04-08-2010 05:49 AM - edited 02-21-2020 04:35 PM
Hi,
I am trying to establish a GRE / IPSec VPN connection between two routers. One VPN end is behind an ASA firewall. I would like to allow the GRE / IPSec VPN packets through the firewall.
I have allowed the following ports through the firewall:
access-list inbound extended permit esp any any
access-list inbound extended permit udp any any eq isakmp
access-list inbound extended permit udp any any eq 4500
access-group inbound in interface outside
I have also tried sysopt connection permit-ipsec.
But nothing worked for me. Any suggestions?
I am aware that this topic has been discussed several times. But since none of them really helped me, I am opening this topic.
Cheers
Nimal
04-08-2010 05:54 AM
You need to permit the GRE connection.
See this: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
04-08-2010 07:16 AM
My topology has the firewall at one side only. That is, the router is behind the ASA at one end. At the remote end, the router is directly connected to the internet.
Can I use the same config for the topology I mentioned?
Can i use any other routing protocols than OSPF?
04-08-2010 07:36 AM
The configuration example is for PIX 6.3, but you could use it as a template for your configuration; just that the command syntax for the ASA version might be slightly different. Have you tried allowing GRE on the ASA between the routers?
04-08-2010 07:46 AM
Yes, I have tried GRE with no luck.
Do I have to open any other ports? Or any other additional commands apart from access-lists?
04-08-2010 07:47 AM
Can you upload your config?
04-08-2010 07:58 AM
Head Office ASA5520
object-group service VPN
service-object udp eq isakmp
service-object esp
service-object udp eq 4500
service-object gre
access-list outside_access_in extended permit object-group VPN host 84.92.192.145 host HubRouter_Public
static (inside,outside) aa.bb.cc.dd w.x.y.z netmask 255.255.255.255
Head Office Router
crypto isakmp policy 10
encrypt aes 128
auth pre
gro 5
life 86400
crypto isakmp key **** address a.b.c.d
crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac
crypto ipsec profile TestProfile
set transform-set 10
int tunnel 10
ip address 192.168.10.1 255.255.255.252
tunnel source w.x.y.z
tunnel destination a.b.c.d
tunnel protection ipsec profile TestProfile
Remote Office Router
crypto isakmp policy 10
encrypt aes 128
auth pre
gro 5
life 86400
crypto isakmp key **** address w.x.y.z
crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac
crypto ipsec profile TestProfile
set transform-set 10
int tunnel 10
ip address 192.168.10.2 255.255.255.252
tunnel source a.b.c.d
tunnel destination w.x.y.z
tunnel protection ipsec profile TestProfile
For your information, if I remove the IPsec protection from the tunnel, I can ping through the tunnel. Once I enable the protection, I can't.
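A check a practitioner can run on the two snippets posted above, as an added example that is not from the thread: it parses the router's transform-set for the IP protocols it actually puts on the wire and compares them with what the ASA object-group permits. The sample lines are constructed from the head-office config above; the function names and the ah_behind_nat helper are mine, and the helper encodes the standard fact that AH's integrity check covers the outer IP header, which a static NAT rewrites.

```python
import re

# Transform-set keyword prefix -> IP protocol that appears on the wire.
TRANSFORM_PROTO = {"esp": "esp", "ah": "ah"}

def protocols_for_transform_set(line):
    """Permits the firewall must hold for an IOS 'crypto ipsec transform-set'
    line. ISAKMP (udp/500) is always needed; ESP / AH follow the transforms."""
    needed = {"udp/isakmp"}
    for token in line.split()[3:]:          # skip 'crypto ipsec transform-set NAME'
        prefix = token.split("-")[0]        # 'esp-sha-hmac' -> 'esp', '128' -> '128'
        if prefix in TRANSFORM_PROTO:
            needed.add(TRANSFORM_PROTO[prefix])
    return needed

def permits_in_object_group(lines):
    """Collect 'service-object PROTO [eq PORT]' entries of an ASA object-group."""
    allowed = set()
    for line in lines:
        m = re.match(r"\s*service-object\s+(\S+)(?:\s+eq\s+(\S+))?", line)
        if m:
            proto, port = m.groups()
            allowed.add(f"{proto}/{port}" if port else proto)
    return allowed

def missing_permits(transform_line, object_group_lines, nat_traversal=False):
    """Protocols the transform-set needs that the object-group does not permit.
    udp/4500 (NAT-T) is only required when a NAT sits between the peers."""
    needed = protocols_for_transform_set(transform_line)
    if nat_traversal:
        needed.add("udp/4500")
    return sorted(needed - permits_in_object_group(object_group_lines))

def ah_behind_nat(transform_line, static_nat_present):
    """AH authenticates the outer IP header, so a static NAT that rewrites the
    router's address breaks every AH packet even when protocol 51 is permitted."""
    return static_nat_present and "ah" in protocols_for_transform_set(transform_line)

# Constructed from the head-office ASA and router config posted above.
HEAD_OFFICE_OBJECT_GROUP = [
    "object-group service VPN",
    " service-object udp eq isakmp",
    " service-object esp",
    " service-object udp eq 4500",
    " service-object gre",
]
HEAD_OFFICE_TRANSFORM = "crypto ipsec transform-set 10 esp-aes 128 esp-sha-hmac ah-sha-hmac"
```

Running missing_permits on the posted lines reports "ah": the transform-set negotiates AH as well as ESP, and neither IP protocol 51 nor an AH-compatible (non-NAT) path is present in the posted ASA policy.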
04-08-2010 08:27 AM
I am going to lab your setup. Will come back to you.
04-09-2010 01:11 AM
Any updates about this?
04-09-2010 01:17 AM
Please include "inspect ipsec-pass-thru" in your global policy-map.
04-09-2010 01:47 AM
I have tried this already with no luck.
For your information, once I applied the IPsec protection to the tunnel, the "show ip int brief" command shows the tunnel as up/up.
Does that mean the IPSec tunnel is up?
04-09-2010 01:52 AM
Since it's GRE over IPSec, please check if the IPSec is UP.
To check phase 1: show crypto isa sa --> status should be QM_IDLE
To check phase 2: show crypto ipsec sa --> check if there are encrypts and decrypts
I would test to ping the peer tunnel interface from the router and see if you have replies.
04-09-2010 05:47 AM
To answer halijenn's question,
"show crypto isakmp sa" shows the state as QM_IDLE. But "show crypto ipsec sa" has send errors. The number of encrypted and decrypted packets is 0. This is the same on both routers.
04-09-2010 03:45 AM
Hi nimalrajphilips,
Sorry for the delay. I worked late yesterday due to some ISP issues I was working on.
See below or attachment for lab results.
Francisco
R1 - R1 is connected to FW1 interface e1
###########################################
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 2.2.2.2
!
interface Ethernet1/0
ip address 1.1.1.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.11.0 255.255.255.0 Tunnel0
R1#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
2.2.2.2 0 FULL/ - 00:00:39 172.16.1.1 Tunnel0
R1#
R1#sh ip int bri
R1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet1/0 1.1.1.2 YES NVRAM up up
Ethernet2/0 unassigned YES NVRAM administratively down down
Loopback0 192.168.10.1 YES manual up up
Tunnel0 172.16.1.2 YES manual up up
R1#
R2 - R2 is connected to FW2 interface e1
#########################################
interface Loopback0
ip address 192.168.11.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source Ethernet1/0
tunnel destination 1.1.1.2
!
interface Ethernet1/0
ip address 2.2.2.2 255.255.255.0
half-duplex
!
router ospf 1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0
network 192.168.11.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.10.0 255.255.255.0 Tunnel0
R2#sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
172.17.1.1 0 FULL/ - 00:00:35 172.16.1.2 Tunnel0
R2#sh ip int bri
R2#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Ethernet1/0 2.2.2.2 YES NVRAM up up
Ethernet2/0 unassigned YES NVRAM administratively down down
Loopback0 192.168.11.1 YES manual up up
Tunnel0 172.16.1.1 YES manual up up
R2#
FW1 - FW1 is connected to another switch between FW1 & FW2 (the switch does the routing between the firewalls)
#################################################################################################
hostname FW1
!
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 1.1.1.1 255.255.255.0
!
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list nonat extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
access-list outside_cryptomap_10 extended permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 1.1.1.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.2.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
pre-shared-key *
FW1# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 192.168.1.1
access-list outside_cryptomap_10 permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0
local ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
current_peer: 192.168.2.1
#pkts encaps: 85, #pkts encrypt: 85, #pkts digest: 85
#pkts decaps: 92, #pkts decrypt: 92, #pkts verify: 92
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 85, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.1.1, remote crypto endpt.: 192.168.2.1
FW2
###############
interface Ethernet0
nameif outside
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 2.2.2.1 255.255.255.0
!
ftp mode passive
access-list outside_cryptomap_10 extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
access-list outside_cryptomap_10 extended permit gre 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
global (outside) 20 interface
nat (inside) 0 access-list nonat
nat (inside) 20 2.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.1.1
crypto map outside_map 10 set transform-set myset
crypto map outside_map 10 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
pre-shared-key *
!
FW2# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 192.168.2.1
access-list outside_cryptomap_10 permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
local ident (addr/mask/prot/port): (2.2.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.0/255.255.255.0/0/0)
current_peer: 192.168.1.1
#pkts encaps: 95, #pkts encrypt: 95, #pkts digest: 95
#pkts decaps: 88, #pkts decrypt: 88, #pkts verify: 88
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 95, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.2.1, remote crypto endpt.: 192.168.1.1
04-09-2010 03:54 AM
As you can see, R1 & R2 have established an OSPF session via the GRE tunnel interfaces over the IPsec tunnel between the firewalls.
Regards
Francisco