Are there any troubleshooting commands that can assist you, i.e. if you type the password incorrectly…
Hi Robert,
When troubleshooting, I usually start with some debugs:
* debug crypto ikev2
* debug crypto ipsec
Those will usually tell you when something (like authentication) fails.
Rene
Hi Rene,
Can you please show me some packet captures of IKEv2 and explain it in detail, like the way you have done for IKEv1.
Thanks.
Hi Sushanth,
I do have a capture file:
https://www.cloudshark.org/captures/767a93d720ad
I might add some more detail to this lesson in the future about IKEv2:
Rene
Hello,
Any suggestions on configuring a site to site VPN to be a full tunnel? I was under the impression that default configured site to site tunnels were full but it looks like that is incorrect. They are actually split tunnels by default.
What I am trying to accomplish…
I would like to route all traffic from remote site A via a site to site vpn back to HQ. That traffic would then be routed through HQ out to the Internet.
Remote site (1.1.1.0/24) is connected to the outside interface of the ASA at HQ 2.2.2.25. As I mentioned before, I would like to route all traffic back through HQ.
Hello Antonio
In order to disable the split tunnel functionality, you will have to configure the ACL that indicates the interesting traffic to view “any” destination as interesting instead of just the networks at your remote site. You can find out more about that at this Cisco Documentation.
Keep in mind that depending on your configuration, you may also need to issue the split-tunnel-policy tunnelall command in the group policy as well. Take a look at the above documentation which should give you a good start on the endeavour.
I hope this has been helpful!
Laz
Lazaros,
Thank you for the help. With the new ACL, I was able to confirm that the user was able to access all internal LAN functions. However, they are not able to reach internet pages. The current setup is that all machines are manually configured to point to a proxy at the HQ location. What we are looking to do is remove the need for each machine to have to be manually configured.
When I applied the new ACL filter, I tested with an end user and I confirmed that all outside traffic was being blocked by an ACL. I created a test ACL for the end user on the firewall. They were granted access out to the net; however, they are now receiving the public IP address of the ISP.
My questions are:
- What is required for them to point to the default proxy?
- Am I missing any other settings?
Hi Antonio,
Let me jump in on this question. I don’t have a complete walkthrough, but I do have a config for an HQ and BRANCH ASA that probably achieves what you are looking for:
hostname HQ
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.123.1 255.255.255.0
!
same-security-traffic permit intra-interface
!
object network LAN1
subnet 192.168.1.0 255.255.255.0
object network LAN2
subnet 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2
!
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
!
object network LAN1
nat (INSIDE,OUTSIDE) dynamic interface
object network LAN2
nat (OUTSIDE,OUTSIDE) dynamic interface
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.3 1
route OUTSIDE 192.168.2.0 255.255.255.0 192.168.123.2 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
protocol esp encryption aes
protocol esp integrity sha-1
!
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.2
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.2 type ipsec-l2l
tunnel-group 192.168.123.2 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
: end
hostname BRANCH1
!
interface GigabitEthernet0/0
nameif INSIDE
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface GigabitEthernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.123.2 255.255.255.0
!
object network LAN1
subnet 192.168.1.0 255.255.255.0
object network LAN2
subnet 192.168.2.0 255.255.255.0
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 any4
!
nat (INSIDE,OUTSIDE) source static LAN2 LAN2 destination static LAN1 LAN1
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.123.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
protocol esp encryption aes
protocol esp integrity sha-1
!
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 192.168.123.1
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
encryption aes
integrity sha
group 2
prf sha
lifetime seconds 86400
!
crypto ikev2 enable OUTSIDE
!
tunnel-group 192.168.123.1 type ipsec-l2l
tunnel-group 192.168.123.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
What this does:
- Traffic from devices behind HQ to the Internet is natted to the IP address on the outside interface.
- IKEv2 site-to-site IPSec VPN between HQ and BRANCH1. HQ uses the VPN to reach 192.168.2.0/24 behind BRANCH1, while BRANCH1 sends all traffic through the VPN to HQ.
- Traffic between the subnets behind HQ and BRANCH1 through the VPN is not translated with NAT.
- Traffic from behind BRANCH1 through the VPN to HQ, towards the Internet is translated with NAT using the outside interface of HQ.
Some key things in this config that you need:
- same-security-traffic permit intra-interface: you need this command to tell HQ to translate traffic that arrives on the outside interface and exits the outside interface (VPN traffic from BRANCH1).
- nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2: this is a “no nat” rule to tell HQ not to translate traffic between the private subnets.
About your default proxy, where do you configure this? Are these windows hosts? This isn’t something you configure on your ASAs.
Hope this helps! If you have questions about this setup, let me know
Rene
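Added example (my own model, not ASA code and not part of Rene’s post): a Python function that walks one packet through the posted HQ config in the ASA’s NAT order (manual twice NAT first, object NAT second) and shows why the two key commands above matter. The address 203.0.113.10 stands in for any Internet host; note that the posted crypto ACLs only name host 192.168.2.2, so the model follows them literally and reports whether a packet is covered by the VPN at all.

```python
import ipaddress

# Objects and addresses taken from the HQ/BRANCH1 configs posted above.
LAN1 = ipaddress.ip_network("192.168.1.0/24")      # object network LAN1, behind HQ
LAN2 = ipaddress.ip_network("192.168.2.0/24")      # object network LAN2, behind BRANCH1
HQ_OUTSIDE = "192.168.123.1"                       # HQ OUTSIDE interface address
PEER_HOST = ipaddress.ip_address("192.168.2.2")    # the only host the posted crypto ACLs name


def hq_forward(src, dst, ingress, intra_interface=True):
    """Simplified model of one packet through the posted HQ config.

    Returns a dict with the egress interface, the source address after NAT,
    whether the HQ crypto ACL (LAN1_LAN2) covers the packet, and a note.
    intra_interface=False models the config without
    'same-security-traffic permit intra-interface'.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # access-list LAN1_LAN2 extended permit ip any4 host 192.168.2.2
    # (outbound: destination must be the peer host; inbound it is mirrored).
    crypto = dst == PEER_HOST if ingress == "INSIDE" else src == PEER_HOST

    # Section 1, manual twice NAT, is evaluated before object NAT:
    # nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2
    if ingress == "INSIDE" and src in LAN1 and dst in LAN2:
        note = "identity NAT toward BRANCH1" + ("" if crypto else "; NOT in crypto ACL")
        return {"egress": "OUTSIDE", "src": str(src), "crypto": crypto, "note": note}
    if ingress == "OUTSIDE" and src in LAN2 and dst in LAN1:
        return {"egress": "INSIDE", "src": str(src), "crypto": crypto,
                "note": "identity NAT into the HQ LAN"}

    # Section 2, object NAT:
    if ingress == "INSIDE" and src in LAN1:
        # object network LAN1: nat (INSIDE,OUTSIDE) dynamic interface
        return {"egress": "OUTSIDE", "src": HQ_OUTSIDE, "crypto": crypto,
                "note": "PAT to the OUTSIDE address"}
    if ingress == "OUTSIDE" and src in LAN2:
        # object network LAN2: nat (OUTSIDE,OUTSIDE) dynamic interface (hairpin)
        if not intra_interface:
            return {"egress": None, "src": None, "crypto": crypto,
                    "note": "dropped: needs same-security-traffic permit intra-interface"}
        return {"egress": "OUTSIDE", "src": HQ_OUTSIDE, "crypto": crypto,
                "note": "hairpin: back out OUTSIDE with PAT to the OUTSIDE address"}
    return {"egress": None, "src": None, "crypto": crypto, "note": "no rule in this model"}
```

A packet from 192.168.1.10 to 192.168.2.3 matches the identity NAT but not the crypto ACL, so with the ACLs exactly as posted it would leave HQ unencrypted; widen the ACLs to the full subnets if every host at the branch should be protected.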
Appreciate the response! Currently the end users are using Windows machines that are manually pointing back to the proxy here at HQ. Under the LAN settings (in what looks to be Internet Explorer) they have selected “automatically detect settings”. When that setting is checked, they are unable to reach the net at all. If I do an ip any/any on the firewall, the end user is able to reach the net and they get a public IP address when they type in what’s my IP.
I am still at a loss here. Looking back, I don’t believe I added the new ACL to the HQ firewall.
I’m working in my lab on some site-to-site VPN stuff and was wondering if someone could help me understand something…
My Setup is asa5505 <-> rtr2801 <-> rtr2911 <-> asa5505
I’m trying to verify that my IKEs are regenerating every 15 minutes… Below are some CLI outputs… Does this tell me that the life of the IKEs is 900 seconds, that the number after the slash is the time left, and that Tunnel-id is the new tunnel with the new IKEs?
ak01-lab-asa# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
69714249 1.1.1.2/500 1.1.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/810 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
193031137 1.1.1.2/500 1.1.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/5 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#
ak01-lab-asa# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
288927687 1.1.1.2/500 1.1.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/816 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
362523125 1.1.1.2/500 1.1.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/26 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5
ak01-lab-asa#
Hello Aaron
Yes you are correct, this output tells us the following:
Life/Active Time is the total and active times of the IKEv2 tunnel
Tunnel-id is the unique identifier of the IKEv2 tunnel
You can find out more about this output at this command reference:
I hope this has been helpful!
Laz
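Added example, not part of the thread: a short Python script that parses the first two outputs Aaron posted (embedded as-is) and reports what Laz describes, namely whether the Tunnel-id changed (a new IKE SA), whether the ESP SPIs changed (a new child SA; in the posted outputs they stay the same), and how much of the 900 s lifetime remains. The threshold of DH group 14 in the last check is my own sanity check, not something from the thread.

```python
import re

# Two consecutive "show crypto isakmp sa" outputs from the post above (first and
# second sample, taken about 15 minutes apart).
SAMPLE_1 = """IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
69714249 1.1.1.2/500 1.1.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/810 sec
Child sa: local selector 172.16.1.0/0 - 172.16.1.255/65535
remote selector 192.168.1.0/0 - 192.168.1.255/65535
ESP spi in/out: 0x8d3c4ad8/0xc8ac72e5"""
# The second posted output differs only in Tunnel-id and Active Time.
SAMPLE_2 = SAMPLE_1.replace("69714249", "193031137").replace("900/810", "900/5")

SA_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", re.M)  # Tunnel-id line
LIFE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")
SPI = re.compile(r"ESP spi in/out:\s*(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")
DH = re.compile(r"DH Grp:(\d+)")


def parse_ikev2_sa(text):
    """Pull the fields discussed in the thread out of one output; None if no IKEv2 SA is listed."""
    row, life, spi, dh = SA_ROW.search(text), LIFE.search(text), SPI.search(text), DH.search(text)
    if not (row and life and spi):
        return None
    return {"tunnel_id": int(row[1]), "local": row[2], "remote": row[3],
            "status": row[4], "role": row[5],
            "life": int(life[1]), "active": int(life[2]),
            "spi_in": spi[1], "spi_out": spi[2],
            "dh_group": int(dh[1]) if dh else None}


def rekey_report(prev, cur, expected_life=900):
    """Compare two samples: IKE SA rekey (new Tunnel-id), child SA rekey (new ESP SPIs),
    seconds of lifetime left in the current SA, and anything worth flagging."""
    report = {"ike_rekeyed": cur["tunnel_id"] != prev["tunnel_id"],
              "child_rekeyed": (cur["spi_in"], cur["spi_out"]) != (prev["spi_in"], prev["spi_out"]),
              "remaining": cur["life"] - cur["active"], "warnings": []}
    if cur["life"] != expected_life:
        report["warnings"].append(f"lifetime is {cur['life']} s, expected {expected_life} s")
    if cur["status"] != "READY":
        report["warnings"].append(f"IKE SA status is {cur['status']}, not READY")
    if cur["dh_group"] is not None and cur["dh_group"] < 14:
        report["warnings"].append(f"DH group {cur['dh_group']} is weaker than the 2048-bit group 14")
    return report
```

Run it on outputs captured a few minutes apart (for example from a cron job that logs the command) to confirm the IKE SA really rotates at the configured lifetime rather than eyeballing the Tunnel-id.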
yes - thank you very much…
Can anyone expand on the Remote Access VPN which includes tunneling of all traffic including internet traffic from the central site.
Hello Adrian
Take a look at the following post which should address your question.
I hope this has been helpful!
Laz
Site to Site with 2 ASA having the remote site access to the central site and internet from the central site. The remote site has a dynamic WAN IP, Central Site Static IP.
Would like to use IKEv2.
Hi Adrian
Take a look at the post above.
Laz
Is there any consideration if Antonio’s topology has routers in between the two ASAs?
I am going LAN-HQ<>ASA-HQ<>Internet<>ASA-BR<>LAN-BR ?
Static IP at HQ and Dynamic IP at BR.
Hello Adrian
If I understand your question correctly, you are asking if there are any considerations for topologies that may have routers in between the two ASAs for site to site VPNs…
Well, it doesn’t really matter what exists between them as long as the two ASAs can find each other via correct routing. In your case, if you have a dynamic IP at the branch office, then you can see the solution described in this lesson:
I hope this has been helpful!
Laz
Hello,
If we have both IKEv1 and IKEv2 L2L tunnels in parallel with the same peer and the same SAs, what kind of issues could that cause, if any?