Cisco Support Community
Community Member

Site to Site VPN multiple subnets

Hi Guys,
I would like to set up a site-to-site VPN tunnel with multiple subnets. I could not find a configuration that fits my problem. I hope you can help me out with the solution.
You can find my network design attached to this topic.
This is my configuration on the ASA:

1) NAT exemption for the network traffic going over the site-to-site VPN.
nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
nat (INSIDE,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0

2) Access-list with the traffic to encrypt
object-group network 192.168.10.0
network-object 192.168.10.0 255.255.255.0

object-group network 192.168.15.0
network-object 192.168.15.0 255.255.255.0

object-group network 192.168.38.0
network-object 192.168.38.0 255.255.255.0

object-group network 192.168.31.0
network-object 192.168.31.0 255.255.255.0

object-group network STSVPN-LOCAL
group-object 192.168.10.0
group-object 192.168.15.0

object-group network STSVPN-US
group-object 192.168.38.0
group-object 192.168.31.0

access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US

3) Phase 1 Proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400


4) Phase 2 Proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256

5) Tunnel Group
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 general-attributes
 default-group-policy GrpPolicy-STSVPN-US
tunnel-group 4.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcd
 ikev2 local-authentication pre-shared-key abcd

Grouppolicy
group-policy GrpPolicy-STSVPN-US internal
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
 vpn-tunnel-protocol ikev2


6) Crypto Map
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
crypto ikev2 enable INT-STSVPN
 
/////////////////////////////////////////////////////////////////////

Router Configuration:

1) SA part

crypto ikev2 proposal IK2.PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IK2.POL
 proposal IK2.PROP
crypto ikev2 keyring KR1
 peer ASALAB
 address 2.2.2.2
 pre-shared-key local abcd
 pre-shared-key remote abcd
crypto ikev2 profile IK2.PROF
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
 
2) Transformset

crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
 mode tunnel

3) Access-list

ip access-list extended ACL.VPNIKE2
 permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255
 
4) Crypto map

crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS.VPN2
 set pfs group14
 set ikev2-profile IK2.PROF
 match address ACL.VPNIKE2
 
//////////////////////////////////////////////////////////////////////

 

Is this configuration correct for allowing two subnets at each side of the VPN tunnel to communicate with each other?

subnet 192.168.31.0 can only communicate with 192.168.10.0 
subnet 192.168.38.0 can only communicate with 192.168.15.0

1 ACCEPTED SOLUTION
Bronze

Hello Jay,

I went over the configuration of both devices and noticed some errors on the ASA configuration. Here the details:

1) The access-list configured for the VPN traffic is named ACL_STSVPN-US, however the match address configured on the crypto map is using an object-group name instead:

crypto map CM-STSVPN 10 match address STSVPN-US

You need to change it to avoid any issues with the traffic negotiation:

no crypto map CM-STSVPN 10 match address STSVPN-US

crypto map CM-STSVPN 10 match address ACL_STSVPN-US

 

2) You have the same error on the vpn-filter. However, you cannot use the ACL_STSVPN-US access-list for the VPN filter either, since the ASA will filter incoming packets only. In that case the proper ACL is written from the remote networks (ROUTER) to the local networks (ASA). It will look something like this:

access-list VPN_filter extended permit ip  object-group STSVPN-US object-group STSVPN-LOCAL

group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value VPN_filter

Remember that the VPN filter consists of rules that determine whether to allow or reject tunneled data packets that come through the security appliance, based on criteria such as source address, destination address, and protocol. If you use the IP protocol, the filter will not make any difference.

 

3) PFS group 14 is configured on the router crypto map but not on the ASA. You will need to either add it to the ASA crypto map or remove it from the router.

 

ASA:

crypto map CM-STSVPN 10 set pfs group14

Router:

crypto map CM.VPN 30 ipsec-isakmp
 no set pfs group14

 

Hope this helps you bring the tunnel up,

 

Luis.

5 REPLIES
Community Member

Hi Luis, thank you for your response. I learned a lot from it, especially about the VPN filter and PFS groups. I turned off the VPN filter in my configuration because the whole IP protocol must have access between the subnets. I will test this configuration on Monday and let you know the outcome! If I want to set up another site-to-site tunnel with a new interface on the ASA, should I make a new crypto map, because CM-STSVPN is tied to interface INT-STSVPN? The NAT, group policy, tunnel groups and object groups will also change, but I am focusing now on the crypto map. Thank you very much!
Bronze

Hello Jay,

Actually, multiple interfaces can share the same crypto map set if you want to apply the same combination of IPsec/IKE and IPsec/manual entries to different interfaces. However, the tunnels will come up based on the routing. As you mentioned, you would also need to consider the NAT rules. Another option is to create a whole new crypto map. Either should work fine.

 

I hope this helps,


Luis.

Community Member

Thanks for your answer, Luis. I was unsure whether multiple interfaces could share the same crypto map.

It is all clear now! I will test the VPN tomorrow. Really appreciate your help!

Bronze

Hello Jay,

My pleasure! 

Please rate the answer to keep helping others as well.

 

Thanks,

 

Luis. 
