1. Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

vpn site-to-site issues with a cisco asa

Discussion in 'Networking & Security' started by Hybrid_theory, Jul 13, 2010.

  1. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    This is a bit of a tougher question, but i thought id try asking anyway.

    I've got a test setup on my desk.

    It goes:


    Code:
    Ubuntu host(vm)-------------Openswan on ubuntu (vm)----- vmware gateway------ xp host-------------------- cisco asa ------ xp host
    
    192.168.2.2                192.168.92.128                   192.168.92.2       200.200.200.2         200.200.200.1     192.168.1.5
                                                   ========================tunnel=========================
    

    Now i had it working before, worked on some other things, came back to it and it wasnt working, so im not sure what or where i changed something. I could easily start over but id rather find out whats wrong with it. So when i ping 192.168.1.5 from 192.168.2.2, there are no replies. However i did a capture on the inside interface of the ASA and there was replies shown there, they wouldnt come back past that. I've also tried using netcat to send a file over on port 1234. On wireshark on the openswan vm, i can see a few ESP packets destined for 200.200.200.1, but 192.168.1.5 doesnt receive them.



    Here's my show run output:


    Code:
                   
    !
    hostname ciscoasa                
    enable password 8Ry2YjIyt7RRXU24 encrypted                                         
    passwd 2KFQnbNIdI.2KYOU encrypted                                
    names    
    !
    interface Vlan1              
    nameif inside             
    security-level 100                  
    ip address 192.168.1.1 255.255.255.0                                    
    !
    interface Vlan2              
    nameif outside              
    security-level 0                
    ip address 200.200.200.1 255.255.255.0                                      
    !
    interface Ethernet0/0                    
    switchport access vlan 2                        
    !
    interface Ethernet0/1                    
    !
    interface Ethernet0/2                    
    !
    interface Ethernet0/3                    
    !
    interface Ethernet0/4                    
    !
    interface Ethernet0/5                    
    !
    interface Ethernet0/6                    
    !
    interface Ethernet0/7                    
    !
    ftp mode passive               
    access-list inbound extended permit ip any any                                             
    access-list inbound extended permit udp any any eq isakmp                                                        
    access-list inbound extended permit udp any any eq 4500                                                      
    access-list inbound extended permit esp any any                                              
    access-list inbound extended deny ip any any                                           
    access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.2                                                                               
    55.255.0       
    access-list outbound_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 25                                                                               
    5.255.255.0          
    access-list outbound_tunnel extended permit ip host 200.200.200.1 host 200.200.200.2                                                                            
    pager lines 24             
    logging enable             
    logging timestamp                
    logging buffered debugging                         
    logging asdm informational                         
    mtu inside 1500              
    mtu outside 1500               
    ip local pool name 192.168.1.40-192.168.1.60                                           
    icmp unreachable rate-limit 1 burst-size 1                                         
    no asdm history enable                     
    arp timeout 14400                
    global (outside) 1 interface                           
    nat (inside) 0 access-list NONAT                               
    nat (inside) 1 0.0.0.0 0.0.0.0                             
    access-group inbound in interface outside                                        
    route outside 0.0.0.0 0.0.0.0 200.200.200.0                                         
    timeout xlate 3:00:00                    
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           
    timeout tcp-proxy-reassembly 0:01:00                                   
    dynamic-access-policy-record DfltAccessPolicy                                            
    http server enable                 
    http 192.168.1.0 255.255.255.0 inside                                    
    no snmp-server location                      
    no snmp-server contact                     
    snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     
    crypto ipsec transform-set ts2 esp-3des esp-md5-hmac                                                   
    crypto ipsec security-association lifetime seconds 28800                                                       
    crypto ipsec security-association lifetime kilobytes 4608000                                                           
    crypto dynamic-map dmap 20 set transform-set ts2                                               
    crypto map emap 10 match address outbound_tunnel                                        
    crypto map emap 10 set peer 192.168.92.128                                         
    crypto map emap 10 set transform-set ts2                                       
    crypto map emap 60000 ipsec-isakmp dynamic dmap                                              
    crypto map emap interface outside                                
    crypto isakmp enab                
    crypto isakmp policy 10                      
    authentication pre-share                        
    encryption 3des               
    hash md5        
    group 2       
    lifetime 86400              
    telnet timeout 5               
    ssh timeout 5            
    console timeout 0                
    management-access inside                       
    dhcpd auto_config outside                        
    !
    dhcpd address 192.168.1.5-192.168.1.36 inside                                            
    dhcpd enable inside                  
    !
    
     
    
    threat-detection basic-threat                            
    threat-detection statistics access-list                                      
    no threat-detection statistics tcp-intercept                                           
    webvpn     
    username ryan password .MqBmFV5KQ86DWrJ encrypted                                                
    tunnel-group 200.200.200.2 type ipsec-l2l                                        
    tunnel-group 200.200.200.2 ipsec-att                                  
    pre-shared-key *                
    tunnel-group ryan type remote-access                                   
    tunnel-group ryan general-attributes                                   
    address-pool name                 
    tunnel-group ryan ipsec-attributes                                 
    pre-shared-key *                
    !
    class-map inspection_default                           
    match default-inspection-traffic                                
    !
    !
    policy-map type inspect dns preset_dns_map                                     
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:26b17c4d709bc72a3d76158f2c9997bd
    : end
    

    help is appreciated, thanks
  2. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    Well for some unknown reason, clearing out the ACLs and nat commands, then re entering them made it work. I just dont understand computers sometimes.
  3. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    For some reason this happens after i reload the ASA or power cycle it. It requires me to reenter the ACLs
  4. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    it may also help if you explain why in the world you are doing it that way.
  5. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    On which part specifically?
  6. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    all of it :laugh:
  7. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    haha. ok here goes.

