03-17-2023 12:59 PM
I am currently trying to test two ASAs with route-based VPN but am getting these errors. Would anyone know what my issue is here?
03-17-2023 01:13 PM
@jebanks the peer device has started to establish a VPN tunnel with your ASA, but your ASA failed to determine the next hop, so the IKE request timed out.
Check your routing to the peer IP address, traceroute and ping to the IP address etc. If you have multiple outside interfaces check IKE/IPSec is enabled on the correct interface and traffic to the peer is routed back via the same interface.
03-17-2023 01:24 PM
username unknown
Can you share the config you use?
Please note that you must use address as identity instead of hostname.
03-17-2023 01:31 PM
below config
###Enable IKEv2 on the outside interface ####
crypto ikev2 enable outside
!
###Add an IKEv2 phase 1 policy ###
crypto ikev2 policy 1
encryption aes-192
integrity sha256
group 2
lifetime seconds 28800
prf sha256
!
### Create group-policy and make sure ikev2 is selected as tunnel protocol ###
group-policy 200.32.224.2 internal
group-policy 200.32.224.2 attributes
vpn-tunnel-protocol ikev2
!
### Create tunnel-group, go into general-attributes mode and assign the group-policy created in the previous step ###
tunnel-group 200.32.224.2 type ipsec-l2l
tunnel-group 200.32.224.2 general-attributes
default-group-policy 200.32.224.2
!
!Go into ipsec-attributes mode and set a pre-shared key which will be used for IKEv2 negotiation.
!
tunnel-group 200.32.224.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
!
!Create an IPsec-proposal. Define encryption and hashing algorithm.
!
! proposal SET1 (MainBranch); the name must match the "set ikev2 ipsec-proposal" line in the profile
crypto ipsec ikev2 ipsec-proposal SET1
protocol esp encryption aes-192
protocol esp integrity sha-256
!
!Create an IPsec profile and associate the proposal created in the previous step to this profile.
!
crypto ipsec profile PROFILE1
set ikev2 ipsec-proposal SET1
set security-association lifetime seconds 27000
set security-association lifetime kilobytes unlimited
!
! Create a VTI that specifies
!
interface tunnel 100
nameif HQ-VTI
ip address 10.70.70.2 255.255.255.252
tunnel source interface outside
tunnel destination 200.32.224.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
!Create a static route to point traffic into the tunnel
!
route HQ-VTI 192.168.23.0 255.255.255.0 10.70.70.1
!
!
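The VTI pieces in the config above only work when a chain of names lines up: the ipsec-proposal is referenced by the ipsec profile, the profile by the tunnel interface, the tunnel destination has a matching ipsec-l2l tunnel-group, that tunnel-group names an existing group-policy, and the static route uses the VTI's nameif. The following script is an added example written for this thread (not code from the posts or from Cisco) that parses config lines in the form posted above and reports each dangling link. The sample config is constructed from the post's own lines and deliberately keeps three reference mismatches (a proposal name with a stray suffix, a nameif that does not match the route, and a mistyped default-group-policy keyword) so the checker has something to find.

```python
"""Reference check for an ASA VTI (route-based IPsec) configuration.

Added example for this thread; not code from the original posts or from
Cisco. It checks that proposal -> profile -> tunnel interface -> tunnel-group
-> group-policy -> static route all refer to names that actually exist.
"""
from typing import Dict, List

# Constructed sample: the config posted in the thread, comments removed, with
# the three reference slips it contained left in place on purpose.
POSTED = """\
crypto ikev2 enable outside
crypto ikev2 policy 1
encryption aes-192
integrity sha256
group 2
prf sha256
lifetime seconds 28800
group-policy 200.32.224.2 internal
group-policy 200.32.224.2 attributes
vpn-tunnel-protocol ikev2
tunnel-group 200.32.224.2 type ipsec-l2l
tunnel-group 200.32.224.2 general-attributes
default-group 200.32.224.2
tunnel-group 200.32.224.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
crypto ipsec ikev2 ipsec-proposal SET1(MainBranch)
protocol esp encryption aes-192
protocol esp integrity sha-256
crypto ipsec profile PROFILE1
set ikev2 ipsec-proposal SET1
set security-association lifetime seconds 27000
interface tunnel 100
nameif vti (HQ-VTI)
ip address 10.70.70.2 255.255.255.252
tunnel source interface outside
tunnel destination 200.32.224.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
route HQ-VTI 192.168.23.0 255.255.255.0 10.70.70.1
"""

# Keywords that always begin a top-level command; seeing one ends any sub-mode.
# Indentation is not relied on because the post was pasted flush-left.
TOP_LEVEL = {"crypto", "group-policy", "tunnel-group", "interface", "route",
             "access-list", "object", "object-group", "nat"}


def parse_asa(text: str) -> Dict:
    cfg = {"proposals": set(), "profiles": {}, "group_policies": set(),
           "tunnel_groups": {}, "ikev2_on": set(), "interfaces": {}, "routes": []}
    cur = None  # dict for the sub-mode we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        t = line.split()
        if t[0] in TOP_LEVEL:
            cur = None
        if t[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            cfg["proposals"].add(t[4])
        elif t[:3] == ["crypto", "ipsec", "profile"]:
            cur = cfg["profiles"].setdefault(t[3], {"proposal": None})
        elif t[:3] == ["crypto", "ikev2", "enable"]:
            cfg["ikev2_on"].add(t[3])
        elif t[0] == "group-policy":
            cfg["group_policies"].add(t[1])
        elif t[0] == "tunnel-group":
            cur = cfg["tunnel_groups"].setdefault(t[1], {"type": None, "policy": None})
            if t[2] == "type":
                cur["type"] = t[3]
        elif t[0] == "interface":
            cur = cfg["interfaces"].setdefault(" ".join(t[1:]), {
                "nameif": None, "source": None, "destination": None, "profile": None})
        elif t[0] == "route":
            cfg["routes"].append((t[1], f"{t[2]} {t[3]}"))
        elif cur is not None:                      # sub-mode lines we care about
            if t[:3] == ["set", "ikev2", "ipsec-proposal"]:
                cur["proposal"] = t[3]
            elif t[0] == "default-group-policy":
                cur["policy"] = t[1]
            elif t[0] == "nameif":
                cur["nameif"] = " ".join(t[1:])    # keep exactly what was typed
            elif t[:3] == ["tunnel", "source", "interface"]:
                cur["source"] = t[3]
            elif t[:2] == ["tunnel", "destination"]:
                cur["destination"] = t[2]
            elif t[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                cur["profile"] = t[4]
    return cfg


def lint(cfg: Dict) -> List[str]:
    """Return one human-readable finding per dangling reference."""
    found = []
    for name, p in cfg["profiles"].items():
        if p["proposal"] not in cfg["proposals"]:
            found.append(f"profile {name}: ipsec-proposal {p['proposal']!r} not defined "
                         f"(defined: {sorted(cfg['proposals'])})")
    nameifs = {i["nameif"] for i in cfg["interfaces"].values()} - {None}
    for ifc, i in cfg["interfaces"].items():
        if i["destination"] is None and i["profile"] is None:
            continue                               # not a VTI
        if i["profile"] not in cfg["profiles"]:
            found.append(f"{ifc}: ipsec profile {i['profile']!r} not defined")
        tg = cfg["tunnel_groups"].get(i["destination"])
        if tg is None or tg["type"] != "ipsec-l2l":
            found.append(f"{ifc}: no ipsec-l2l tunnel-group named {i['destination']}")
        if i["source"] not in cfg["ikev2_on"]:
            found.append(f"{ifc}: IKEv2 not enabled on tunnel source {i['source']!r}")
    for name, tg in cfg["tunnel_groups"].items():
        if tg["policy"] is None:
            found.append(f"tunnel-group {name}: no default-group-policy (mistyped keyword?)")
        elif tg["policy"] not in cfg["group_policies"]:
            found.append(f"tunnel-group {name}: group-policy {tg['policy']} not defined")
    for ifc, dst in cfg["routes"]:
        if ifc not in nameifs:
            found.append(f"route {dst} via {ifc!r}: not a nameif (have {sorted(nameifs)})")
    return found


if __name__ == "__main__":
    for f in lint(parse_asa(POSTED)):
        print("FINDING:", f)
```

On the posted sample it reports three findings: the profile names SET1 while the proposal was created as SET1(MainBranch), the tunnel-group has no default-group-policy because the keyword was typed as default-group, and the route refers to HQ-VTI while the nameif line reads "vti (HQ-VTI)". Correcting those three lines makes the check come back clean.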
03-17-2023 01:51 PM
ciscoasa/vpn(config)# crypto isakmp identity ?
configure mode commands/options:
address Use the IP address of the interface for the identity
auto Identity automatically determined by the connection type: IP
address for preshared key and Cert DN for Cert based connections
hostname Use the hostname of the router for the identity
key-id Use the specified key-id for the identity
force the ASA to use address as identity
03-17-2023 02:10 PM
The username would be unknown at the INIT stage.
The error message states routing unable to locate the next hop for the IP address, which is the IP address as defined as the tunnel destination - then the IKE request times out.
So the ASA doesn't know where to respond to.
Use the show asp table routing command to view the routing table details.
03-17-2023 02:21 PM
This is the remote end
HRCU-DR-Firewall# show asp table routing
route table timestamp: 82
in 255.255.255.255 255.255.255.255 identity
in 169.254.1.1 255.255.255.255 identity
in 127.1.0.1 255.255.255.255 identity
in 192.168.24.1 255.255.255.255 identity
in 45.234.88.142 255.255.255.255 identity
in 169.254.1.0 255.255.255.248 nlp_int_tap
in 45.234.88.136 255.255.255.248 OUTSIDE
in 192.168.24.0 255.255.255.0 INSIDE
in 0.0.0.0 0.0.0.0 via 45.234.88.137, OUTSIDE
in ff02::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in ff02::1:ff00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fe80::200:1ff:fe00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out 255.255.255.255 255.255.255.255 DRSite
out 224.0.0.0 240.0.0.0 DRSite
out 255.255.255.255 255.255.255.255 INSIDE
out 192.168.24.1 255.255.255.255 INSIDE
out 192.168.24.0 255.255.255.0 INSIDE
out 224.0.0.0 240.0.0.0 INSIDE
out 255.255.255.255 255.255.255.255 OUTSIDE
out 45.234.88.142 255.255.255.255 OUTSIDE
out 45.234.88.136 255.255.255.248 OUTSIDE
out 224.0.0.0 240.0.0.0 OUTSIDE
out 0.0.0.0 0.0.0.0 via 45.234.88.137, OUTSIDE
out 255.255.255.255 255.255.255.255 _internal_loopback
out 224.0.0.0 240.0.0.0 _internal_loopback
out 255.255.255.255 255.255.255.255 nlp_int_tap
out 169.254.1.1 255.255.255.255 nlp_int_tap
out 169.254.1.0 255.255.255.248 nlp_int_tap
out 224.0.0.0 240.0.0.0 nlp_int_tap
out fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff nlp_int_tap
out fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out fe80:: ffc0:: nlp_int_tap
out ff00:: ff00:: nlp_int_tap
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
out :: :: via 0.0.0.0, identity
HQ end:
shadowgate# show asp table routing
route table timestamp: 1017
in 255.255.255.255 255.255.255.255 identity
in 169.254.1.1 255.255.255.255 identity
in 127.1.0.1 255.255.255.255 identity
in 200.32.224.2 255.255.255.255 identity
in 192.168.23.1 255.255.255.255 identity
in 192.168.0.1 255.255.255.255 identity
in 192.168.43.1 255.255.255.255 identity
in 192.168.38.1 255.255.255.255 identity
in 192.168.97.100 255.255.255.255 Outside
in 45.234.88.138 255.255.255.255 identity
in 190.197.41.163 255.255.255.255 via 45.234.88.137, SMART_NET
in 169.254.1.0 255.255.255.248 nlp_int_tap
in 200.32.224.0 255.255.255.248 Outside
in 192.168.38.0 255.255.255.248 SMART_PBX
in 45.234.88.136 255.255.255.248 SMART_NET
in 186.65.88.208 255.255.255.240 via 45.234.88.137, SMART_NET
in 192.168.23.0 255.255.255.0 inside_1
in 192.168.0.0 255.255.255.0 DMZ_6
in 192.168.43.0 255.255.255.0 Wi-Fi_8
in 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
in ff02::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in ff02::1:ff00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fe80::200:1ff:fe00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out 255.255.255.255 255.255.255.255 HQ-VTI
out 224.0.0.0 240.0.0.0 HQ-VTI
out 255.255.255.255 255.255.255.255 Wi-Fi_8
out 192.168.43.1 255.255.255.255 Wi-Fi_8
out 192.168.43.0 255.255.255.0 Wi-Fi_8
out 224.0.0.0 240.0.0.0 Wi-Fi_8
out 255.255.255.255 255.255.255.255 DMZ_6
out 192.168.0.1 255.255.255.255 DMZ_6
out 192.168.0.0 255.255.255.0 DMZ_6
out 224.0.0.0 240.0.0.0 DMZ_6
out 255.255.255.255 255.255.255.255 SMART_PBX
out 192.168.38.1 255.255.255.255 SMART_PBX
out 192.168.38.0 255.255.255.248 SMART_PBX
out 224.0.0.0 240.0.0.0 SMART_PBX
out 255.255.255.255 255.255.255.255 SMART_NET
out 45.234.88.138 255.255.255.255 SMART_NET
out 190.197.41.163 255.255.255.255 via 45.234.88.137, SMART_NET
out 45.234.88.136 255.255.255.248 SMART_NET
out 186.65.88.208 255.255.255.240 via 45.234.88.137, SMART_NET
out 224.0.0.0 240.0.0.0 SMART_NET
out 0.0.0.0 0.0.0.0 via 45.234.88.137, SMART_NET
out 255.255.255.255 255.255.255.255 inside_1
out 192.168.23.1 255.255.255.255 inside_1
out 192.168.23.0 255.255.255.0 inside_1
out 224.0.0.0 240.0.0.0 inside_1
out 255.255.255.255 255.255.255.255 Outside
out 200.32.224.2 255.255.255.255 Outside
out 192.168.97.100 255.255.255.255 Outside
out 200.32.224.0 255.255.255.248 Outside
out 224.0.0.0 240.0.0.0 Outside
out 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
out 255.255.255.255 255.255.255.255 _internal_loopback
out 224.0.0.0 240.0.0.0 _internal_loopback
out 255.255.255.255 255.255.255.255 nlp_int_tap
out 169.254.1.1 255.255.255.255 nlp_int_tap
out 169.254.1.0 255.255.255.248 nlp_int_tap
out 224.0.0.0 240.0.0.0 nlp_int_tap
out fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff nlp_int_tap
out fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out fe80:: ffc0:: nlp_int_tap
out ff00:: ff00:: nlp_int_tap
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
out :: :: via 0.0.0.0, identity
03-17-2023 02:52 PM - edited 03-17-2023 02:53 PM
@jebanks The HQ end has an interface called SMART_NET which is on the same network as HRCU-DR-Firewall's OUTSIDE interface, which explains why the IKE packet times out - you need to remove the SMART_NET interface, and traffic would then egress via the outside interface.
HRCU-DR-Firewall
in 45.234.88.136 255.255.255.248 OUTSIDE
HQ
in 200.32.224.0 255.255.255.248 Outside
in 45.234.88.136 255.255.255.248 SMART_NET
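The diagnosis above comes down to a longest-prefix match: on the HQ box the peer 45.234.88.142 falls inside the directly connected 45.234.88.136/29 on SMART_NET, which is more specific than the default route out of Outside, so the IKE reply never leaves the interface the peer is expecting it on. The script below is an added example for this thread, not code from the posts or from Cisco; it parses `show asp table routing` rows in the format quoted above and performs that lookup, so the egress interface for a peer can be checked against the interface IKEv2 is enabled on. The two sample tables are constructed from the rows quoted in the thread, trimmed to the entries that matter; the assumption that `identity` rows are the box's own addresses rather than an egress interface is this example's own.

```python
"""Longest-prefix lookup over `show asp table routing` output.

Added example for this thread; not code from the original posts or from
Cisco. It answers "which interface will the ASA use to reach the IKE peer?"
by doing a longest-prefix match over the parsed egress rows.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class Route(NamedTuple):
    direction: str                  # "in" (ingress lookup) or "out" (egress lookup)
    network: ipaddress.IPv4Network  # destination prefix
    via: Optional[str]              # next hop, None for connected / identity rows
    interface: str                  # nameif, or the pseudo-interface "identity"


# Matches "out 0.0.0.0 0.0.0.0 via 45.234.88.137, SMART_NET" and
# "in 45.234.88.136 255.255.255.248 OUTSIDE". IPv6 rows are skipped.
_ROW = re.compile(r"^(in|out)\s+(\S+)\s+(\S+)\s+(?:via\s+(\S+),\s+)?(\S+)$")


def parse_asp_routing(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m or ":" in m.group(2):          # header line or IPv6 row
            continue
        direction, addr, mask, via, ifc = m.groups()
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        routes.append(Route(direction, net, via, ifc))
    return routes


def lookup(routes: List[Route], dst: str, direction: str = "out") -> List[Route]:
    """All rows tied for the longest matching prefix; more than one means ECMP or ambiguity."""
    ip = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if r.direction == direction and ip in r.network]
    if not hits:
        return []
    best = max(r.network.prefixlen for r in hits)
    return [r for r in hits if r.network.prefixlen == best]


def egress_interfaces(routes: List[Route], peer: str) -> Set[str]:
    """Interfaces the peer is reached through. Assumption: 'identity' rows are the
    box's own addresses (to-the-box traffic), not an egress interface."""
    return {r.interface for r in lookup(routes, peer) if r.interface != "identity"}


def check_peer(routes: List[Route], peer: str, expected_ifc: str) -> Tuple[bool, str]:
    """True when the IKE peer is reached via the interface IKEv2 is enabled on."""
    ifcs = egress_interfaces(routes, peer)
    if not ifcs:
        return False, f"no route to {peer}"
    if ifcs == {expected_ifc}:
        return True, f"{peer} egresses via {expected_ifc}"
    return False, f"{peer} egresses via {sorted(ifcs)}, IKEv2 is enabled on {expected_ifc}"


# Constructed sample: egress rows of the HQ ("shadowgate") table quoted in the
# thread, trimmed to the entries that matter for peer 45.234.88.142.
HQ_ASP = """
route table timestamp: 1017
out 255.255.255.255 255.255.255.255 SMART_NET
out 45.234.88.138 255.255.255.255 SMART_NET
out 45.234.88.136 255.255.255.248 SMART_NET
out 0.0.0.0 0.0.0.0 via 45.234.88.137, SMART_NET
out 200.32.224.2 255.255.255.255 Outside
out 200.32.224.0 255.255.255.248 Outside
out 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
out :: :: via 0.0.0.0, identity
"""

# Constructed sample: egress rows of the DR ("HRCU-DR-Firewall") table.
DR_ASP = """
out 45.234.88.142 255.255.255.255 OUTSIDE
out 45.234.88.136 255.255.255.248 OUTSIDE
out 0.0.0.0 0.0.0.0 via 45.234.88.137, OUTSIDE
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
"""

if __name__ == "__main__":
    hq, dr = parse_asp_routing(HQ_ASP), parse_asp_routing(DR_ASP)
    print(check_peer(hq, "45.234.88.142", "Outside"))   # HQ -> DR lands on SMART_NET
    print(check_peer(dr, "200.32.224.2", "OUTSIDE"))    # DR -> HQ via default route
```

Run against the two tables, the DR side passes (the HQ address is only reachable through its default route on OUTSIDE), while the HQ side reports that 45.234.88.142 egresses via SMART_NET although IKEv2 is enabled on Outside, which is the mismatch the thread identifies. The same function is a quick pre-flight check for any new peer: if the set it returns is not exactly the interface in `crypto ikev2 enable`, fix routing before touching the crypto config.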
03-17-2023 02:22 PM
where in the ikev2 configuration i would add the crypto isakmp identity?
03-17-2023 02:26 PM
This command is added in global configuration mode on the ASA.
03-17-2023 03:50 PM
This won't affect other VPNs if I use that command? Would it be an issue that I have the firewall doing policy-based VPN and am now adding route-based VPN?
03-17-2023 04:19 PM
Yes, sure, it affects them, especially if other VPNs use certificates for auth.
Let me check for another solution that can be configured per VPN rather than globally.
03-18-2023 07:12 AM
crypto ikev2 enable outside <<-
I ran a lab with the same config, without crypto ikev2 enable on outside, and it succeeded.
Can you configure it so that you run IKEv2 only for the VTI tunnel and the other VPNs use IKEv1?
03-18-2023 08:54 AM
That one will be hard because there is one VPN that is using IKEv2. All the others are using IKEv1. Hmm, let me see what I can do here.
03-18-2023 09:03 AM
@jebanks did you check your SMART_NET interface on the HQ firewall? This interface is on the same network as the HRCU-DR-Firewall that you are attempting to establish a VPN with. It will fail, as that remote peer network is directly connected.