Re: Unalbe to establish VPN between ASA and IBM cloud

Moti A · ‎08-29-2021

Hi,

I am trying to build a site-to-site VPN between ASA running 9.8(2) and IBM Cloud.

The ASA is behind NAT device so the outside interface has a private IP 10.0.0.1, for this question the NAT address is 2.2.2.2

Phase 1 has come up:

(I removed the remote peer real public IP and set it to 1.1.1.1)

ASA(config)# sh crypto isakmp sa

IKEv2 SAs:

Session-id:51532, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
2250475783 10.0.0.1/4500 1.1.1.1/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/25 sec

Phase 2 does not come up and the logs on the IBM cloud shows that there is a problem with the identity:

Aug 29 13:26:02 is.vpn crn:v1:bluemix:public:is:eu-de:a/6e6cb9cff65f495a92ce7c8e5cea8f41::vpn:02d7-d41b07f9-43df-4171-8845-ace28a864636 {"message":"UTC 2021-08-29 10:26:01 05[CFG] <peer_2.2.2.2_02d7-d8600613-c9c1-471d-a9c3-c41ca15e6608|2> constraint check failed: identity '2.2.2.2' required ", "saveServiceCopy":false, "logSourceCRN":"crn:v1:bluemix:public:is:eu-de:a/6e6cb9cff65f495a92ce7c8e5cea8f41::vpn:02d7-d41b07f9-43df-4171-8845-ace28a864636"}

I tried to change the ISAKMP identity to the NATed IP address but it did not help and affected other VPNs.

Milos_Jovanovic · ‎08-29-2021

Hi @Moti A,

As you already notice, your logs show that you have no identity for public 2.2.2.2. This is because in IPSec, ASA embeds its IP inside packets, so simple NAT comes with consequences.

As you already noticed, you could change ISAKMP idenitity, but that is a global command, affecting all VPN profiles.

Since your phase 1 output shows that you are using 10.0.0.1, have you tried to create identity on remote end for this IP instead of 2.2.2.2?

BR,

Milos

Moti A · ‎08-31-2021

Hi Milos,

The other end has no ability to modify any parameter that is related to the identity.

when you say "simple NAT comes with consequences" what do you mean?

Sheraz.Salim · ‎08-31-2021

By default ASA is configured with command

crypto isakmp identity auto
address Use the IP address of the interface for the identity
auto Identity automatically determined by the connection type: IP
address for preshared key and Cert DN for Cert based connections
hostname Use the hostname of the router for the identity
key-id Use the specified key-id for the identity

in your case you see the phase 1 is up but you see the logs on the Strongswan firewall. could you also get the logs on the ASA too.

run these command

logging buffered debug
logging buffered size 1024
logging class vpn buffered debug 
debug crypto condition peer x.x.x.x.
debug crypto ipsec 127
debug crypto ikev1 127 (ideally we do not need this as Phase1 is already up).

could you also show the phase two setup setting on both side? also could you please check if PFS group is enable on both end?

please do not forget to rate.

Moti A · ‎08-31-2021

We did some workaround by terminating the VPN on a firewall that has its outside interface configured with public IP so there is no NAT taking place and the ID remains as is.

If the setup will move back, I'll perform the tests that you asked.

Thanks.

Milos_Jovanovic · ‎08-31-2021

Once you hide ASA behind NAT, protocols which are not relying on simple L3 header re-write and which embeds it's IP inside payload (such as IKE), you can always expect more complex implementation. Scenario in which you placed ASA directly with public IP, you effectivelly resolved this issue, but I would assume that same change should be done on remote side. In this setup, n remote side, you shuld configure identity with it's public IP (I believe it was 2.2.2.2) for both phases.

BR,

Milos