    So im trying to get the opensource VPN to talk with a Cisco ASA for a site-to-site VPN solution. I have an endpoint ubuntu machine using a localhost adapter, the other ubuntu has openswan installed and is a virutal machine as well on the same windows xp host. this openswan has two virtual NICs, one is localhost to talk with the other ubuntu. The second NIC is NAT to connect to the the windows machine, and the ASA beyond that. On the otherside of the asa is a laptop running XP.

    Openswan and the ASA are setup to start an ipsec vpn and talk to one another. I can then send a file through the vpn with netcat. I sniff the traffic along the way, and everything is encrypted with ESP.

    So everything is fine up to this point. However should I need to execute a reload or, the ASA gets power cycled, for whatever reason, the packets that are sent from the ubuntu host, get stopped after the outside interface of the ASA. If i clear the ACLs, reenter them, and configure a couple other lines that referenced the ACLs, everything is fine again.

    If there's anything else I need to clarify let me know
  8. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    isn't that supposed to happen?
  9. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    Well the configuration is saved, when it reloads it should be fine. I shouldnt have to manually clear them and reenter them.
  10. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    file permissions issue then.
  11. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    :confused:

    It's just network traffic, file permissions shouldnt be a problem, and they dont exist on Cisco equipment to my knowlege.

    Any event i rebooted the ubuntu virtual machines in question and left the asa on. Its having the same issue. So redoing the ACLs on the ASA fixes the problem, but its not the root of it either.
  12. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    that cisco ASA has some sort of software on it that allows you to save a configuration file right?
  13. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    you can back it up, im not sure if you can save a copy to the nvram or not.
  14. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    hrm. well i would have to be in front of it to really see what is going on. if you save the configuration to the ASA, it resets and it no longer uses that configuration then it beats me.
  15. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    well everything else is there, it just behaves differently untill i redo the ACLs. But because the issue occured as well when I rebooted the openswan vm, i think it could be just that and not the router reload that causes it. I'll have to test some more tomorrow
  16. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    Alright so whether ubuntu reboots or the Cisco ASA does, it doesnt work. An error i found on the ASA states: ike initiator unable to find policy. Which from some googling has something to do with the crypto map and the ACL. But it looks fine according to a bunch of configs and guides ive looked at. so it could be a mix of things or something
  17. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    right, so as soon as they stop talking to one another the configuration file or 'policy' youve setup no longer works and has to be manually re-added. honestly, that sounds more like it is supposed to happen. like a security feature.
  18. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    It kinda does, but I can't see that being the issue. I found this error when doing some debugging on the ASA:

    ike initiator unable to find policy

    With some googling, it has to do with the crypto map of the access list for what traffic to encrypt; in my case the outbound_tunnel access list. Unfortunately the few fixes ive seen have not worked for me. I do see a lot of configs using just static maps. I've tried removing: "crypto dynamic-map dmap 20 set transform-set ts2 " but then the vpn wont fully establish.
  19. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    any chance you could switch out the cisco with something else?
  20. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    Nah, its a required component in this. I'm more or less testing other software and how it interacts with it.

    Thanks for your help so far rhino.
  21. Easy Rhino

    Easy Rhino Linux Advocate

    Joined:
    Nov 13, 2006
    Messages:
    13,392 (4.76/day)
    Thanks Received:
    3,225
    well at least for testing you could switch it out to see if the problem persists. maybe it is this specific ASA. who knows.
  22. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    Well ive got the latest IOS on it that my company will use, and its a newly purchased device. But a possibility nonetheless.
  23. dir_d

    dir_d

    Joined:
    Sep 1, 2009
    Messages:
    848 (0.47/day)
    Thanks Received:
    110
    Location:
    Manteca, Ca
    im not sure it will work crypto maps are cisco device to cisco device i think its giving you an error because it cant talk to unbuntu.
  24. Hybrid_theory

    Hybrid_theory New Member

    Joined:
    Mar 31, 2007
    Messages:
    1,895 (0.71/day)
    Thanks Received:
    163
    Location:
    ontario canada
    I dont doubt its not as clean as cisco to cisco. But there are others who have tried such a thing and have it working. Why its just me with this I dunno. With the dynamic map setting in there it will establish and a dynamic map is put into allow any connection to get in. A static map is more specific, now people have been more successful with static maps.

    When i just have the static ones in there and the dynamic removed, im getting an error: Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside.

    Well my crypto map does match the ACL for those networks. so i dunno :headbang:
  25. dir_d

    dir_d

    Joined:
    Sep 1, 2009
    Messages:
    848 (0.47/day)
    Thanks Received:
    110
    Location:
    Manteca, Ca
    It might be getting confused by the extended ACL you are using for the crypto map try using a regular ACL and apply that ACL to the outbound VLAN.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guest)

Share This Page