06-24-2017 03:30 AM
I have a VPN tunnel that works one way; I suspect the problem is overlapping subnets. I've tried adding the subnets individually to the ACL to avoid this situation, but when I do I get the following error and the VPN fails at phase 2. My question is: is this going to work, or is there a better solution? I'm trying to keep the solution simple, as ideally I would like to keep the same IP subnets because of the servers already there at the remote site.
The error is: rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.31.0.0/255.255.128.0/0/0 local proxy 10.0.0.0/255.128.0.0/0/0 on interface internet
For the ASA I created a new network object that contained the individual subnets that I need on the HQ network and added them in the GUI:
10.28.8.0 255.255.248.0
10.30.0.0 255.255.255.0
10.31.130.0 255.255.128.0
On the 887 router I did the same, so the original is below:
ip access-list extended VPN-TRAFFIC
permit ip 10.31.0.0 0.0.127.255 10.28.0.0 0.3.255.255
and the new one is here:
ip access-list extended VPN-TRAFFIC
permit ip 10.31.0.0 0.0.127.255 10.28.8.0 0.127.255.255
permit ip 10.31.0.0 0.0.127.255 10.30.0.0 0.0.255.255
permit ip 10.31.0.0 0.0.127.255 10.31.130.0 0.255.255.255
Cisco IOS crypto map:
crypto map vpn-to-hq 10 ipsec-isakmp
set peer 7.7.7.7
set transform-set TS
match address VPN-TRAFFIC
06-24-2017 04:35 AM
Can you paste the ASA crypto ACL also?
There seem to be some differences in the masks. On the IOS side:
10.28.8.0 0.127.255.255
10.30.0.0 0.0.255.255
10.31.130.0 0.255.255.255
ASA side:
10.28.8.0 255.255.248.0
10.30.0.0 255.255.255.0
10.31.130.0 255.255.128.0
On the IOS side the wildcard masks should really be:
10.28.8.0 0.0.7.255
10.30.0.0 0.0.0.255
10.31.130.0 0.0.127.255
06-24-2017 05:11 AM
Thanks for the response Rahul, I think you're right about the wildcards; here's the ASA side. Can it work with multiple subnets then? The ASA config is the one that currently works one way.
Cheers
crypto ipsec ikev1 transform-set VPN-TRANS1 esp-3des esp-sha-hmac
crypto ikev1 enable internet
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
group-policy GP_v1lancaster internal
group-policy GP_v1lancaster attributes
vpn-tunnel-protocol ikev1
tunnel-group 8.8.8.8 type ipsec-l2l
tunnel-group 8.8.8.8 general-attributes
default-group-policy GP_v1lancaster
tunnel-group 8.8.8.8 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive threshold 10 retry 5
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_10.28.0.0_14 object NETWORK_OBJ_10.31.0.0_17
crypto map out_map 1 match address outside_cryptomap
crypto map out_map 1 set peer 8.8.8.8
crypto map out_map 1 set ikev1 transform-set VPN-TRANS1
crypto map out_map 1 set security-association lifetime seconds 3600
crypto map out_map 1 set nat-t-disable
crypto map out_map interface internet
06-24-2017 06:36 AM
Yes, you can use multiple subnets. Just add the right networks as additional ACL entries alongside the following:
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_10.28.0.0_14 object NETWORK_OBJ_10.31.0.0_17
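The two points made in this thread (Rahul's correction of the IOS wildcard masks, and the answer that each extra subnet simply needs its own mirror-image crypto ACL entry) can be checked mechanically before touching the devices. The script below is an added example, not part of the thread or of any Cisco tool: it normalises an IOS crypto ACL (wildcard masks) and an ASA crypto ACL (subnet masks) to CIDR networks, reports every IOS entry that has no mirror-image ASA entry (the condition behind the "no matching crypto map entry for remote proxy ... local proxy ..." message), flags entries whose local and remote selectors overlap, and generates the corrected IOS ACL from the ASA side. The sample ACLs are constructed from the values posted above; the ASA lines are written with explicit addresses rather than the NETWORK_OBJ_* objects, which is an assumption made for this example.

```python
"""Added example (not from the thread): check that the Phase 2 proxy IDs of a
Cisco IOS crypto ACL (wildcard masks) mirror those of a Cisco ASA crypto ACL
(subnet masks).  A non-mirrored pair is what the ASA logs as
"no matching crypto map entry for remote proxy ... local proxy ...".
The sample ACLs below are constructed from the thread; the ASA lines use
explicit addresses instead of network objects (an assumption for this example).
"""
import ipaddress
import re

# IOS and ASA extended ACL entries both read "permit ip SRC MASK DST MASK";
# the difference is that IOS masks are wildcards (0 bit = must match) and
# ASA masks are subnet masks (1 bit = must match).
ENTRY = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_netmask(wildcard: str) -> str:
    """0.0.7.255 -> 255.255.248.0 (bitwise complement; works in both directions)."""
    bits = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def to_network(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """Build the network the device will actually negotiate.

    strict=False mirrors what IOS/ASA do: the address is ANDed with the mask,
    so 10.28.8.0 with wildcard 0.127.255.255 silently becomes 10.0.0.0/9,
    which is exactly the "local proxy 10.0.0.0/255.128.0.0" in the ASA log.
    """
    try:
        return ipaddress.IPv4Network((addr, netmask), strict=False)
    except ipaddress.NetmaskValueError as exc:
        raise ValueError(f"non-contiguous mask {netmask} for {addr}") from exc


def parse_acl(text: str, wildcards: bool) -> list:
    """Return (source, destination) IPv4Network pairs, one per permit line."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:  # skips the 'ip access-list extended ...' header line
            continue
        src, smask, dst, dmask = m.groups()
        if wildcards:
            smask, dmask = wildcard_to_netmask(smask), wildcard_to_netmask(dmask)
        pairs.append((to_network(src, smask), to_network(dst, dmask)))
    return pairs


def unmatched_proxies(ios_acl: str, asa_acl: str) -> list[str]:
    """IOS entries with no mirror-image ASA entry, phrased like the ASA log.

    From the ASA's point of view the router's source is the remote proxy and
    the router's destination is the local proxy, so the matching ASA line
    must be (router-destination, router-source).
    """
    asa_pairs = set(parse_acl(asa_acl, wildcards=False))
    return [f"remote proxy {src} local proxy {dst}"
            for src, dst in parse_acl(ios_acl, wildcards=True)
            if (dst, src) not in asa_pairs]


def overlapping_proxies(acl: str, wildcards: bool) -> list[str]:
    """Entries whose local and remote selectors overlap (the suspected cause)."""
    return [f"{src} overlaps {dst}"
            for src, dst in parse_acl(acl, wildcards)
            if src.overlaps(dst)]


def ios_acl_from_asa(asa_acl: str, name: str = "VPN-TRAFFIC") -> str:
    """Generate the mirror-image IOS ACL, converting subnet masks to wildcards."""
    lines = [f"ip access-list extended {name}"]
    for local, remote in parse_acl(asa_acl, wildcards=False):
        lines.append(f" permit ip {remote.network_address} {remote.hostmask}"
                     f" {local.network_address} {local.hostmask}")
    return "\n".join(lines)


# Constructed inputs, taken from the values posted in the thread.
IOS_ACL_ORIGINAL = """\
ip access-list extended VPN-TRAFFIC
 permit ip 10.31.0.0 0.0.127.255 10.28.0.0 0.3.255.255
"""

IOS_ACL_AS_POSTED = """\
ip access-list extended VPN-TRAFFIC
 permit ip 10.31.0.0 0.0.127.255 10.28.8.0 0.127.255.255
 permit ip 10.31.0.0 0.0.127.255 10.30.0.0 0.0.255.255
 permit ip 10.31.0.0 0.0.127.255 10.31.130.0 0.255.255.255
"""

ASA_ACL = """\
access-list outside_cryptomap extended permit ip 10.28.8.0 255.255.248.0 10.31.0.0 255.255.128.0
access-list outside_cryptomap extended permit ip 10.30.0.0 255.255.255.0 10.31.0.0 255.255.128.0
access-list outside_cryptomap extended permit ip 10.31.130.0 255.255.128.0 10.31.0.0 255.255.128.0
"""

if __name__ == "__main__":
    for finding in overlapping_proxies(IOS_ACL_ORIGINAL, wildcards=True):
        print("original ACL overlap:", finding)
    for finding in unmatched_proxies(IOS_ACL_AS_POSTED, ASA_ACL):
        print("would be rejected:", finding)
    print(ios_acl_from_asa(ASA_ACL))
```

Run as-is, the script shows that the original /14 entry overlaps the remote 10.31.0.0/17, that all three posted wildcard entries would be rejected (the first of them as "remote proxy 10.31.0.0/17 local proxy 10.0.0.0/9"), and prints the corrected IOS ACL with 0.0.7.255, 0.0.0.255 and 0.0.127.255 wildcards. Note that 10.31.130.0 255.255.128.0 is normalised to 10.31.128.0/17, which is the network both devices actually negotiate for that object.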