Cisco Support Community

Dynamic IPSec tunnel between ASA 9.X and IOS15 based router doesn't pass traffic

I have a Cisco ASA5505 running 9.1(1) and a Cisco 892 running 15.2(4)M3 and I'm trying to set up a dynamic VPN tunnel.  The Cisco 892 receives a dynamic IP address and the ASA5505 has a static IP address.  Both devices can ping each other's WAN IP addresses (192.168.1.0/24 IPs in this example).  192.168.1.3 is a router on their WAN interface, although it isn't very relevant to this situation.  For the Cisco ASA5505, 172.16.13.1 is an internal router on the LAN that routes to 172.16.0.0/16.

I can't find any good documentation on how to set this up with ASA 9.X, which has been troubling.  I think I may have a problem with my NAT configuration.  The IKEv1 process completes fine and the IPSEC tunnel is created.  However, the Cisco ASA won't decrypt any of the IPSEC ESP packets sent by the 892.  I confirmed this by using a laptop with Wireshark and a switch with port mirroring.

Here's the output of the crypto commands:

asa# show crypto ipsec sa

interface: outside

    Crypto map tag: mymap, seq num: 1, local addr: 192.168.1.145

      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

      current_peer: 192.168.1.143

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.145/0, remote crypto endpt.: 192.168.1.143/0

      path mtu 1500, ipsec overhead 74(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 98760700

      current inbound spi : 9874DA48

    inbound esp sas:

      spi: 0x9874DA48 (2557794888)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 4096, crypto-map: mymap

         sa timing: remaining key lifetime (kB/sec): (4374000/3174)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x98760700 (2557871872)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 4096, crypto-map: mymap

         sa timing: remaining key lifetime (kB/sec): (4374000/3174)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

endpoint1#show crypto ipsec sa

interface: GigabitEthernet0

    Crypto map tag: crypto-map, local addr 192.168.1.143

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)

   current_peer 192.168.1.145 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.1.143, remote crypto endpt.: 192.168.1.145

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0

     current outbound spi: 0x9874DA48(2557794888)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x98760700(2557871872)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: crypto-map

        sa timing: remaining key lifetime (k/sec): (4371277/2839)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x9874DA48(2557794888)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: crypto-map

        sa timing: remaining key lifetime (k/sec): (4371276/2839)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

### The below is the debug crypto ipsec output from the endpoint (IOS15 892)

*Sep 23 19:07:57.807: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= 192.168.1.143:500, remote= 192.168.1.145:500,

    local_proxy= 10.10.10.0/255.255.255.0/256/0,

    remote_proxy= 172.16.0.0/255.255.0.0/256/0,

    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Sep 23 19:07:57.839: IPSEC(validate_proposal_request): proposal part #1

*Sep 23 19:07:57.839: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 192.168.1.143:0, remote= 192.168.1.145:0,

    local_proxy= 10.10.10.0/255.255.255.0/256/0,

    remote_proxy= 172.16.0.0/255.255.0.0/256/0,

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Sep 23 19:07:57.839: Crypto mapdb : proxy_match

        src addr     : 10.10.10.0

        dst addr     : 172.16.0.0

        protocol     : 0

        src port     : 0

        dst port     : 0

*Sep 23 19:07:57.839: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Sep 23 19:07:57.839: Crypto mapdb : proxy_match

        src addr     : 10.10.10.0

        dst addr     : 172.16.0.0

        protocol     : 256

        src port     : 0

        dst port     : 0

*Sep 23 19:07:57.839: IPSEC(crypto_ipsec_create_ipsec_sas): Map found crypto-map

*Sep 23 19:07:57.839: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.1.143, sa_proto= 50,

    sa_spi= 0x98760700(2557871872),

    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 5

    sa_lifetime(k/sec)= (4608000/3600)

*Sep 23 19:07:57.839: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.1.145, sa_proto= 50,

    sa_spi= 0x9874DA48(2557794888),

    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 6

    sa_lifetime(k/sec)= (4608000/3600)

*Sep 23 19:07:57.839: IPSEC: Expand action denied, notify RP

Here are the configs:

ASA Version 9.1(1)

!

hostname asa

domain-name somehing.testdomain

enable password 9jNfZuG3TC5tCVH0 encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 172.16.13.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp

!

ftp mode passive

dns server-group DefaultDNS

domain-name something.testdomain

object network inside-net

subnet 172.16.0.0 255.255.0.0

object network localsubnets

subnet 172.16.0.0 255.255.0.0

object network remotesubnets

subnet 10.10.10.0 255.255.255.0

access-list VPNTRAFFIC extended permit ip object localsubnets object remotesubnets

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static localsubnets remotesubnets destination static remotesubnets localsubnets

!

object network inside-net

nat (inside,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 192.168.1.3 1

route inside 172.16.0.0 255.255.0.0 172.16.13.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 172.16.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map mymap 1 set ikev1 transform-set myset

crypto dynamic-map mymap 1 set reverse-route

crypto map dyn-map 10 ipsec-isakmp dynamic mymap

crypto map dyn-map interface outside

crypto ca trustpool policy

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username admin password e1z89R3cZe9Kt6Ib encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname endpoint1

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-3545941895

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3545941895

revocation-check none

rsakeypair TP-self-signed-3545941895

!

!

crypto pki certificate chain TP-self-signed-3545941895

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33353435 39343138 3935301E 170D3133 30363134 31393230

  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35343539

  34313839 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B7FC 339420BB 96106226 F0D59177 6CDC1EB8 D399AD86 9626C532 937F09A7

  AE3D7B90 07863C66 9BE06529 BA8CEF08 51AD8985 15A3E784 8A8EA1A5 C85207E6

  DAA62B58 ED290AF3 1F567D03 2DC2B3EB C427C048 1A9541AF EDDE0B3D 6E50DA6F

  3BD3A6EA C254F31F 1D9717F3 1EBF2EA8 43789B6E E8B20736 67DFBFA7 8149F012

  AD110203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 145CFE13 F0CD507F 9CEF4B8F B1095E42 AA094E7E 7E301D06

  03551D0E 04160414 5CFE13F0 CD507F9C EF4B8FB1 095E42AA 094E7E7E 300D0609

  2A864886 F70D0101 05050003 818100B3 D4EB4F0C 62BFD31A 32A9B6F1 9812223B

  E31AEE53 580353A2 BE3211FC 7FB8C455 1312F1C0 914FFBA1 D0989440 8388CD1D

  B379FABC 49B54D1A 46171A1D 4B2AFCD2 5B7F276E 4B7B38B2 FB354165 3B151757

  78CC2B62 5DA8C197 10DEFDBF 7A6783D5 6D9CDDD9 DE30B4FB CDE20B2F 66E01A9B

  A17CF719 BC61AEAF 6B0184C3 BDE728

        quit

ip cef

!

!

!

!

!

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool ccp-pool

import all

network 10.10.10.0 255.255.255.248

default-router 10.10.10.1

lease 0 2

!

!

!

no ip domain lookup

ip domain name remote.something.local

no ipv6 cef

!

!

!

!

!

multilink bundle-name authenticated

!

!

!

!

!

!

license udi pid CISCO892-K9 sn FGL172320VF

!

!

username cisco privilege 15 password 0 cisco123

!

redundancy

!

!

!

!

!

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 10

crypto isakmp key cisco123 address 192.168.1.145

!

!

crypto ipsec transform-set my-set esp-aes esp-sha-hmac

mode tunnel

!

!

!

crypto map crypto-map 10 ipsec-isakmp

set peer 192.168.1.145

set transform-set my-set

match address 101

!

!

!

!

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

isdn termination multidrop

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0

description $ETH_LAN$

ip address 192.168.1.143 255.255.255.0

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

crypto map crypto-map

!

interface Vlan1

description $ETH_LAN$

ip address 10.10.10.1 255.255.255.248

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

no ip http secure-server

!

!

ip nat inside source route-map nonat interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 192.168.1.3

!

access-list 101 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 110 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 110 permit ip 10.10.10.0 0.0.0.255 any

!

route-map nonat permit 10

match ip address 110

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

login

transport input all

!

!

end
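As an added example (not part of the original post, and not Cisco's own tooling), the following Python script takes abbreviated, constructed copies of the two "show crypto ipsec sa" outputs quoted above and cross-checks them the way a responder would before touching the configuration: the peers must mirror each other, the proxy identities must mirror each other, each side's inbound SPI must be the other side's outbound SPI, and the packet counters must agree in both directions. On the figures from the post it reports a one-way flow (endpoint1 encapsulates 44 packets, asa decapsulates none) and that asa itself has encapsulated nothing, which isolates the fault to the path between the router's crypto engine and the ASA's, rather than to Phase 1 or Phase 2 negotiation. The parse_sa and diagnose names and the finding codes are my own.

```python
import re

# Constructed, abbreviated excerpts of the two "show crypto ipsec sa" outputs in the post.
ASA_SA = """\
interface: outside
    Crypto map tag: mymap, seq num: 1, local addr: 192.168.1.145
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 192.168.1.143
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: 98760700
      current inbound spi : 9874DA48
    inbound esp sas:
      spi: 0x9874DA48 (2557794888)
    outbound esp sas:
      spi: 0x98760700 (2557871872)
"""

IOS_SA = """\
interface: GigabitEthernet0
    Crypto map tag: crypto-map, local addr 192.168.1.143
   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 192.168.1.145 port 500
    #pkts encaps: 44, #pkts encrypt: 44, #pkts digest: 44
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x9874DA48(2557794888)
     inbound esp sas:
      spi: 0x98760700(2557871872)
     outbound esp sas:
      spi: 0x9874DA48(2557794888)
"""


def _int(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None


def _spi(direction, text):
    # First SPI listed under "<direction> esp sas:"; ASA and IOS both print it as 0x<hex>.
    m = re.search(direction + r' esp sas:\s*\n\s*spi:\s*0x([0-9A-Fa-f]+)', text)
    return m.group(1).upper() if m else None


def parse_sa(name, text):
    """Extract the fields needed for a cross-peer comparison from ASA or IOS output.
    The regexes tolerate the small format differences (colon after 'local addr',
    'current_peer ... port 500', spacing around '#recv errors')."""
    return {
        'name': name,
        'local': re.search(r'local addr:?\s*(\d+\.\d+\.\d+\.\d+)', text).group(1),
        'peer': re.search(r'current_peer:?\s*(\d+\.\d+\.\d+\.\d+)', text).group(1),
        'local_ident': re.search(r'local\s+ident.*?:\s*\(([^)]*)\)', text).group(1),
        'remote_ident': re.search(r'remote ident.*?:\s*\(([^)]*)\)', text).group(1),
        'encaps': _int(r'#pkts encaps:\s*(\d+)', text),
        'decaps': _int(r'#pkts decaps:\s*(\d+)', text),
        'recv_errors': _int(r'#recv errors:?\s*(\d+)', text),
        'in_spi': _spi('inbound', text),
        'out_spi': _spi('outbound', text),
    }


def diagnose(a, b):
    """Compare two peers' views of the same SA pair; return a list of finding codes."""
    findings = []
    if not (a['peer'] == b['local'] and b['peer'] == a['local']):
        findings.append('PEER_MISMATCH')
    # Phase 2 proxy identities must be mirror images or the SA covers different subnets.
    if not (a['local_ident'] == b['remote_ident'] and a['remote_ident'] == b['local_ident']):
        findings.append('PROXY_ID_MISMATCH')
    # Each side's inbound SPI must be the other side's outbound SPI.
    if not (a['in_spi'] == b['out_spi'] and a['out_spi'] == b['in_spi']):
        findings.append('SPI_MISMATCH')
    for tx, rx in ((a, b), (b, a)):
        # tx encrypts but rx never decapsulates: ESP is lost or dropped between the two
        # crypto engines (path, ACL, NAT, or rx not associating the packet with this SA).
        if tx['encaps'] > 0 and rx['decaps'] == 0:
            findings.append('ONE_WAY:%s->%s' % (tx['name'], rx['name']))
        if rx['recv_errors']:
            findings.append('RECV_ERRORS:%s' % rx['name'])
    for side in (a, b):
        # Nothing ever entered the tunnel from this side: no interesting traffic reached
        # its crypto map, which on the ASA usually means NAT or routing diverted it.
        if side['encaps'] == 0:
            findings.append('NO_TX:%s' % side['name'])
    return findings


if __name__ == '__main__':
    asa = parse_sa('asa', ASA_SA)
    ep1 = parse_sa('endpoint1', IOS_SA)
    for finding in diagnose(asa, ep1):
        print(finding)
```

Run it as is to see the two findings for the post's outputs, or paste fresh output from both peers into the two constants after a change and re-run; a healthy tunnel returns an empty list. The one-way finding is the important one: matching SPIs and proxy identities rule out a negotiation problem, so the next check is a capture on the ASA outside interface to confirm that ESP with SPI 0x9874DA48 actually arrives there, which is what the poster's mirrored-port capture was meant to establish.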
