P2P VPN Tunnel Giving Me Nightmares
darkerz
We have 50 of these, boilerplate configs. On this ASA, I have the tunnel UP and RUNNING.
Phase 1 good, Phase 2 good.
Traffic will not cross once the tunnel is up, neither for internet connectivity nor for VPN/LAN connectivity.
See configs below:
//////////
Asa 5505 config:
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
access-list encrypt_acl extended permit ip 10.250.37.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.250.37.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
tunnel-group xxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key xxxxxxx
crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer xxxx
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside
VPN Gate relevant configuration:
VPN Gate (50+ working connections just like this one)
name 10.250.37.0 xxxxx
object-group network xxxx
description xxxx
network-object 10.250.37.0 255.255.255.0
access-list Outside_cryptomap_82 extended permit ip any 10.250.37.0 255.255.255.0
route Outside 10.250.37.0 255.255.255.0 x.x.x.x 1
crypto map Outside_map0 82 match address Outside_cryptomap_82
crypto map Outside_map0 82 set pfs
crypto map Outside_map0 82 set peer x.x.x.x
crypto map Outside_map0 82 set transform-set xxxxx
crypto map Outside_map0 82 set phase1-mode aggressive
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
Since the tunnel is up I'm positive I'm destroying an ACL or NAT setting somewhere, but for the life of me I can't find it. The only thing I can think of is replacing the any statements on the ACLs and NAT to match specific objects and object groups on both sites.
Help?
Comments
darkerz
Here are the VPN Gate (far end) show commands:
VPN GATE
VPNgate3# sh isakmp sa detail
Active SA: 29
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 29
28 IKE Peer: 777777
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400
VPNgate3# sh ipsec sa peer 777777
peer address: 777777
Crypto map tag: Outside_map0, seq num: 8, local addr: 66666666
access-list Outside_cryptomap_3 extended permit ip any 10.250.37.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
current_peer: 777777
#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 66666666, remote crypto endpt.: 777777
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9071E74C
current inbound spi : F5863D5C
inbound esp sas:
spi: 0xF5863D5C (4119215452)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200077312, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3915000/28419)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x9071E74C (2423383884)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200077312, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3914986/28419)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Here are the ASA 5505 show commands:
ASA 5505
sdfsdfsdfsdf# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 66666666
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
gsdgsdfsdfsdf# sh ipsec sa peer 66666666
peer address: 66666666
Crypto map tag: IPSec_map, seq num: 10, local addr: 777777
access-list encrypt_acl extended permit ip 10.250.37.0 255.255.255.0 any
local ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 66666666
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 777777, remote crypto endpt.: 66666666
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: F5863D5C
current inbound spi : 9071E74C
inbound esp sas:
spi: 0x9071E74C (2423383884)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: IPSec_map
sa timing: remaining key lifetime (kB/sec): (4373992/28582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF5863D5C (4119215452)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: IPSec_map
sa timing: remaining key lifetime (kB/sec): (4374000/28582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
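The two `sh ipsec sa peer` outputs above already contain the answer to "which side do I look at": the VPN Gate shows encaps 226 / decaps 0 and the 5505 shows encaps 0 / decaps 126, so packets arrive and are decrypted at the 5505 but nothing is ever encrypted back. The script below is an added example, not part of darkerz's posts or Cisco's tooling: it parses the counter and proxy-identity lines from both ends (the sample text is copied from the outputs posted here, with the poster's redacted addresses kept as-is), checks that the Phase 2 selectors mirror each other, classifies each SA as idle, one-way or bidirectional, and names the side whose return path needs attention. The hub/spoke naming, the classification rules and the hints in the findings are assumptions of this example.

```python
"""Classify a Cisco ASA L2L IPsec SA as idle / one-way / bidirectional from
`show crypto ipsec sa` counters and point at the side whose return path is broken.
Added example for this thread; the rules below are this script's own heuristics."""
import re
from dataclasses import dataclass
from typing import List

# Sample inputs: the relevant lines from the two `sh ipsec sa peer` outputs
# posted in this thread (the peer addresses are the poster's own redactions).
VPN_GATE_SA = """\
peer address: 777777
Crypto map tag: Outside_map0, seq num: 8, local addr: 66666666
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

ASA5505_SA = """\
peer address: 66666666
Crypto map tag: IPSec_map, seq num: 10, local addr: 777777
local ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
#send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    peer: str          # remote crypto endpoint as printed by the ASA
    local_addr: str    # this ASA's own crypto endpoint
    local_ident: str   # Phase 2 proxy identity, local side
    remote_ident: str  # Phase 2 proxy identity, remote side
    encaps: int        # packets this ASA encrypted and sent into the tunnel
    decaps: int        # packets this ASA received and decrypted
    send_errors: int
    recv_errors: int


_FIELDS = {
    "peer": r"peer address:\s*(\S+)",
    "local_addr": r"local addr:\s*(\S+)",
    "local_ident": r"local ident \(addr/mask/prot/port\):\s*\(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\):\s*\(([^)]*)\)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
}
_INT_FIELDS = ("encaps", "decaps", "send_errors", "recv_errors")


def parse_sa(text: str) -> SaCounters:
    """Pull the endpoints, proxy identities and packet counters out of one SA's show output."""
    values = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field {name!r} not found in show output")
        values[name] = int(m.group(1)) if name in _INT_FIELDS else m.group(1)
    return SaCounters(**values)


def classify(sa: SaCounters) -> str:
    """Return idle / bidirectional / sending-only / receiving-only from this end's counters."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    if sa.encaps > 0 and sa.decaps > 0:
        return "bidirectional"
    return "sending-only" if sa.encaps > 0 else "receiving-only"


def proxy_ids_mirror(a: SaCounters, b: SaCounters) -> bool:
    """Phase 2 selectors must be exact mirrors, or each end matches a different SA."""
    return a.local_ident == b.remote_ident and a.remote_ident == b.local_ident


def diagnose(hub: SaCounters, spoke: SaCounters) -> List[str]:
    """Compare both ends of one SA and name the side to look at next (heuristics of this example)."""
    findings = []
    if not proxy_ids_mirror(hub, spoke):
        findings.append("proxy identities are not mirrored; fix the crypto ACLs before anything else")
    if hub.send_errors or hub.recv_errors or spoke.send_errors or spoke.recv_errors:
        findings.append("ESP send/recv errors present: suspect MTU, replay window or a stale SA pair")
    states = (classify(hub), classify(spoke))
    if states == ("idle", "idle"):
        findings.append("no packets either way: nothing matched the crypto ACL "
                        "(check the interesting-traffic ACL and the nat 0 exemption)")
    elif states in (("sending-only", "receiving-only"), ("receiving-only", "sending-only")):
        sender, receiver = (hub, spoke) if states[0] == "sending-only" else (spoke, hub)
        # Tunnel crypto is fine: the receiving ASA decrypts but never sends a reply.
        # Look at its return path; if the test target is that ASA's own inside
        # interface, it needs management-access inside (the fix reported in this thread).
        findings.append(f"{sender.local_addr} encrypts and {receiver.local_addr} decrypts but never replies: "
                        f"the tunnel is fine, check the return path on {receiver.local_addr} "
                        "(route, nat 0, inside ACL, target not answering, management-access inside)")
    elif "sending-only" in states and "idle" in states:
        findings.append("one side encrypts but the other decrypts nothing: ESP is lost in transit "
                        "(IP 50 / UDP 500/4500 filtered, or wrong peer)")
    if not findings:
        findings.append("counters increase in both directions on both ends; the tunnel is not the problem")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_sa(VPN_GATE_SA), parse_sa(ASA5505_SA)):
        print(line)
```

Paste any other pair of `show crypto ipsec sa peer` outputs into the two strings and the same checks apply; the selector-mirror test catches the classic "Phase 2 up but wrong SA" case before you start chasing NAT.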
darkerz
Problem solved.
Apparently Cisco ASA 8.2 needs a management-access inside command to work with P2P VPN tunnels.
I knew it was something stupidly simple. Working with enterprise-class Sonicwall and Fortinet firewall products and doing IPSec tunnels with IOS and ASA platforms, this was driving ME INSANE.
All works now.