New Site to Site VPN Issues - IKEv2
  • New Site to Site VPN Issues - IKEv2

    I am currently trying to get a site to site VPN set up between two Cisco ASA devices, 5505 (8.4) and 5512-x (8.6).

    The tunnel is built and traffic initiated from the network where the 5505 is located is able to build a tunnel and get to the host behind the 5512-x. However, the 5512-x is not able to initiate a tunnel build or send traffic over the tunnel initiated from the 5505 side. Any suggestions on what this may be or where to look?

    Crypto Map
    bidirectional - enabled on both
    NAT-T - enabled on both
    RRI - disabled on both


    Using IKEv2.


    IKEv2 SA from 5505 Peer

    Tunnel-id Local Remote Status Role
    1375033097 <IP REMOVED>/500 <IP REMOVED>/500 READY INITIATOR
    Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/273 sec
    Child sa: local selector 192.168.6.3/0 - 192.168.6.3/65535
    remote selector 192.168.2.233/0 - 192.168.2.233/65535
    ESP spi in/out: 0xb1766115/0xcfef1634
    IPSec SA from the 5505 Peer

    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: <ip_removed>

    access-list outside_cryptomap_1 extended permit ip host 192.168.6.3 host 192.168.2.233
    local ident (addr/mask/prot/port): (192.168.6.3/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (192.168.2.233/255.255.255.255/0/0)
    current_peer: <ip_removed>

    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: <ip_removed>/500, remote crypto endpt.: <ip_removed>/500
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: CFEF1634
    current inbound spi : B1766115

    inbound esp sas:
    spi: 0xB1766115 (2977325333)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 65536, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4101119/2847)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x0000001F
    outbound esp sas:
    spi: 0xCFEF1634 (3488552500)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 65536, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (3962879/2847)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001


    5512-x Peer ikev2 SA

    IKEv2 SAs:

    Session-id:22, Status:UP-ACTIVE, IKE count:1, CHILD count:1

    Tunnel-id Local Remote Status Role
    47074695 <IP REMOVED>/500 <IP REMOVED>/500 READY RESPONDER
    Encr: 3DES, Hash: MD596, DH Grp:2, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/9 sec
    Child sa: local selector 192.168.2.233/0 - 192.168.2.233/65535
    remote selector 192.168.6.3/0 - 192.168.6.3/65535
    ESP spi in/out: 0xcfef1634/0xb1766115


    5512-x Peer IPSec SA

    interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: <ip_removed>

    access-list outside_cryptomap_1 extended permit ip host 192.168.2.233 host 192.168.6.3
    local ident (addr/mask/prot/port): (192.168.2.233/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (192.168.6.3/255.255.255.255/0/0)
    current_peer: <ip_removed>

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: <ip_removed>/500, remote crypto endpt.: <ip_removed>/500
    path mtu 1500, ipsec overhead 58, media mtu 1500
    current outbound spi: B1766115
    current inbound spi : CFEF1634


    inbound esp sas:
    spi: 0xCFEF1634 (3488552500)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 65536, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4239359/3179)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x0000003F
    outbound esp sas:
    spi: 0xB1766115 (2977325333)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 65536, crypto-map: outside_map
    sa timing: remaining key lifetime (kB/sec): (4008959/3179)
    IV size: 8 bytes
    replay detection support: Y
    Anti replay bitmap:
    0x00000000 0x00000001

  • #2
    Re: New Site to Site VPN Issues - IKEv2

    Verify your crypto ACLs. I see that the ACL permits traffic to and from a specific host. I can't see the addressing from the config as you didn't post it. From the output of your IPsec SAs I do see traffic being encapsulated, encrypted and decrypted on both ends. Check your logs.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: New Site to Site VPN Issues - IKEv2

      Figured it out, and it was definitely a D'oh moment. The NAT rules for the firewall had the default inside->outside as the first rule, so the VPN traffic was hitting that rule first. Moved the VPN match rule above it, and everything works like a charm.

      Thanks for the advice and making me think.



      • #4
        Re: New Site to Site VPN Issues - IKEv2

        Did you do a manual NAT for your regular traffic? That's the only reason it would have been higher in the NAT order. If you did an auto NAT for your regular traffic and a manual NAT for your NAT exemption, the exemption would have been in Section 1, which takes precedence over Auto NAT, which is in Section 2.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
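
The rule-order problem described in #3 and explained in #4, shown as an added ASA 8.3+ configuration illustration that is not the poster's own config: it uses the 5512-x side's hosts from the thread, and the object names, the inside subnet and the interface names are assumed.

```text
! Added illustration (not the poster's config). Object names, the inside
! subnet 192.168.2.0/24 and the interface names inside/outside are assumed.
object network LOCAL-HOST
 host 192.168.2.233
object network REMOTE-HOST
 host 192.168.6.3

! --- Failing order (what #3 describes) ---
! Both lines are manual NAT, so both live in Section 1, which is evaluated
! top-down with first match winning. The catch-all PAT comes first, so
! traffic for the peer is translated to the outside address and no longer
! matches the crypto ACL (host 192.168.2.233 -> host 192.168.6.3).
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LOCAL-HOST LOCAL-HOST destination static REMOTE-HOST REMOTE-HOST no-proxy-arp route-lookup

! --- Working order, option A: put the identity NAT at line 1 of Section 1 ---
nat (inside,outside) 1 source static LOCAL-HOST LOCAL-HOST destination static REMOTE-HOST REMOTE-HOST no-proxy-arp route-lookup
nat (inside,outside) source dynamic any interface

! --- Working order, option B (what #4 suggests): keep the exemption as
! manual NAT (Section 1) and move the general PAT to Auto/object NAT, which
! sits in Section 2 and is only consulted when Section 1 has no match.
object network INSIDE-NET
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Checks: confirm which rule a VPN-bound packet hits and that the
! identity rule's translate_hits counter increments, not the PAT rule's.
packet-tracer input inside tcp 192.168.2.233 12345 192.168.6.3 80
show nat
```

The no-proxy-arp and route-lookup keywords on the identity rule are optional and need 8.4(2) or later; without them the exemption still works for this host-to-host case.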
