vpn connection problem

born.jason
Level 5

Hi,

I have a little problem. I can successfully create a VPN connection to a branch office.

The client gets an IP from the range 192.168.123.0/24 and can connect to the inside network 192.168.100.0/24. This works fine. On the ASA (8.3) there is a site-to-site tunnel to another branch office with the IP range 10.10.22.0/24. The inside network (192.168.100.0/24) can successfully make a connection to this network. But if I connect with the VPN client and then try to connect from the VPN pool (192.168.123.0/24) to the site-to-site tunnel network (10.10.22.0/24), this doesn't work.

I have configured a NAT exemption for the VPN pool:

nat (inside,outside) 7 source static obj-vpnpool obj-vpnpool destination static obj-site-to-site-network obj-site-to-site-network

What am I doing wrong?


Thanks and regards

Jason


Jennifer Halim
Cisco Employee

A few things to configure:

1) If you have split tunnel for the VPN Client, you will also need to add the branch subnet to the split tunnel ACL.

2) You also need to configure "same-security-traffic permit intra-interface" on the ASA that terminates the VPN Client.

3) Then on the crypto ACL for the site-to-site VPN, you will need to add the VPN Pool subnet. So on this ASA:

access-list permit ip 192.168.123.0 255.255.255.0 10.10.22.0 255.255.255.0

4) Crypto ACL on the branch site also needs to have the mirror image ACL:

access-list permit ip 10.10.22.0 255.255.255.0 192.168.123.0 255.255.255.0

5) On the branch site, you will need to add NAT exemption, source: 10.10.22.0/24 destination 192.168.123.0/24

Hope that helps.

I already have a crypto access-list. Can I add another access-list entry too?

The existing ACL is this:

access-list outside_cryptomap_65535.12 extended permit ip object obj-inside object obj-site-to-site-network

Should I only add this?

access-list outside_cryptomap_65535.12 extended permit ip object obj-vpnpool object obj-site-to-site-network

Yes, you are correct, you can add the additional access-list line. Please also add the mirror image access-list on the branch VPN device.

Hmm, do I also need a NAT exemption? If I try to ping a server from the VPN pool to the site-to-site network I see nothing in the log.

Did you have the "same-security-traffic permit intra-interface" command on the ASA?

Also, did you clear the tunnel SAs from both ends? "clear cry ipsec sa" and "clear cry isa sa"

Yes, Jen, I have configured same-security-traffic permit intra-interface and cleared the SAs. Why do I see nothing in the ASA's log if I try to ping the site-to-site network?

Any other suggestions?

It would be great if you could share the config.

Also the output of:

sh cry ipsec sa

from both ends.

Hi, I have sent you a PM with the config and output.

Hmm, but now I get a message in the ASA log if I try to ping:

IKE Initiator unable to find policy: Intf outside, Src: 192.168.123.1, Dst: 10.10.22.100

192.168.123.1 is the VPN client and 10.10.22.100 is the destination on the site-to-site network.

OK, since it's a dynamic LAN-to-LAN tunnel instead of a static LAN-to-LAN tunnel towards the other side, the VPN connection needs to be initiated from the other end first. As the peer address is dynamic, the ASA won't be able to initiate the VPN connection towards the other end.

Once you clear the tunnel, the other end needs to initiate the connection first. Once the tunnel is up, then you can access the other side via the VPN Client.

As far as the config on the ASA is concerned, it is correct.

Just have to make sure that you have added the same mirror image crypto ACL on the other side. Otherwise, it will not work.

Hey Jen,

This is exactly the way it works for the inside network.

The VPN tunnel is initiated by the other side (a 3G router). This works without problems, and the inside network (10.10.15.0/24) can make connections to the other side's network (10.10.22.0/24).

If a VPN client initiates an RA IPsec tunnel to the ASA and gets an IP from the range 192.168.123.0/24, it is able to communicate with 10.10.15.0/24 (the inside network of the ASA) but not with the 3G router network (10.10.22.0/24; the tunnel is UP and running between the 3G router and the ASA). The following error appears in the log:

IKE Initiator unable to find policy: Intf outside, Src: 192.168.123.1, Dst: 10.10.22.100

Do you know what this error message means and how to solve it?

OK, and you think the config looks correct on the ASA, so the failure has to be on the 3G router, right? Or do you have any other suggestions?

Is there a special order to get this working?

1. initiate 3G - ASA tunnel ?

2. verify this tunnel works?

3. initiate an RA IPsec tunnel from a client?

4. try to connect to the 3G inside network?

Regards

Jason

Would need to run debugs to investigate the issue further.

"debug cry isa"

"debug cry ipsec"

Also, can you please share the config from the router?

BTW, can you please try to ping 192.168.123.1 from the router end and see if it makes any difference? Since it's dynamic, the first connection needs to be initiated from the router end to build the SA between 192.168.123.0/24 and 10.10.22.0/24.

Here are the debugs if I perform a ping:

Feb 22 09:00:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.123.1, sport=4, daddr=10.10.22.100, dport=4
IPSEC(crypto_map_check)-5: Checking crypto map dyn-map 1: skipping because 5-tuple does not match ACL outside_1_cryptomap_1.
IPSEC(crypto_map_check)-5: Checking crypto map dyn-map 65535: skipping dynamic_link.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.
Feb 22 09:00:28 [IKEv1]: IKE Initiator unable to find policy: Intf outside, Src: 192.168.123.1, Dst: 10.10.22.100

For the other router, there is no CLI. I'll try to check whether I can make a txt file for this.

Do you see anything helpful in the debugs?
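The debug above shows the ASA walking its crypto map entries for the packet 192.168.123.1 -> 10.10.22.100 and giving up because the only entry that could carry it is the dynamic one. The model below, an added example that is not ASA code and was not posted in this thread, reproduces that walk and Jennifer's point from her five-step list and the accepted answer: a dynamic entry can only be used once the peer has initiated, and then only if the peer's mirror-image ACL also covers the VPN pool. The ACL names come from the debug output; the ACE contents and the 10.10.99.0/24 static peer network are constructed placeholders.

```python
import ipaddress
import re

# Constructed ASA-style ACE lines. Only the two ACL names appear in the thread; the
# 10.10.99.0/24 network stands in for whatever the static entry-1 tunnel really carries.
ACE_LINES = [
    "access-list outside_1_cryptomap_1 extended permit ip 192.168.100.0 255.255.255.0 10.10.99.0 255.255.255.0",
    "access-list outside_cryptomap_65535.12 extended permit ip 192.168.100.0 255.255.255.0 10.10.22.0 255.255.255.0",
    "access-list outside_cryptomap_65535.12 extended permit ip 192.168.123.0 255.255.255.0 10.10.22.0 255.255.255.0",
]
# (sequence, crypto ACL, dynamic?) as bound to the outside interface; 65535 is the dynamic
# entry for the 3G router whose public address is not known in advance.
CRYPTO_MAP = [(1, "outside_1_cryptomap_1", False), (65535, "outside_cryptomap_65535.12", True)]

ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(lines):
    """Build {acl_name: [(src_net, dst_net), ...]} from ASA-style ACE lines."""
    acls = {}
    for line in lines:
        m = ACE_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def permits(pairs, saddr, daddr):
    """True if any (src_net, dst_net) pair covers the packet's source and destination."""
    s, d = ipaddress.ip_address(saddr), ipaddress.ip_address(daddr)
    return any(s in src and d in dst for src, dst in pairs)

def crypto_map_check(saddr, daddr, crypto_map, acls, active_sas=()):
    """Decide what the ASA does with a cleartext packet leaving via 'outside'.
    active_sas: proxy-ID pairs (local_net, remote_net) of IPsec SAs that already
    exist, e.g. because the dynamic peer initiated the tunnel."""
    if permits(active_sas, saddr, daddr):
        return "encrypt with existing SA"          # no policy lookup needed
    for seq, acl_name, is_dynamic in sorted(crypto_map):
        if is_dynamic:
            continue  # "skipping dynamic_link": peer address unknown, ASA cannot initiate
        if permits(acls.get(acl_name, []), saddr, daddr):
            return f"initiate IKE via crypto map entry {seq}"
    return "IKE Initiator unable to find policy"

ACLS = parse_acls(ACE_LINES)
# Proxy IDs the router negotiates when its ACL covers only the inside network, versus
# when the mirror-image VPN-pool entry has been added as the thread recommends.
SA_WITHOUT_MIRROR = parse_acls([ACE_LINES[1]])["outside_cryptomap_65535.12"]
SA_WITH_MIRROR = ACLS["outside_cryptomap_65535.12"]
```

Run the lookup for the VPN client's packet with no SA, with the SA the router builds without the mirror ACE, and with the mirror ACE present: only the last case gets past the crypto map.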

Can you please advise which VPN Client tunnel-group you are using? Some tunnel-groups don't seem to have split tunnel configured, so I am just wondering which one you are using.

Also, you will have to add the VPN Client pool to the router crypto ACL. Can you please advise if that has been added? Plus, the connection needs to be initiated from the router LAN first towards the VPN Client IP.

The client is using this tunnel-group:

su******_vpn

and in the group policy (su******_vpn) split tunneling is enabled:

group-policy su******_vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value su******_vpn_splitTunnelAcl