06-04-2024 04:21 AM
Hi All,
I need help.
I have configured a site-to-site VPN on a Cisco ASA with a partner who is using Openswan. My configuration on the ASA is as follows; however, traffic is not being encrypted to pass through the tunnel:
crypto ikev2 policy 60
encryption aes-256
integrity sha256
group 14
lifetime seconds 86400
----------IPsec Proposal (Transform set)--------------------
crypto ipsec ikev2 ipsec-proposal IB_PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
--------Access-List for traffic to encrypt----------------------------------------------------
access-list ZECHL_IB extended permit ip 192.168.100.0 255.255.255.0 host 192.168.200.215
access-list ZECHL_IB extended permit ip host 192.168.100.18 host 192.168.200.215
--------Crypto map combining ACL, peer and IKEV2 Proposal----------------------------
crypto map TCIB_CRYPTO_MAP 1 match address ZECHL_IB
crypto map TCIB_CRYPTO_MAP 1 set peer public_address
crypto map TCIB_CRYPTO_MAP 1 set ikev2 ipsec-proposal IB_PROPOSAL
crypto map TCIB_CRYPTO_MAP interface OUTSIDE
------------------Tunnel group------------------------------------------
tunnel-group public_address type ipsec-l2l
tunnel-group public_address ipsec-attributes
ikev2 local-authentication pre-shared-key xxxxxxxxxxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxxxxxxxx
I can see incoming traffic from the partner, though, when they attempt to reach 192.168.100.18.
06-04-2024 08:44 AM - edited 06-04-2024 09:00 AM
As suspected, you are hitting this dynamic NAT rule and not a static identity NAT / NAT exempt rule:
nat (Inside,Outside) after-auto source dynamic ZECHL_LAN interface
Additional Information:
Dynamic translate 192.168.100.18/1234 to 41.77.145.66/1234
You need a static NAT rule exempting traffic from 192.168.100.0 255.255.255.0 to the remote host's real IP address.
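A concrete form of the exempt rule Marvin describes, added here as an illustration (it is not configuration posted in the thread, nor taken from Cisco documentation). ZECHL_LAN is the object already referenced by the dynamic rule above; the object name REMOTE_HOST and the address 203.0.113.215 are placeholders for the remote host's real IP as shown in "show crypto ipsec sa":

```cisco
! Weak state from the thread: the only rule that matches VPN-bound traffic is the
! section-3 (after-auto) dynamic PAT, so the source is translated to the Outside
! interface address and the packet no longer matches the crypto map ACL.
nat (Inside,Outside) after-auto source dynamic ZECHL_LAN interface

! Fix, step 1: define the remote host (placeholder address; substitute the real IP
! of the partner's host, the one the crypto map ACL must reference).
object network REMOTE_HOST
 host 203.0.113.215

! Fix, step 2: a section-1 manual identity NAT (NAT exempt) rule. Manual rules
! without "after-auto" are evaluated before the dynamic PAT, so traffic from the
! LAN to the remote host keeps its real source address and hits the crypto map.
! "no-proxy-arp" stops the ASA answering ARP for the identity-translated range;
! "route-lookup" makes egress interface selection use the routing table.
nat (Inside,Outside) 1 source static ZECHL_LAN ZECHL_LAN destination static REMOTE_HOST REMOTE_HOST no-proxy-arp route-lookup

! Verify: the NAT phase of packet-tracer should now report a static translation of
! 192.168.100.18 to itself, followed by a VPN encrypt phase, instead of the
! "Dynamic translate ... to 41.77.145.66" result seen in the thread.
packet-tracer input inside tcp 192.168.100.18 1234 203.0.113.215 1234
show nat detail
```

Check "show nat detail" after applying it: the identity rule must appear in section 1 and its translate_hits counter should increment when the packet-tracer is run, while the after-auto dynamic rule's counter should stay unchanged for that flow.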
06-04-2024 07:26 AM
You mentioned that you can see incoming traffic from partner though when they attempt to reach 192.168.100.18. Where do you see this?
Does your VPN come up? "show crypto ikev2 sa" and "show crypto ipsec sa" commands would give useful output.
06-04-2024 07:36 AM
see VPN status below:
06-04-2024 07:40 AM
VPN status:
06-04-2024 07:51 AM - edited 06-04-2024 07:51 AM
The crypto ipsec sa indicates your crypto map match has the remote host address as a public IP (13.246.56.215), not the private 192.168.200.215 address you indicated in the original post.
06-04-2024 07:54 AM
I amended the addresses in the initial post. However, the screens show the real addresses configured.
06-04-2024 08:02 AM
Can you share the full output of the following:
packet-tracer input inside tcp 192.168.100.<x> 1234 <real IP of remote host> 1234
(substitute the bracketed values with your actual source and destination host address).
06-04-2024 08:06 AM
Here are the packet-tracer results:
06-04-2024 08:13 AM
CLI output, please; we need to see the NAT details to confirm your NAT exempt is applied and working as intended.
06-04-2024 08:39 AM
06-04-2024 08:57 AM
Hi Marvin, the solution has worked. Thank you very much.