
VPN IKev2 with NAT Config Help

m.s.rees1
Level 1

Hi, I am trying to establish a VPN connection with IKEv2 and just wanted to check if my config is looking correct. I don't have access to the other side of the VPN unfortunately, so I just want to check that this side is at least not missing anything important. There is also a NAT in place:

name 1.1.1.1 test

object-group network test
network-object host test

object network test_nat
host 192.168.2.1

object network test_local
subnet 0.0.0.0 0.0.0.0

object network test_remote
subnet 192.168.1.0 255.255.255.224

access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp any host 192.168.1.2 eq https

access-group acl_test interface outside control-plane

route outside 192.168.1.0 255.255.255.252 180.180.180.126

crypto ipsec ikev2 ipsec-proposal p1
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside

crypto map outside_tunnels 141 match address acl_test
crypto map outside_tunnels 141 set peer test
crypto map outside_tunnels 141 set ikev2 ipsec-proposal p1
crypto map outside_tunnels 141 set pfs group14

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx

nat (inside,outside) source static test_local test_nat destination static test_remote test_remote


@m.s.rees1 applying the acl_test ACL to the control plane won't work; SSH and HTTP are controlled separately.

You are also using ACL acl_test for the crypto ACL; this should be based on "ip", not "tcp", as a crypto ACL based on L4 is not supported. The crypto ACL also needs to use the translated NAT address as the source.

Thank you for your reply. OK, so would this be correct?

access-list acl_test extended permit ip object test_nat host 192.168.1.2

access-group acl_test interface outside

@m.s.rees1 I would define the destination using the object "test_remote": fewer SAs if multiple hosts are required later.

access-list acl_test extended permit ip object test_nat object test_remote


Hi @m.s.rees1

This seems not to be correct:

object network test_local
subnet 0.0.0.0 0.0.0.0

You need to put a network here. For VPN interesting traffic you can not use ANY.

I have tried changing that to a specific IP but am still not getting any luck. When I do a sh crypto isakmp it says:

There are no IKEv2 SAs

I wanted to rule this side of the config out first, before investigating further with the 3rd party.


@m.s.rees1 have you made the changes as mentioned previously? If you are NAT translating, interesting traffic will come from the NAT address, not the real IP address.

Yes I have now added in the ACL as you mentioned:

access-list acl_test extended permit ip object test_nat object test_remote

Still no luck.

access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp any host 192.168.1.2 eq https
access-list acl_test extended permit udp host 1.1.1.1 eq 500 host <outside interface IP>
access-list acl_test extended permit udp host <outside interface IP> eq 500 host 1.1.1.1
access-list acl_test extended permit udp host 1.1.1.1 eq 4500 host <outside interface IP>
access-list acl_test extended permit udp host <outside interface IP> eq 4500 host 1.1.1.1

access-group acl_test interface outside control-plane

These ACLs are needed.

@MHM Cisco World a control-plane ACL is not needed (it's optional); if no control-plane ACL is defined, traffic is implicitly permitted.


Sorry, I see his reply; he removed the keyword control-plane from the ACL.

OK, using ANY in the ACL of the policy and in the NAT sometimes does not work in IPsec.

name 1.1.1.1 test

object-group network test
network-object host test

object network test_nat
host 192.168.2.1

object network test_local
subnet 0.0.0.0 0.0.0.0

object network test_remote
subnet 192.168.1.0 255.255.255.224

access-list acl_test extended permit tcp host 192.168.2.1 host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp host 192.168.2.1 host 192.168.1.2 eq https

access-group acl_test interface outside control-plane

route outside 192.168.1.0 255.255.255.252 180.180.180.126

crypto ipsec ikev2 ipsec-proposal p1
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside

crypto map outside_tunnels 141 match address acl_test
crypto map outside_tunnels 141 set peer test
crypto map outside_tunnels 141 set ikev2 ipsec-proposal p1
crypto map outside_tunnels 141 set pfs group14

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx

nat (inside,outside) source static test_local test_nat destination static test_remote test_remote


On the peer you need a mirror ACL and route:
access-list acl_test extended permit tcp host 192.168.1.10 eq ssh host 192.168.2.1
access-list acl_test extended permit tcp host 192.168.1.2 eq https host 192.168.2.1

route OUT 192.168.2.1 255.255.255.255 <this ASA outside public IP>
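The two checks the replies above ask for (a crypto ACL that matches on "ip" rather than a TCP port, does not use "any", and uses the NAT-translated address as its source, plus a peer-side ACL that is an exact source/destination mirror) can be verified mechanically before asking the third party to compare notes. The following checker is an added example written for this page, not ASA software or anything posted in the thread. It parses only the address forms used here (any, host, address plus netmask, object), the OBJECTS and ACL lines are constructed from the thread's config, and PEER_ACL is a hypothetical mirror since the original poster has no access to the peer side.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed input, copied from the objects and ACL lines in the thread.
OBJECTS: Dict[str, IPv4Net] = {
    "test_nat": ipaddress.ip_network("192.168.2.1/32"),     # object network test_nat
    "test_remote": ipaddress.ip_network("192.168.1.0/27"),  # object network test_remote
}
ORIGINAL_ACL = [
    "access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh",
    "access-list acl_test extended permit tcp any host 192.168.1.2 eq https",
]
CORRECTED_ACL = [
    "access-list acl_test extended permit ip object test_nat object test_remote",
]
# Hypothetical peer-side ACL (not on the page): the src/dst mirror of CORRECTED_ACL.
PEER_ACL = [
    "access-list acl_peer extended permit ip 192.168.1.0 255.255.255.224 host 192.168.2.1",
]


@dataclass(frozen=True)
class Ace:
    raw: str
    proto: str
    src: IPv4Net
    dst: IPv4Net
    src_port: Optional[str]
    dst_port: Optional[str]


def _addr(tokens: List[str], i: int, objects: Dict[str, IPv4Net]) -> Tuple[IPv4Net, int]:
    """Consume one ASA address specifier starting at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if t == "object":
        return objects[tokens[i + 1]], i + 2
    # ASA netmask form "192.168.1.0 255.255.255.224"; ipaddress accepts "addr/dotted-mask".
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}"), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[str], int]:
    """Consume an optional 'eq PORT' following an address."""
    if i < len(tokens) and tokens[i] == "eq":
        return tokens[i + 1], i + 2
    return None, i


def parse_ace(line: str, objects: Dict[str, IPv4Net]) -> Ace:
    """Parse 'access-list NAME extended permit PROTO SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended" or tokens[3] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    proto = tokens[4].lower()
    src, i = _addr(tokens, 5, objects)
    src_port, i = _port(tokens, i)
    dst, i = _addr(tokens, i, objects)
    dst_port, i = _port(tokens, i)
    return Ace(line, proto, src, dst, src_port, dst_port)


def parse_acl(lines: List[str], objects: Dict[str, IPv4Net]) -> List[Ace]:
    return [parse_ace(line, objects) for line in lines]


def crypto_acl_problems(aces: List[Ace], nat_mapped: IPv4Net) -> List[str]:
    """Apply the thread's rules for a crypto (interesting-traffic) ACL:
    match on 'ip' only, no ports, no 'any', and the source is the NAT-translated address."""
    problems: List[str] = []
    for a in aces:
        if a.proto != "ip":
            problems.append(f"{a.raw!r}: crypto ACL must use 'ip', not '{a.proto}' (L4 match unsupported)")
        if a.src_port or a.dst_port:
            problems.append(f"{a.raw!r}: port match is not usable in a crypto ACL")
        if a.src.prefixlen == 0 or a.dst.prefixlen == 0:
            problems.append(f"{a.raw!r}: 'any' cannot be used for interesting traffic")
        if not a.src.subnet_of(nat_mapped):
            problems.append(f"{a.raw!r}: source {a.src} is not the NAT-translated address {nat_mapped}")
    return problems


def mirror_gaps(local: List[Ace], peer: List[Ace]) -> List[str]:
    """Return the local ACEs that have no exact src/dst-swapped counterpart on the peer."""
    swapped_peer = {(p.proto, p.dst, p.src) for p in peer}
    return [a.raw for a in local if (a.proto, a.src, a.dst) not in swapped_peer]


if __name__ == "__main__":
    nat = OBJECTS["test_nat"]
    for msg in crypto_acl_problems(parse_acl(ORIGINAL_ACL, OBJECTS), nat):
        print("original:", msg)
    print("corrected:", crypto_acl_problems(parse_acl(CORRECTED_ACL, OBJECTS), nat))
    print("mirror gaps:", mirror_gaps(parse_acl(CORRECTED_ACL, OBJECTS), parse_acl(PEER_ACL, OBJECTS)))
```

Running it reports four problems for each of the two original "tcp ... eq" lines (protocol, port, "any" source, source not the NAT address), none for the corrected line, and no mirror gaps against the hypothetical peer ACL. Feeding the peer's real ACL into mirror_gaps is the quickest way to find a proxy-ID mismatch once the third party shares it.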

Config is almost identical to this now. Not working though currently. Attaching Debug info below.

@m.s.rees1 can you enable debugs, attempt to establish the VPN and provide the debug output?

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

Is the IKEv2 protocol enabled under the group-policy (possibly DfltGrpPolicy if you do not have a specific policy)?

Also check that the crypto map is enabled on the outside interface.

crypto map outside_tunnels interface <outside if>