01-19-2018 01:24 PM - edited 03-12-2019 04:55 AM
Hi, I have a central ASA that has several L2L IPSec VPNs active. Our company "was" using the phone-proxy on another ASA, but the certs on the phones are expiring and issues are cropping up all over the place, so I am switching to an ASA at every home and just tunnel the phone traffic through.
I ran into several issues configuring the DefaultL2LGroup for this as the DefaultRAGroup was catching all the traffic. I finally found the culprit and saw IKE was now using the L2L group versus the RA group.
Now I have an issue where it seems the remote ASA is too smart for its own good when NAT-T is enabled at the remote end. The central ASA reports:
Jan 19 14:23:23 [IKEv1]Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: Tunnel Cfg'd: UDP Tunnel(NAT-T)
I understand it is doing this because it knows it is behind NAT already, but I do not know how to get NAT ignored for the protected networks as usual on the DefaultL2LGroup's tunnel group.
If I disable NAT-T on the remote ASA, IKE/IPsec completes, but I cannot pass traffic through the tunnel even though packet tracer tells me I am able to. I have RRI enabled on the central ASA and it adds a route for the remote protected network to its default gateway, and the IPsec SAs appear correct between the two systems.
I just tried moving the remote ASA to behind the router, with it DMZ'ed to the external IP address of the WAN connection, and NAT-T now works as expected, but I still cannot ping the sites from each other, or access resources behind the central ASA from behind the remote ASA.
Any ideas what I might look for to nail this one down?
Remote IKE success:
Jan 19 15:15:02 [IKEv1]Group = DefaultL2LGroup, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=ea0d643f)
Jan 19 15:15:02 [IKEv1]Group = DefaultL2LGroup, IP = x.x.x.x, Adding static route for L2L peer coming in on a dynamic map. address: 10.255.2.0, mask: 255.255.255.0
Central ASA crypto:
asa0-colo# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: Dynamic-lslate, seq num: 4, local addr: y.y.y.y

      access-list outside_cryptomap_2 extended permit ip 192.168.5.0 255.255.255.0 10.255.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: y.y.y.y/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B07D2377
      current inbound spi : EC6D68ED

    inbound esp sas:
      spi: 0xEC6D68ED (3966593261)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 46489600, crypto-map: Dynamic-lslate
         sa timing: remaining key lifetime (sec): 28474
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00001FFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB07D2377 (2960991095)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 46489600, crypto-map: Dynamic-lslate
         sa timing: remaining key lifetime (sec): 28474
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
Remote ASA crypto:
asa-lslate# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      access-list outside_cryptomap extended permit ip 10.255.2.0 255.255.255.0 192.168.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: y.y.y.y

      #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 55, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: y.y.y.y/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EC6D68ED
      current inbound spi : B07D2377

    inbound esp sas:
      spi: 0xB07D2377 (2960991095)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28306
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEC6D68ED (3966593261)
         transform: esp-aes-256 esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28306
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
01-22-2018 01:43 AM
Hi goliver,
NAT traversal comes into play for the peer IPs trying to bring up the VPN tunnel, for example if the branch ASA does not have a public IP on the outside interface and it resides behind a device that performs NAT.
In this case you will need to have NAT traversal enabled on the branch ASA as well as the central ASA. The NAT will be detected along the transmission path and UDP 4500 will be used instead of ESP.
The error you received is indicating that NAT was detected by one of the devices, but the other ASA has NAT traversal disabled. But then you go on to say that you disabled NAT traversal and phase 2 came up; this is a bit confusing, but as long as phase 2 is working it should be ok.
Looking at the "sh crypto ipsec sa peer" output, it seems that the central ASA is not sending the packets back through the tunnel. This usually indicates a routing or a NAT problem:
- make sure that the branch network is routed to the outside interface
- configure identity NAT for the VPN networks, should look something like this:
nat (inside,outside) source static VPN-NETWORK-CENTRAL VPN-NETWORK-CENTRAL destination static VPN-NETWORK-BRANCH VPN-NETWORK-BRANCH no-proxy-arp route-lookup
Also, you can use packet tracer on the central ASA to make sure the packets are routed and NATed correctly.
HTH
Bogdan
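The diagnosis above rests on reading the encaps/decaps counters of both peers: the central ASA decrypts 44 packets but encapsulates 0, the branch encapsulates 55 and decrypts 0. As an added example (not code from the thread or from Cisco), here is a small Python triage helper that parses the selector and counter lines of "show crypto ipsec sa" output and points at the side whose return path (route and identity NAT) should be checked. The sample inputs are constructed from the counters posted in the thread.

```python
import re

# Constructed sample input: the selector and counter lines from the two
# "sh crypto ipsec sa" outputs posted in the thread, one per ASA.
CENTRAL_SA = """\
Crypto map tag: Dynamic-lslate, seq num: 4, local addr: y.y.y.y
  local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
"""
BRANCH_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
  local ident (addr/mask/prot/port): (10.255.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
  #pkts encaps: 55, #pkts encrypt: 55, #pkts digest: 55
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Extract the proxy identities (net/mask) and the encaps/decaps counters."""
    sa = {"encaps": 0, "decaps": 0}
    for m in IDENT_RE.finditer(text):
        sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    for m in COUNTER_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    return sa


def diagnose(sa):
    """Classify the SA as 'ok', 'no_traffic', 'receive_only' or 'send_only'."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "ok"
    if not enc and not dec:
        return "no_traffic"
    return "receive_only" if dec else "send_only"


def next_check(sa):
    """Name the side to inspect, following the reasoning in the reply above."""
    status = diagnose(sa)
    if status == "receive_only":
        # Packets decrypt but none go back: this ASA's return path is the suspect.
        return (f"decrypts but never encapsulates: check the route for {sa['remote']} "
                f"via outside and identity NAT {sa['local']} -> {sa['remote']}")
    if status == "send_only":
        return f"sends but gets nothing back: inspect the peer's return path to {sa['local']}"
    return f"traffic state: {status}"
```

Run it over the full output of each peer; when one side reports receive_only and the other send_only, the routing or NAT check belongs on the receive_only side.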