Cisco ASA Lab – Site to Site IPSec VPN Tunnel Configuration, with explanation of all configs, common VPN Issues / Troubleshooting tips!

This lab session I will be configuring and reviewing all aspects of Site to Site VPN configuration!

Will be going through a refresher on pretty basic VPN Configuration including the following topics:

  • Define and configure the Phase 1 and Phase 2 settings for IPSec VPN
  • Crypto Map configuration to define correct “interesting traffic”
  • Configure different NAT statements such as no-NAT / no proxy arp / route lookup
  • Review verification and troubleshooting commands

My main focus will be getting the LAN subnets between Site A and Site B communicating over an IPSec VPN to keep this lab fairly quick, but want to drill into the VPN Configs to define what they do, and why one is used over the other or what scenarios different configurations might be used.

I will to sticky this post for visibility, I would encourage others to do a similar config lab for practice!

Before jumping on the CLI, quick review of the VPN Build process step by step

  • Enable ISAKMP on the VPN Peer Interface (“crypto isakmp enable outside”)
  • Configure Subnets allowed over VPN as Network Objects / Object Groups
  • Create Crypto ACL to define traffic that will traverse the VPN
  • Configure tunnel-group with IPSec Attributes (Pre-Shared Key, keepalive)
  • Configure Phase 1 settings (Crypto ISAKMP Policy attributes)
  • Configure Phase 2 settings (Transform-set, Crypto Map)
  • Configure Static NAT for VPN Traffic
  • Configure or Verify a default route exists

The plan initially is to have Site A and Site B LAN segments communicate over the VPN, leaving the DMZ on Site B as a Static NAT / Port Forward, and then build it out appropriately as the lab grows.

Starting VPN Configuration on Site B Appliance

The very first thing to configure before anything else is enabling ISAKMP on the outside interface:

ASAv2(config)#
ASAv2(config)# crypto isakmp enable outside
ASAv2(config)#

This likely is already enabled if existing VPN Tunnels exist on the device, but always make sure this is enabled before you start anything else to avoid needless troubleshooting down the road.

From the previous lab I already have the Network Object for Site B LAN defined as shown below:

ASAv2(config)#
ASAv2(config)# sh run | b obj-10.2.2.0
object network obj-10.2.2.0
subnet 10.2.2.0 255.255.255.0

object network obj-dmzhost
host 10.5.5.10

However both sides of the VPN Tunnel also require the remote networks to be defined by a network object as well, and create an “object-group” that will contain the network objects, this allows for any future expansion of VPN subnets contained within one logical group.

It is also important to keep things as intuitive as possible, similar to how I configure the object below:

ASAv2(config)#
ASAv2(config)# object network obj-10.1.1.0
ASAv2(config-network-object)# subnet 10.1.1.0 255.255.255.0
ASAv2(config-network-object)# exit
ASAv2(config)# object-group network local-nets
ASAv2(config-network-object-group)# ?

description Specify description text
group-object Configure an object group as an object
help Help for network object-group configuration commands
network-object Configure a network object
no Remove an object or description from object-group

ASAv2(config-network-object-group)# network-object ?

network-object-group mode commands/options:
Hostname or A.B.C.D Enter an IPv4 network address
Hostname/<0-128> or X:X:X:X::X/<0-128> Enter an IPv6 prefix
host Enter this keyword to specify a
single host object
object Enter this keyword to specify a
network object

ASAv2(config-network-object-group)# network-object object ?

network-object-group mode commands/options:
WORD < 129 char Enter object ID
ASAv2(config-network-object-group)# network-object object obj-10.2.2.0
ASAv2(config-network-object-group)# exit
ASAv2(config)#
ASAv2(config)# object-group network remote-nets
ASAv2(config-network-object-group)# network-object object obj-10.1.1.0
ASAv2(config-network-object-group)# exit
ASAv2(config)#

Keeping a uniform object name for subnets such as “obj-x.x.x.x” for the network objects is good practice so that any network engineer will be able to clearly understand the VPN configuration, which helps with troubleshooting down the road and is just good practice to keep things “clean” in device configs.

I also find it best practice to use an Object Group to be used in the Crypto ACL, even if there is only a single network object in use, as this will allow future config to be simply creating a new network object and placing it into the existing Object Group which then will just inherit that network object settings.

Keeping things clean on the initial config is critical, its difficult to clean up later, and often gets avoided!

I’ve seen many production configurations that were obviously poorly thought out initially, and other network engineers just added new intuitive configs onto the original messy configs, as when the config doesn’t have an intuitive flow it becomes increasingly difficult to want to rebuild the entire VPN config.

