GRE/IPSec connection through ASA

Unanswered Question
Apr 8th, 2010

Hi,


I am trying to establish a GRE / IPSec VPN connection between two routers. One VPN end is behind an ASA firewall. I would like to allow the GRE / IPSec VPN packets through the firewall.


I have allowed the following ports through the firewall.


access-list inbound extended permit esp any any
access-list inbound  extended permit udp any any eq isakmp
access-list inbound  extended permit udp any any eq 4500

access-group inbound in interface outside


I have also tried sysopt connection permit-ipsec


But nothing worked for me. Any suggestions...?


I am aware that this topic has been discussed several times. But since none of them really helped me, I am opening this topic.


Cheers

Nimal

nimalrajphilips Thu, 04/08/2010 - 07:16

My topology has the firewall at one side only. Meaning, the router is behind the ASA at one end. At the remote end, the router is directly connected to the internet.

Can I use the same config for the topology I mentioned?


Can I use any other routing protocols than OSPF?

francisco_1 Thu, 04/08/2010 - 07:36

The configuration example is for PIX 6.3, but you could use it as a template for your configuration; just that the command syntax for the ASA version might be slightly different. Have you tried allowing GRE on the ASA between the routers?

nimalrajphilips Thu, 04/08/2010 - 07:46

Yes, I have tried GRE with no luck.


Do I have to open any other ports? Or any other additional commands apart from access-lists?

nimalrajphilips Thu, 04/08/2010 - 07:58

Head Office ASA5520



object-group service VPN
service-object udp eq isakmp
service-object esp
service-object udp eq 4500
service-object gre


access-list outside_access_in extended permit object-group VPN host 84.92.192.145 host HubRouter_Public


static (inside,outside) aa.bb.cc.dd w.x.y.z netmask 255.255.255.255


Head Office Router



crypto isakmp policy 10
    encryption aes 128
    authentication pre-share
    group 5
    lifetime 86400


crypto isakmp key **** address a.b.c.d


crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac


crypto ipsec profile TestProfile
    set transform-set 10


interface Tunnel10
    ip address 192.168.10.1 255.255.255.252
    tunnel source w.x.y.z
    tunnel destination a.b.c.d
    tunnel protection ipsec profile TestProfile


Remote Office Router


crypto isakmp policy 10
    encryption aes 128
    authentication pre-share
    group 5
    lifetime 86400


crypto isakmp key **** address w.x.y.z


crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac


crypto ipsec profile TestProfile
    set transform-set 10


interface Tunnel10
    ip address 192.168.10.2 255.255.255.252
    tunnel source a.b.c.d
    tunnel destination w.x.y.z
    tunnel protection ipsec profile TestProfile


For your information, if I remove the IPSec protection on the tunnel, I can ping through the tunnel. Once I enable the protection, I can't.
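Two things in the configuration above deserve a check before the ASA access-list gets any more entries. The transform set includes ah-sha-hmac, and the hub router's tunnel source is the real (inside) address of an ASA static translation. AH (RFC 4302) computes its integrity check over the outer IP addresses, so it cannot pass through any NAT; IPsec NAT traversal (UDP 4500) encapsulates ESP only. As posted, the remote router's ISAKMP peer address and tunnel destination are also that pre-NAT address; the thread does not say whether that is just how the addresses were sanitised, so it is only reported, not diagnosed. The Python checker below is an added example, not code from the thread or from Cisco: it parses the handful of IOS and ASA lines involved and reports those two points plus any protocol the ASA policy does not pass for the configured transform set. The three sample configurations inside it are constructed, modelled on the posted ones with RFC 5737 documentation addresses; the function and variable names are the example's own.

```python
"""Cross-check a GRE-over-IPsec router pair against the ASA in front of the hub.

Added example for this thread, not code from the thread or from Cisco. The
sample configs are constructed (RFC 5737 addresses), modelled on the posted ones.
"""
import re
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, int]          # (ip protocol name, udp/tcp port or 0)
PORT_NAMES = {"isakmp": 500}    # the ASA shows IKE's UDP port by name

HUB_CFG = """\
crypto isakmp key SECRET address 198.51.100.1
crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac
interface Tunnel10
 tunnel source 10.10.10.2
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile TestProfile
"""
REMOTE_CFG = """\
crypto isakmp key SECRET address 10.10.10.2
crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac
interface Tunnel10
 tunnel source 198.51.100.1
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile TestProfile
"""
ASA_CFG = """\
object-group service VPN
 service-object udp eq isakmp
 service-object esp
 service-object udp eq 4500
 service-object gre
access-list outside_access_in extended permit object-group VPN host 198.51.100.1 host 203.0.113.10
access-group outside_access_in in interface outside
static (inside,outside) 203.0.113.10 10.10.10.2 netmask 255.255.255.255
"""


def required_flows(ios_cfg: str) -> Set[Flow]:
    """IKE plus whatever IPsec protocols the configured transform sets use."""
    flows = {("udp", 500), ("udp", 4500)}          # ISAKMP and NAT-T
    for m in re.finditer(r"(?m)^crypto ipsec transform-set \S+ (.+)$", ios_cfg):
        for transform in m.group(1).split():
            if transform.startswith("esp-"):
                flows.add(("esp", 0))
            elif transform.startswith("ah-"):
                flows.add(("ah", 0))
    return flows


def allowed_flows(asa_cfg: str) -> Set[Flow]:
    """Flows from 'permit <proto> any any [eq port]' ACL lines and from
    service-object lines, the two styles used in the thread."""
    pat = (r"(?m)^\s*(?:access-list \S+ extended permit|service-object) "
           r"(\S+)(?: any any)?(?: eq (\S+))?")
    flows = set()
    for proto, port in re.findall(pat, asa_cfg):
        if proto == "object-group":     # members are parsed from their own lines
            continue
        port = PORT_NAMES.get(port, port)
        flows.add((proto, int(port) if port else 0))
    return flows


def nat_findings(hub_cfg: str, remote_cfg: str, asa_cfg: str) -> List[str]:
    """AH behind NAT, and a remote peer aimed at the hub's pre-NAT address."""
    findings = []
    # ASA 8.2 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask ...
    statics = {real: mapped for mapped, real in
               re.findall(r"(?m)^static \(\S+\) (\S+) (\S+) netmask", asa_cfg)}
    uses_ah = ("ah", 0) in required_flows(hub_cfg)
    for real in re.findall(r"(?m)^\s*tunnel source (\S+)", hub_cfg):
        mapped = statics.get(real)
        if mapped is None:
            continue
        if uses_ah:
            findings.append(f"AH with tunnel source {real} translated to {mapped}: "
                            "AH authenticates the outer addresses, so NAT breaks it; "
                            "use an ESP-only transform set")
        for label, pat in (("tunnel destination", r"tunnel destination"),
                           ("isakmp peer address", r"crypto isakmp key \S+ address")):
            if re.search(rf"(?m)^\s*{pat} {re.escape(real)}\b", remote_cfg):
                findings.append(f"remote {label} is the pre-NAT address {real}; "
                                f"from outside the hub is {mapped}")
    return findings


def report(hub_cfg: str, remote_cfg: str, asa_cfg: str) -> Dict[str, list]:
    """Protocols the ASA policy lacks, plus the NAT/AH findings."""
    return {"missing_on_asa": sorted(required_flows(hub_cfg) - allowed_flows(asa_cfg)),
            "findings": nat_findings(hub_cfg, remote_cfg, asa_cfg)}


if __name__ == "__main__":
    for key, value in report(HUB_CFG, REMOTE_CFG, ASA_CFG).items():
        print(key, value)
```

On the sample input the report lists AH (IP protocol 51) as missing from the ASA policy and raises the three findings described in the lead-in. Two further points the output makes concrete: with `tunnel protection` applied to a GRE interface the GRE packet travels inside ESP, so the ASA sees ESP plus UDP 500/4500 and a `permit gre` is harmless but not what carries the tunnel; and `sysopt connection permit-ipsec` only exempts traffic that the ASA itself decrypts from the interface access-list, so it does nothing for IPsec that merely passes through to a router behind it.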

nimalrajphilips Fri, 04/09/2010 - 01:47

I have tried this already with no luck.


For your information, once I applied the IPSec protection to the tunnel, the "show ip int brief" command shows the tunnel as up/up.


Does that mean the IPSec tunnel is up?

Jennifer Halim Fri, 04/09/2010 - 01:52

Since it's GRE over IPSec, please check if the IPSec is UP.


To check phase 1: show crypto isa sa   --> status should be QM_IDLE

To check phase 2: show crypto ipsec sa --> check if there is encrypts and decrypts


I would test to ping the peer tunnel interface from the router and see if you have replies.
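The two checks above are easier to act on as a verdict than as raw counters. The Python below is an added example, not code from the thread or from Cisco: it parses `show crypto ipsec sa` output in both the ASA layout (the one quoted later in the thread for FW1 and FW2) and the IOS router layout, and returns the condition to investigate next. Both samples inside it are constructed with RFC 5737 addresses; the second reproduces the symptom reported in this thread, QM_IDLE at phase 1 with zero encrypts and decrypts and a growing send-error counter.

```python
"""Turn 'show crypto ipsec sa' counters into a verdict.

Added example for this thread, not code from the thread or from Cisco.
Both samples are constructed (RFC 5737 addresses) in the layouts the ASA and
an IOS router print.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed, ASA layout: a working SA (two spi lines, traffic both ways).
HEALTHY_ASA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      current_peer: 192.168.2.1

      #pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x4A7E2B10 (1249847056)
    outbound esp sas:
      spi: 0x9C03F1D2 (2617700818)
"""

# Constructed, IOS layout: the symptom from this thread. Phase 1 may be
# QM_IDLE, but no phase 2 SA exists and every packet is a send error.
BROKEN_IOS = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 203.0.113.2

   local  ident (addr/mask/prot/port): (203.0.113.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/47/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 37, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""


@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    sas: int            # installed SAs: 'spi:' lines with a non-zero value


def _counter(chunk: str, label: str) -> int:
    """Read '#<label>: N' (ASA) or '#<label> N' (IOS); 0 if absent."""
    m = re.search(r"#" + re.escape(label) + r"\s*:?\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def parse_crypto_ipsec_sa(text: str) -> List[SaCounters]:
    """One SaCounters per crypto-map entry; each starts at 'Crypto map tag:'."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        peer = re.search(r"current_peer[:\s]+([\d.]+)", chunk)
        # Anchoring at line start skips 'current outbound spi: 0x0(0)'.
        spis = re.findall(r"(?m)^\s*spi:\s*0x([0-9A-Fa-f]+)", chunk)
        entries.append(SaCounters(
            peer=peer.group(1) if peer else "?",
            encaps=_counter(chunk, "pkts encaps"),
            decaps=_counter(chunk, "pkts decaps"),
            send_errors=_counter(chunk, "send errors"),
            recv_errors=_counter(chunk, "recv errors"),
            sas=sum(1 for s in spis if int(s, 16) != 0),
        ))
    return entries


def diagnose(c: SaCounters) -> str:
    """Map the counters to the next thing to look at."""
    if c.sas == 0:
        return "NO_SA"          # phase 2 never completed: transforms, proxy IDs, NAT
    if c.encaps == 0 and c.send_errors > 0:
        return "SEND_ERRORS"    # SA present but packets cannot be encapsulated
    if c.encaps > 0 and c.decaps == 0:
        return "ONE_WAY_OUT"    # we encrypt, nothing returns: path, firewall or peer
    if c.encaps == 0 and c.decaps > 0:
        return "ONE_WAY_IN"     # peer reaches us, our traffic never hits the SA
    if c.encaps == 0 and c.decaps == 0:
        return "NO_TRAFFIC"     # SA up, nothing sent yet
    return "OK"


def summarize(text: str) -> List[Tuple[str, str, int, int, int]]:
    """(peer, verdict, encaps, decaps, send_errors) per entry."""
    return [(c.peer, diagnose(c), c.encaps, c.decaps, c.send_errors)
            for c in parse_crypto_ipsec_sa(text)]


if __name__ == "__main__":
    for sample in (HEALTHY_ASA, BROKEN_IOS):
        print(summarize(sample))
```

A GRE tunnel interface goes up/up as soon as the router has a route to the tunnel destination, independently of whether the IPsec SA protecting it exists (unless tunnel keepalives are configured), so `show ip int brief` says nothing about phase 2; `NO_SA` above is what that case looks like in `show crypto ipsec sa`.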

nimalrajphilips Fri, 04/09/2010 - 05:47

To answer halijenn's question,


"show crypto isakmp sa" shows the state as QM_IDLE. But "show crypto ipsec sa" has send errors. The numbers of encrypted and decrypted packets are 0. This is the same on both routers.

francisco_1 Fri, 04/09/2010 - 03:45

Hi nimalrajphilips,


Sorry for the delay. I worked late yesterday due to some ISP issues I was working on.


See below or attachment for lab results.


Francisco



R1   - R1 is connected to FW1 interface e1
###########################################

interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 2.2.2.2
!
interface Ethernet1/0
ip address 1.1.1.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.11.0 255.255.255.0 Tunnel0


R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:39    172.16.1.1      Tunnel0
R1#
R1#sh ip int bri
R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet1/0                1.1.1.2         YES NVRAM  up                    up
Ethernet2/0                unassigned      YES NVRAM  administratively down down
Loopback0                  192.168.10.1    YES manual up                    up
Tunnel0                    172.16.1.2      YES manual up                    up
R1#


R2   - R2 is connected to FW2 interface e1
#########################################


interface Loopback0
ip address 192.168.11.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 1.1.1.2
!
interface Ethernet1/0
ip address 2.2.2.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.10.0 255.255.255.0 Tunnel0


R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.17.1.1        0   FULL/  -        00:00:35    172.16.1.2      Tunnel0

R2#sh ip int bri
R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet1/0                2.2.2.2         YES NVRAM  up                    up
Ethernet2/0                unassigned      YES NVRAM  administratively down down
Loopback0                  192.168.11.1    YES manual up                    up
Tunnel0                    172.16.1.1      YES manual up                    up
R2#


FW1 - FW1 is connected to another switch between FW1&FW2 (Switch doing routing between Firewalls)
#################################################################################################


hostname FW1

!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0


global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 1.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.2.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *



FW1# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      access-list outside_cryptomap_10 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      current_peer: 192.168.2.1

      #pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 85, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1



FW2
###############

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 2.2.2.1 255.255.255.0
!
ftp mode passive
access-list outside_cryptomap_10 extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_cryptomap_10 extended permit gre 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 2.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.1.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
!



FW2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.2.1

      access-list outside_cryptomap_10 permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      current_peer: 192.168.1.1

      #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
      #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1

francisco_1 Fri, 04/09/2010 - 03:54

As you can see, R1 & R2 have established an OSPF session via the GRE tunnel interfaces over the IPsec tunnel between the firewalls.


Regards


Francisco

nimalrajphilips Fri, 04/09/2010 - 05:59

Francisco, my network design is like this, and my intention is to encrypt the packets between the routers.


My entire GRE/IPSec configuration is done on the routers, and I don't have any configuration regarding the VPN in the firewall. The firewall has the configuration to allow the GRE & IPSec related packets only.


Can I still achieve the results I am intending to get?


francisco_1 Fri, 04/09/2010 - 06:01

I have realised that. I am building your config now in the lab to test.
