VPN - IPSec Packets decrypting but not encrypting

BHconsultants88
Level 1

Hi guys

 

I'm looking for a bit of support on an issue I've come across with a site to site setup.

 

Site A - 10.20.4.0 /24

HQ - Cisco ASA

Site B - 192.168.142.0 /24

 

The general problem is that Site A can ping Site B but Site B is unable to ping Site A. There is an IPSec tunnel between Site A and HQ and between Site B and HQ. The ASA handles all the access lists and NAT rules.

 

I've spent a few days working on this and it appears to come down to routing or a rogue NAT rule. I've attached the full ASA configuration but also included each tunnel configuration below. You'll see that we are seeing decrypt/encrypt packets in both directions for Calverton, but the Formac tunnel hardly has any encrypted packets.

 

Could someone point me in the right direction please? This is my first VPN setup of this magnitude, so I'm keen to understand what I'm missing. I'm thinking of adding a route for 192.168.142.0 /24 but unsure whether this needs to be on the Calverton router or on the ASA.

 

Calverton tunnel

===================================================================================

vpn# show crypto ipsec sa peer 81.149.11.243

peer address: 81.149.11.243

    Crypto map tag: external-vpns, seq num: 320, local addr: 195.12.22.33

 

      access-list 81.149.11.243_Calverton extended permit ip any 10.20.4.0 255.255.255.0

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.20.4.0/255.255.255.0/0/0)

      current_peer: 81.149.11.243

 

 

      #pkts encaps: 1328821, #pkts encrypt: 1328821, #pkts digest: 1328821

      #pkts decaps: 1080096, #pkts decrypt: 1080095, #pkts verify: 1080095

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 1328821, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 1

 

      local crypto endpt.: 195.12.22.33/0, remote crypto endpt.: 81.149.11.243/0

      path mtu 1500, ipsec overhead 74(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 1160007E

      current inbound spi : AE22A2A8

 

    inbound esp sas:

      spi: 0xAE22A2A8 (2921505448)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 3293184, crypto-map: external-vpns

         sa timing: remaining key lifetime (kB/sec): (4373967/26613)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x1160007E (291504254)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 3293184, crypto-map: external-vpns

         sa timing: remaining key lifetime (kB/sec): (4373975/26613)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

===================================================================================

 

 

Formac tunnel

===================================================================================

vpn# show crypto ipsec sa peer 35.176.80.84

peer address: 35.176.80.84

   Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33

 

      access-list Formac extended permit ip any 192.168.142.0 255.255.255.0

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)

      current_peer: 35.176.80.84

 

 

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14

      #pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500

      path mtu 1500, ipsec overhead 82(52), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 2F61A8A2

      current inbound spi : E53C5820

 

    inbound esp sas:

      spi: 0xE53C5820 (3845937184)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }

         slot: 0, conn_id: 221884416, crypto-map: external-vpns

         sa timing: remaining key lifetime (kB/sec): (4373827/2522)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x2F61A8A2 (794929314)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }

         slot: 0, conn_id: 221884416, crypto-map: external-vpns

         sa timing: remaining key lifetime (kB/sec): (4374000/2522)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

===================================================================================

 

 

Many thanks in advance.

B
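As an added example (not part of the original post or of any Cisco tooling), the Python below parses `show crypto ipsec sa` output of the shape pasted above and flags the symptom described in the question: a peer whose encap counter is tiny next to its decap counter. That pattern means the hub is decrypting what the spoke sends but almost never encrypting anything back to it, so the return traffic is being dropped, routed elsewhere or translated before it reaches the crypto map, rather than a problem with the SA itself. The sample text is constructed from the counters shown in the post; the 5% threshold is an assumption.

```python
import re
from typing import Dict

# Constructed sample input: the two peer sections from the original post,
# trimmed to the lines this script reads (same counters as shown above).
SAMPLE_OUTPUT = """\
peer address: 81.149.11.243
    Crypto map tag: external-vpns, seq num: 320, local addr: 195.12.22.33
      access-list 81.149.11.243_Calverton extended permit ip any 10.20.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.4.0/255.255.255.0/0/0)
      #pkts encaps: 1328821, #pkts encrypt: 1328821, #pkts digest: 1328821
      #pkts decaps: 1080096, #pkts decrypt: 1080095, #pkts verify: 1080095
      #send errors: 0, #recv errors: 1
peer address: 35.176.80.84
   Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33
      access-list Formac extended permit ip any 192.168.142.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708
      #send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"^\s*peer address:\s*(\S+)", re.MULTILINE)
FIELD_RES = {
    "acl": re.compile(r"access-list\s+(\S+)\s+extended"),
    "local_ident": re.compile(r"local ident[^:]*:\s*\(([^)]*)\)"),
    "remote_ident": re.compile(r"remote ident[^:]*:\s*\(([^)]*)\)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors:\s*(\d+)"),
}
COUNTERS = {"encaps", "decaps", "recv_errors"}


def parse_ipsec_sa(text: str) -> Dict[str, dict]:
    """Split `show crypto ipsec sa` output into one record per peer address."""
    peers: Dict[str, dict] = {}
    starts = list(PEER_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        section = text[m.end():end]
        record = {}
        for key, rx in FIELD_RES.items():
            hit = rx.search(section)
            if hit:
                record[key] = int(hit.group(1)) if key in COUNTERS else hit.group(1)
        peers[m.group(1)] = record
    return peers


def find_one_way_tunnels(peers: Dict[str, dict], ratio: float = 0.05) -> Dict[str, str]:
    """Flag peers whose traffic is lopsided: one direction below `ratio` of the other.

    'low_outbound' means the hub decrypts plenty from the peer but encrypts almost
    nothing back, i.e. return traffic never reaches this SA (routing, NAT or crypto
    ACL mismatch on the hub side); 'low_inbound' is the mirror image.
    """
    flags = {}
    for peer, rec in peers.items():
        enc, dec = rec.get("encaps", 0), rec.get("decaps", 0)
        if enc == 0 and dec == 0:
            flags[peer] = "idle"
        elif enc < ratio * dec:
            flags[peer] = "low_outbound"
        elif dec < ratio * enc:
            flags[peer] = "low_inbound"
    return flags


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_OUTPUT)
    for peer, verdict in find_one_way_tunnels(parsed).items():
        rec = parsed[peer]
        print(f"{peer} ({rec.get('acl')}): {verdict} "
              f"encaps={rec.get('encaps')} decaps={rec.get('decaps')} "
              f"remote={rec.get('remote_ident')}")
```

Run against the sample, only the Formac peer (35.176.80.84) is reported as `low_outbound`; the Calverton counters are within the threshold of each other. Feeding it the full command output from a hub with many peers gives a quick list of which tunnels to look at first.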

 

9 Replies

Where is 192.168.142.0/24 located? Is it accessed through the inside interface or on another site-to-site VPN? If it is accessed through the inside interface then you are missing a route to this subnet.

--
Please remember to select a correct answer and rate helpful posts

Many thanks for the reply.

 

Site A = Calverton 10.20.4.0 /24

Site B = Formac 192.168.142.0 /24

 

Formac subnet is on another site to site VPN. Traffic should tunnel from Formac to ASA, then back to Calverton via its own tunnel on outside interface. 

 

 

Hi,

I quickly saw your configuration and I didn't find NAT 0 (no-proxy-arp) rules for the same. 

The statement will look like:

nat (inside,any) source static <local Subnet> destination static <destination> no-proxy-arp

 

Regards,

Deepak Kumar

 

Don't forget to vote and accept the solution if this comment will help you!

Philip D'Ath
VIP Alumni

Could you post the config for site B as well please.

 

My guess is one (or both) of:

  • Traffic is being NATed on site B when it should be excluded from NAT
  • An ACL is not permitting the traffic.

Thanks very much for the reply. I've attached the Site B tunnel configuration (AWS platform).

 

I will look into the couple of potential issues you pointed out and will feedback shortly.

Could this be caused by the Site A router not having the Formac subnet defined in its encryption domain?

For starters, you don't seem to have the 10.20.4.0/24 subnet as a local subnet in the crypto ACL for peer 81.49.11.243. May I suggest consolidating some of these object-groups so that NAT and crypto ACLs use the same groups for specific VPNs. It makes it a bit easier to read (just my two cents).

 

crypto map external-vpns 320 match address 81.49.11.243_Calverton
crypto map external-vpns 320 set peer 81.49.11.243
crypto map external-vpns 320 set ikev1 transform-set ESP-AES-256-SHA
crypto map external-vpns 320 set security-association lifetime seconds 28800
crypto map external-vpns 320 set security-association lifetime kilobytes 4608000

 

access-list 81.49.11.243_Calverton extended permit ip any object-group Calverton-remote
access-list 81.49.11.243_Calverton extended permit ip object-group Calverton-local object-group Calverton-remote

 

object-group network Calverton-local
network-object 10.99.206.0 255.255.255.0
network-object 192.168.142.0 255.255.255.0

 

object-group network Calverton-remote
network-object 10.20.4.0 255.255.255.0

 

object-group network formac-remote
network-object 192.168.142.0 255.255.255.0

 

object-group network DIGI_VPN_SITES
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
network-object 10.20.12.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0

 

nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
nat (outside,outside) source static formac-remote formac-remote destination static DIGI_VPN_SITES DIGI_VPN_SITES

 

--
Please remember to select a correct answer and rate helpful posts
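The replies about NAT exemption and about the crypto ACLs boil down to a checklist for spoke-to-spoke traffic hairpinned through the ASA: the hub's crypto ACL for each tunnel has to cover the other spoke's subnet on its local side, each spoke's own encryption domain has to list the other spoke's subnet as remote, and the hairpinned pair has to be identity-NATed on the hub. The Python below, an added example that is neither from this thread nor from Cisco, encodes that checklist and runs it against the hub ACLs and NAT rules quoted above. The spoke encryption domains are constructed (the attached spoke configs are not on the page); the Calverton entry deliberately omits the Formac subnet so the output shows what the hypothesis in the question would look like.

```python
import ipaddress
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (local, remote) networks in CIDR form; "any" = 0.0.0.0/0


def net(cidr: str) -> ipaddress.IPv4Network:
    """Turn an ACL operand into a network object; 'any' is the default route."""
    return ipaddress.IPv4Network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(entries: List[Pair], local: str, remote: str) -> bool:
    """True if at least one (local, remote) entry contains both networks entirely."""
    l, r = net(local), net(remote)
    return any(l.subnet_of(net(el)) and r.subnet_of(net(er)) for el, er in entries)


def check_spoke_to_spoke(hub_acls: Dict[str, List[Pair]],
                         spoke_acls: Dict[str, List[Pair]],
                         hub_nat_exempt: List[Pair],
                         sites: Dict[str, str]) -> List[str]:
    """Check every ordered spoke pair; returns one line per missing condition."""
    problems: List[str] = []
    names = list(sites)
    for this in names:
        for other in names:
            if other == this:
                continue
            s_net, o_net = sites[this], sites[other]
            # Hub side of the tunnel to `this`: the other spoke's subnet is the "local"
            # side of the proxy identity (the `any` source in the OP's ACLs satisfies this).
            if not covers(hub_acls[this], o_net, s_net):
                problems.append(f"hub crypto ACL for {this} lacks {o_net} -> {s_net}")
            # Spoke side: its encryption domain must list the other spoke as remote.
            if not covers(spoke_acls[this], s_net, o_net):
                problems.append(f"spoke {this} encryption domain lacks {s_net} -> {o_net}")
            # Hairpinned traffic must be identity-NATed (exempt) on the hub.
            if not covers(hub_nat_exempt, o_net, s_net):
                problems.append(f"hub NAT exemption missing for {o_net} -> {s_net}")
    return problems


# Hub data taken from the crypto ACLs and NAT rules quoted in the thread.
SITES = {"Calverton": "10.20.4.0/24", "Formac": "192.168.142.0/24"}
HUB_ACLS = {
    "Calverton": [("any", "10.20.4.0/24")],      # access-list 81.49.11.243_Calverton
    "Formac": [("any", "192.168.142.0/24")],     # access-list Formac
}
HUB_NAT_EXEMPT = [  # the two nat (outside,outside) identity rules, reduced to these sites
    ("10.20.4.0/24", "192.168.142.0/24"),
    ("192.168.142.0/24", "10.20.4.0/24"),
]
# Constructed spoke encryption domains (the real spoke configs are attachments not on
# the page). Calverton is deliberately missing the Formac subnet on its remote side.
SPOKE_ACLS = {
    "Calverton": [("10.20.4.0/24", "10.99.206.0/24")],
    "Formac": [("192.168.142.0/24", "10.20.4.0/24")],
}

if __name__ == "__main__":
    for line in check_spoke_to_spoke(HUB_ACLS, SPOKE_ACLS, HUB_NAT_EXEMPT, SITES) or ["ok"]:
        print(line)
```

With the constructed data the only finding is the Calverton spoke's missing remote entry; adding `("10.20.4.0/24", "192.168.142.0/24")` to its list clears it, and dropping the hub NAT rules produces two findings, one per direction, because the ASA evaluates the hairpin in both directions separately. The model is a desk check of the policy objects only; on the ASA itself the same question is answered per flow with `packet-tracer input outside icmp <Formac host> 8 0 <Calverton host>`, which shows the NAT and crypto phases the packet actually hits.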

Sorry, I saw that you have an any defined for source and I forgot to edit out the first sentence.  I am now looking at the AWS file and see something odd, the public IP on the ASA (195.112.22.33) doesn't match what I see on the AWS (195.12.22.33) side, is this a typo?

 

on ASA

interface GigabitEthernet0/0
description OUTSIDE
duplex full
nameif outside
security-level 0
ip address 195.112.22.33 255.255.255.224 standby 195.112.22.34

 

on AWS

Outside IP Addresses:
- Customer Gateway : 195.12.22.33
- Virtual Private Gateway : 35.176.80.84

 

--
Please remember to select a correct answer and rate helpful posts

Ah yes that was a typo. Correct IP is 195.12.22.33