So, don’t be that sloppy config network person, be the hero that sets the standard πŸ™‚

Creating a Crypto ACL to match VPN Traffic (Interesting Traffic)

This is exactly like creating any extended ACL to define Source and Destination to be allowed, however this will be applied to the Phase 2 “Crypto Map” configuration for the VPN Tunnel, this is where the “Object Group” is used for Source / Destination to avoid needing to add configurations to this later.

ASAv2(config)#
ASAv2(config)# access-list outside_1_cryptomap permit ip object-group local-nets object-group remote-nets
ASAv2(config)#

One important note is that VPN Peers will need a “Mirror” copy of matching Crypto ACLs, meaning the VPN Tunnel will not work unless it has matching subnets on the other side of the tunnel, but in reverse order so that the local subnets are the Source and remote subnets are the Destination:

Essentially the Crypto ACL Mirror boils down to this:

Site A: 10.1.1.0 -> 10.2.2.0

Site B: 10.2.2.0 -> 10.1.1.0

One troubleshooting command to verify both sides match and are mirrored is “sh access-list (crypto acl)” which will list each subnet in the Crypto ACL, making it easy to quickly spot incorrect entries.

Tunnel-Group Configuration

To configure the Tunnel-Group you will need 2-3 pieces of information from the Peer device:

  • Peer IP Address (Outside Interface of remote side)
  • PSK or Pre-Shared Key (Must match on both sides)
  • Keep-alive timers (This will vary depending on the remote device)

The keep-alive timers provide DPD (Dead Peer Detection) by sending Keep-Alive traffic in the defined intervals, though Cisco to Non-Cisco VPN Peers can have different ways they handle DPD, so this can be a moving target when building VPN Tunnel-Groups to Vendor environments.

To begin the Tunnel-Group config is a pretty straight forward single line:

ASAv2(config)#
ASAv2(config)# tunnel-group 100.100.100.1 ?

configure mode commands/options:
type Enter the type of this group-policy
ASAv2(config)# tunnel-group 100.100.100.1 type ?

configure mode commands/options:
ipsec-l2l IPSec Site to Site group
ipsec-ra IPSec Remote Access group (DEPRECATED)
remote-access Remote access (IPSec and WebVPN) group
webvpn WebVPN group (DEPRECATED)
ASAv2(config)# tunnel-group 100.100.100.1 type ipsec-l2l ?

configure mode commands/options:

ASAv2(config)# tunnel-group 100.100.100.1 type ipsec-l2l
ASAv2(config)#

The PSK and Keep-Alive info will then be configured in Tunnel-Group Attributes:

ASAv2(config)#
ASAv2(config)# tunnel-group 100.100.100.1 ipsec-attributes
ASAv2(config-tunnel-ipsec)# pre-shared-key s3cr3ttunn3lk3y
ASAv2(config-tunnel-ipsec)#
ASAv2(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2

If you are troubleshooting a VPN Tunnel issue on an ASA, one pro-tip to verify PSK’s match on each side is that the running config will show the PSK as encrypted, however “more system:runn” will give the running config output with the PSK in plain text:

ASAv2(config)# more system:runn
: Saved

:
: Serial Number: 9A5A0ETLEU9
: Hardware: ASAv, 2048 MB RAM, CPU Lynnfield 2600 MHz
: Written by enable_15 at 18:35:08.989 UTC Sat Apr 24 2021
!
ASA Version 9.12(2)

(running config output)……..

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
ikev1 pre-shared-key s3cr3ttunn3lk3y
!

I would have to imagine as network security progresses (and we move away from traditional ASAs) this command will be phased out, however while it works its a great way to verify the PSK, or to retrieve it from one side of the tunnel to re-configure on the other side to verify they match.

Next we configure Phase 1 ISAKMP Policy info – Must match on both Peers

The policy will consist of the following items that must be agreed upon by both sides:

  • Authentication Method
  • Encryption Algorithm
  • Hashing Algorithm
  • Diffie-Hellman Group #

Phase 1 can be kind of an oddity when first configuring / troubleshooting it, as devices will sometimes contain many ISAKMP Policy configs in no particular order, and the “Policy #” itself is locally significant only so this part does NOT have to match between the Peers – They only need one of the many ISAKMP Policy configs to match exactly on both sides.

