S2S VPN Query from Router to Router

ankurs2008
Level 1

Hi experts,

I have an issue: I am establishing a S2S VPN between 2 routers with an ASA in between them. There is no NAT configuration done on any of the routers; however, NAT is applied on the ASA. There is "no nat-control" on the ASA in addition to the below config, which will turn NAT on again:

nat (inside) 1 0 0

global (outside)1 interface

Also icmp, esp, udp 500 and 4500 are allowed on the ASA outside interface. The issue is that when I remove the NAT config, the S2S tunnel is established between the 2 routers; however, when the above mentioned NAT is enabled, the S2S tunnel is torn down.

Topology :

(30.30.30.1) R1(10.10.10.1)-----(Inside-10.10.10.2) ASA (Outside-20.20.20.2)----(20.20.20.1) R2 (40.40.40.1)

==================================================================

R2#ping 30.30.30.1 source lo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.30.30.1, timeout is 2 seconds:
Packet sent with a source address of 40.40.40.1

...........

Working debugs (without NAT on ASA)

03:06:29: ISAKMP: received ke message (1/1)
03:06:29: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
03:06:29: ISAKMP: Created a peer struct for 10.10.10.1, peer port 500
03:06:29: ISAKMP: Locking peer struct 0x82E5E04C, IKE refcount 1 for isakmp_initiator
03:06:29: ISAKMP: local port 500, remote port 500
03:06:29: ISAKMP: set new node 0 to QM_IDLE
03:06:29: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8283DAE8
03:06:29: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
03:06:29: ISAKMP: Looking for a matching key for 10.10.10.1 in default : success
03:06:29: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.10.10.1
03:06:29: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
03:06:29: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
03:06:29: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

03:06:29: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:06:29: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
03:06:29: ISAKMP (0:0): received packet from 10.10.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
03:06:29: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

===========================================================================================

Non working debugs (NAT on ASA)

02:38:40: ISAKMP: received ke message (1/1)
02:38:40: ISAKMP: set new node 0 to QM_IDLE
02:38:40: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 20.20.20.1, remote 10.10.10.1)
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:40: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
02:38:40: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:50: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:55: ISAKMP: quick mode timer expired.
02:38:55: ISAKMP:(0:0:N/A:0):src 20.20.20.1 dst 10.10.10.1, SA is not authenticated
02:38:55: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 10.10.10.1)
02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 10.10.10.1)
02:38:55: ISAKMP: Unlocking IKE struct 0x8283F5C0 for isadb_mark_sa_deleted(), count 0
02:38:55: ISAKMP: Deleting peer node by peer_reap for 10.10.10.1: 8283F5C0
02:38:55: ISAKMP:(0:0:N/A:0):deleting node -430173282 error FALSE reason "IKE deleted"
02:38:55: ISAKMP:(0:0:N/A:0):deleting node -1682555595 error FALSE reason "IKE deleted"
02:38:55: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
02:38:55: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

================================================================================================

I believe crypto ipsec nat-transparency udp-encapsulation is enabled by default for bypassing the NAT devices in between. Please help me as to whether I am missing something over here and guide me to rectify the same.
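The two debug captures above differ in one detail that is easy to miss by eye: in the working run the initiator receives a reply and moves from IKE_I_MM1 to IKE_I_MM2, while in the non-working run it only retransmits MM_NO_STATE and is finally torn down on "QM_TIMER expired". The following script is an added example (not part of the original post, and not a Cisco tool): it parses "debug crypto isakmp" output in the format quoted above and reports whether Phase 1 is progressing or the peer never answers the first Main Mode packet. The sample lines are constructed in that same format; the two classification labels are the script's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines in the format of Cisco IOS "debug crypto isakmp"
# output (same shape as the post's captures, not copied verbatim).
WORKING_DEBUG = """\
03:06:29: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
03:06:29: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
03:06:29: ISAKMP (0:0): received packet from 10.10.10.1 dport 500 sport 500 Global (I) MM_NO_STATE
03:06:29: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

BROKEN_DEBUG = """\
02:38:40: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:40: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:40: ISAKMP:(0:0:N/A:0): sending packet to 10.10.10.1 my_port 500 peer_port 500 (I) MM_NO_STATE
02:38:50: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
02:38:50: ISAKMP:(0:0:N/A:0):incrementing error counter on sa: retransmit phase 1
02:38:55: ISAKMP:(0:0:N/A:0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 10.10.10.1)
02:38:55: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SENT_RE = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV_RE = re.compile(r"received packet from (\S+) dport (\d+) sport (\d+)")
RETRANS_RE = re.compile(r"incrementing error counter on sa: retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')


@dataclass
class Phase1Summary:
    peer: str | None = None
    sent: int = 0
    received: int = 0
    retransmits: int = 0
    transitions: list[tuple[str, str]] = field(default_factory=list)
    delete_reason: str | None = None


def parse_isakmp_debug(text: str) -> Phase1Summary:
    """Count packets sent/received, Phase 1 retransmits, state transitions
    and the SA deletion reason from a debug capture."""
    s = Phase1Summary()
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            s.peer = m.group(1)
            s.sent += 1
        elif RECV_RE.search(line):
            s.received += 1
        elif RETRANS_RE.search(line):
            s.retransmits += 1
        elif m := DELETE_RE.search(line):
            s.delete_reason = m.group(1)
        if m := STATE_RE.search(line):
            s.transitions.append((m.group(1), m.group(2)))
    return s


def classify(s: Phase1Summary) -> tuple[str, str]:
    """Return (verdict, explanation). The verdict names are this script's own."""
    last_state = s.transitions[-1][1] if s.transitions else None
    if s.received > 0 and last_state != "IKE_DEST_SA":
        return "phase1_progressing", f"peer {s.peer} answered; initiator now in {last_state}"
    if s.received == 0 and s.retransmits > 0:
        return "no_reply_from_peer", (
            f"{s.retransmits} retransmit(s) of MM1 to {s.peer} with no packet back "
            f"(SA deleted: {s.delete_reason}); the first IKE packet or its reply is "
            "not crossing the path, so check NAT/filtering between the peers and "
            "'show crypto isakmp sa' on both routers")
    return "inconclusive", "not enough debug lines to decide"


if __name__ == "__main__":
    for name, capture in (("working", WORKING_DEBUG), ("non-working", BROKEN_DEBUG)):
        verdict, why = classify(parse_isakmp_debug(capture))
        print(f"{name}: {verdict}: {why}")
```

Run as-is, the script labels the first capture as progressing and the second as a one-sided conversation, which is the signature of a Phase 1 packet being dropped or mistranslated on the way, not of a proposal mismatch (a mismatch would still produce a reply from the peer).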

8 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

The NAT rule will force the traffic from the inside router to go through the Dynamic PAT process. Please try the following:

access-list nonat permit ip host

nat (inside) 0 access-list nonat

Hope this helps.

Regards,

NT

Jennifer Halim
Cisco Employee

Hi Ankur,

Based on your topology, if you have the NAT configured, then the IPSec tunnel can only be initiated from R1, because you would need to have static NAT configured to be able to initiate the VPN tunnel from the outside (R2). NAT is a dynamic translation and it's not bidirectional (it's only for outbound connections).

With NAT configured, the peer address for R2 also changes to the ASA outside interface.

Can you advise what the status of Phase 1 is (show cry isa sa), and the status of Phase 2 (if there is one, show cry ipsec sa)?

Lastly, you would also need to enable "inspect ipsec-pass-thru" on the ASA to pass through IPSec tunnel that is associated to the IKE connection:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721168

Hi halijenn / NT

Thanks for looking into this.

In the output of "sh cry isa sa", I get MM_NO_STATE. I have already tried enabling inspect ipsec-pass-thru in the ASA; however, no success. In addition to that, I thought that the traffic from R1 to R2 will be encrypted once it reaches the ASA inside (considering I initiate the traffic from R1), hence there is no requirement for "NAT 0 with ACL". Do I have to do a NONAT between the external IP addresses of R1 and R2 in the ASA? Also, I can understand that the traffic from R2 to R1 will be initiated only if I put a static NAT in the ASA; however, can you tell me what static I need to apply?

I have one more query. In a practical environment where there are 2 organizations / branches who are trying to set up a S2S tunnel between routers and they encounter a large number of NATTING devices as the intermediate hops between those 2 routers, do we need to configure a NONAT ACL and inspect ipsec-pass-thru on all those devices? I don't think so, as that's the reason NAT Traversal is there. Due to this reason, I didn't apply NONAT with ACL. According to my thought process, crypto ipsec nat-transparency udp-encapsulation on R1 and R2 will accomplish the same.

Please let me know regarding my query .

The NONAT ACL will not be for the actual traffic that you would like to encrypt (i.e. it's not for the local and remote subnets), but it would be for the router external IP address (the VPN termination interface IP address), which you normally define as the "set peer" IP address.

Is R1's external interface a private IP address or a public IP address? If R1 is already a public IP address, then on the ASA you just configure NONAT between R1's external IP address and R2's external IP address. However, if R1 is a private IP address, then you would need to NAT it (using either static NAT or PAT (nat/global pair)) so it is routable on the internet. If R1 is already running on a public IP address, there is no need to PAT it again on the ASA, hence you would configure NAT exemption (NONAT) on the ASA.

As far as the ASA is concerned, it will not see the router local and remote subnets, because by the time the traffic gets to the ASA it would already be encrypted. So the ASA will only see UDP/500 and ESP/UDP/4500.

Hi halijenn,

Thanks for the reply. If R1 and R2 are running on public IP addresses, why would we even require configuring NAT exemption (NONAT) in the ASA between the R1 and R2 public IPs? I have understood everything except one thing. In the practical scenario (consider my example above was from a usual lab environment), if there are hundreds of intermediate hops which are L3 and NATTING devices as well, will we give NONAT on each and every intermediate hop coming in the way? Isn't it the case that we should only require crypto ipsec nat-transparency udp-encapsulation on R1 and R2, and it should auto-detect the NAT devices in between and encapsulate the ESP in UDP packets, due to which an administrator should only need to open UDP 4500 to let the IPSec pass-through traffic in?

In normal circumstances, out on the Internet, the Internet routers themselves will not be performing any NAT at all. The only place where NAT will be performed is normally at the customer's network, or on devices which connect to the ISP; therefore, Internet routers can pass through ESP with no problem.

The reason why you need to configure NONAT on the ASA is because you advised earlier that you have the following configured:

nat (inside) 1 0 0

global (outside) 1 interface

When you have the above configured, if you don't want to NAT traffic from inside outbound, you would need to explicitly configure NAT exemption (NONAT); otherwise, it will get PATed to the ASA outside interface.

Please remember the ASA firewall concept with NATing. So even if you have a public IP address, the ASA wouldn't understand that concept once you configure the above PAT, unless you explicitly configure NAT exemption to exempt it from being NATed.


Same goes for router, if you have router instead of ASA, and if you configure ACL that determine which traffic needs to be NATed and if the ACL is permit ip any any, anything will be NATed unless you configure exemption to not NAT the traffic.

Hope it makes sense.

Hi halijenn,

My issue is not NATTING; I have already understood the concept of NO NAT with ACL and that it is required to be there in the ASA from the public IP of R1 to R2. My issue is what exactly the role of "crypto ipsec nat-transparency udp-encapsulation" is over here: whether it is playing any role or not, and if not, whether this is an ideal scenario for NAT Traversal to play a role.

"crypto ipsec nat-transparency udp-encapsulation" definitely plays a role, i.e. during the IKE (Phase 1) negotiation, it will detect whether there is any NAT device in the path. If it does detect that there is NAT in between, it will negotiate so that the ESP packet (Phase 2) is encapsulated in UDP. By default, it will use UDP/4500.
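The detection step described in this reply is the NAT-D exchange of IKEv1 NAT Traversal (RFC 3947): each peer sends hashes of the addresses and ports it believes are in use, and the receiver recomputes them from what it actually saw in the IP/UDP header; a mismatch means a translator sits in between, and both sides then switch to UDP encapsulation on port 4500. The script below is an added example (not part of the thread, and not Cisco code) that carries that computation through with the thread's own addresses: R1 (10.10.10.1) initiating to R2 (20.20.20.1), once with the ASA passing the packet untranslated and once with the ASA PATing R1 to its outside interface 20.20.20.2. The 8-byte cookies, the PAT port 1024 and the use of SHA-1 as the Phase 1 hash are constructed assumptions for the example; a real router uses the hash algorithm negotiated in Phase 1.

```python
import hashlib
import socket
import struct

# Constructed sample ISAKMP cookies (8 bytes each); real ones are random.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port).
    IP is the 4-byte IPv4 address, Port a 2-byte big-endian value.
    sha1 here is an assumption; the negotiated Phase 1 hash is used in practice."""
    h = hashlib.new(hash_name)
    h.update(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port))
    return h.digest()


def build_nat_d_payloads(cky_i, cky_r, my_ip, my_port, peer_ip, peer_port) -> list[bytes]:
    """What a peer sends in Main Mode messages 3/4: first the hash of the
    address it believes the OTHER side has, then the hash of its own address."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, my_ip, my_port)]


def detect_nat(cky_i, cky_r, received_payloads, observed_src_ip, observed_src_port,
               observed_dst_ip, observed_dst_port) -> dict:
    """Receiver side: recompute both hashes from the addresses actually seen
    in the IP/UDP header and compare with what the sender claimed."""
    remote_hash, *local_hashes = received_payloads
    # The sender's "remote" hash describes us; if it does not match the
    # destination the packet arrived on, something rewrote OUR address.
    receiver_behind_nat = remote_hash != nat_d_hash(cky_i, cky_r, observed_dst_ip, observed_dst_port)
    # The sender's "local" hashes describe itself; if none matches the source we
    # saw, something rewrote the SENDER's address (or port) on the way.
    sender_behind_nat = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port) not in local_hashes
    return {
        "sender_behind_nat": sender_behind_nat,
        "receiver_behind_nat": receiver_behind_nat,
        # Either condition makes both peers float IKE to UDP/4500 and wrap ESP in UDP.
        "use_udp_encap": sender_behind_nat or receiver_behind_nat,
    }


def r1_initiates_to_r2(asa_pat: bool) -> dict:
    """R1 (10.10.10.1) sends its NAT-D payloads to R2 (20.20.20.1). With asa_pat
    the ASA rewrites the source to 20.20.20.2 and an ephemeral port (1024 is a
    constructed value); R2 evaluates what it received."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, "10.10.10.1", 500, "20.20.20.1", 500)
    if asa_pat:
        seen_src_ip, seen_src_port = "20.20.20.2", 1024
    else:
        seen_src_ip, seen_src_port = "10.10.10.1", 500
    return detect_nat(CKY_I, CKY_R, payloads, seen_src_ip, seen_src_port, "20.20.20.1", 500)


if __name__ == "__main__":
    print("no NAT on ASA :", r1_initiates_to_r2(asa_pat=False))
    print("PAT on ASA    :", r1_initiates_to_r2(asa_pat=True))
```

Two points the run makes concrete. First, NAT-T only ever gets a chance to work once Main Mode messages 1 and 2 have crossed the path; in the non-working debug above it is R2 that initiates (local 20.20.20.1, remote 10.10.10.1), and with only dynamic PAT on the ASA that first packet has no translation to follow inbound, which is why the earlier replies ask for R1 to initiate or for a static mapping. Second, when R1 does initiate through the PAT, R2 detects "sender behind NAT" from the rewritten source port alone, so NAT-T handles the PAT without any exemption, provided UDP/4500 is allowed; the NONAT exemption is what keeps the peer address stable at 10.10.10.1 as configured in "set peer" on R2.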
