06-27-2024 01:36 AM
Hello.
Please help me understand the problem with Site to Site VPN.
We have a cisco ASA on one side and a cisco ISR on the other. The ASA is behind NAT.
When we initiate payload traffic to the ASA side, "show crypto ikev2 sa" shows nothing on either the ASA or the ISR. When we initiate useful traffic from the ISR, the “show crypto ikev2 sa” command on the ASA displays that there is a tunnel, but on the ISR it does not.
When we look at debug on the ISR, we see that it starts looking for a peer using the internal IP address of the ASA, but does not find it in the policies, because the peer is actually configured as 1.1.1.1
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Checking NAT discovery
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):NAT OUTSIDE found
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Searching policy based on peer's identity '192.168.2.200' of type 'IPv4 address'
*Jun 27 08:28:32.167: IKEv2:% IKEv2 profile not found
*Jun 27 08:28:32.167: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Failed to locate an item in the database
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
Below is the configuration.
ISR
crypto ikev2 keyring TAIF_IKEv2_Keyring
peer TAIF_IKEv2_Peer
address 1.1.1.1
pre-shared-key cisco
crypto ikev2 proposal TAIF_IKEv2_Proposal
encryption aes-cbc-256
integrity sha256
group 14
crypto ikev2 profile TAIF_IKEv2_Profile
match identity remote address 1.1.1.1 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local TAIF_IKEv2_Keyring
crypto ikev2 policy TAIF_policy
proposal TAIF_IKEv2_Proposal
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
ip access-list extended TAIF_IKEv2_ACL
permit ip host 10.0.4.77 host 192.168.2.131
permit ip host 10.0.4.77 host 192.168.2.133
permit ip host 10.0.4.77 host 10.50.70.4
crypto map cmTaif 60 ipsec-isakmp
description TAIF_IKEv2_Map
set peer 1.1.1.1
set transform-set TAIF_IKEv2_Transset
set pfs group14
set ikev2-profile TAIF_IKEv2_Profile
match address TAIF_IKEv2_ACL
interface FastEthernet2/0
description Chika2
ip address 2.2.2.2 255.255.255.0
duplex full
crypto map cmTaif
--------------------------------------------------------------
ASA
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy GroupPolicy_2.2.2.2
tunnel-group 2.2.2.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
crypto ikev2 policy 20
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1
access-list cryptomap_avers line 1 extended permit object-group DM_INLINE_PROTOCOL_111 object-group GR_NETWORK_TAIF_AVERS object-group GR_NETWORK_AVERS (hitcnt=32) 0x7c864789
access-list cryptomap_avers line 1 extended permit ip host 192.168.2.133 host 10.0.4.77 (hitcnt=0) 0x88dada7b
access-list cryptomap_avers line 1 extended permit ip host 192.168.2.131 host 10.0.4.77 (hitcnt=0) 0xfaa9f315
access-list cryptomap_avers line 1 extended permit ip host 10.50.70.4 host 10.0.4.77 (hitcnt=85) 0xd1b336b1
access-list cryptomap_avers line 1 extended permit icmp host 192.168.2.133 host 10.0.4.77 (hitcnt=0) 0xbe675db8
access-list cryptomap_avers line 1 extended permit icmp host 192.168.2.131 host 10.0.4.77 (hitcnt=0) 0x6aea9236
access-list cryptomap_avers line 1 extended permit icmp host 10.50.70.4 host 10.0.4.77 (hitcnt=0) 0x122caf2c
crypto ipsec security-association pmtu-aging infinite
crypto map dmz_isa1_map 3 match address cryptomap_avers
crypto map dmz_isa1_map 3 set pfs group14
crypto map dmz_isa1_map 3 set peer 2.2.2.2
crypto map dmz_isa1_map 3 set ikev2 ipsec-proposal AES256-SHA1
crypto map dmz_isa1_map interface dmz_isa1
crypto ikev2 enable dmz_isa1
interface GigabitEthernet0/0.102
vlan 102
nameif dmz_isa1
security-level 10
ip address 192.168.2.200 255.255.255.0
06-27-2024 01:42 AM
@nastiakhon on the ISR router, it receives the ASA's identity as the real IP address of 192.168.2.200 not the NAT IP address.
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Searching policy based on peer's identity '192.168.2.200' of type 'IPv4 address'
*Jun 27 08:28:32.167: IKEv2:% IKEv2 profile not found
*Jun 27 08:28:32.167: ISAKMP:(0):: peer matches *none* of the profiles
*Jun 27 08:28:32.167: IKEv2:(SA ID = 1):Failed to locate an item in the database
Your ISR IKEV2 profile/keyring configuration is matching on the NAT IP address 1.1.1.1, you need to change this to reflect the real IP address of the ASA.
The crypto ipsec peer will still be the public IP address.
06-27-2024 02:36 AM
I understood.
Does this mean that the ISR cannot determine it itself, and this must be indicated in the configuration?
It’s just that the ISR is not located in our organization.
06-27-2024 02:42 AM
@nastiakhon no, the ISR is looking up the identity received from the ASA; as the ASA is behind NAT, the identity sent by the ASA to the ISR is its real IP address. On the ISR you need to match on this identity (real IP address).
06-27-2024 04:02 AM
It needs some work, but it can work.
I will run a lab and share the steps with you.
update today
MHM
06-27-2024 04:47 AM
Thanks a lot. I'll be looking forward to it.
I also tried it myself; I changed the settings on the ISR:
crypto ikev2 keyring TAIF_IKEv2_Keyring
peer TAIF_IKEv2_Peer
address 192.168.2.200
identity address 192.168.2.200
pre-shared-key cisco
!
!
!
crypto ikev2 profile TAIF_IKEv2_Profile
match identity remote address 192.168.2.200 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local TAIF_IKEv2_Keyring
When I initiate useful traffic from the ASA side, the tunnel picks up and traffic flows well in both directions.
When I clear the tunnel and initiate traffic from the ISR side, the tunnel does not rise and the traffic does not even try to leave the external interface of the ISR.
Below is the debug from the ISR
*Jun 27 11:28:17.927: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 10.0.4.77/255.255.255.255/256/0,
remote_proxy= 10.50.70.4/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 27 11:28:17.927: IKEv2:% Getting preshared key from profile keyring TAIF_IKEv2_Keyring
*Jun 27 11:28:17.927: IKEv2:% key not found.
*Jun 27 11:28:17.931: IKEv2:Failed to initiate sa
*Jun 27 11:28:47.927: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 10.0.4.77/255.255.255.255/256/0,
remote_proxy= 10.50.70.4/255.255.255.255/256/0
*Jun 27 11:28:47.927: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 2.2.2.2:500, remote= 1.1.1.1:500,
local_proxy= 10.0.4.77/255.255.255.255/256/0,
remote_proxy= 10.50.70.4/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jun 27 11:28:47.927: IKEv2:% Getting preshared key from profile keyring TAIF_IKEv2_Keyring
*Jun 27 11:28:47.927: IKEv2:% key not found.
*Jun 27 11:28:47.927: IKEv2:Failed to initiate sa
*Jun 27 11:29:17.927: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 10.0.4.77/255.255.255.255/256/0,
remote_proxy= 10.50.70.4/255.255.255.255/256/0
06-27-2024 04:51 AM
OK, I will update you today with a lab:
ASA behind NAT
ISR
using IKEv2 policy based VPN not VTI
Thanks
MHM
06-28-2024 02:04 AM
Good afternoon.
Please tell me, was it possible to reproduce the problem in your laboratory?
We have not yet succeeded in ensuring that the tunnel rises from both sides.
Thank you!
06-29-2024 12:45 PM
Sorry, I have a time limit, but I have started building the lab.
What is the issue? I think two things:
1- the router ID used for IKEv2
2- which is the most likely cause, I think: the router that does NAT has a zone firewall that allows IPsec from Internal to WAN but not the other direction
For point one, as I mentioned, I am running a lab to check everything that prevents traffic from both sides.
MHM
06-27-2024 04:52 AM
@nastiakhon good to hear it works (one way at least) after making the recommended change.
Seems like you have another problem. Is the NAT in front of the ASA a static NAT/PAT or is it dynamic NAT? Provide the configuration of the device translating that traffic to confirm.
06-27-2024 06:00 AM
Static NAT is used.
Below is the configuration:
interface FastEthernet1/0.102
encapsulation dot1Q 102
ip address 192.168.2.1 255.255.255.0
ip nat inside
interface FastEthernet3/0
description to-INET
ip address 1.1.1.2 255.255.255.0
ip nat outside
ip nat inside source static 192.168.2.200 1.1.1.1
ip route 0.0.0.0 0.0.0.0 FastEthernet3/0
07-02-2024 03:05 PM
I tried for days to match the policies between the ASA and vIOS in my lab, and I failed.
So, any update about the point I mentioned above:
does the NATing device run any zone firewall?
Also, can you share the output of
show crypto session <<- on the ISR
MHM
07-03-2024 01:15 AM
Good afternoon.
With this configuration, you can configure it so that the tunnel is created on both sides
crypto ikev2 proposal TAIF_IKEv2_Proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy TAIF_policy
proposal TAIF_IKEv2_Proposal
!
crypto ikev2 keyring TAIF_IKEv2_Keyring
peer TAIF_IKEv2_Peer
address 192.168.4.200
identity address 192.168.4.200
pre-shared-key *****
!
peer TAIF_IKEv2_Peer_Pub
address 1.1.1.1
pre-shared-key local *****
pre-shared-key remote *****
!
!
!
crypto ikev2 profile TAIF_IKEv2_Profile
match identity remote address 1.1.1.1 255.255.255.255
match identity remote address 192.168.4.200 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local TAIF_IKEv2_Keyring
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
!
crypto map cmTaif 60 ipsec-isakmp
description TAIF_IKEv2_Map
set peer 1.1.1.1
set transform-set TAIF_IKEv2_Transset
set pfs group14
set ikev2-profile TAIF_IKEv2_Profile
match address TAIF_IKEv2_ACL
07-03-2024 06:03 AM
Sorry, do you mean it now works on both sides?
i.e. is the issue solved?
MHM
07-04-2024 02:32 AM
Good afternoon.
Yes, when I added two peers to the keyring, one local and the other public, it worked both ways.
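The outcome of the thread (the ISR must match the ASA's real IP as identity, yet still find a pre-shared key for the public IP it initiates to) can be checked against a small model of the two lookups the debugs show. This is an added example, not code from the thread or from Cisco; it is a simplified assumption about how the keyring and profile lookups behave (initiator looks up the PSK by crypto-map peer address; responder matches the received identity against the profile, then the keyring by `identity address`, falling back to `address` against the packet source), using the addresses of the original post.

```python
"""Simplified model of the IKEv2 keyring/profile lookups seen in the thread's debugs.
Assumption (not Cisco's documented algorithm): initiator looks up the PSK by the
crypto-map 'set peer' address; responder matches the received identity against
'match identity remote address', then finds a keyring peer by 'identity address'
(falling back to 'address' compared with the packet source IP)."""
from dataclasses import dataclass
from typing import List, Optional

ASA_REAL_IP, ASA_NAT_IP = "192.168.2.200", "1.1.1.1"   # from the thread

@dataclass
class KeyringPeer:
    address: str                     # 'address' line of the keyring peer
    identity: Optional[str] = None   # optional 'identity address' line

@dataclass
class IsrConfig:
    keyring: List[KeyringPeer]
    profile_match: List[str]         # 'match identity remote address' lines
    crypto_map_peer: str = ASA_NAT_IP  # crypto map 'set peer'

def keyring_by_address(cfg: IsrConfig, addr: str) -> bool:
    return any(p.address == addr for p in cfg.keyring)

def keyring_by_identity(cfg: IsrConfig, ident: str, source_ip: str) -> bool:
    return any(p.identity == ident or (p.identity is None and p.address == source_ip)
               for p in cfg.keyring)

def respond(cfg: IsrConfig, peer_identity=ASA_REAL_IP, source_ip=ASA_NAT_IP) -> str:
    """ISR answering IKE_AUTH from the ASA (ASA sends its real IP as identity)."""
    if peer_identity not in cfg.profile_match:
        return "IKEv2 profile not found"      # first debug in the thread
    if not keyring_by_identity(cfg, peer_identity, source_ip):
        return "key not found"
    return "ok"

def initiate(cfg: IsrConfig, peer_identity=ASA_REAL_IP) -> str:
    """ISR bringing the tunnel up from the crypto map towards the NAT address."""
    if not keyring_by_address(cfg, cfg.crypto_map_peer):
        return "key not found"                # 'IKEv2:% key not found' / 'Failed to initiate sa'
    if peer_identity not in cfg.profile_match:
        return "IKEv2 profile not found"      # ASA's reply carries its real IP as identity
    return "ok"

# The three ISR configurations posted in the thread, in order.
ORIGINAL = IsrConfig([KeyringPeer(ASA_NAT_IP)], [ASA_NAT_IP])
REAL_IP_ONLY = IsrConfig([KeyringPeer(ASA_REAL_IP, ASA_REAL_IP)], [ASA_REAL_IP])
FINAL = IsrConfig([KeyringPeer(ASA_REAL_IP, ASA_REAL_IP), KeyringPeer(ASA_NAT_IP)],
                  [ASA_NAT_IP, ASA_REAL_IP])
```

Running `respond()` and `initiate()` against the three configurations reproduces the thread: the first fails on the profile, the second responds but cannot initiate, and only the two-peer keyring works in both directions.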