ASAv2(config)# crypto ?

configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map

exec mode commands/options:
ca Certification authority
ASAv2(config)# crypto ikev1 ?

configure mode commands/options:
am-disable Disable inbound aggressive mode connections
enable Enable IKEv1 on the specified interface
ipsec-over-tcp Enable and configure IPSec over TCP
limit Enable limits on IKEv1 SAs
policy Set IKEv1 policy suite
ASAv2(config)# crypto ikev1 policy ?

configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASAv2(config)# crypto ikev1 policy 10 ?

configure mode commands/options:

ASAv2(config)# crypto ikev1 policy 10
ASAv2(config-ikev1-policy)# ?

crypto ikev1 policy configuration commands:
authentication Set authentication method (pre-share or rsa-sig)
encryption Set encryption algorithm (des, 3des, aes-128, aes-192, or
aes-256)

exit Exit from crypto ikev1 policy configuration mode
group Set Diffie-Hellman group (1,2 or 5)
hash Set hash algorithm (md5 or sha1)
help Help for crypto ikev1 policy configuration commands
lifetime Set IKEV1 SA lifetime (seconds)
no Negate a command or set its defaults


ASAv2(config-ikev1-policy)# authentication ?

ikev1-policy mode commands/options:
pre-share set auth pre-share
rsa-sig set auth rsa-sig
ASAv2(config-ikev1-policy)# authentication pre-share
ASAv2(config-ikev1-policy)#
ASAv2(config-ikev1-policy)# encryption ?

ikev1-policy mode commands/options:
3des 3des encryption
aes aes-128 encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
ASAv2(config-ikev1-policy)# encryption 3des
ASAv2(config-ikev1-policy)#
ASAv2(config-ikev1-policy)# hash ?

ikev1-policy mode commands/options:
md5 set hash md5
sha set hash sha1
ASAv2(config-ikev1-policy)# hash sha
ASAv2(config-ikev1-policy)#
ASAv2(config-ikev1-policy)# group ?

ikev1-policy mode commands/options:
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
7 Diffie-Hellman group 7 (DEPRECATED)
ASAv2(config-ikev1-policy)# group 2
ASAv2(config-ikev1-policy)#

To view the Policies configured on the device:

ASAv2(config)# sh run crypto ikev1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2

lifetime 86400
ASAv2(config)#

Note that the “lifetime” was not configured manually in my configuration, however it is required to match on both sides as well (it is 86400 or 24 hours by default), the “lifetime” is how often the VPN Tunnel will perform a re-key or re-authenticates with the Peer.

Nothing else will just choose a default in an ISAKMP policy, so wanted to drive that point home.

Next comes Phase 2 Configuration of the Transform-Set and Crypto Map

The “Transform-Set” is what tells the VPN what Encryption and Hashing algorithms to use on the data when it traverses the VPN, whereas the ISAKMP Policy only negotiates and agrees on these values to form an SA or Security Association, so the VPN Tunnel can appear up but not be transmitting data properly in one direction if this is not configured properly on both VPN Peers.

For this reason it is often seen that for every ISAKMP Policy, there is a matching transform-set in the running configuration, even if that Transform-Set is not being used on any Crypto Map configs.

To configure this properly the ISAKMP Policy Encryption and Hash info must be used:

ASAv2(config)# crypto ?

configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map

exec mode commands/options:
ca Certification authority
ASAv2(config)# crypto ipsec ?

configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
inner-routing-lookup Enable IPsec inner routing lookup
profile Set ipsec profile settings
security-association Set security association parameters
ASAv2(config)# crypto ipsec ikev1 ?

configure mode commands/options:
transform-set Define transform and settings
ASAv2(config)# crypto ipsec ikev1 transform-set ?

configure mode commands/options:
WORD < 64 char Transform set tag
ASAv2(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA ?

configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
mode mode transport
ASAv2(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des ?

configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication

ASAv2(config)# $m-set ESP-3DES-SHA esp-3des esp-sha-hmac ?

configure mode commands/options:

ASAv2(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-$
ASAv2(config)#

ESP stands for Encryption Security Protocol which IPSec uses encryption so that is where the ESP comes from in the configuration, generally the format of the name will be “ESP-(encrypt type)-(auth type)” on most ASA’s I’ve seen, so when there are 10+ lines of “transform-set” you can scan them by name when troubleshooting rather than trying to read several lines of mixed encryption / authentication.

