Friday 29 January 2016

cisco ASA site to site VPN config

By defining  a VPN tunnel-group the ASA allows the remote peer in the outside interface and get to where its going as defined in your ACL. IKE negotiation happens over UDP port 4500 and that is allowed without having to edit your outside ACL. You can change this with no sysopt connection permit-vpn. If you do that you will need entries in your from_outside ACL. Protocol 50 is esp.

Show all the tunnel-groups
sh run all tunnel-group

L2L (S2S) IP address
RA VPN group

The tunnel group sets the peer and calls the group policy

Show the group policy
sh run all group-policy

Normally if you don't change anything the default group policy will be used

Make sure ikev1 is enabled in the default or what ever group policy you are using
     group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

ISAKMP policy (Phase 1)
Use IKEv1 because only newest versions of code support IKEv2
Encryption
Authentication
Hashing
Diffie Hellman group

Phase 2
Who is the tunnel going to (outside interface of ASA)?
What traffic do we want to encrypt (ACL) ?
How are we going to encrypt (transform set) ?

Show isakmp policy
sh run | section isakmp

ACLs need to match on both sides for the VPN to come up.
The pre-shared key needs to match on both sides in IKEv1
We want to make sure there is a matching transform set on both sides too (aes sha etc)

ASDM config
Configuration -> Site to Site VPN
Add connection profile
Uncheck IKEv2

Show all the ikev1 policies and transform sets
sh run crypto

The ASA will go from top down in the transform sets until it finds one that matches. Common reason for the VPN not coming up is that there is no matching transform set. Often its a security best practice to remove transform-sets that we are not using. Having a large number of transform sets adds processing time too.

Its possible to define more than one tranform set in the crypto map but not advised.
crypto map S2SMAP 10 set ikev1 tranforset esp-aes esp-sha esp-aes-123 esp-des-sha

Sh the tunnel-group
sh run tunnel-group

Turn logging on, enable logging to the console at level 7
Or tail your syslog
conf t
logging on
logging con 7
end
no logging on to switch off

Initiate the tunnel
Send a ping (or what ever traffic is allowed from one end of the VPN to the other)

Check if phase 1 is up
sh crypto isakmp sa

QM_IDLE is good, it means phase 1 went into quick mode and moved on to phase 2
Status should be ACTIVE

Check phase 2
show crypto ipsec sa
show crypto ipsec sa peer 100.100.100.100

you should see pkts encaps and decaps increasing at the same rate.
There should be a separate sa for each network in the ACL

Look for the spi (security parameter index)
Its the sequence number for the tunnel inbound and outbound
If we don't have an SPI the tunnel is not up, we can see the transform used here)

Tunnel negotiation
Packed recieved on 20.0.0.254:5000 (UDP IKE)
IKE SA Proposal acceptable Matches global IKE entry
Connection landed on tunnel_group xx.xx.xx.xx
L2LPOLICY
Phase 1 completed
IPSec SA Proposal acceptable
Security nego is complete
Phase 2 complete
Built inbound ICMP/TCP connection for

SPIs should match on both ends
sh crypto ipsec sa peer xx.xx.xx.xx | i spi
Each entry in the ACL gets a separate SPI created

If we look at connections
show local-host all
show connection detail
We see traffic is still subject to inspection. ASA does decryption then inspection.

Clear P2 (clear a specific p2 sa)
clear crypto ipsec sa peer xx.xx.xx.xx

Clear P1 (clears all P1)
clear crypto isakmp sa

MM_WAIT_MSG_6
Usually means PSK mismatch

CLI Config

Make sure ikev1 is enabled in the default or what ever group policy you are using
     group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol ikev1 ikev2 ssl-clientless

Enable it on outside interface
crypto ikev1 enable outside

Create a name so you know who it is
name 172.19.140.200 Remote_Peer

Transform set
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

Objects for use ACLs
object-group network DMZ-10.255.1.16s-28
  network-object 10.255.1.16 255.255.255.240

object-group network REMOTE_NETS
  network-object 192.168.24.0 255.255.255.0

ACL to match traffic for the VPN
access-list gby-crypto-200 extended permit ip object DMZ-10.255.1.16-28 10.55.1.0 255.255.255.0

Phase2 Crypto map
crypto map MAP-OUTSIDE 20 match address gby-crypto-200
crypto map MAP-OUTSIDE 20 set peer 172.19.140.200
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000

crypto map needs to be applied to outside interface
crypto map MAP-OUTSIDE interface outside

Tunnel Group
tunnel-group 172.19.140.200 type ipsec-l2l
tunnel-group 172.19.140.200 ipsec-attributes
 ikev1 pre-shared-key secretpw

No Nat
nat (DMZ,OUTSIDE) source static DMZ-10.255.1.16-28 DMZ-10.255.1.16-28 destination static REMOTE_NETS REMOTE_NETS no-proxy-arp route-lookup

Make sure the source/destination interfaces are correct. Use show route to see. You may need to add more than one NAT statement for different interfaces

Routes
There must be a route to your peer (usually 0.0.0.0 default GW) and to the destination network you want to reach usually directly connected (inside/lan/etc) but not always.

Troubleshooting


WAIT_MSG2 = We can't reach the other side or no matching ike p1 policy


Whats the problem ? Host A can't reach Host B. Is it a problem for all hosts or just one host ?
If a VPN won't come up its usually a settings problem. PSK mismatch, missing NAT, ACL mismatch etc. If a VPN has been up and goes down its usually because something has changed. Write ALL settings down for both peers side by side and compare. Check the encryption domain on both sides is traffic being generated to bring the VPN up ?

Use ping to make sure the host has network connectivity and can reach the default GW
Check out device and confirm is has internet connectivity
Traceroute between the two ASA's to rule out internet routing issue
Check logging on the console or tail/grep your syslog for any errors

On the client
ipconfig (have we got an IP)
ping 8.8.8.8 (have we got internet access)
try to reach host on other side

On ASA
ping other ASA 192.168.1.171

tail/grep your syslog, or use ASDM event viewer, you can also use console logging (cpu intensive)
logging enable
logging console 7

Try again on the client, watch the log for errors and denies.

You should see details why the connectivity is failing.

Debug commands
Setup the debugs and then try the traffic
ikev1
debug crypto condition peer x.x.x.x
debug crypto ikev1 platform 250
debug crypto ikev1 protocol 250

ikev2
debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 250
debug crypto ikev2 protocol 250

No comments:

Post a Comment