did change the subnets on either side and this did not resolve the issue.
ASA1
======
conf t
! create tunnel interface
interface Tunnel1
nameif insTun1
ip address 10.10.12.1 255.255.255.0
tunnel source interface outsideP2p
tunnel destination 10.244.7.16
tunnel mode ipsec ipv4
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.16 type ipsec-l2l
tunnel-group 10.244.7.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list 1 extended permit ip 10.10.13.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.16
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
==================================================
ASA2
======
conf t
! create tunnel interface
interface Tunnel1
nameif insTun1
ip address 10.10.13.1 255.255.255.0
tunnel source interface outsideP2p
tunnel destination 10.244.7.15
tunnel mode ipsec ipv4
conf t
! rename Management nameif to outsideP2p
conf t
int Management 0/0
nameif outsideP2p
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.10.12.0 255.255.255.0 10.10.13.0 255.255.255.0
access-list 1 extended permit ip 10.10.13.0 255.255.255.0 10.10.12.0 255.255.255.0
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.244.7.15
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
I can select a different interface and attempt to use the management interfaces to ping through the tunnel with.
05-27-2023 07:42 AM
You configured a VTI and your ACL is wrong again;
you either use policy-based or route-based VPN.
05-27-2023 08:08 AM
Site-to-Site IPSEC VPN between Two Cisco ASA 5520 – Router Switch Blog (router-switch.com)
You can use this example as a reference.
05-27-2023 08:15 AM
Ok. I rebuilt the config as shown below. If you see something that is wrong, can you explain why is it wrong so I can make proper modifications?
ASA1
======
conf t
!
interface Management0/0
management-only
nameif management_interface
security-level 100
ip address 10.244.7.15 255.255.255.224
!
interface GigabitEthernet0/0
nameif outsideP2p
security-level 0
ip address 10.10.12.1 255.255.255.0
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.8.16 type ipsec-l2l
tunnel-group 10.244.8.16 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.10.12.2
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
route outsideP2p 10.244.8.16 255.255.255.255 10.10.12.2 1
==================================================
ASA2
======
conf t
!
interface Management0/0
management-only
nameif management_interface
security-level 100
ip address 10.244.8.16 255.255.255.224
!
interface GigabitEthernet0/0
nameif outsideP2p
security-level 0
ip address 10.10.12.2 255.255.255.0
! enable crypto ikev1
crypto ikev1 enable outsideP2p
crypto ikev1 policy 2
encryption aes-256
hash sha
group 2
authentication pre-share
lifetime 86400
! define tunnel group
tunnel-group 10.244.7.15 type ipsec-l2l
tunnel-group 10.244.7.15 ipsec-attributes
ikev1 pre-shared-key test123
access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255
! transform set
crypto ipsec ikev1 transform-set ipsec-vpn esp-aes-256 esp-sha-hmac
! crypto map
crypto map site-a 10 match address 1
crypto map site-a 10 set peer 10.10.12.1
crypto map site-a 10 set ikev1 transform-set ipsec-vpn
crypto map site-a 10 set pfs
! apply crypto map to outside interface
crypto map site-a interface outsideP2p
route outsideP2p 10.244.7.15 255.255.255.255 10.10.12.1 1
05-27-2023 08:20 AM
access-list 1 extended permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255 <<- use this only in ASA2
access-list 1 extended permit ip 10.244.7.15 255.255.255.255 10.244.8.16 255.255.255.255<<- use this only in ASA1
interface Management0/0 <<- use any other interface except the mgmt in both ASA
management-only
05-27-2023 09:02 AM
Done. IPSEC still isn't working. Is there a way to build a virtual interface that will come up no matter what on the ASA? Any other interface, I'm going to have to cable something up. That was the reason for trying to use a loopback originally.
05-27-2023 09:11 AM - edited 05-27-2023 09:12 AM
Share the last config (all of the config); let me see.
05-27-2023 09:35 AM
ASA1
======
conf t
! ISAKMP Phase 1
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable outsideP2p
tunnel-group 10.10.12.2 type ipsec-l2l
tunnel-group 10.10.12.2 ipsec-attributes
ikev1 pre-shared-key pwpw1234
! IPsec Phase 2
access-list RED permit ip 10.244.7.0 255.255.255.0 10.244.8.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP 10 set peer 10.10.12.2
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outsideP2p
route outsideP2p 10.244.8.16 255.255.255.255 10.10.12.2 1
==================================================
ASA2
======
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 enable outside
! Define the pre-shared key within the dynamic map tunnel group
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key pwpw1234
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
access-list BLUE permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
! Create a dynamic-map
crypto dynamic-map DYN-MAP 20 match address BLUE
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA
! Assign the dynamic-map to crypto map
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outsideP2p
route outsideP2p 10.244.7.15 255.255.255.255 10.10.12.1 1
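As an added example that is not part of the thread, the small Python checker below applies the consistency rules the replies above spell out (the crypto ACLs on the two peers must be mirror images, IKEv1 must be enabled on the same interface the crypto map is applied to, and a management-only interface cannot carry the VPN) to a constructed, trimmed copy of the last ASA1/ASA2 pair posted; the interface and ACL names are the ones from those configs, and the checker flags the mismatches visible in that pair.

```python
# Added example (not from the thread): consistency checks a defender can run over
# a pair of ASA IKEv1 crypto-map configs. The samples are constructed, trimmed
# copies of the last ASA1/ASA2 pair posted above.
def parse(cfg):
    # Extract the crypto-relevant facts from one ASA config text.
    d = {"acl": {}, "ikev1_if": set(), "mgmt_only": set(), "map_if": None, "match": None}
    mgmt = False
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[0] == "interface":                  # start of a new interface block
            mgmt = False
        elif w[0] == "management-only":
            mgmt = True
        elif w[0] == "nameif" and mgmt:          # nameif of a management-only port
            d["mgmt_only"].add(w[1])
        elif w[0] == "access-list" and "permit" in w and "ip" in w:
            i = w.index("ip")                    # (src, smask, dst, dmask)
            d["acl"].setdefault(w[1], set()).add(tuple(w[i + 1:i + 5]))
        elif w[:3] == ["crypto", "ikev1", "enable"]:
            d["ikev1_if"].add(w[3])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3] == "interface":
            d["map_if"] = w[4]
        elif w[0] == "crypto" and "match" in w:  # crypto map or dynamic-map ACL
            d["match"] = w[w.index("address") + 1]
    return d

def check_pair(a, b):
    out = []  # findings for parsed sides a (ASA1) and b (ASA2); empty means consistent
    for name, s in (("ASA1", a), ("ASA2", b)):
        if s["map_if"] not in s["ikev1_if"]:
            out.append(f"{name}: IKEv1 not enabled on crypto-map interface {s['map_if']}")
        if s["map_if"] in s["mgmt_only"]:
            out.append(f"{name}: crypto map applied to a management-only interface")
    mine = a["acl"].get(a["match"], set())       # crypto ACLs must be mirror images
    theirs = {(dst, dm, src, sm) for src, sm, dst, dm in b["acl"].get(b["match"], set())}
    if mine != theirs:
        out.append(f"crypto ACLs are not mirror images: {sorted(mine)} vs {sorted(theirs)}")
    return out

ASA1 = """interface Management0/0
 management-only
 nameif management_interface
crypto ikev1 enable outsideP2p
access-list RED permit ip 10.244.7.0 255.255.255.0 10.244.8.0 255.255.255.0
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP interface outsideP2p
"""
ASA2 = """crypto ikev1 enable outside
access-list BLUE permit ip 10.244.8.16 255.255.255.255 10.244.7.15 255.255.255.255
crypto dynamic-map DYN-MAP 20 match address BLUE
crypto map VPN-MAP interface outsideP2p
"""
```

Calling `check_pair(parse(ASA1), parse(ASA2))` reports that ASA2 enables IKEv1 on `outside` but applies the crypto map to `outsideP2p`, and that RED (/24 networks) and BLUE (/32 hosts) are not mirror images.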