Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hi dear friends, I configured a site-to-site VPN between 2 ASAs.

packet-tracer input inside icmp ip_local_host 0 0 ip_remote_host ------ result: Allow

But when I ping from my local host to the remote host I get ICMP unreachable. That is why my VPN is down.

Hello Cemil

It may be that the particular packet tracer command worked correctly on that specific ASA, but that does not ensure that you should have end to end connectivity. There are many other troubleshooting steps that you must take in order to locate the problem causing your lack of connectivity.

Take a look at Rene’s ASA Firewall course found here:


In there you will find Unit 5 which contains many lessons on site to site VPNs. In there you should find all the necessary principles for site to site VPN creation as well as troubleshooting.

I hope this has been helpful!

Laz

Network Lesson: Cisco ASA Site-to-Site IKEv1 IPsec VPN
I have implemented this lab using CML-LAB using the exact configuration found in this lesson.
I see the VPN is UP but I am unable to ping the interesting traffic from Router 1 and Router 2.
I believe there is no NAT involved here since both routers are connected directly to the inside interface of the ASA and there is no internet access here. I am not sure what is else missing.
Can you please advise?
I see the packets are being encapsulated but not decapsulated on ASA 1.
I see the packets are being decapsulated but not encapsulated on ASA 2.

NETW-LESSON-ASA1.txt (4.0 KB) NETW-LESSON-ASA2.txt (3.8 KB)

Hello Imranj

Looking over your config I don’t see anything out of the ordinary. I see four packets encapsulated on ASA1 and four packets decapsulated on ASA2 which seems to indicate that the ping has reached ASA2. The response however is not being sent, since there are zero encaps on ASA1 and zero decaps on ASA2.

The first thing I would consider here is routing, but I see that R2 is configured correctly with the default gateway, so it should be sending traffic correctly. The only other thing I can think of that you may want to check is MTU size on the interfaces, ensuring that frames aren’t being blocked.

You may also want to try to ping from R2 to R1 and see if you get any encaps/decaps incrementing or not. If not, then it is indeed an issue of sending traffic in that particular direction ASA2 --> ASA1.

Hopefully, this has given you some inspiration to continue your troubleshooting!

I hope this has been helpful!

Laz
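A verification sequence for the one-way encaps/decaps symptom discussed above, added here as an example; it is not from the lesson or from the attached configurations. It assumes the lesson's addressing (ASA1 inside 192.168.1.0/24 and outside 10.10.10.1, ASA2 inside 192.168.2.0/24 and outside 10.10.10.2) and two hosts, H1 at 192.168.1.20 and H2 at 192.168.2.40; the capture names are arbitrary.

```cisco
! ===== On ASA1 =====
! 1. Phase 1 must be established with the peer before anything else is worth checking.
show crypto ikev1 sa
! 2. Phase 2 counters per SA. Encaps on one side should equal decaps on the other,
!    in both directions. A zero in one direction localises the problem to the side
!    that should have encrypted the reply.
show crypto ipsec sa peer 10.10.10.2 | include ident|pkts
! 3. Simulate H1 -> H2 entering on inside. The trace must end at the outside
!    interface with a VPN encrypt phase and 'Action: allow', not a DROP.
packet-tracer input inside icmp 192.168.1.20 8 0 192.168.2.40 detailed
! 4. Decrypted traffic bypasses the outside interface ACL only while this sysopt is
!    enabled (the default). If it has been disabled, the outside ACL must permit
!    192.168.2.0/24 -> 192.168.1.0/24 or the reply is silently dropped.
show running-config sysopt
! 5. Capture while the ping runs: cleartext on inside, encrypted on outside, and
!    everything the accelerated security path dropped, with the drop reason.
capture CAPIN interface inside match icmp host 192.168.1.20 host 192.168.2.40
capture CAPOUT interface outside match ip host 10.10.10.1 host 10.10.10.2
capture ASPDROP type asp-drop all
show capture CAPIN
show capture CAPOUT
show capture ASPDROP | include 192.168.2.40
no capture CAPIN
no capture CAPOUT
no capture ASPDROP

! ===== On ASA2 =====
! The same counters from the other end; decaps here with zero encaps means the
! reply from H2 never came back to ASA2 or was not matched by the crypto ACL.
show crypto ipsec sa peer 10.10.10.1 | include ident|pkts
! Simulate the reply direction where it actually originates, on ASA2's inside.
packet-tracer input inside icmp 192.168.2.40 0 0 192.168.1.20 detailed
! Confirm H2's reply reaches ASA2 at all (routing/default gateway on H2's side).
capture CAPIN2 interface inside match icmp host 192.168.2.40 host 192.168.1.20
show capture CAPIN2
no capture CAPIN2
```

The packet-tracer for the return direction is run on ASA2's inside rather than on ASA1's outside, because a trace injected on outside does not go through decryption and would not show what the tunnel actually delivers.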

HI
IPsec tunnel is up but I am getting receive errors and they are increasing

#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 165131

Hello Pavan

Receive errors on an IKEv1 IPSec tunnel usually increase when one of the tests performed during the decapsulation of the ESP fails. These include:

  • Anti-replay out of window errors
  • Digest errors (packet corrupted)
  • Invalid decapsulation length/SA/protocol
  • Any other decapsulation failure

In order to determine in detail where the problem is, you can use various debug commands for IPSec including:

debug crypto ipsec
debug crypto isakmp

If it is an issue with ESP decapsulation, you should pick it up with the first of these debug commands. In the details of the debug you should see the reason for the recv error, and you can continue troubleshooting from there on.

Some helpful Cisco links that may aid in your troubleshooting include:

I hope this has been helpful!

Laz

Hi Rene,

I have question regarding routing with S2S VPN.
In your post we had to configure routing between 2 directly connected ASA firewalls. But in a case when you add (for example) one router in between (so ASA - R - ASA) you only have to specify default routes pointing to R. In the R configuration I do not use any route towards the inside interfaces on either ASA firewall.
Why is that?

ASA inside interface: 192.168.1.0 /24
ASA outside interface 88.1.1.1 /24
route outside 0.0.0.0 0.0.0.0 88.1.1.2

Router interface g 0/0 88.1.1.2/24
Router interface g 0/1 88.1.2.2/24

ASA outside interface 88.1.2.1/24
ASA 2 inside interface 192.168.2.0/24
route outside 0.0.0.0 0.0.0.0 88.1.2.2

Hello Erik

This is a very good question, and it is important to understand the role of routers in various locations throughout a topology. That router R doesn’t need to know how to reach the inside subnets of the ASAs. It will never receive packets with a destination IP of 192.168.1.X or 192.168.2.X.

Remember, the ASAs have created a site-to-site tunnel, so all traffic with such destination addresses will be encapsulated within tunneling packets. This means that the R router will only receive packets with destination IP addresses of the outside interfaces of the ASAs.

I hope this has been helpful!

Laz

Hi Lazaros,

Thank you for the reply.
This all makes sense (when using a router), but what I do not understand is why you have to specify routing when you have directly connected ASA firewalls. Directly connected ASA firewalls share the same subnet (outside interfaces), and when we encapsulate packets in IPsec we know how to get to our peer; we then de-encapsulate the IPsec headers (we are left with a source of an inside IP and a destination of an inside IP) and forward out the inside interface.

Thank you

Hello Erik

Let’s take it step by step. Let’s say you don’t have any routing configured in either ASA. Let’s say you have a host (H1) behind ASA1 with an IP address of 192.168.1.20 and another host (H2) behind ASA2 with an IP address of 192.168.2.40.

Now if H1 sends a ping to H2, that ping…

  1. The ping will go to the default gateway, which is ASA 1 at 192.168.1.254.
  2. The ASA will look at the destination IP of 192.168.2.40 but it doesn’t have any information about this network in the routing table. There is also no default route. So the packet is dropped.

The ASAs are directly connected, therefore they know about the 10.10.10.0/24 network to which they are both connected. However, ASA1 does not have any info about 192.168.2.0/24.

The solution is to either use the static route as shown in the lesson or introduce a default route in the routing table. That way if a destination doesn’t match anything, in the routing table, it will be sent to the default route. Once that is done, such packets will be sent to ASA2. ASA2 knows the 192.168.2.0/24 network as it is directly connected, and will forward the packet correctly.

I hope this has been helpful!

Laz
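The two routing options from the explanation above, written out as an added example configuration that is not the lesson's own. Addresses follow the thread: ASA1 inside 192.168.1.254/24 and outside 10.10.10.1/24, ASA2 outside 10.10.10.2 with inside 192.168.2.0/24, hosts H1 192.168.1.20 and H2 192.168.2.40.

```cisco
! ===== ASA1 =====
! Option A: a specific static route for the remote LAN via the peer's outside address.
route outside 192.168.2.0 255.255.255.0 10.10.10.2
!
! Option B (pick one): a default route. Either way the packet must be routed out of
! 'outside', because that is the interface the crypto map is applied to. Only a
! packet leaving that interface is compared against the crypto ACL and encrypted;
! a packet with no route is dropped before the VPN code path is ever reached.
route outside 0.0.0.0 0.0.0.0 10.10.10.2
!
! With a router in the middle (ASA - R - ASA) Option B still works for the same
! reason: the egress interface is still 'outside', and what R forwards is the ESP
! packet addressed to the peer's outside address, a network R is connected to.
!
! ===== ASA2 =====
! The mirror route. Without it H2's replies are dropped on ASA2 with no route.
route outside 192.168.1.0 255.255.255.0 10.10.10.1
!
! Verify on ASA1: the remote LAN must resolve to 'outside', and a simulated H1 -> H2
! packet must be handed to VPN encryption rather than dropped.
show route | include 192.168.2.0
packet-tracer input inside icmp 192.168.1.20 8 0 192.168.2.40
```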


Hi Everybody,

I would like to ask a little help.
I am a beginner network engineer.
My question is:

If I created an S2S IPsec IKEv1 VPN between 2 ASAs or 2 routers and the interesting traffic is the same on both sites, what exactly should I do?

I think I should do NAT but I do not know how.
What kind of NAT do I have to use and how do I have to create the NAT in this situation? Which network do I have to translate?

Thank you for your support.

Hello Tivadar

Take a look at this lesson:

There you will see a detailed step-by-step procedure on how to create a site-to-site IPSec IKEv1 VPN between two ASAs.

If you have further questions about this particular setup, please feel free to let us know!

I hope this has been helpful!

Laz

Hi Lagapides,

My problem is that the interesting traffic is the same on both ASAs or routers.
I cannot find such an example for it.

ASA1 local network 192.168.1.0/24
ASA2 local network 192.168.1.0/24

I would like these 2 networks to reach each other over the S2S tunnel.

How can i resolve this problem?

Thank you for your support.

Hello Tivadar

I see, thank you for the clarification. It depends on what you want to achieve. There are two possibilities here:

  1. You are creating a single subnet of 192.168.1.0/24 that you want to span across two remote sites. Each host in the subnet is unique, in other words, you may have 192.168.1.10 at site 1 but not at site 2, and similarly 192.168.1.11 at site 2 but not at site 1. This essentially means you have a single subnet that is shared across the VPN tunnel, with a total of 254 unique hosts among the two sites.

  2. The other case involves two separate subnets, each at each remote location, where you have the same network. So you may have 192.168.1.10 at both locations. This situation would arise if you have two separate branch offices, which happen to use the same IP address ranges, and you want to interconnect them.

If your case is the first, then you can easily do this by creating a Layer 2 tunnel between the two sites using the Layer 2 Tunnel Protocol (L2TP) as described in the lesson. Here you must ensure that each host has a unique IP address across both sites.

If your case is the second, then you must find a way to make those addresses unique. There are several ways to do this:

  1. Maybe the easiest is to actually change the network addressing on that subnet and make it unique. It’s not always possible, but if it is, it is the cleanest solution. You can then set up a site-to-site VPN with the appropriate routing.
  2. If that’s not possible, you should be able to NAT the addresses of one of the sites, as you suggested using static one-to-one NAT between the 192.168.1.0/24 subnet and another subnet that is not in use, such as 192.168.10.0/24. This NATing should be done either on the VPN router at the remote site that contains the subnet to be NATted, or on a router internal to that network, before the traffic reaches the VPN router. For one-to-one static NAT, take a look at this lesson.
  3. Although this is probably not a viable solution for your case, it may be worth mentioning that MPLS is a technology that is designed to be able to discern between multiple remote networks that may be using the same subnets.

Let us know which is your case so that we can help you further.

I hope this has been helpful!

Laz

Hi Lazaros,

Thank you for your support.
I review the one to one NAT lesson.

It is not completely clear yet.

So I may have a question for you.

Thank you very much!

Hello Tivadar

No problem, that’s what we’re here for! Take a look at your convenience, and if you have any questions, you know where to find us!

Laz

Hi team,

Could you explain the differences between the attributes part for the tunnel-group? What are the differences between ipsec-attributes and general-attributes? How do we decide to choose one over the other?

tunnel-group 10.10.10.1 ipsec-attributes

Thank you in advance.

Hello Po

According to Cisco’s command reference:

  • tunnel-group general-attributes “is used to configure settings that are common to all supported tunneling protocols.”
  • tunnel-group ipsec-attributes “is used to configure settings that are specific to the IPSec tunneling protocol.”

Similarly, there are other attribute groups you can configure including:

  • tunnel-group ppp-attributes
  • tunnel-group webvpn-attributes

…both of which can be found in the above command reference link as well.

I hope this has been helpful!

Laz

Hi Lazaros,

I would like to do this in my ASA what you suggested:

If that’s not possible, you should be able to NAT the addresses of one of the sites, as you suggested using static one-to-one NAT between the 192.168.1.0/24 subnet and another subnet that is not in use, such as 192.168.10.0/24. This NATing should be done either on the VPN router at the remote site that contains the subnet to be NATted, or on a router internal to that network, before the traffic reaches the VPN router. For one-to-one static NAT

  1. I do the ASA S2S VPN the same as in the lesson: Cisco ASA Site-to-Site IKEv1 IPsec VPN

  2. I do a static NAT 192.168.1.0/24 → 192.168.1.11/24 network; this network is not in use, and should it be an existing working network (192.168.1.11/24)?

object network Internal
subnet 192.168.1.0 255.255.255.0
object network Internal2
subnet 192.168.11.0 255.255.255.0

I looked at static NAT but there I can translate one IP address to one IP address.
How can I translate the internal 192.168.1.0/24 network to the 192.168.11.0/24 internal network?
I do not understand.

Hello Tivadar

I think you have a typo there, I think you meant “existing working network (192.168.11.0/24)?”

The network you translate to can be anything you like, but it should not exist on any other internal network that you want to be able to reach, nor should it use any public IP addresses, as this could result in incorrect routing to particular destinations on the Internet.

In order to achieve one to one NAT address translation for a whole range of addresses, you can use the range keyword like so:

object network Internal
range 192.168.1.2 192.168.1.254
object network Internal2
range 192.168.11.2 192.168.11.254

You can see more detailed information about such configurations here:

I hope this has been helpful!

Laz
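A complete two-ASA configuration for the overlapping-subnet case raised earlier in this thread (both sites on 192.168.1.0/24), covering the one-to-one NAT just discussed and the tunnel-group general-attributes versus ipsec-attributes question. It is an added example, not the lesson's or Tivadar's configuration, and it goes beyond translating a single site: with an identical subnet at both ends, a host would treat the other site's real addresses as local and never send them to its gateway, so each site is given its own mapped prefix. Assumed values: site A presents itself as 192.168.11.0/24, site B as 192.168.12.0/24, the outside addresses are 10.10.10.1 (A) and 10.10.10.2 (B), and the object, ACL, map and policy names plus the pre-shared key placeholder are arbitrary.

```cisco
! ===== Site A ASA: real LAN 192.168.1.0/24, seen from the VPN as 192.168.11.0/24 =====
object network SITE_A_REAL
 subnet 192.168.1.0 255.255.255.0
object network SITE_A_MAPPED
 subnet 192.168.11.0 255.255.255.0
object network SITE_B_MAPPED
 subnet 192.168.12.0 255.255.255.0
!
! Twice (manual) NAT: translate our LAN host-for-host only when the destination is
! site B's mapped prefix. Two equal-size subnet objects in a static rule already
! give a one-to-one mapping (192.168.1.x -> 192.168.11.x); the range keyword is
! only needed when the mapping should not cover the whole subnet.
! no-proxy-arp: the ASA must not answer ARP for 192.168.11.0/24 on inside.
! route-lookup: pick the egress interface from the routing table, not from the rule.
nat (inside,outside) source static SITE_A_REAL SITE_A_MAPPED destination static SITE_B_MAPPED SITE_B_MAPPED no-proxy-arp route-lookup
!
! The crypto ACL matches post-NAT addresses, because the ASA translates before it
! encrypts. Referencing the real 192.168.1.0/24 here would never match.
access-list VPN_TO_B extended permit ip 192.168.11.0 255.255.255.0 192.168.12.0 255.255.255.0
!
! The mapped remote prefix must route out of 'outside' so the crypto map sees it.
route outside 192.168.12.0 255.255.255.0 10.10.10.2
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_B
crypto map OUTSIDE_MAP 10 set peer 10.10.10.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
! tunnel-group: general-attributes carry settings common to every tunnel type (here
! the group policy); ipsec-attributes carry what only IPsec needs (the IKEv1 PSK).
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-tunnel-protocol ikev1
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 general-attributes
 default-group-policy L2L_POLICY
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key <long-random-psk>
!
! ===== Site B ASA: the mirror image, real 192.168.1.0/24 seen as 192.168.12.0/24 =====
object network SITE_B_REAL
 subnet 192.168.1.0 255.255.255.0
object network SITE_B_MAPPED
 subnet 192.168.12.0 255.255.255.0
object network SITE_A_MAPPED
 subnet 192.168.11.0 255.255.255.0
nat (inside,outside) source static SITE_B_REAL SITE_B_MAPPED destination static SITE_A_MAPPED SITE_A_MAPPED no-proxy-arp route-lookup
access-list VPN_TO_A extended permit ip 192.168.12.0 255.255.255.0 192.168.11.0 255.255.255.0
route outside 192.168.11.0 255.255.255.0 10.10.10.1
! ...followed by the same ikev1 policy, transform set, crypto map, group policy and
! tunnel-group as site A, with peer 10.10.10.1 and the identical pre-shared key.
!
! Verification: a host at site A reaches host 192.168.1.40 at site B as 192.168.12.40.
! 'show nat detail' should show translate_hits on the outbound leg and
! untranslate_hits on the return leg; 'show crypto ipsec sa' should show an SA whose
! local/remote idents are 192.168.11.0/24 and 192.168.12.0/24.
```

Because the hosts address each other by the mapped prefixes, anything that carries real addresses inside the payload (DNS answers, application-level references) must also be published with the mapped addresses, or resolved by DNS views at each site; the NAT rule only rewrites IP headers.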