By defining a VPN tunnel-group, the ASA allows the remote peer in on the outside interface and lets its traffic get to where it's going as defined in your ACL. IKE negotiation happens over UDP port 4500 and that is allowed without having to edit your outside ACL. You can change this with no sysopt connection permit-vpn; if you do that you will need entries in your from_outside ACL. Protocol 50 is ESP.
Show all the tunnel-groups
sh run all tunnel-group
L2L (S2S) IP address
RA VPN group
The tunnel group sets the peer and calls the group policy
Show the group policy
sh run all group-policy
Normally if you don't change anything the default group policy will be used
Make sure ikev1 is enabled in the default or whatever group policy you are using
group-policy DfltGrpPolicy attributes
ISAKMP policy (Phase 1)
Use IKEv1 because only newest versions of code support IKEv2
Encryption
Authentication
Hashing
Diffie Hellman group
Phase 2
Who is the tunnel going to (outside interface of ASA)?
What traffic do we want to encrypt (ACL)?
How are we going to encrypt (transform set)?
Show isakmp policy
sh run | section isakmp
ACLs need to match on both sides for the VPN to come up.
The pre-shared key needs to match on both sides in IKEv1
We want to make sure there is a matching transform set on both sides too (aes sha etc)
ASDM config
Configuration -> Site to Site VPN
Add connection profile
Uncheck IKEv2
Show all the ikev1 policies and transform sets
sh run crypto
The ASA works top-down through the transform sets until it finds one that matches. A common reason for the VPN not coming up is that there is no matching transform set. It's often considered a security best practice to remove transform sets that are not in use; having a large number of transform sets also adds processing time.
It's possible to define more than one transform set in the crypto map, but it is not advised.
crypto map S2SMAP 10 set ikev1 transform-set esp-aes esp-sha esp-aes-123 esp-des-sha
Show the tunnel-group
sh run tunnel-group
Turn logging on, enable logging to the console at level 7
Or tail your syslog
conf t
logging on
logging con 7
end
Use no logging on to switch it off
Initiate the tunnel
Send a ping (or whatever traffic is allowed from one end of the VPN to the other)
Check if phase 1 is up
sh crypto isakmp sa
QM_IDLE is good, it means phase 1 went into quick mode and moved on to phase 2
Status should be ACTIVE
Check phase 2
show crypto ipsec sa
show crypto ipsec sa peer 100.100.100.100
You should see pkts encaps and decaps increasing at the same rate.
There should be a separate sa for each network in the ACL
Look for the SPI (security parameter index).
It's the sequence number for the tunnel inbound and outbound.
If we don't have an SPI the tunnel is not up. We can also see the transform used here.
Tunnel negotiation
Packet received on 20.0.0.254:5000 (UDP IKE)
IKE SA Proposal acceptable Matches global IKE entry
Connection landed on tunnel_group xx.xx.xx.xx
L2LPOLICY
Phase 1 completed
IPSec SA Proposal acceptable
Security nego is complete
Phase 2 complete
Built inbound ICMP/TCP connection for
SPIs should match on both ends
sh crypto ipsec sa peer xx.xx.xx.xx | i spi
Each entry in the ACL gets a separate SPI created
If we look at connections
show local-host all
show connection detail
We see traffic is still subject to inspection. ASA does decryption then inspection.
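The phase 2 checks above (encaps and decaps moving together, an SPI present for each ACL entry, SPIs mirrored on both ends) written up as a small parser. This is an added example, not part of the original notes. SAMPLE_OUTPUT is a constructed approximation of the ASA's show crypto ipsec sa format: the local address 198.51.100.1, the counters and the SPI values are invented, and the function names parse_ipsec_sa, diagnose and spis_mirrored are mine.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag the phase 2 symptoms the notes describe.
Added example, not part of the original notes. SAMPLE_OUTPUT is constructed to approximate
the ASA's format; its local address, counters and SPI values are invented."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: MAP-OUTSIDE, seq num: 20, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.255.1.16/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.55.1.0/255.255.255.0/0/0)
      current_peer: 172.19.140.200
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      inbound esp sas:
        spi: 0x8A1B2C3D (2317036605)
           transform: esp-aes esp-sha-hmac no compression
      outbound esp sas:
        spi: 0x1E2F3A4B (506411595)
           transform: esp-aes esp-sha-hmac no compression
    Crypto map tag: MAP-OUTSIDE, seq num: 20, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.255.1.16/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (192.168.24.0/255.255.255.0/0/0)
      current_peer: 172.19.140.200
      #pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      inbound esp sas:
        spi: 0x5C6D7E8F (1550679695)
           transform: esp-aes esp-sha-hmac no compression
      outbound esp sas:
        spi: 0x9A0B1C2D (2584419373)
           transform: esp-aes esp-sha-hmac no compression
    Crypto map tag: MAP-OUTSIDE, seq num: 20, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.255.1.16/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.66.1.0/255.255.255.0/0/0)
      current_peer: 172.19.140.200
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      inbound esp sas:
      outbound esp sas:
"""


@dataclass
class Phase2SA:
    local_ident: str          # our side of the proxy ID (one SA pair per ACL entry)
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    inbound_spi: Optional[str]
    outbound_spi: Optional[str]
    transform: Optional[str]


def _first(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ipsec_sa(text):
    """One Phase2SA per 'Crypto map tag' block; a block with no SPIs is a tunnel that is not up."""
    sas = []
    for block in re.split(r"^\s*Crypto map tag:", text, flags=re.MULTILINE)[1:]:
        tail = block.partition("inbound esp sas:")[2]          # "" when the heading is absent
        inbound, _, outbound = tail.partition("outbound esp sas:")
        sas.append(Phase2SA(
            local_ident=_first(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)", block, ""),
            remote_ident=_first(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", block, ""),
            peer=_first(r"current_peer: (\S+)", block, ""),
            encaps=int(_first(r"#pkts encaps: (\d+)", block, "0")),
            decaps=int(_first(r"#pkts decaps: (\d+)", block, "0")),
            inbound_spi=_first(r"spi: (0x[0-9A-Fa-f]+)", inbound),
            outbound_spi=_first(r"spi: (0x[0-9A-Fa-f]+)", outbound),
            transform=_first(r"transform: (.+)", block),
        ))
    return sas


def diagnose(sa):
    """Map the counters and SPIs of one SA pair to the symptoms the notes describe."""
    findings = []
    if not (sa.inbound_spi and sa.outbound_spi):
        findings.append("no SPI: phase 2 is not up for this ACL entry (check ACL and transform-set match)")
    if sa.encaps and not sa.decaps:
        findings.append("one-way: we encapsulate but never decapsulate (check the peer's crypto ACL, NAT and route back)")
    if sa.decaps and not sa.encaps:
        findings.append("one-way: we decapsulate but never encapsulate (check our crypto ACL, NAT exemption and route)")
    return findings or ["healthy: both SPIs present and packets flow in both directions"]


def spis_mirrored(local, remote):
    """SPIs should match on both ends: our inbound SPI is the peer's outbound one and vice versa."""
    if not (local.inbound_spi and local.outbound_spi):
        return False
    return (local.inbound_spi.lower() == (remote.outbound_spi or "").lower()
            and local.outbound_spi.lower() == (remote.inbound_spi or "").lower())


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(sa.local_ident, "->", sa.remote_ident, diagnose(sa))
```

Paste the real output in place of SAMPLE_OUTPUT (or feed it via stdin) and run diagnose on each entry; to check SPIs across peers, parse the same command from the other ASA and call spis_mirrored with the two entries for the same ACL pair.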
Clear P2 (clear a specific p2 sa)
clear crypto ipsec sa peer xx.xx.xx.xx
Clear P1 (clears all P1)
clear crypto isakmp sa
MM_WAIT_MSG_6
Usually means PSK mismatch
CLI Config
Make sure ikev1 is enabled in the default or whatever group policy you are using
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
Enable it on outside interface
crypto ikev1 enable outside
Create a name so you know who it is
name 172.19.140.200 Remote_Peer
Transform set
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
Objects for use in ACLs
object-group network DMZ-10.255.1.16-28
network-object 10.255.1.16 255.255.255.240
object-group network REMOTE_NETS
network-object 192.168.24.0 255.255.255.0
ACL to match traffic for the VPN
access-list gby-crypto-200 extended permit ip object-group DMZ-10.255.1.16-28 10.55.1.0 255.255.255.0
Phase2 Crypto map
crypto map MAP-OUTSIDE 20 match address gby-crypto-200
crypto map MAP-OUTSIDE 20 set peer 172.19.140.200
crypto map MAP-OUTSIDE 20 set ikev1 transform-set ESP-AES-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
crypto map needs to be applied to outside interface
crypto map MAP-OUTSIDE interface outside
Tunnel Group
tunnel-group 172.19.140.200 type ipsec-l2l
tunnel-group 172.19.140.200 ipsec-attributes
ikev1 pre-shared-key secretpw
No NAT
nat (DMZ,OUTSIDE) source static DMZ-10.255.1.16-28 DMZ-10.255.1.16-28 destination static REMOTE_NETS REMOTE_NETS no-proxy-arp route-lookup
Make sure the source/destination interfaces in the NAT statement are correct; use show route to see which interface each network sits behind. You may need to add more than one NAT statement if the local networks sit behind different interfaces.
Routes
There must be a route to your peer (usually via the 0.0.0.0 default gateway) and to the destination network you want to reach; that is usually a directly connected network (inside/lan/etc.) but not always.
Troubleshooting
WAIT_MSG2 = we can't reach the other side, or there is no matching IKE phase 1 policy
What's the problem? Host A can't reach Host B. Is it a problem for all hosts or just one host?
If a VPN won't come up it's usually a settings problem: PSK mismatch, missing NAT exemption, ACL mismatch etc. If a VPN has been up and goes down it's usually because something has changed. Write ALL settings down for both peers side by side and compare. Check the encryption domain on both sides. Is traffic being generated to bring the VPN up?
Use ping to make sure the host has network connectivity and can reach the default GW
Check the device and confirm it has internet connectivity
Traceroute between the two ASAs to rule out an internet routing issue
Check logging on the console or tail/grep your syslog for any errors
On the client
ipconfig (have we got an IP)
ping 8.8.8.8 (have we got internet access)
try to reach host on other side
On ASA
ping other ASA 192.168.1.171
tail/grep your syslog, or use the ASDM event viewer; you can also use console logging (CPU intensive)
logging enable
logging console 7
Try again on the client, watch the log for errors and denies.
You should see details why the connectivity is failing.
Debug commands
Set up the debugs and then try the traffic
ikev1
debug crypto condition peer x.x.x.x
debug crypto ikev1 platform 250
debug crypto ikev1 protocol 250
ikev2
debug crypto condition peer x.x.x.x
debug crypto ikev2 platform 250
debug crypto ikev2 protocol 250