Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hello Sims

Using site to site VPNs with IPsec, it is not possible to extend a single subnet across two remote locations. Because the tunnel is a layer 3 entity, routing must take place at the ASAs to go from one subnet to the other.

If you want to extend a single subnet/VLAN over a remote tunnel, you will have to create a Layer 2 tunnel using L2TP which allows you to encapsulate layer 2 frames into IP Packets to be tunneled over the WAN/Internet. You can find out more about this at the following lesson.

I hope this has been helpful!

Laz

Hi.
I’m trying to configure an ipsec vpn between 2 ASA 5505 (ASAv GNS3). However, the tunnel does not come up.

ASA1# sh crypto isa sa

There are no IKEv1 SAs
There are no IKEv2 SAs

ASA1# sh crypto ipsec sa

There are no ipsec sas

The topology is the same as in this lecture, ipsec vpn ikev1.
This is the configuration:
ASA-1

nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0

nameif OUTSIDE
security-level 0
ip address 10.10.10.1 255.255.255.0


crypto ikev1 policy 10 
authentication pre-share 
encryption aes
hash sha
group 2
lifetime 3600

crypto ikev1 enable OUTSIDE
crypto isakmp identity address 

tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes 
ikev1 pre-shared-key MY_SHARED_KEY

access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA-2

nameif INSIDE
security-level 100
ip address 192.168.2.254 255.255.255.0

nameif OUTSIDE
security-level 0
ip address 10.10.10.2 255.255.255.0 

crypto ikev1 policy 10
authentication pre-share 
encryption aes
hash sha
group 2
lifetime 3600

crypto ikev1 enable outside
crypto isakmp identity address 

tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
ikev1 pre-shared-key MY_SHARED_KEY

access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE

Hello Taoufik

Your access list on ASA 2 should be reversed. Instead of

access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

it should be

access-list LAN1_LAN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Also, your crypto peer command on ASA 2 should set the peer as 10.10.10.1 and not 10.10.10.2. It seems that when you copied and pasted from one ASA to the other, these addresses were not changed.

I hope this has been helpful!

Laz
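An added consistency check, written for this thread and not part of the lesson or of Cisco's tooling: it reads the two posted snippets and reports exactly the two copy-paste mismatches Laz points out (peer address and un-mirrored crypto ACL). It also compares the phase-1 encryption, hash and DH group and the transform set, so a SHA1/SHA256 mismatch of the kind reported later in this thread is flagged the same way. The function names parse_asa and check_pair and the trimmed config strings are my own constructions.

```python
import re

# Constructed excerpt of the ASA-1 config posted above, reduced to the lines the checker reads.
ASA1 = """nameif OUTSIDE
ip address 10.10.10.1 255.255.255.0
 encryption aes
 hash sha
 group 2
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2"""
# ASA-2 as posted: only the interface address changed after the copy-paste; peer and ACL did not.
ASA2 = ASA1.replace("ip address 10.10.10.1", "ip address 10.10.10.2")

# Settings that must be identical on both peers (value taken from the first capture group).
SAME = {"transform": r"crypto ipsec ikev1 transform-set \S+ (.+)",
        "encryption": r"encryption (\S+)", "hash": r"hash (\S+)", "group": r"group (\S+)"}

def parse_asa(cfg: str) -> dict:
    # Collect the L2L-relevant settings: OUTSIDE address, crypto map peer, crypto ACL, SAME keys.
    d = {"acl": set()}
    nameif = None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1).lower()
        elif (m := re.match(r"ip address (\S+) ", line)) and nameif == "outside":
            d["outside_ip"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            d["peer"] = m.group(1)
        elif m := re.match(r"access-list \S+ extended permit ip (\S+ \S+) (\S+ \S+)$", line):
            d["acl"].add((m.group(1), m.group(2)))  # (source, destination) pair
        else:
            for key, pat in SAME.items():
                if m := re.match(pat, line):
                    d[key] = m.group(1).strip()
    return d

def check_pair(a: dict, b: dict) -> list:
    # One message per mismatch; an empty list means the two sides are consistent.
    problems = []
    for me, other, name in ((a, b, "ASA-1"), (b, a, "ASA-2")):
        if me.get("peer") != other.get("outside_ip"):
            problems.append(f"{name}: set peer {me.get('peer')} is not the remote OUTSIDE address {other.get('outside_ip')}")
    if {(dst, src) for src, dst in a["acl"]} != b["acl"]:
        problems.append("crypto ACLs are not mirror images of each other")
    for key in SAME:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    return problems

PROBLEMS = check_pair(parse_asa(ASA1), parse_asa(ASA2))
```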

Hello Rene,
If I understand correctly, we use static routing in this scheme because we don’t use a default route?
If we have “ISP_Router” as the default route for ASA-1 and ASA-2, we don’t need static routing because the “secure” traffic will fall under the crypto map.

Hi Folks,

Could someone please provide an example of a route based IPSec L2L VPN using BGP on Cisco ASA?

Thanks much,
Naresh

Hello Naresh

Take a look at this Cisco documentation that describes your scenario:


If you have any more specific questions, please feel free to ask, you know where to find us…

I hope this has been helpful!

Laz

Good Day

I am setting up an IPsec VPN tunnel between a Cisco ASA and a different vendor's firewall.

I completed all the steps and I can ping the remote tunnel peer IP, but when I run the command sh crypto isakmp sa it says that there are no IKEv1 SAs.

What could be causing this?

Thanks
Quinton

Hello Quinton

Pinging the remote tunnel peer IP will not bring up the tunnel, as this will simply generate traffic directly between the two firewalls, and not through the tunnel itself. You must generate user traffic, that is, traffic that will actually traverse the tunnel. In the lesson, this was generated by a ping between R1 and R2 (and not between ASA1 and ASA2 which is the equivalent of what you attempted).

Try pinging from/to the tunnelled subnets and see your results. If you still have difficulties, you know where to find us!

I hope this has been helpful!

Laz

Thank you.

Does a Cisco ASA allow you to ping using a user defined source and destination address and in the GUI where would I go to do this?

Hi

We figured out it was SHA not configured correctly on both ends for phase 1. One end was using SHA256 and the other using SHA1. The tunnel is up now thanks

Hello Quinton

Within the command line of the ASA, you can perform what is called an extended ping. This is also available on Cisco IOS routers. In the extended ping you can specify various parameters, including the source and destination IPs of the ping, among others. To use the extended ping, you simply enter the ping command without any additional parameters. You will then be prompted for the specific parameters. You can find out more about the extended ping command here:


As for the GUI, you can use the ping function from the Tools menu from which you can indeed choose the source interface for the pinging.

I hope this has been helpful!

Laz

Hi Rene,
I have a problem enabling IKEv1 policy on the OUTSIDE interface

I get this error message:

 crypto ikev1 enable outside
ERROR: CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed.



ASA1# show ver

Cisco Adaptive Security Appliance Software Version 9.1(5)16 
Device Manager Version 7.3(3)

thank you in advance.

Hello Ayong

After doing some research, I have found that this is a bug that has to do with version 9.1(5)16 as well as 9.1(7)32. I hope that this isn’t a production device that you are using, because others have experienced this issue which appears with the ASA software upgrade, but does not disappear when they downgrade to a working version. Others have had to open TAC cases to resolve it. Unless I’m mistaken, there doesn’t seem to be any published solution to the issue that I could find, beyond approaching TAC.

I hope this has been helpful!

Laz

Thank you so much Laz. I am using EVE-NG.
Best Regards.

Hi dear friends, I configured site to site between 2 ASAs.

packet-tracer inside input ip_local_host 0 0 ip_remote_host ------result Allow

But when I ping from my local host to the remote host, I get ICMP unreachable. That is why my VPN is down.

Hello Cemil

It may be that the particular packet tracer command worked correctly on that specific ASA, but that does not ensure that you should have end to end connectivity. There are many other troubleshooting steps that you must take in order to locate the problem causing your lack of connectivity.

Take a look at Rene’s ASA Firewall course found here:


In there you will find Unit 5 which contains many lessons on site to site VPNs. In there you should find all the necessary principles for site to site VPN creation as well as troubleshooting.

I hope this has been helpful!

Laz

Network Lesson: Cisco ASA Site-to-Site IKEv1 IPsec VPN
I have implemented this lab using CML-LAB using the exact configuration found in this lesson.
I see the VPN is UP but I am unable to ping the interesting traffic from Router 1 and Router 2.
I believe there is no NAT involved here since both routers are connected directly to the inside interface of the ASA and there is no internet access here. I am not sure what else is missing.
Can you please advise?
I see the packets are being encapsulated but not decapsulated on ASA 1.
I see the packets are being decapsulated but not encapsulated on ASA 2.

NETW-LESSON-ASA1.txt (4.0 KB) NETW-LESSON-ASA2.txt (3.8 KB)

Hello Imranj

Looking over your config I don’t see anything out of the ordinary. I see four packets encapsulated on ASA1 and four packets decapsulated on ASA2 which seems to indicate that the ping has reached ASA2. The response however is not being sent, since there are zero encaps on ASA1 and zero decaps on ASA2.

The first thing I would consider here is routing, but I see that R2 is configured correctly with the default gateway, so it should be sending traffic correctly. The only other thing I can think of that you may want to check is MTU size on the interfaces, ensuring that frames aren’t being blocked.

You may also want to try to ping from R2 to R1 and see if you get any encaps/decaps incrementing or not. If not, then it is indeed an issue of sending traffic in that particular direction ASA2 --> ASA1.

Hopefully, this has given you some inspiration to continue your troubleshooting!

I hope this has been helpful!

Laz

Hi
IPsec tunnel is up but I am getting receive errors and they are increasing

#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 165131

Hello Pavan

Receive errors on an IKEv1 IPsec tunnel usually increase when one of the tests performed during the decapsulation of the ESP packet fails. These include:

  • Anti-replay out of window errors
  • Digest errors (packet corrupted)
  • Invalid decapsulation length/SA/protocol
  • Any other decapsulation failure

In order to determine in detail where the problem is, you can use various debug commands for IPSec including:

debug crypto ipsec
debug crypto isakmp

If it is an issue with ESP decapsulation, you should pick it up with the first of these debug commands. In the details of the debug you should see the reason for the recv error, and you can continue troubleshooting from there on.

Some helpful Cisco links that may aid in your troubleshooting include:

I hope this has been helpful!

Laz
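An added helper, not from the lesson or the thread, that turns the counter lines of "show crypto ipsec sa" into numbers and applies the reasoning from the two replies above: the one-way encaps/decaps pattern Laz reads off Imranj's output, and a non-zero or still-growing recv errors counter as in Pavan's case. The counter excerpts are constructed to match the thread's description (ASA1 encapsulates four pings, ASA2 decapsulates them, nothing comes back); parse_counters and diagnose are my own names.

```python
import re

# Constructed "show crypto ipsec sa" counter excerpts for the one-way case described in the thread.
ASA1_SA = """
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
ASA2_SA = """
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""

def parse_counters(text: str) -> dict:
    # Every "#name: N" field becomes {name: N}; names keep their spaces ("pkts encaps").
    return {k.strip(): int(v) for k, v in re.findall(r"#([^:#,]+):\s*(\d+)", text)}

def diagnose(local: dict, remote: dict, prev_local: dict = None) -> list:
    # local/remote are the two peers' counters; prev_local is an optional earlier sample of the
    # local side, used to tell whether recv errors are still climbing.
    findings = []
    l_enc, l_dec = local.get("pkts encaps", 0), local.get("pkts decaps", 0)
    r_enc, r_dec = remote.get("pkts encaps", 0), remote.get("pkts decaps", 0)
    if l_enc > 0 and r_dec == 0:
        findings.append("local encaps but remote never decaps: traffic is lost between the peers")
    elif l_enc > 0 and r_dec > 0 and r_enc == 0:
        findings.append("remote decaps but sends nothing back: check the far-side LAN routing / default gateway and MTU")
    elif l_enc > 0 and r_enc > 0 and l_dec == 0:
        findings.append("remote encaps the reply but local never decaps it: return path lost")
    if local.get("recv errors", 0) > 0:
        findings.append("recv errors present: ESP decapsulation failing (anti-replay, digest, length/SA); run debug crypto ipsec")
    if prev_local and local.get("recv errors", 0) > prev_local.get("recv errors", 0):
        findings.append("recv errors still increasing between samples")
    return findings

# Seen from ASA1, the thread's symptom is the "sends nothing back" case.
FINDINGS = diagnose(parse_counters(ASA1_SA), parse_counters(ASA2_SA))
```

Take the two samples a few minutes apart when checking the recv errors counter, since a non-zero but static value is history, not an active fault.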