isakmp vpn phase

Sep 13th, 2010

A test LAN-to-LAN VPN connection was established between 2 ASA 5540s. Both ends used the local LAN interface
to ping the LAN IP of the other ASA. The ISAKMP phase comes up fast, but the ping test fails on both.
asa-1 outside - 72.65.34.89 ; lan - 172.16.0.2
asa-2 outside - 45.133.24.54 ; lan - 172.18.1.10

1. Crypto output for both ASAs:

s cryp isak sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 72.65.34.89
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

----------

asa-2:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 45.133.24.54
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2. IPsec results:
  
s cryp ipse sa
interface: outside
    Crypto map tag: test, seq num: 10, local addr: 72.65.34.89

      access-list 175 permit ip 172.1.0.2 255.255.255.248 host 172.18.1.10
      local ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      current_peer: 45.133.24.54

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.65.34.89, remote crypto endpt.: 45.133.24.54

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 20A271F1

    inbound esp sas:
      spi: 0x409E6F13 (1084124947)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 180224, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (3914999/28643)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x20A271F1 (547516913)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 180224, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (3915000/28643)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

--------------

interface: outside
    Crypto map tag: test, seq num: 10, local addr: 45.133.24.54

      access-list 175 permit ip host 172.18.1.10 172.1.0.2 255.255.255.248
      local ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      current_peer: 72.65.34.89

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 45.133.24.54, remote crypto endpt.: 72.65.34.89

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 409E6F13

    inbound esp sas:
      spi: 0x20A271F1 (547516913)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 22179840, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (4374000/28665)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001
    outbound esp sas:
      spi: 0x409E6F13 (1084124947)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 22179840, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (4373999/28665)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

Please help with what is wrong and why IPsec is not working. Thank you for all the help.

Jennifer Halim Mon, 09/13/2010 - 05:39

Assuming that you already have "management-access inside" configured for both ASAs (and assuming that you are trying to ping the inside interface from both ASAs).

From the output of sh cry ipsec sa, on ASA-2: decaps: 4 means that packets are coming inbound towards this ASA and it's being decrypted, however, there is no reply back from this ASA since there is no packet being encrypted.

On ASA-1: encaps: 4 means that traffic is being encrypted and sent outbound towards ASA-2, however, this ASA does not receive the reply since there is no decaps packets.

You would need to check on ASA-2 on the following:

- If "management-access" is configured.

- If NAT exemption is correctly configured.

- Check the output of "sh run icmp" to check if there is any restriction on ICMP towards the ASA interface.

Hope that helps.
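
As an added illustration of the encaps/decaps reasoning above (example code, not from the thread): a small Python parser that reads the endpoints, proxy identities and packet counters from the two "show crypto ipsec sa" entries posted earlier, classifies which side is failing to encrypt, and checks that the proxy identities on the two peers mirror each other. The sample text is constructed from the outputs above, trimmed to the lines the diagnosis relies on.

```python
import re
# Constructed sample: the two "show crypto ipsec sa" entries posted in this
# thread, trimmed to the identity and counter lines the diagnosis relies on.
ASA_A = """\
    Crypto map tag: test, seq num: 10, local addr: 72.65.34.89
      local ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      current_peer: 45.133.24.54
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""
ASA_B = """\
    Crypto map tag: test, seq num: 10, local addr: 45.133.24.54
      local ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      current_peer: 72.65.34.89
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# (addr/mask/prot/port) tuple; the ASA prints a stray space after the address
IDENT = r"\(([\d.]+)\s*/([\d.]+)/(\d+)/(\d+)\)"

def parse_sa(text):
    """Extract endpoints, proxy identities and ESP packet counters from one SA entry."""
    find = lambda pat: re.search(pat, text)
    return {
        "local_addr": find(r"local addr: (\S+)").group(1),
        "peer": find(r"current_peer: (\S+)").group(1),
        "local_ident": find(r"local ident.*?" + IDENT).groups(),
        "remote_ident": find(r"remote ident.*?" + IDENT).groups(),
        "encaps": int(find(r"#pkts encaps: (\d+)").group(1)),
        "decaps": int(find(r"#pkts decaps: (\d+)").group(1)),
    }

def diagnose(sa):
    """encaps = packets this ASA encrypted toward the peer; decaps = packets it decrypted."""
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "decrypts but never replies: check routing, NAT exemption and crypto ACL here"
    if sa["decaps"] == 0 and sa["encaps"] > 0:
        return "sends but gets no reply: the fault is on the peer side or in the path"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "nothing in either direction: no traffic is matching the crypto ACL"
    return "traffic flows both ways"

def mirrored(a, b):
    """The proxy identities and peer addresses must be exact mirror images."""
    return (a["local_ident"] == b["remote_ident"] and a["remote_ident"] == b["local_ident"]
            and a["peer"] == b["local_addr"] and b["peer"] == a["local_addr"])
```

Run `diagnose(parse_sa(...))` on each side's output; the side reporting "decrypts but never replies" is where the routing, NAT exemption and crypto ACL checks belong.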

suthomas1 Mon, 09/13/2010 - 09:22

Thank you. Yes, management access is on inside for both and ICMP is not blocked on asa-2.

However, on asa-1 there wasn't any ICMP configured manually, i.e. it should be default (unless this is wrong).

Exemption is in asa-2, but it is a bit different and it seems it will not work for the existing IP. Please take a look at the existing one.

   access-list inside_nat0_out extended permit ip object-group secure_Group1_adm object-group networks_seg
   nat (inside) 0 access-list inside_nat0_out


secure_Group1_adm : network-object 172.16.4.0 255.255.255.0 (belongs to another partner)
object-group networks_seg : network-object 172.16.20.0 255.255.255.0 (belongs to the VPN pool that is given to VPN users)

This asa-2 is also used as a secure VPN box; the above NAT entries are related to those. However, I am not clear on their purpose as they have existed since long before I joined.

I don't seem to get an idea of how to put another exemption here.

All help is highly appreciated.

Jennifer Halim Mon, 09/13/2010 - 19:02

Add another ACL line for the NAT exemption as follows:


access-list inside_nat0_out permit ip 172.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0

I believe that 172.1.0.0/24 is ASA-2 LAN, and 172.18.1.0/24 is ASA-1 LAN.

If you just have the ICMP default policy, there is no need to add another ICMP policy, as by default it would be allowed. Unless you have 1 ICMP policy; then you would need to explicitly configure the other interfaces too.

suthomas1 Mon, 09/13/2010 - 19:18

still does not ping across. I have added exemption rule on asa-2.

Jennifer Halim Mon, 09/13/2010 - 19:20

Please share the output of "show cry ipsec sa" from ASA-2, and if you can share the config as well, that would help. Thanks.

suthomas1 Mon, 09/13/2010 - 20:45

Thank you. The crypto ipse sa output and relevant configuration are:

asa-2 / interface: outside

    Crypto map tag: test, seq num: 10, local addr: 72.65.34.89

      access-list 175 permit ip 172.1.0.2 255.255.255.248 host 172.18.1.10
      local ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      current_peer: 45.133.24.54

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.65.34.89, remote crypto endpt.: 45.133.24.54

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 20A271F1

    inbound esp sas:
      spi: 0x409E6F13 (1084124947)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 180224, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (3914999/28643)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x0000001F
    outbound esp sas:
      spi: 0x20A271F1 (547516913)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 180224, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (3915000/28643)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

_____________________

Config -

access-list inside_nat0_out extended permit ip object-group secure_Group1_adm object-group networks_seg
access-list inside_nat0_out permit ip 172.1.0.0 255.255.255.0 172.18.1.0 255.255.255.0

  nat (inside) 0 access-list inside_nat0_out
network-acl inside_nat0_out

interface GigabitEthernet0/0
description To Public Network
nameif outside
security-level 0
ip address 72.65.34.89 255.255.255.248
!
interface GigabitEthernet0/1
description To secure vpn lan
nameif inside
security-level 100
ip address 172.1.0.2 255.255.255.248

access-list 175 line 1 extended permit ip host 172.1.0.2 172.18.1.10 255.255.255.248

icmp permit any inside
icmp permit 172.18.1.0 255.255.255.0 Management
route outside 172.18.1.10 255.255.255.255 45.133.24.54
route outside 0.0.0.0 0.0.0.0 72.65.34.85
crypto ipsec transform-set test_remote esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map test 10 match address 175
crypto map test 10 set peer 45.133.24.54
crypto map test 10 set transform-set test_remote
crypto map test 10 set security-association lifetime seconds 28800
crypto map test 10 set security-association lifetime kilobytes 4608000
crypto map test 20 set security-association lifetime seconds 28800
crypto map test 20 set security-association lifetime kilobytes 4608000
crypto map test interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha    
group 2     
lifetime 86400
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha    
group 2     
lifetime 86400
tunnel-group 45.133.24.54 type ipsec-l2l
tunnel-group 45.133.24.54 ipsec-attributes
pre-shared-key *

__________________________

I have altered some information and produced the relevant ones. If you need any other output, please let me know.

Thanks in advance.

Jennifer Halim Tue, 09/14/2010 - 00:29

Please kindly remove the following static route as it is not correct:

route outside 172.18.1.10 255.255.255.255 45.133.24.54

I also do not see "management-access inside"; however, I assume that you already have that command in this ASA as per your previous advice.

suthomas1 Tue, 09/14/2010 - 00:52

management-access inside is there; it may have got left off while copying.

I knew the route was incorrect, but it was in place as this segment of 172.18.1.10 can be reached by another way. This is the second entry point, which, as I had said earlier, is because this ASA is also being used as a secure VPN box with SSL.

This segment can be contacted via the LAN path of this asa-2.

Kindly advise. Thank you.

Jennifer Halim Tue, 09/14/2010 - 01:13

Unfortunately you can't have 2 different routes pointing towards 2 different interfaces, as it is not supported. The ASA will have no idea where to route it, as there are 2 route entries. The specific route outside is also incorrectly configured, hence it will not work.

I would suggest that you try removing the route inside for the route via the inside interface to test the VPN tunnel connectivity.

In summary, you can't have 2 same routes pointing towards 2 different interfaces (ie: inside and outside) as it will not work. ASA does not know whether it should route it towards the inside or outside as they are exactly the same routes.

suthomas1 Tue, 09/14/2010 - 01:27

That is a good piece of information, thanks for that input.

I did try removing the inside route to test the tunnel, but it still doesn't ping across.

thank you.

Correct Answer
Jennifer Halim Tue, 09/14/2010 - 01:38

I assume that you remove both the inside and outside route specific for 172.18.1.10 255.255.255.255.

The following line needs to be removed:

route outside 172.18.1.10 255.255.255.255 45.133.24.54

Also, can you please confirm that there is no route that might cover 172.18.1.10 that might be routed to inside? If there is, you might want to add the following route:

route outside 172.18.1.10 255.255.255.255 72.65.34.85

Can you please clear the tunnel, and test the ping again, and pls send through the output of "show cry ipsec sa".

suthomas1 Tue, 09/14/2010 - 09:11

If I remove that line, it doesn't work. However, the tunnel comes up if the second route outside is put in. Below is the output:

interface: outside

     Crypto map tag: test, seq num: 20, local addr: 72.65.34.89

     access-list 175 permit ip 172.1.0.2 255.255.255.248 host 172.18.1.10

      local ident (addr/mask/prot/port): (172.1.0.2 /255.255.255.248/0/0)
      remote ident (addr/mask/prot/port): (172.18.1.10/255.255.255.255/0/0)
      current_peer: 45.133.24.54

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 72.65.34.89, remote crypto endpt.: 45.133.24.54

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: EBC93B5D

   inbound esp sas:

      spi: 0xCB18BE32 (3407396402)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 22458368, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (4374000/28778)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xEBC93B5D (3955833693)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 22458368, crypto-map: test
         sa timing: remaining key lifetime (kB/sec): (4373999/28778)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

_____________________

The previous configuration had 2 group policies, 10 & 20. I have edited them and kept only 20 now.

Thank You

Jennifer Halim Tue, 09/14/2010 - 18:17

The issue is still the same, ie: no encaps. As you are only pinging the ASA inside interface, it seems to be a configuration error, or an overlapping subnet for the ACL, etc.

Please kindly share the ASA configuration. If you don't want to post it on the forum, please feel free to send me a private message, and I can go through the configuration to see if there is any overlaps. Please kindly send the latest/current configuration. Thanks.
