Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hi Folks,

Could someone please provide an example of a route based IPSec L2L VPN using BGP on Cisco ASA?

Thanks much,
Naresh

Hello Naresh

Take a look at this Cisco documentation that describes your scenario:


If you have any more specific questions, please feel free to ask, you know where to find us…

I hope this has been helpful!

Laz

Good Day

I am setting up an IPsec VPN tunnel between a Cisco ASA and a different vendor's firewall.

I completed all the steps and I can ping the remote tunnel peer IP, but when I run the command sh crypto isakmp sa it says that there are no IKEv1 SAs.

What could be causing this?

Thanks
Quinton

Hello Quinton

Pinging the remote tunnel peer IP will not bring up the tunnel, as this will simply generate traffic directly between the two firewalls, and not through the tunnel itself. You must generate user traffic, that is, traffic that will actually traverse the tunnel. In the lesson, this was generated by a ping between R1 and R2 (and not between ASA1 and ASA2 which is the equivalent of what you attempted).

Try pinging from/to the tunnelled subnets and see your results. If you still have difficulties, you know where to find us!

I hope this has been helpful!

Laz
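As an added illustration of Laz's point (not configuration from the lesson or the thread), the crypto ACL below is what makes traffic "interesting" on an ASA, and packet-tracer can simulate a host-to-host ping without touching the hosts. Addressing is assumed: inside networks 192.168.1.0/24 and 192.168.2.0/24, ASA outside addresses 10.10.10.1 and 10.10.10.2, and a transform set named L2L-TS defined elsewhere.

```cisco
! ASA1 (assumed addressing): inside 192.168.1.0/24, outside 10.10.10.1, peer ASA2 at 10.10.10.2
! Only traffic that matches this ACL triggers IKEv1 phase 1 and is sent through the tunnel.
access-list L2L-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map L2L-MAP 10 match address L2L-TRAFFIC
crypto map L2L-MAP 10 set peer 10.10.10.2
crypto map L2L-MAP 10 set ikev1 transform-set L2L-TS
crypto map L2L-MAP interface outside

! A ping from the ASA itself to the peer's outside address (10.10.10.2) is sourced from
! 10.10.10.1 and never matches L2L-TRAFFIC, so it goes in the clear and no IKEv1 SA is built.
! Simulate a host-to-host echo request instead (ICMP type 8, code 0) from the inside subnet:
packet-tracer input inside icmp 192.168.1.20 8 0 192.168.2.40 detailed
! The trace should show a VPN phase, meaning the packet matched the crypto map. Then confirm:
show crypto ikev1 sa
show crypto ipsec sa peer 10.10.10.2 | include pkts encaps|pkts decaps
! If a real ping from 192.168.1.20 still leaves "show crypto ikev1 sa" empty, phase 1 either
! never started (no route for 192.168.2.0/24 out of "outside") or failed to negotiate.
```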

Thank you.

Does a Cisco ASA allow you to ping using a user defined source and destination address and in the GUI where would I go to do this?

Hi

We figured out it was SHA not configured correctly on both ends for phase 1. One end was using SHA256 and the other was using SHA1. The tunnel is up now, thanks.

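The mismatch Quinton found is a phase 1 parameter problem. As an added example (not from the lesson or the thread), this is the ASA side of an IKEv1 phase 1 and phase 2 proposal with the values the other vendor has to mirror; the peer address 10.10.10.2 and the pre-shared key are placeholders.

```cisco
! ASA IKEv1 phase 1 policy. Authentication, encryption, hash and DH group must match the
! other vendor's phase 1 proposal exactly; lifetime is negotiated down to the lower value.
! ASA IKEv1 policies accept only "hash md5" or "hash sha" (SHA-1), so a peer offering
! SHA-256 here will never agree and "show crypto ikev1 sa" stays empty, as seen above.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 (IPsec) proposal; the remote side must offer the same ESP cipher and integrity algorithm.
crypto ipsec ikev1 transform-set L2L-TS esp-aes-256 esp-sha-hmac

! Peer identity and pre-shared key (placeholder value, replace with the real key).
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK

! While interesting traffic is being generated, watch the negotiation on the ASA.
! A proposal mismatch is reported in the debug as the peer's proposals being unacceptable;
! a successful phase 1 ends in state MM_ACTIVE in the output of "show crypto ikev1 sa".
debug crypto ikev1 127
show crypto ikev1 sa
undebug all
```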

Hello Quinton

Within the command line of the ASA, you can perform what is called an extended ping. This is also available for Cisco IOS routers as well. In the extended ping you can specify various parameters including the source and destination IPs of the ping among others. To use the extended ping, you simply enter the ping command without any additional parameters. You will then be prompted for specific parameters. You can find out more about the extended ping command here:


As for the GUI, you can use the ping function from the Tools menu from which you can indeed choose the source interface for the pinging.

I hope this has been helpful!

Laz

Hi Rene,
I have a problem enabling IKEv1 policy on the OUTSIDE interface

I get this error message:

crypto ikev1 enable outside
ERROR: CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed.

ASA1# show ver

Cisco Adaptive Security Appliance Software Version 9.1(5)16
Device Manager Version 7.3(3)

thank you in advance.

Hello Ayong

After doing some research, I have found that this is a bug that has to do with version 9.1(5)16 as well as 9.1(7)32. I hope that this isn’t a production device that you are using, because others have experienced this issue which appears with the ASA software upgrade, but does not disappear when they downgrade to a working version. Others have had to open TAC cases to resolve it. Unless I’m mistaken, there doesn’t seem to be any published solution to the issue that I could find, beyond approaching TAC.

I hope this has been helpful!

Laz

Thank you so much Laz. I am using EVE-NG.
Best Regards.


Hi dear friends, I configured site-to-site between 2 ASAs.

packet-tracer inside input ip_local_host 0 0 ip_remote_host ------result Allow

But when I ping from my local host to the remote host, ICMP is unreachable. That is why my VPN is down.

Hello Cemil

It may be that the particular packet tracer command worked correctly on that specific ASA, but that does not ensure that you should have end to end connectivity. There are many other troubleshooting steps that you must take in order to locate the problem causing your lack of connectivity.

Take a look at Rene’s ASA Firewall course found here:


In there you will find Unit 5 which contains many lessons on site to site VPNs. In there you should find all the necessary principles for site to site VPN creation as well as troubleshooting.

I hope this has been helpful!

Laz

Network Lesson: Cisco ASA Site-to-Site IKEv1 IPsec VPN
I have implemented this lab in CML-LAB using the exact configuration found in this lesson.
I see the VPN is UP but I am unable to ping the interesting traffic from Router 1 and Router 2.
I believe there is no NAT involved here since both routers are connected directly to the inside interface of the ASA and there is no internet access here. I am not sure what else is missing.
Can you please advise?
I see the packets are being encapsulated but not decapsulated on ASA 1.
I see the packets are being decapsulated but not encapsulated on ASA 2.

NETW-LESSON-ASA1.txt (4.0 KB) NETW-LESSON-ASA2.txt (3.8 KB)

Hello Imranj

Looking over your config I don’t see anything out of the ordinary. I see four packets encapsulated on ASA1 and four packets decapsulated on ASA2 which seems to indicate that the ping has reached ASA2. The response however is not being sent, since there are zero encaps on ASA1 and zero decaps on ASA2.

The first thing I would consider here is routing, but I see that R2 is configured correctly with the default gateway, so it should be sending traffic correctly. The only other thing I can think of that you may want to check is MTU size on the interfaces, ensuring that frames aren’t being blocked.

You may also want to try to ping from R2 to R1 and see if you get any encaps/decaps incrementing or not. If not, then it is indeed an issue of sending traffic in that particular direction ASA2 --> ASA1.

Hopefully, this has given you some inspiration to continue your troubleshooting!

I hope this has been helpful!

Laz

Hi
IPsec tunnel is up but I am getting receive errors and they are increasing

#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 165131

Hello Pavan

Receive errors on an IKEv1 IPsec tunnel usually increase when one of the tests performed during the decapsulation of the ESP packet fails. These include:

  • Anti-replay out of window errors
  • Digest errors (packet corrupted)
  • Invalid decapsulation length/SA/protocol
  • Any other decapsulation failure

In order to determine in detail where the problem is, you can use various debug commands for IPSec including:

debug crypto ipsec
debug crypto isakmp

If it is an issue with ESP decapsulation, you should pick it up with the first of these debug commands. In the details of the debug you should see the reason for the recv error, and you can continue troubleshooting from there on.

Some helpful Cisco links that may aid in your troubleshooting include:

I hope this has been helpful!

Laz
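As an added example (not commands from the thread or the lesson), this is a short ASA checklist for narrowing down rising "#recv errors", which also covers the encaps/decaps comparison Laz suggested to Imranj earlier in the thread. The peer address 10.10.10.2 is assumed.

```cisco
! Take this snapshot twice a minute apart and compare. "#recv errors" climbing while
! "#pkts decaps" stays flat means ESP packets arrive at this ASA but fail decapsulation
! (anti-replay window, digest/integrity check, invalid length, SA or protocol).
! Comparing encaps on one ASA with decaps on the other also shows which direction is broken.
show crypto ipsec sa peer 10.10.10.2 | include pkts encaps|pkts decaps|recv errors

! The data path keeps a per-reason drop counter; IPsec-related reasons appear here by name.
show asp drop

! Enable the IPsec debug only for the duration of a test ping from the protected subnets;
! it reports the reason for each packet that fails decapsulation.
debug crypto ipsec 127
undebug all

! If the reason is anti-replay "out of window" drops, which typically come from QoS or
! load-balancing reordering ESP packets in transit, widen the replay window (default 64,
! maximum 1024) instead of disabling the anti-replay check.
crypto ipsec security-association replay window-size 1024

! Reset the counters after a change so that any new increase is unambiguous.
clear crypto ipsec sa counters
```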

Hi Rene,

I have question regarding routing with S2S VPN.
In your post we had to configure routing between 2 directly connected ASA FWs. But in the case where you add (for example) one router in between (so ASA - R - ASA), you only have to specify default routes pointing to R. In the R configuration I do not use any route towards the inside interfaces on both ASA firewalls.
Why is that?

Asa inside interface: 192.168.1.0 /24
ASA outside interface 88.1.1.1 /24
route outside 0.0.0.0 0.0.0.0 88.1.1.2

Router interface g 0/0 88.1.1.2/24
Router interface g 0/1 88.1.2.2/24

ASA outside interface 88.1.2.1/24
ASA 2 inside interface 192.168.2.0/24
route outside 0.0.0.0 0.0.0.0 88.1.2.2

Hello Erik

This is a very good question and is important to understand the role of routers in various locations throughout a topology. That router R doesn’t need to know how to reach the inside subnets of the ASAs. It will never receive packets with a destination IP of 192.168.1.X or 192.168.2.X.

Remember, the ASAs have created a site-to-site tunnel, so all traffic with such destination addresses will be encapsulated within tunneling packets. This means that the R router will only receive packets with destination IP addresses of the outside interfaces of the ASAs.

I hope this has been helpful!

Laz

Hi Lazaros,

Thank you for the reply.
This all makes sense (when using a router), but what I do not understand is why you have to specify routing when you have directly connected ASA FWs. Directly connected ASA FWs share the same subnet (outside interfaces), and when we encapsulate packets in IPsec we know how to get to our peer; we then de-encapsulate the IPsec headers (we are left with a source of the inside IP and a destination of the inside IP) and forward out the inside interface.

Thank you

Hello Erik

Let’s take it step by step. Let’s say you don’t have any routing configured in either ASA. Let’s say you have a host (H1) behind ASA1 with an IP address of 192.168.1.20 and another host (H2) behind ASA2 with an IP address of 192.168.2.40.

Now if H1 sends a ping to H2, that ping…

  1. The ping will go to the default gateway, which is ASA 1 at 192.168.1.254.
  2. The ASA will look at the destination IP of 192.168.2.40 but it doesn’t have any information about this network in the routing table. There is also no default route. So the packet is dropped.

The ASAs are directly connected, therefore they know about the 10.10.10.0/24 network to which they are both connected. However, ASA1 does not have any info about 192.168.2.0/24.

The solution is to either use the static route as shown in the lesson or introduce a default route in the routing table. That way, if a destination doesn’t match anything in the routing table, it will be sent to the default route. Once that is done, such packets will be sent to ASA2. ASA2 knows the 192.168.2.0/24 network as it is directly connected, and will forward the packet correctly.

I hope this has been helpful!

Laz

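To put Laz's two routing scenarios side by side, here is an added example (not configuration from the lesson or the thread) seen from ASA1. Scenario 1 uses the assumed directly connected subnet 10.10.10.0/24 from Laz's explanation; scenario 2 uses the addresses Erik posted (ASA1 outside 88.1.1.1, router R at 88.1.1.2 and 88.1.2.2, ASA2 outside 88.1.2.1).

```cisco
! Scenario 1: ASA1 and ASA2 directly connected on 10.10.10.0/24 (ASA1 10.10.10.1, ASA2 10.10.10.2).
! 10.10.10.0/24 is in the routing table as a connected route, but 192.168.2.0/24 is not, so a packet
! from 192.168.1.20 to 192.168.2.40 is dropped by the route lookup before the crypto map is even
! consulted. Being on the same subnet as the peer does not create a route for the peer's inside network.
route outside 192.168.2.0 255.255.255.0 10.10.10.2
! (the mirror image on ASA2 would be: route outside 192.168.1.0 255.255.255.0 10.10.10.1)

! Scenario 2: router R sits between the ASAs (ASA1 outside 88.1.1.1/24, R 88.1.1.2 and 88.1.2.2,
! ASA2 outside 88.1.2.1/24). A default route is enough: the lookup for 192.168.2.40 falls through
! to it, the packet then matches the crypto ACL and leaves as ESP addressed to 88.1.2.1.
route outside 0.0.0.0 0.0.0.0 88.1.1.2
! R only ever forwards packets between 88.1.1.1 and 88.1.2.1, both on its connected interfaces,
! so it needs no routes for 192.168.1.0/24 or 192.168.2.0/24; the inside addresses are hidden
! inside the ESP payload.

! Verification on ASA1: the route lookup that happens before encryption.
show route | include 192.168.2.0|0.0.0.0
! A static or default route to the peer network is what "show route" must return for the
! destination; if it shows nothing for 192.168.2.0/24 and no default, the packet is dropped.
```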