cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6927
Views
0
Helpful
17
Replies

GRE/IPSec connection through ASA

nimalrajphilips
Level 1
Level 1

Hi,

I am trying to establish a GER / IPSec VPN connection between two routers. One the VPN end is behind a ASA firewall. I would like to allow the GRE / IPSec VPN packets through the firewall.

i have allowed the following following ports through firewall.

access-list inbound extended permit esp any any
access-list inbound  extended permit udp any any eq isakmp
access-list inbound  extended permit udp any any eq 4500

access-group inbound in interface outside

I have also tried sysopt connection permit-ipsec

But nothing worked for me. Any suggestions...?

I am aware that this topic has been discussed serveral times. But since, none of them really helped me, i am opening this topic.

Cheers

Nimal

17 Replies 17

francisco_1
Level 7
Level 7

My toplogy has the Firewall at one side only. Means, the router is behind the ASA at one end. At the remote end, the router is directly connected to the internet.

Can i use the same config, for the topolgy i mentioned?

Can i use any other routing protocols than OSPF?

The configuration example if for pix 6.3 but then you could use it as template for your configuration. just that the command syntax for the ASA version might be slightly different. Have you tried allow GRE on the ASA between the routers?

Yes, I have tried GRE with no luck.

Do i have to open any other ports? Or any other additional commands apart from Access-lists??

can you upload you config.

Head Office ASA5520

object-group service VPN
service-object udp eq isakmp
service-object esp
service-object udp eq 4500
service-object gre

access-list outside_access_in extended permit object-group VPN host 84.92.192.145 host HubRouter_Public

static (inside,outside) aa.bb.cc.dd w.x.y.z. netmask 255.255.255.255

Head Office Router

crypto isakmp policy 10
    encrypt aes 128
    auth pre
    gro 5
    life 86400

crypto isakmp key **** address a.b.c.d

crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac

crpyto ipsec profile TestProfile
    set transform-set 10

int tunnel 10
    ip address 192.168.10.1 255.255.255.252
    tunnel source w.x.y.z
    tunnel destination a.b.c.d
    tunnel protection ipsec profile TestProfile

Remote Office Router

crypto isakmp policy 10
    encrypt aes 128
    auth pre
    gro 5
    life 86400

crypto isakmp key **** address w.x.y.z

crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac

crpyto ipsec profile TestProfile
    set transform-set 10

int unnel 10
    ip address 192.168.10.2 255.255.255.252
    tunnel source a.b.c.d
    tunnel destination w.x.y.z
    tunnel protection ipsec profile TestProfile

For the information, if i remove the ipsec protection on the tunnel, i can ping through the tunnel. Once i enable the protection, I cant.

I am going to lab your setup. will come back to you..

Any updates about this..?

Please include "inspect ipsec-pass-thru" in your global policy-map.

I have tried this already with no luck.

For your information, once i applied the ipsec protection to tunnel, "show ip int brief" command shows the tunnel as  up/up.

Does that means, IPSec tunnel is up..?

Since it's GRE over IPSec, please check if the IPSec is UP.

To check phase 1: show crypto isa sa   --> status should be QM_IDLE

To check phase 2: show crypto ipsec sa --> check if there is encrypts and decrypts

I would test to ping the peer tunnel interface from the router and see if you have replies.

To answer halijenn's question,

"show crypto isakmp sa" shows the states as QM_IDLE. But the "show crypto ipsec sa" has send errors. Number of Encrypts and decrypts packets are 0. This is the same on both routers.

Hi nimalrajphilips,

Sorry for the delay. I worked late yerterday due to some ISP issues i was working on.

See below or attachment for lab results.

Francisco

R1   - R1 Is conencted to FW1 Interface e1
###########################################

interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 2.2.2.2
!
interface Ethernet1/0
ip address 1.1.1.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.11.0 255.255.255.0 Tunnel0

R1#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           0   FULL/  -        00:00:39    172.16.1.1      Tunnel0
R1#
R1#sh ip int bri
R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet1/0                1.1.1.2         YES NVRAM  up                    up
Ethernet2/0                unassigned      YES NVRAM  administratively down down
Loopback0                  192.168.10.1    YES manual up                    up
Tunnel0                    172.16.1.2      YES manual up                    up
R1#

R2  - R1 Is conencted to FW2 Interface e1
#########################################


interface Loopback0
ip address 192.168.11.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 1.1.1.2
!
interface Ethernet1/0
ip address 2.2.2.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.10.0 255.255.255.0 Tunnel0

R2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
172.17.1.1        0   FULL/  -        00:00:35    172.16.1.2      Tunnel0

R2#sh ip int bri
R2#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet1/0                2.2.2.2         YES NVRAM  up                    up
Ethernet2/0                unassigned      YES NVRAM  administratively down down
Loopback0                  192.168.11.1    YES manual up                    up
Tunnel0                    172.16.1.1      YES manual up                    up
R2#


FW1 - FW1 is connected to another switch between FW1&FW2 (Switch doing routing between Firewalls)
#################################################################################################


hostname FW1

!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0


global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 1.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.2.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *

FW1# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1

      access-list outside_cryptomap_10 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      current_peer: 192.168.2.1

      #pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
      #pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 85, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1


FW2
###############

interface Ethernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 2.2.2.1 255.255.255.0
!
ftp mode passive
access-list outside_cryptomap_10 extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_cryptomap_10 extended permit gre 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0

global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 2.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.1.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
!

FW2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.168.2.1

      access-list outside_cryptomap_10 permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
      current_peer: 192.168.1.1

      #pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
      #pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1

As you can see R1& R2 have established ospf session via the gre tunnel interfaces over the ipsec tunnel between the firewalls..

Regards

Francisco

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: