Route-based IPSec VPN with IKEv2

jebanks
Level 1

I am currently trying to test two ASAs with a route-based VPN but am getting these errors. Would anyone know what my issue is here?

 



@jebanks the peer device has started to establish a VPN tunnel with your ASA, but your ASA failed to determine the next hop, so the IKE request timed out.

Check your routing to the peer IP address (traceroute and ping to the IP address, etc.). If you have multiple outside interfaces, check that IKE/IPsec is enabled on the correct interface and that traffic to the peer is routed back via the same interface.

username unknown
Can you share the config you use?

Please notice that you must use address as the identity instead of hostname.

Below is the config:

###Enable IKEv2 on the outside interface ####
crypto ikev2 enable outside
!
###Add an IKEv2 phase 1 policy ###
crypto ikev2 policy 1
encryption aes-192
integrity sha256
! group 2 is 1024-bit DH as posted; a stronger group (14 or higher) is preferable where both peers support it
group 2
lifetime seconds 28800
prf sha256
!
### Create group-policy and make sure ikev2 is selected as tunnel protocol ###
group-policy 200.32.224.2 internal
group-policy 200.32.224.2 attributes
vpn-tunnel-protocol ikev2
!
### Create tunnel-group, go into general-attributes mode and assign the group-policy created in the previous step ###
tunnel-group 200.32.224.2 type ipsec-l2l
tunnel-group 200.32.224.2 general-attributes
default-group-policy 200.32.224.2
!
!Go into ipsec-attributes mode and set a pre-shared key which will be used for IKEv2 negotiation.
!
tunnel-group 200.32.224.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
!
!Create an IPsec-proposal (SET1, used for the MainBranch tunnel). Define encryption and hashing algorithm.
!
crypto ipsec ikev2 ipsec-proposal SET1
protocol esp encryption aes-192
protocol esp integrity sha-256
!
!Create an IPsec profile and associate the proposal created in the previous step to this profile.
!
crypto ipsec profile PROFILE1
set ikev2 ipsec-proposal SET1
set security-association lifetime seconds 27000
set security-association lifetime kilobytes unlimited
!
! Create a VTI sourced from the outside interface, with the peer as destination and PROFILE1 for protection.
! The nameif must match the interface name used in the static route below.
!
interface Tunnel100
nameif HQ-VTI
ip address 10.70.70.2 255.255.255.252
tunnel source interface outside
tunnel destination 200.32.224.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE1
!
!Create a static route to point traffic into the tunnel
!
route HQ-VTI 192.168.23.0 255.255.255.0 10.70.70.1
!

ciscoasa/vpn(config)# crypto isakmp identity ?
 configure mode commands/options:
  address   Use the IP address of the interface for the identity
  auto      Identity automatically determined by the connection type: IP
            address for preshared key and Cert DN for Cert based connections
  hostname  Use the hostname of the router for the identity
  key-id    Use the specified key-id for the identity

Force the ASA to use address as the identity.

The username would be unknown at the INIT stage.

The error message states that routing was unable to locate the next hop for the IP address, which is the IP address defined as the tunnel destination; the IKE request then times out.

So the ASA doesn't know where to send its response.

Use the show asp table routing command to view the routing table details.

This is the remote end

HRCU-DR-Firewall# show asp table routing
route table timestamp: 82
in 255.255.255.255 255.255.255.255 identity
in 169.254.1.1 255.255.255.255 identity
in 127.1.0.1 255.255.255.255 identity
in 192.168.24.1 255.255.255.255 identity
in 45.234.88.142 255.255.255.255 identity
in 169.254.1.0 255.255.255.248 nlp_int_tap
in 45.234.88.136 255.255.255.248 OUTSIDE
in 192.168.24.0 255.255.255.0 INSIDE
in 0.0.0.0 0.0.0.0 via 45.234.88.137, OUTSIDE
in ff02::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in ff02::1:ff00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fe80::200:1ff:fe00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out 255.255.255.255 255.255.255.255 DRSite
out 224.0.0.0 240.0.0.0 DRSite
out 255.255.255.255 255.255.255.255 INSIDE
out 192.168.24.1 255.255.255.255 INSIDE
out 192.168.24.0 255.255.255.0 INSIDE
out 224.0.0.0 240.0.0.0 INSIDE
out 255.255.255.255 255.255.255.255 OUTSIDE
out 45.234.88.142 255.255.255.255 OUTSIDE
out 45.234.88.136 255.255.255.248 OUTSIDE
out 224.0.0.0 240.0.0.0 OUTSIDE
out 0.0.0.0 0.0.0.0 via 45.234.88.137, OUTSIDE
out 255.255.255.255 255.255.255.255 _internal_loopback
out 224.0.0.0 240.0.0.0 _internal_loopback
out 255.255.255.255 255.255.255.255 nlp_int_tap
out 169.254.1.1 255.255.255.255 nlp_int_tap
out 169.254.1.0 255.255.255.248 nlp_int_tap
out 224.0.0.0 240.0.0.0 nlp_int_tap
out fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff nlp_int_tap
out fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out fe80:: ffc0:: nlp_int_tap
out ff00:: ff00:: nlp_int_tap
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
out :: :: via 0.0.0.0, identity

 

 

HQ end:

shadowgate# show asp table routing
route table timestamp: 1017
in 255.255.255.255 255.255.255.255 identity
in 169.254.1.1 255.255.255.255 identity
in 127.1.0.1 255.255.255.255 identity
in 200.32.224.2 255.255.255.255 identity
in 192.168.23.1 255.255.255.255 identity
in 192.168.0.1 255.255.255.255 identity
in 192.168.43.1 255.255.255.255 identity
in 192.168.38.1 255.255.255.255 identity
in 192.168.97.100 255.255.255.255 Outside
in 45.234.88.138 255.255.255.255 identity
in 190.197.41.163 255.255.255.255 via 45.234.88.137, SMART_NET
in 169.254.1.0 255.255.255.248 nlp_int_tap
in 200.32.224.0 255.255.255.248 Outside
in 192.168.38.0 255.255.255.248 SMART_PBX
in 45.234.88.136 255.255.255.248 SMART_NET
in 186.65.88.208 255.255.255.240 via 45.234.88.137, SMART_NET
in 192.168.23.0 255.255.255.0 inside_1
in 192.168.0.0 255.255.255.0 DMZ_6
in 192.168.43.0 255.255.255.0 Wi-Fi_8
in 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
in ff02::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in ff02::1:ff00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fe80::200:1ff:fe00:1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff identity
in fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out 255.255.255.255 255.255.255.255 HQ-VTI
out 224.0.0.0 240.0.0.0 HQ-VTI
out 255.255.255.255 255.255.255.255 Wi-Fi_8
out 192.168.43.1 255.255.255.255 Wi-Fi_8
out 192.168.43.0 255.255.255.0 Wi-Fi_8
out 224.0.0.0 240.0.0.0 Wi-Fi_8
out 255.255.255.255 255.255.255.255 DMZ_6
out 192.168.0.1 255.255.255.255 DMZ_6
out 192.168.0.0 255.255.255.0 DMZ_6
out 224.0.0.0 240.0.0.0 DMZ_6
out 255.255.255.255 255.255.255.255 SMART_PBX
out 192.168.38.1 255.255.255.255 SMART_PBX
out 192.168.38.0 255.255.255.248 SMART_PBX
out 224.0.0.0 240.0.0.0 SMART_PBX
out 255.255.255.255 255.255.255.255 SMART_NET
out 45.234.88.138 255.255.255.255 SMART_NET
out 190.197.41.163 255.255.255.255 via 45.234.88.137, SMART_NET
out 45.234.88.136 255.255.255.248 SMART_NET
out 186.65.88.208 255.255.255.240 via 45.234.88.137, SMART_NET
out 224.0.0.0 240.0.0.0 SMART_NET
out 0.0.0.0 0.0.0.0 via 45.234.88.137, SMART_NET
out 255.255.255.255 255.255.255.255 inside_1
out 192.168.23.1 255.255.255.255 inside_1
out 192.168.23.0 255.255.255.0 inside_1
out 224.0.0.0 240.0.0.0 inside_1
out 255.255.255.255 255.255.255.255 Outside
out 200.32.224.2 255.255.255.255 Outside
out 192.168.97.100 255.255.255.255 Outside
out 200.32.224.0 255.255.255.248 Outside
out 224.0.0.0 240.0.0.0 Outside
out 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
out 255.255.255.255 255.255.255.255 _internal_loopback
out 224.0.0.0 240.0.0.0 _internal_loopback
out 255.255.255.255 255.255.255.255 nlp_int_tap
out 169.254.1.1 255.255.255.255 nlp_int_tap
out 169.254.1.0 255.255.255.248 nlp_int_tap
out 224.0.0.0 240.0.0.0 nlp_int_tap
out fd00:0:0:1::1 ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff nlp_int_tap
out fd00:0:0:1:: ffff:ffff:ffff:ffff:: nlp_int_tap
out fe80:: ffc0:: nlp_int_tap
out ff00:: ff00:: nlp_int_tap
out 0.0.0.0 0.0.0.0 via 0.0.0.0, identity
out :: :: via 0.0.0.0, identity

 

@jebanks The HQ end has an interface called SMART_NET which is on the same network as HRCU-DR-Firewall's OUTSIDE interface, which explains why the IKE packet times out. You need to remove the SMART_NET interface; traffic would then egress via the outside interface.

HRCU-DR-Firewall
in 45.234.88.136 255.255.255.248 OUTSIDE

HQ
in 200.32.224.0 255.255.255.248 Outside
in 45.234.88.136 255.255.255.248 SMART_NET
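As an added illustration (not code from the thread), a longest-prefix lookup over a constructed subset of the HQ firewall's "out" entries shows why the reply to the DR peer 45.234.88.142 leaves via SMART_NET rather than Outside: the directly connected /29 always beats the default route. The route subset and the ike_egress_check helper are assumptions of this example.

```python
import ipaddress

# Constructed subset of the HQ "show asp table routing" output quoted above
# (the "out" entries that matter for a packet to the DR peer 45.234.88.142).
HQ_ASP_OUT = """\
out 45.234.88.138 255.255.255.255 SMART_NET
out 45.234.88.136 255.255.255.248 SMART_NET
out 0.0.0.0 0.0.0.0 via 45.234.88.137, SMART_NET
out 200.32.224.2 255.255.255.255 Outside
out 200.32.224.0 255.255.255.248 Outside
out 0.0.0.0 0.0.0.0 via 200.32.224.1, Outside
"""

def parse_asp_routes(text):
    """Parse 'in|out <net> <mask> [via <gw>,] <iface>' lines (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("in", "out") or ":" in parts[1]:
            continue
        net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        gateway, rest = None, parts[3:]
        if rest[0] == "via":
            gateway, rest = rest[1].rstrip(","), rest[2:]
        routes.append((parts[0], net, gateway, rest[0]))
    return routes

def lookup(routes, dst, direction="out"):
    """Longest-prefix match; returns (network, gateway, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for d, net, gw, iface in routes:
        if d == direction and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def ike_egress_check(routes, peer, ike_iface):
    """Assumed helper: (chosen_iface, ok). ok is False when the reply to the peer
    would leave on an interface other than the one IKEv2 is enabled on."""
    match = lookup(routes, peer)
    chosen = match[2] if match else None
    return chosen, chosen == ike_iface

if __name__ == "__main__":
    routes = parse_asp_routes(HQ_ASP_OUT)
    print(lookup(routes, "45.234.88.142"))                        # connected /29 on SMART_NET wins
    print(ike_egress_check(routes, "45.234.88.142", "Outside"))   # ('SMART_NET', False)
```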

 

Where in the IKEv2 configuration would I add the crypto isakmp identity?

This command is added in global configuration mode of the ASA.

This won't affect other VPNs if I do that command? Would it be an issue that I have the firewall doing policy-based VPN and am now adding route-based VPN?

Yes, sure, it affects them, especially if other VPNs use certs for auth.

Let me check for another solution which can be configured per VPN, not globally.

crypto ikev2 enable outside <<-
I ran a lab with the same config, without crypto ikev2 enable on outside, and it succeeded.

Can you configure it so that you run IKEv2 only for the VTI tunnel and the other VPNs use IKEv1?

That one will be hard because there is one VPN that is using IKEv2. All others are using IKEv1. Hmm, let me see what I can do here.

@jebanks did you check your SMART_NET interface on the HQ firewall? This interface is on the same network as the HRCU-DR-Firewall that you are attempting to establish a VPN with. It will fail as that remote peer network is directly connected.