06-28-2021 04:40 PM
So I have a 5508 ASA. I want to have two networks VPN into the ASA: one is my production environment, and one is my development environment. I ultimately want to host services in the production environment such that traffic over various IPs pointed at the ASA routes to servers in the production VPN. The VPNs have strongswan on the other end.
Anyways, my VPNs seem to work and strongswan seems to connect, but I can't seem to ping the other VPN or access servers. I can't seem to access the internet if I connect with the VPN configured to route all traffic either. I believe I have the NAT configuration messed up, but I've tried many different things and still I'm not getting anywhere.
My current ASA Config (relevant portions):
interface GigabitEthernet1/1
 speed 1000
 duplex full
 nameif OUTSIDE
 security-level 0
 ip address 98.x.x.x 255.255.255.192
!
interface GigabitEthernet1/2.1541
 vlan 1541
 nameif FW-INSIDE
 security-level 100
 ip address 172.24.16.1 255.255.252.0
!
object network vpn-prod
 subnet 172.24.22.0 255.255.254.0
object network vpn-dev
 subnet 172.24.20.0 255.255.254.0
access-list asa-vpn extended permit ip object vpn-dev object vpn-prod
access-list asa-vpn extended permit ip object vpn-prod object vpn-dev
access-list asa-vpn extended permit ip any object vpn-dev
crypto map outside_map 100 match address asa-vpn
crypto map outside_map 100 set peer 68.x.x.x
crypto map outside_map 100 set ikev1 transform-set AES256-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 110 match address asa-vpn
crypto map outside_map 110 set peer 18.x.x.x
crypto map outside_map 110 set ikev1 transform-set AES256-SHA
crypto map outside_map 110 set security-association lifetime seconds 28800
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 68.x.x.x type ipsec-l2l
tunnel-group 68.x.x.x ipsec-attributes
 ikev1 pre-shared-key 8 hunter2
tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x ipsec-attributes
 ikev1 pre-shared-key 8 hunter2
And StrongSwan:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="all"

# Add connections here.

# Sample VPN connections

conn vpn
    keyexchange=ikev1
    aggressive=no
    authby=secret
    esp=aes256-sha1!
    ike=aes256-sha1-modp1536
    ikelifetime=28800
    left=192.168.1.35
    leftid=68.x.x.x
    leftsubnet=172.24.20.0/23
    right=98.x.x.x
    rightsubnet=172.24.22.0/23
    #rightsubnet=0.0.0.0/0
    auto=start
    keyingtries=1
My Google skills tell me I have to exempt traffic from NAT, so I tried that:
nat (OUTSIDE,OUTSIDE) source static vpn-prod vpn-prod destination static vpn-dev vpn-dev no-proxy-arp route-lookup
nat (OUTSIDE,OUTSIDE) source static vpn-dev vpn-dev destination static vpn-prod vpn-prod no-proxy-arp route-lookup
But that doesn't seem to do anything. I've tried a bunch of different NAT lines, tried switching the OUTSIDE interface for FW-INSIDE, and that doesn't seem to do anything either. I've tried without the "no-proxy-arp route-lookup" as well.
So what am I doing wrong? For now I'm just trying to get traffic to flow between VPNs; eventually, though, I'd like to route the internet through (but I think that might be a little easier once I figure out what's going on now).
06-29-2021 12:29 AM
Hi @edman007
If you are hairpinning traffic (routing traffic back out the same interface), you will need the command "same-security-traffic permit intra-interface" configured.
06-29-2021 06:34 PM
Hi 007,
1. Your deployment looks to be like below:
(asa-lan:172.24.16.0/22)---[ASA]wan----internet-----(NATed)[router]-----wan[strongswan-peergw]lan---(172.24.20.0/23)
- As far as the configs you have posted for the ASA, there seems to be NO network 172.24.22.0/23 on the LAN side of the ASA?
- Because, looking at the ipsec config on the strongswan peergw:
leftsubnet=172.24.20.0/23
right=98.x.x.x
rightsubnet=172.24.22.0/23
- shouldn't the "rightsubnet" be configured as 172.24.16.0/22? That would make it a correct config on the strongswan peer.
- Similarly, on the ASA, shouldn't the "vpn-prod" network that is defined be "172.24.16.0/22" rather than "172.24.22.0/23"?
2. You say that the ipsec tunnel is UP... so can you post the output of the command "ipsec statusall" run on the strongswan peergw?
06-30-2021 04:59 AM
Hi @nagrajk1969
So right now I'm not interested in traffic on the 172.24.16.0/22 subnet, only traffic on the VPNs. I want something like this topology, which shows both the Site A and Site C VPNs configured without specific rules for the Site B network, and none of the subnets overlapping. However, the configs are incomplete and seem to be old (single-interface NAT doesn't seem to be an option). I don't have strongswan configured with 172.24.16.0/22 as the rightsubnet, because then it wouldn't route traffic for 172.24.22.0/23 through the VPN.
So right now my strongswan on the vpn-dev side is up:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.12.11, x86_64):
  uptime: 14 hours, since Jun 29 16:59:29 2021
  malloc: sbrk 2994176, mmap 0, used 1151216, free 1842960
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 xcbc cmac hmac drbg curl files sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-simaka-pseudonym eap-simaka-reauth eap-mschapv2 eap-radius eap-tls eap-ttls xauth-generic xauth-eap dhcp lookip unity counters
Listening IP addresses:
  192.168.1.35
  172.24.20.1
Connections:
         vpn:  192.168.1.35...98.x.x.x  IKEv1
         vpn:   local:  [68.x.x.x] uses pre-shared key authentication
         vpn:   remote: [98.x.x.x] uses pre-shared key authentication
         vpn:   child:  172.24.20.0/23 === 172.24.22.0/23 TUNNEL
Security Associations (1 up, 0 connecting):
         vpn[2]: ESTABLISHED 7 hours ago, 192.168.1.35[68.x.x.x]...98.x.x.x[98.x.x.x]
         vpn[2]: IKEv1 SPIs: 0af84b2f3564ead6_i f27e41c667016147_r*, pre-shared key reauthentication in 34 minutes
         vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
         vpn{20}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c045b695_i 6bc83427_o
         vpn{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 90972 bytes_o (1083 pkts, 0s ago), rekeying in 28 minutes
         vpn{20}:   172.24.20.0/23 === 172.24.22.0/23
And it is up on the vpn-prod side:
strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.14.232-176.381.amzn2.aarch64, aarch64):
  uptime: 14 hours, since Jun 29 20:59:43 2021
  malloc: sbrk 2822144, mmap 0, used 932192, free 1889952
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon pkcs11 tpm aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  172.31.39.159
  172.24.22.1
Connections:
         vpn:  172.31.39.159...98.129.244.95  IKEv1
         vpn:   local:  [18.x.x.x] uses pre-shared key authentication
         vpn:   remote: [98.x.x.x] uses pre-shared key authentication
         vpn:   child:  172.24.22.0/23 === 172.24.20.0/23 TUNNEL
Security Associations (1 up, 0 connecting):
         vpn[2]: ESTABLISHED 2 seconds ago, 172.31.39.159[18.x.x.x]...98.x.x.x[98.x.x.x]
         vpn[2]: IKEv1 SPIs: 60986a89b8cdaa35_i* c4df864bcafb6b05_r, pre-shared key reauthentication in 7 hours
         vpn[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
         vpn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cdfe88e7_i 1c735002_o
         vpn{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
         vpn{2}:   172.24.22.0/23 === 172.24.20.0/23
Adding "same-security-traffic permit intra-interface" didn't seem to make things work either.
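The two statusall dumps above already narrow the fault down: the vpn-dev child SA shows 90972 bytes_o and 0 bytes_i (dev is sending, nothing comes back), while the vpn-prod child SA shows 0 bytes in both directions (nothing ever reaches the prod tunnel). The traffic therefore dies inside the ASA between decryption from one tunnel and re-encryption into the other. The following script is an added example, not part of this thread, that parses the child-SA lines of `ipsec statusall` output and flags exactly that one-way pattern; the sample input is constructed from the lines quoted above, and the regular expressions assume the line layout shown in those posts.

```python
import re

# Constructed sample input: the child-SA lines from the two "statusall" outputs
# quoted in the thread (counters as posted; peer addresses as redacted there).
DEV_SIDE_STATUS = """\
vpn{20}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c045b695_i 6bc83427_o
vpn{20}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 90972 bytes_o (1083 pkts, 0s ago), rekeying in 28 minutes
vpn{20}:   172.24.20.0/23 === 172.24.22.0/23
"""
PROD_SIDE_STATUS = """\
vpn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cdfe88e7_i 1c735002_o
vpn{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 44 minutes
vpn{2}:   172.24.22.0/23 === 172.24.20.0/23
"""

# Counter line: "<name>:  <cipher>, N bytes_i, N bytes_o ..."
COUNTER_RE = re.compile(
    r"^\s*(?P<name>\w+\{\d+\}):\s+\S+,\s+(?P<bytes_in>\d+) bytes_i,\s+(?P<bytes_out>\d+) bytes_o")
# Traffic-selector line: "<name>:   local/prefix === remote/prefix"
SELECTOR_RE = re.compile(r"^\s*(?P<name>\w+\{\d+\}):\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def parse_child_sas(status_text):
    """Map each child SA name to its ESP byte counters and traffic selectors."""
    sas = {}
    for line in status_text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            sa = sas.setdefault(m["name"], {})
            sa["bytes_in"] = int(m["bytes_in"])
            sa["bytes_out"] = int(m["bytes_out"])
            continue
        m = SELECTOR_RE.match(line)
        if m:
            sa = sas.setdefault(m["name"], {})
            sa["local_ts"] = m["local"]
            sa["remote_ts"] = m["remote"]
    return sas


def classify(sa):
    """Turn the ESP byte counters into a plain-language tunnel state."""
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        return "idle: nothing sent or received"
    if sa["bytes_in"] == 0:
        return "one-way: sending, nothing comes back"
    if sa["bytes_out"] == 0:
        return "one-way: receiving, nothing sent"
    return "bidirectional"


def diagnose(status_text):
    """Classify every child SA found in a statusall dump."""
    return {name: classify(sa) for name, sa in parse_child_sas(status_text).items()}


def selectors_mirror(side_a, side_b):
    """True when each child SA on side A has a counterpart on side B whose
    local/remote selectors are swapped, i.e. both ends describe the same flow
    (here: the two peers hairpinned through the ASA agree on 172.24.20.0/23 <-> 172.24.22.0/23)."""
    b_pairs = {(sa["local_ts"], sa["remote_ts"]) for sa in side_b.values()}
    return all((sa["remote_ts"], sa["local_ts"]) in b_pairs for sa in side_a.values())


if __name__ == "__main__":
    for label, text in (("vpn-dev side", DEV_SIDE_STATUS), ("vpn-prod side", PROD_SIDE_STATUS)):
        for name, state in diagnose(text).items():
            print(f"{label} {name}: {state}")
```

Run against the two dumps it reports the dev SA as one-way and the prod SA as idle, and confirms the selectors mirror each other, so the peers are configured consistently and the problem must be on the ASA's forwarding path rather than in IKE negotiation.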
06-30-2021 06:14 AM
For the reference topology, the NAT should be like this (post-8.4):
SITE-A
!
object network OBJ-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network OBJ-192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0
nat (inside,any) 1 source static OBJ-192.168.1.0-24 OBJ-192.168.1.0-24 destination static OBJ-192.168.3.0-24 OBJ-192.168.3.0-24 no-proxy-arp
=========================
SITE-B
!
object network OBJ-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
object network OBJ-192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0
nat (outside,any) 1 source static OBJ-192.168.1.0-24 OBJ-192.168.1.0-24 destination static OBJ-192.168.3.0-24 OBJ-192.168.3.0-24 no-proxy-arp
===========================
SITE-C
!
object network OBJ-192.168.3.0-24
 subnet 192.168.3.0 255.255.255.0
object network OBJ-192.168.1.0-24
 subnet 192.168.1.0 255.255.255.0
nat (inside,any) 1 source static OBJ-192.168.3.0-24 OBJ-192.168.3.0-24 destination static OBJ-192.168.1.0-24 OBJ-192.168.1.0-24 no-proxy-arp
06-30-2021 04:15 PM
That config worked, plus the "same-security-traffic permit intra-interface" line. Also, I had both crypto maps using the same access-list (having both directions); further investigation revealed that seemed to cause some issues too, so I split it into two access-lists, and then it worked as expected!
Final config is:
object network vpn-prod
 subnet 172.24.22.0 255.255.254.0
object network vpn-dev
 subnet 172.24.20.0 255.255.254.0
access-list asa-vpn-prod extended permit ip object vpn-dev object vpn-prod
access-list asa-vpn-dev extended permit ip object vpn-prod object vpn-dev
same-security-traffic permit intra-interface
nat (OUTSIDE,any) source static vpn-dev vpn-dev destination static vpn-prod vpn-prod no-proxy-arp
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set AES256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set AES-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 100 match address asa-vpn-dev
crypto map outside_map 100 set peer 68.x.x.x
crypto map outside_map 100 set ikev1 transform-set AES256-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 110 match address asa-vpn-prod
crypto map outside_map 110 set peer 18.x.x.x
crypto map outside_map 110 set ikev1 transform-set AES256-SHA
crypto map outside_map 110 set security-association lifetime seconds 28800
crypto map outside_map interface OUTSIDE
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group 68.x.x.x type ipsec-l2l
tunnel-group 68.x.x.x ipsec-attributes
 ikev1 pre-shared-key hunter2
tunnel-group 18.x.x.x type ipsec-l2l
tunnel-group 18.x.x.x ipsec-attributes
 ikev1 pre-shared-key hunter2
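The three changes that made this work each remove one independent failure: without `same-security-traffic permit intra-interface` the decrypted packet cannot leave through the interface it arrived on; without the identity NAT rule the source address is rewritten before crypto-map matching, so no crypto ACL matches and the packet is not re-encrypted; and with one shared bidirectional ACL on both crypto map entries, sequence 100 (peer 68.x.x.x) matches dev-to-prod traffic first and the ASA tries to send it back toward the dev peer instead of to 18.x.x.x. The script below is an added example, not code from this thread or from Cisco, that models those three stages and traces a flow in each direction through the original, the partially fixed and the final configuration. It assumes a simplified ASA: crypto map entries are checked in sequence order with the first ACL match winning, static twice-NAT exemptions apply to both directions, and in the absence of an exemption a catch-all PAT to a constructed OUTSIDE address applies.

```python
import ipaddress

# Networks and (redacted, as in the thread) peer addresses from the original post.
VPN_PROD = ipaddress.ip_network("172.24.22.0/23")
VPN_DEV = ipaddress.ip_network("172.24.20.0/23")
PEER_DEV, PEER_PROD = "68.x.x.x", "18.x.x.x"
# Constructed stand-in for the ASA's 98.x.x.x OUTSIDE address (documentation range).
OUTSIDE_IP = ipaddress.ip_address("198.51.100.1")

# Crypto ACLs as ordered lists of (source, destination) network pairs.
ACL_SHARED = [(VPN_DEV, VPN_PROD), (VPN_PROD, VPN_DEV)]  # "asa-vpn" from the first post
ACL_DEV = [(VPN_PROD, VPN_DEV)]    # "asa-vpn-dev": traffic that must go to the dev peer
ACL_PROD = [(VPN_DEV, VPN_PROD)]   # "asa-vpn-prod": traffic that must go to the prod peer


def _matches(pairs, src, dst):
    return any(src in s and dst in d for s, d in pairs)


class AsaModel:
    """Simplified model (an assumption of this example) of the three stages the fixes touch."""

    def __init__(self, crypto_map, nat_exempt_pairs, intra_interface):
        # crypto_map: list of (sequence, acl, peer); entries are evaluated in sequence order.
        self.crypto_map = sorted(crypto_map, key=lambda entry: entry[0])
        # Identity twice-NAT rules; a static source/destination rule applies to both directions.
        self.nat_exempt = set(nat_exempt_pairs) | {(d, s) for s, d in nat_exempt_pairs}
        self.intra_interface = intra_interface  # "same-security-traffic permit intra-interface"

    def translate(self, src, dst):
        # Model assumption: with no exemption, a catch-all dynamic PAT to the OUTSIDE
        # address rewrites the source before the crypto map is consulted.
        return src if _matches(self.nat_exempt, src, dst) else OUTSIDE_IP

    def select_peer(self, src, dst):
        # The first crypto-map entry whose ACL permits the flow wins, whatever peer it names.
        for _seq, acl, peer in self.crypto_map:
            if _matches(acl, src, dst):
                return peer
        return None

    def hairpin(self, src, dst):
        """Follow a packet decrypted from one tunnel that must leave OUTSIDE again via the other.
        Returns the peer it is re-encrypted to, or a string describing the failure."""
        if not self.intra_interface:
            return "dropped: same-security-traffic permit intra-interface missing"
        translated = self.translate(src, dst)
        peer = self.select_peer(translated, dst)
        if peer is None:
            return f"sent in the clear as {translated}: no crypto ACL matched"
        return peer


def expected_peer(dst):
    if dst in VPN_DEV:
        return PEER_DEV
    if dst in VPN_PROD:
        return PEER_PROD
    return None


def audit(asa):
    """Trace one flow per direction; returns direction -> (actual result, expected peer)."""
    flows = {
        "dev->prod": (ipaddress.ip_address("172.24.20.10"), ipaddress.ip_address("172.24.22.10")),
        "prod->dev": (ipaddress.ip_address("172.24.22.10"), ipaddress.ip_address("172.24.20.10")),
    }
    return {name: (asa.hairpin(s, d), expected_peer(d)) for name, (s, d) in flows.items()}


# The first post: shared ACL on both entries, no exemption, no intra-interface permit.
ORIGINAL = AsaModel([(100, ACL_SHARED, PEER_DEV), (110, ACL_SHARED, PEER_PROD)], [], False)
# Exemption and intra-interface permit added, but the shared bidirectional ACL kept.
SHARED_ACL_ONLY = AsaModel([(100, ACL_SHARED, PEER_DEV), (110, ACL_SHARED, PEER_PROD)],
                           [(VPN_DEV, VPN_PROD)], True)
# The accepted final config: one direction-specific ACL per peer.
FINAL = AsaModel([(100, ACL_DEV, PEER_DEV), (110, ACL_PROD, PEER_PROD)],
                 [(VPN_DEV, VPN_PROD)], True)

if __name__ == "__main__":
    for label, asa in (("original", ORIGINAL), ("shared ACL only", SHARED_ACL_ONLY), ("final", FINAL)):
        for direction, (actual, expected) in audit(asa).items():
            print(f"{label:16} {direction}: got {actual!r}, expected {expected!r}")
```

The intermediate case is the instructive one: with the exemption and the intra-interface permit in place but the shared ACL kept, prod-to-dev traffic reaches the right peer while dev-to-prod traffic is steered to 68.x.x.x, which matches the "some issues" observed before the ACL was split. On a real ASA the `packet-tracer` command walks the same stages (NAT, then the crypto map lookup) for a given source and destination and is the tool to confirm this on the box itself.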