05-20-2021 02:05 AM
I am trying to configure a Site-to-site VPN between our company and AWS. I entered the Firepower web interface and configured the Tunnel IP, encryption protocols and also the keys (IKEv1). I made sure to follow exactly the instructions from the AWS configuration file, without success.
My goal for the time being is just to connect the Firepower to one of the Tunnels AWS has, but it does not matter what I do, I only see the status DOWN. Previously, I tried to configure a machine inside the network to connect to the tunnels using strongswan and I could see the status as UP. But with our firewall that is not possible.
My question is: where do I find the log files for the VPN, especially the connection between the Firepower device and the Amazon Tunnel?
05-20-2021 02:11 AM
You are using a route based VPN, did you configure a static route or setup BGP in order to route traffic over the VPN?
Has the tunnel established? Log in to the CLI and run "show crypto ipsec sa", and provide the output for review.
If the tunnel has not established, you can enable debug logs using "debug crypto ikev1 128" and provide the output for review.
05-20-2021 02:29 AM
1) I added a static route;
2) The tunnel has not been established. I cannot see it connected from the Amazon side - as I could with the test I did using strongswan installed on a separate machine.
3) debugging crypto gives me the following:
> show crypto ikev1 stats

Global IKEv1 Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 58752
  In Packets: 306
  In Drop Packets: 310
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Delay Ex Rejects: 0
  In P2 Sa Delete Requests: 0
  In P2 Dup Remote Proxy: 0
  Out Octets: 62424
  Out Packets: 306
  Out Drop Packets: 0
  Out Notifys: 306
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 306
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs: 49
  In-Negotiation SAs: 0
  In-Negotiation SAs Highwater: 1
  In-Negotiation SAs Rejected: 0

> show crypto ikev1 sa

There are no IKEv1 SAs

> show crypto ikev1 ipsec-over-tcp

Global IKEv1 IPSec over TCP Statistics
--------------------------------
  Embryonic connections: 0
  Active connections: 0
  Previous connections: 0
  Inbound packets: 0
  Inbound dropped packets: 0
  Outbound packets: 0
  Outbound dropped packets: 0
  RST packets: 0
  Recevied ACK heart-beat packets: 0
  Bad headers: 0
  Bad trailers: 0
  Timer failures: 0
  Checksum errors: 0
  Internal errors: 0
I can see no data has been sent or received, but that must be because the connection has not been established. Is there a way to see the handshake log or something like that?
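The counters quoted above already carry a diagnosis before any debug is enabled: no active or previous tunnels, 306 inbound packets, 306 responder failures, and every one of the 306 packets sent was a notify. The script below is an added example, not part of the original post, that parses the "show crypto ikev1 stats" output into counters and turns them into a short triage list; the sample text is a constructed retyping of the counters from this post, and the finding texts are the author of this example's reading of what each counter means, not output from the device.

```python
import re

# Constructed sample: the counters from the "show crypto ikev1 stats" output
# quoted in the post above, retyped one counter per line.
SAMPLE_STATS = """\
Global IKEv1 Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 58752
  In Packets: 306
  In Drop Packets: 310
  In Notifys: 0
  Out Octets: 62424
  Out Packets: 306
  Out Drop Packets: 0
  Out Notifys: 306
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 306
  System Capacity Fails: 0
  Auth Fails: 0
  Decrypt Fails: 0
  Hash Valid Fails: 0
  No Sa Fails: 0
IKEV1 Call Admission Statistics
  Max In-Negotiation SAs: 49
  In-Negotiation SAs: 0
  In-Negotiation SAs Highwater: 1
  In-Negotiation SAs Rejected: 0
"""

# One "Name: N" counter per line; section headings carry no colon and are skipped.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?):\s*(\d+)\s*$")


def parse_ikev1_stats(text):
    """Return {counter name: value} for every counter line in the output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def triage(counters):
    """Turn the counters into an ordered list of findings; [] means nothing to report."""

    def c(name):
        return counters.get(name, 0)

    findings = []
    if c("Active Tunnels") > 0:
        findings.append("phase 1 SA is up; if traffic still fails, check phase 2 with 'show crypto ipsec sa'")
        return findings
    if c("In Packets") == 0 and c("Out Packets") == 0:
        findings.append("no IKE packets seen at all: check UDP/500 reachability and 'crypto ikev1 enable <ifc>'")
        return findings
    if c("Auth Fails") > 0:
        findings.append(f"Auth Fails={c('Auth Fails')}: pre-shared key mismatch is the usual cause")
    if c("Hash Valid Fails") > 0 or c("Decrypt Fails") > 0:
        findings.append("hash/decrypt failures: phase 1 proposal or PSK disagreement")
    if c("Responder Fails") > 0:
        findings.append(
            f"Responder Fails={c('Responder Fails')}: the peer is initiating and this device rejects "
            "the negotiation; 'debug crypto ikev1 128' shows which proposal or identity was refused"
        )
    if c("Initiator Fails") > 0:
        findings.append(f"Initiator Fails={c('Initiator Fails')}: this device's own attempts are refused by the peer")
    if c("In Drop Packets") > 0:
        findings.append(f"In Drop Packets={c('In Drop Packets')} against {c('In Packets')} packets received")
    if c("Out Notifys") > 0 and c("Out Notifys") == c("Out Packets"):
        findings.append("every IKE packet this device sent was a notify: it never answered with an accepted proposal")
    if c("Previous Tunnels") == 0 and c("Initiator Tunnels") == 0:
        findings.append("no SA has been established since the counters were last cleared")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_ikev1_stats(SAMPLE_STATS)):
        print("-", finding)
```

The order of the checks matters: an active tunnel or a total absence of IKE traffic each settles the question on its own, so those return early; the remaining counters are reported together because a responder failure, a drop count and an all-notify output are usually three views of the same rejected negotiation.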
05-20-2021 02:39 AM
That's not the debug information, as I said before - you can enable debug logs using "debug crypto ikev1 128" and provide the output for review.
Provide the output of "show running-config" for review and the AWS link you used to configure the VPN so I can compare for you.
05-20-2021 03:43 AM - edited 05-31-2021 01:58 AM
I did enable crypto debug, but I thought the show command would display more useful information.
> show running-config
: Saved
:
: Diagnostic interface mode: BRIDGE
:
:
: Serial Number: J********
: Hardware: FPR-1120, 5274 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)
: NGFW Version 6.7.0.1
!
hostname firewall01
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
!
interface Ethernet1/1
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 8.51.12.13 255.255.255.248
!
interface Ethernet1/2
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 180.10.0.254 255.255.0.0
!
interface Ethernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/9
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/10
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/11
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet1/12
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup inside
dns domain-lookup outside
dns server-group CiscoUmbrellaDNSServerGroup
 name-server 208.67.222.222
 name-server 208.67.220.220
dns server-group GoogleDNSGroup
 name-server 8.8.8.8
 name-server 8.8.4.4
dns server-group ProviderDNSServerGroup
 name-server 9.101.85.1
 name-server 9.101.85.2
dns-group GoogleDNSGroup
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network git.wok.intranet
 host 180.10.0.92
object network any-ipv4-network
 subnet 0.0.0.0 0.0.0.0
object network intranet-ipv4
 subnet 180.10.0.0 255.255.0.0
object network provider.gateway
 host 200.13.55.89
object network openswan.wok.intranet
 host 180.10.0.34
object network firewall01.wok.intranet
 host 180.10.0.254
object network site.office
 host 200.13.50.23
object network www2.wok.com
 host 4.4.12.11
object network external.wok.intranet
 host 180.10.0.33
object network svaneke.wok.intranet
 host 180.10.0.67
object network aws-intranet-eu-1a
 subnet 162.16.0.0 255.255.0.0
object network lnx1.wok.intranet
 host 180.10.25.74
object network aws-tun-1
 host 3.2.7.127
object network aws-tun-2
 host 3.2.7.128
object service _|NatOrigSvc_awb8145a-1179-11ac-78cd-11cwef2a3a16
 service tcp source eq https
object service _|NatMappedSvc_cef8067a-8180-11eb-83cd-35c7ef2f3a56
 service tcp source eq https
object service _|NatOrigSvc_81aa647a-8195-11eb-83cd-712a1b510398
 service udp source eq 1194
object service _|NatMappedSvc_81aa647a-8195-11eb-17fd-774f0b510398
 service udp source eq 1194
object service _|NatOrigSvc_67a5011b-8191-11eb-23cd-01d66cca9234
 service tcp source eq ssh
object service _|NatMappedSvc_12a8161aa-8191-88af-83cd-01d66cca9234
 service tcp source eq 15126
object service _|NatOrigSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
 service tcp source eq ssh
object service _|NatMappedSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
 service tcp source eq 15445
object-group service |acSvcg-268435469
 service-object tcp destination eq https
 service-object udp destination eq 1194
object-group service |acSvcg-268435473
 service-object tcp destination eq ssh
object-group service |acSvcg-268435472
 service-object tcp destination eq ssh
object-group service |acSvcg-268435466
 service-object ip
object-group network |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5
 network-object object intranet-ipv4
object-group network |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5
 network-object object aws-intranet-eu-1a
access-list NGFW_ONBOX_ACL remark rule-id 268435469: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435469: L5 RULE: Out_In_remoteX
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435469 ifc outside any ifc inside object external.wok.intranet rule-id 268435469
access-list NGFW_ONBOX_ACL remark rule-id 268435473: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435473: L5 RULE: Atom_In_git
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435473 ifc outside object www2.wok.com ifc inside object git.wok.intranet rule-id 268435473
access-list NGFW_ONBOX_ACL remark rule-id 268435472: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435472: L5 RULE: Out_In_remoteO
access-list NGFW_ONBOX_ACL advanced deny object-group |acSvcg-268435472 ifc outside any ifc inside object openswan.wok.intranet rule-id 268435472
access-list NGFW_ONBOX_ACL remark rule-id 268435466: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435466: L5 RULE: In_Out_Traffic
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435466 ifc inside any ifc outside any rule-id 268435466
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-list |s2sAcl|e31bda2d-b880-11eb-9410-a3592e1b7dd5 extended permit ip object-group |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 object-group |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5
pager lines 24
logging enable
logging timestamp
logging list debugging_filter level debugging class ip
logging list debugging_filter level debugging class np
logging list debugging_filter level debugging class ospf
logging buffer-size 20000
logging console debugging
logging buffered critical
logging permit-hostdown
mtu diagnostic 1500
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 |s2sAclSrcNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 destination static |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 |s2sAclDestNwgV4|e31bda2d-b880-11eb-9410-a3592e1b7dd5 no-proxy-arp route-lookup
nat (inside,outside) source static external.wok.intranet interface service _|NatOrigSvc_awb8145a-1179-11ac-78cd-11cwef2a3a16 _|NatMappedSvc_cef8067a-8180-11eb-83cd-35c7ef2f3a57
nat (inside,outside) source static external.wok.intranet interface service _|NatOrigSvc_81aa647a-8195-11eb-83cd-774f0b510398 _|NatMappedSvc_81aa647a-8195-11eb-83cd-774f0b510398
nat (inside,outside) source static openswan.wok.intranet interface service _|NatOrigSvc_12a8161aa-8191-88af-83cd-01d66cca9234 _|NatMappedSvc_12a8161aa-8191-88af-83cd-01d66cca9234
nat (inside,outside) source static git.wok.intranet interface service _|NatOrigSvc_2d2ff540-8195-11eb-83cd-47d867e5e435 _|NatMappedSvc_2d2ff540-8195-11eb-83cd-47d867e5e435
nat (inside,outside) source static any interface
nat (outside,inside) source static aws-intranet-eu-1a intranet-ipv4
nat (inside,outside) source static intranet-ipv4 aws-intranet-eu-1a
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 200.13.55.89 1
route outside 162.16.0.0 255.255.0.0 3.2.7.127 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http ::/0 inside
http 0.0.0.0 0.0.0.0 inside
ip-client outside ipv6
ip-client outside
ip-client inside ipv6
ip-client inside
ip-client diagnostic ipv6
ip-client diagnostic
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set AWS-IPSEC-VPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|e31bda2d-b880-11eb-9410-a3592e1b7dd5
crypto map s2sCryptoMap 1 set pfs
crypto map s2sCryptoMap 1 set peer 3.2.7.127
crypto map s2sCryptoMap 1 set ikev1 transform-set AWS-IPSEC-VPN
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 4
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
group-policy |s2sGP|3.2.7.127 internal
group-policy |s2sGP|3.2.7.127 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 3.2.7.127 type ipsec-l2l
tunnel-group 3.2.7.127 general-attributes
 default-group-policy |s2sGP|3.2.7.127
tunnel-group 3.2.7.127 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect snmp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
no dp-tcp-proxy
Cryptochecksum:a67ff12b89e324a1123ee6fe4179e126
: end
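The comparison the reviewer offers to do by hand (the running-config against the AWS configuration file) is mechanical enough to script. Below is an added example, not code from the thread or from Cisco or AWS, that extracts the IKEv1 phase 1 policies, the transform-set, the crypto-map entry and the tunnel-group for a given peer from ASA/FTD running-config text and reports every attribute that differs from an expected proposal. The config excerpt is a constructed copy of the VPN-relevant lines quoted above; the two "expected" dictionaries are constructed for illustration (the first mirrors the quoted config, the second deliberately differs) and say nothing about what AWS actually requires, which must be read off the downloaded AWS configuration file.

```python
# Constructed excerpt: only the VPN-relevant lines of the running-config quoted in
# the post above (interfaces, NAT and access-lists omitted).
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set AWS-IPSEC-VPN esp-aes-256 esp-sha-hmac
crypto map s2sCryptoMap 1 match address |s2sAcl|e31bda2d-b880-11eb-9410-a3592e1b7dd5
crypto map s2sCryptoMap 1 set pfs
crypto map s2sCryptoMap 1 set peer 3.2.7.127
crypto map s2sCryptoMap 1 set ikev1 transform-set AWS-IPSEC-VPN
crypto map s2sCryptoMap 1 set security-association lifetime seconds 28800
crypto map s2sCryptoMap 1 set security-association lifetime kilobytes 4608000
crypto map s2sCryptoMap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 4
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
tunnel-group 3.2.7.127 type ipsec-l2l
tunnel-group 3.2.7.127 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def parse_vpn_config(text):
    """Pull IKEv1 policies, transform-sets, crypto-map entries and tunnel-group types
    out of ASA/FTD running-config text. Indented lines belong to the last block header."""
    cfg = {"ikev1_policies": {}, "transform_sets": {}, "crypto_maps": {},
           "tunnel_groups": {}, "ikev1_interfaces": set()}
    policy = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if raw.startswith(" "):
            if policy is not None:          # attribute line of 'crypto ikev1 policy N'
                policy[tok[0]] = " ".join(tok[1:])
            continue
        policy = None
        if tok[:3] == ["crypto", "ikev1", "policy"]:
            policy = cfg["ikev1_policies"].setdefault(int(tok[3]), {})
        elif tok[:3] == ["crypto", "ikev1", "enable"]:
            cfg["ikev1_interfaces"].add(tok[3])
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["transform_sets"][tok[4]] = tok[5:]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 5 and tok[3].isdigit():
            entry = cfg["crypto_maps"].setdefault((tok[2], int(tok[3])), {})
            if tok[4] == "match":
                entry["match address"] = tok[6]
            elif tok[4] == "set" and len(tok) == 6:   # flag without a value, e.g. 'set pfs'
                entry[tok[5]] = True
            elif tok[4] == "set":                     # 'set <key words...> <value>'
                entry[" ".join(tok[5:-1])] = tok[-1]
        elif tok[0] == "tunnel-group" and len(tok) > 3 and tok[2] == "type":
            cfg["tunnel_groups"][tok[1]] = tok[3]
    return cfg


def check_peer(cfg, peer, expected):
    """Compare what is configured for `peer` with the proposal the peer expects.
    Returns a list of mismatch strings; an empty list means everything lines up."""
    problems = []
    entries = [e for e in cfg["crypto_maps"].values() if e.get("peer") == peer]
    if not entries:
        return [f"no crypto map entry has 'set peer {peer}'"]
    entry = entries[0]
    if cfg["tunnel_groups"].get(peer) != "ipsec-l2l":
        problems.append(f"no 'tunnel-group {peer} type ipsec-l2l'")
    if not cfg["ikev1_interfaces"]:
        problems.append("IKEv1 is not enabled on any interface")
    ts = cfg["transform_sets"].get(entry.get("ikev1 transform-set"), [])
    if sorted(ts) != sorted(expected["transform_set"]):
        problems.append(f"phase 2 transform-set {ts} != expected {expected['transform_set']}")
    if bool(entry.get("pfs")) != expected["pfs"]:
        problems.append(f"pfs configured={bool(entry.get('pfs'))}, expected {expected['pfs']}")
    lifetime = entry.get("security-association lifetime seconds")
    if lifetime != str(expected["phase2_lifetime"]):
        problems.append(f"phase 2 lifetime {lifetime} != expected {expected['phase2_lifetime']}")
    # Phase 1: some 'crypto ikev1 policy' must match the expected proposal on every
    # attribute listed (deliberately strict; lifetime is compared like the rest).
    want = expected["phase1"]
    if not any(all(p.get(k) == v for k, v in want.items()) for p in cfg["ikev1_policies"].values()):
        problems.append(f"no ikev1 policy matches the expected phase 1 proposal {want}")
    return problems


# Constructed expectation that mirrors the quoted config, so the check passes.
EXPECTED_MATCHING = {
    "phase1": {"authentication": "pre-share", "encryption": "aes-256",
               "hash": "sha", "group": "14", "lifetime": "28800"},
    "transform_set": ["esp-aes-256", "esp-sha-hmac"],
    "pfs": True,
    "phase2_lifetime": 28800,
}

# Constructed expectation with a different phase 1 cipher and DH group, only to show
# what a mismatch report looks like (not a statement about what AWS requires).
EXPECTED_DIFFERENT = dict(EXPECTED_MATCHING,
                          phase1={"authentication": "pre-share", "encryption": "aes",
                                  "hash": "sha", "group": "2", "lifetime": "28800"})

if __name__ == "__main__":
    cfg = parse_vpn_config(SAMPLE_CONFIG)
    for label, exp in (("matching", EXPECTED_MATCHING), ("different", EXPECTED_DIFFERENT)):
        print(label, check_peer(cfg, "3.2.7.127", exp) or "OK")
```

To use it on a real device, paste the full "show running-config" text in place of SAMPLE_CONFIG (the parser ignores everything it does not recognise) and fill the expected dictionary from the phase 1 and phase 2 values in the AWS configuration file for the tunnel in question; a non-empty result is the first thing to look at before turning on "debug crypto ikev1 128".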
05-21-2021 05:01 AM
Doesn't say much, to be fair.