1252 Views, 0 Helpful, 4 Replies

Site to Site with remote Strongswan not passing traffic

rgrue
Cisco Employee

ASA 5506-X with 9.6(1) connecting to remote strongswan, attempting to route all traffic on specific subnet over the VPN and out.

I know pretty much nothing about this, so it's been a struggle, but I've managed to get the tunnel itself established. However, I can't pass traffic through it.

Running a packet tracer using a source on the subnet in question to an external IP shows the packet being allowed over the VPN, but then being dropped by some ACL:

Phase: 8
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac0c8f660, priority=12, domain=filter-aaa, deny=true
hits=3782, user_data=0x2aaabb918c40, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0

Full running config and packet trace are attached. 

For the life of me, I can't figure out what ACL is dropping this. I've attempted the following to no effect:

1. Removing the vpn-filter from the 'strongswan' group-policy completely

2. Creating a vpn-filter allowing any any

3. Creating a global ACL to allow any any

4. Creating an outbound ACL on my outside interface to allow any any

I'm pretty certain that I'm just missing something that would be obvious to someone who knows what they're doing, but my Google-fu has failed me on this one, so I'd appreciate any help.

Thanks!


4 Replies

Philip D'Ath
VIP Alumni

This would normally specify the destination encryption domain.

access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any

What is the remote subnet you are wanting to access?

rgrue

Hi Philip,

I'm trying to backhaul all traffic from that subnet over the VPN, so the destination is 0.0.0.0/0. Is there a more proper way to do that?

From the packet tracer, it seems that encryption is getting triggered as expected, but the traffic is being dropped from an ACL (which _seems_ to be the vpn-filter judging from where it happens, but I've attempted both removing the vpn-filter and creating an ACL that allows any any).

Thanks!

Philip D'Ath

Accepted Solution

You don't need vpn-filter at all. You can delete that.

The issue is the NAT. You are NATing your private IP addresses to the outside IP of your ASA, but the VPN is only for the inside private IP addresses.

If you delete all three "nat" lines it will be happy.

YESSSSSSS

That was it, thanks so much Philip!!!
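The configuration below is an added example for readers who hit the same symptom; it is not config from this thread, from the attached running config, or from Cisco or strongSwan documentation. It assumes the subnet from Philip's first reply (192.168.100.0/24), an ASA 9.x with an inside and an outside interface, and made-up names and addresses (objects LAN-192, LAN-OTHER and ANY4, crypto map outside_map, peer 203.0.113.10, a second inside subnet 192.168.1.0/24). Deleting every nat line, as the accepted answer says, works when nothing else behind the ASA needs PAT; the usual fix is to keep PAT for the other subnets and exempt only the tunnelled subnet with an identity (twice) NAT rule placed ahead of the dynamic PAT, so that the source address the crypto map sees is still the private one.

```cisco
! Added example, not from the thread. Object, map and peer names are assumptions.

! Subnet that must be backhauled through the tunnel (from the thread).
object network LAN-192
 subnet 192.168.100.0 255.255.255.0
! Everything else on the inside that should still reach the Internet directly
! (assumed second subnet).
object network LAN-OTHER
 subnet 192.168.1.0 255.255.255.0
! Catch-all destination used by the exemption rule.
object network ANY4
 subnet 0.0.0.0 0.0.0.0

! Encryption domain: all traffic from LAN-192, bound to the crypto map entry.
! The crypto map is matched against the packet AFTER NAT, so the source
! address must still be 192.168.100.x at that point for this ACL to match.
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 any
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10

! ---- Weak setting (reproduces the problem) ------------------------------
! Dynamic PAT on LAN-192 rewrites the source to the outside interface IP,
! so the packet no longer matches outside_cryptomap and is never encrypted.
! object network LAN-192
!  nat (inside,outside) dynamic interface

! ---- Corrected ----------------------------------------------------------
! 1. Manual (twice) NAT, section 1, position 1: translate LAN-192 to itself
!    for any destination. Manual NAT rules are checked in order and before
!    object NAT, so this wins over any PAT rule covering the same traffic.
!    route-lookup makes the ASA pick the egress interface from the routing
!    table rather than from the (inside,outside) pair.
nat (inside,outside) 1 source static LAN-192 LAN-192 destination static ANY4 ANY4 no-proxy-arp route-lookup

! 2. Ordinary PAT for the rest of the inside network only (object NAT, section 2).
object network LAN-OTHER
 nat (inside,outside) dynamic interface

! ---- Check --------------------------------------------------------------
! Simulate a host on the tunnelled subnet reaching an Internet address.
! Expect the NAT phase to report the identity rule above, a VPN encrypt
! phase, and a final allow instead of the filter-aaa DROP from the thread.
packet-tracer input inside tcp 192.168.100.10 40000 198.51.100.50 443 detailed
! Rule order and hit counters: the exemption should be hit, the PAT rule not.
show nat detail
! Encaps counters should rise on the 192.168.100.0/24 -> 0.0.0.0/0 SA.
show crypto ipsec sa peer 203.0.113.10
```

On the strongSwan side the matching connection needs the mirror image of the encryption domain (its own traffic selector 0.0.0.0/0 and the remote selector 192.168.100.0/24), and because that host is now the Internet exit for 192.168.100.0/24 it must also forward and source-NAT that subnet on its own uplink; the thread does not show that side, so it is left out of the example above.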