ASAv2(config)#
ASAv2(config)# sh run | i transform-set
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ASAv2(config)#

Next is the Crypto Map config:

ASAv2(config)#
ASAv2(config)# crypto map ?

configure mode commands/options:
WORD < 64 char Crypto map template tag
ASAv2(config)# crypto map outside_map_1 ?

configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASAv2(config)# crypto map outside_map_1 1 ?

configure mode commands/options:
annotation Specify annotation text – to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASAv2(config)# crypto map outside_map_1 1 set ?

configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
df-bit Set IPsec DF policy
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
tfc-packets Configure TFC packets to mask a tunnel’s traffic
profile
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
validate-icmp-errors Set Validate ICMP Errors
ASAv2(config)# crypto map outside_map_1 1 set peer 100.100.100.1 ?

configure mode commands/options:
Hostname or A.B.C.D IP address
Hostname or X:X:X:X::X IPv6 address


ASAv2(config)# crypto map outside_map_1 1 set peer 100.100.100.1
ASAv2(config)#

This first line defines the name of the crypto map (outside_map_1), its sequence # (1), and the peer IP Address (Public IP of VPN Peer).

Next is tying to Crypto ACL to this Crypto Map:

ASAv2(config)# crypto map outside_map_1 ?

configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to
ASAv2(config)# crypto map outside_map_1 1 ?

configure mode commands/options:
annotation Specify annotation text – to be used by ASDM only
ipsec-isakmp IPSec w/ISAKMP
match Match address of packets to encrypt
set Specify crypto map settings
ASAv2(config)# crypto map outside_map_1 1 match ?

configure mode commands/options:
address Match address of packets to encrypt
ASAv2(config)# crypto map outside_map_1 1 match address ?

configure mode commands/options:
WORD Access-list name
ASAv2(config)# crypto map outside_map_1 1 match address outside_1_cryptomap ?

configure mode commands/options:

ASAv2(config)# crypto map outside_map_1 1 match address outside_1_cryptomap
ASAv2(config)#

Next the Transform-Set configured is tied to the Crypto Map:

ASAv2(config)# crypto map outside_map_1 1 set ?

configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
df-bit Set IPsec DF policy
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
tfc-packets Configure TFC packets to mask a tunnel’s traffic
profile
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
validate-icmp-errors Set Validate ICMP Errors
ASAv2(config)# crypto map outside_map_1 1 set ikev1 ?

configure mode commands/options:
phase1-mode Specify mode(main or aggressive) to be used while initiating a
connection based on this entry
transform-set Specify list of transform sets in priority order
ASAv2(config)# crypto map outside_map_1 1 set ikev1 transform-set ESP-3DES-SHA
ASAv2(config)#

Finally we tie the Crypto Map to the Outside interface:

ASAv2(config)# crypto map ?

configure mode commands/options:
WORD < 64 char Crypto map template tag
ASAv2(config)# crypto map outside_map_1 ?

configure mode commands/options:
<1-65535> Sequence to insert into map entry
client Enable IKE extended authentication (Xauth)
interface Name of interface to apply the crypto map to

ASAv2(config)# crypto map outside_map_1 interface outside
ASAv2(config)#

Some Crypto Map configs provided by vendors or 3rd parties may also include the PFS or Perfect Forward Secrecy in the Crypto Map settings, but they are not required so I’m skipping them here.

The final configuration to get this working – The NAT Statement!!! :

This NAT statement is kind of an odd concept as well, as when you think of NAT you think translation, however this Static NAT is meant to prevent NAT from translating the traffic destined for the VPN:

ASAv2(config)#
ASAv2(config)# nat (inside,outside) 1 source static ?

configure mode commands/options:
WORD Specify object or object-group name for real source
any Abbreviation for source address and mask of 0.0.0.0
ASAv2(config)# nat (inside,outside) 1 source static local-nets local-nets ?

configure mode commands/options:
description Specify NAT rule description
destination Destination NAT parameters
dns Use the created xlate to rewrite DNS record
inactive Disable a NAT rule
no-proxy-arp Disable proxy ARP on egress interface
route-lookup Perform route lookup for this rule
service NAT service parameters
unidirectional Enable per-session NAT

configure mode commands/options:
static Specify destination NAT type
ASAv2(config)# $ce static local-nets local-nets destination static ?

configure mode commands/options:
WORD Specify object or object-group name for mapped destination
interface Specify interface overload
ASAv2(config)# $ce static local-nets local-nets destination static remote-nets ?

configure mode commands/options:
WORD Specify object or object-group name for real destination
any Abbreviation for source address and mask of 0.0.0.0
ASAv2(config)# $-nets destination static remote-nets remote-nets ?

configure mode commands/options:
description Specify NAT rule description
inactive Disable a NAT rule
net-to-net Net to net mapping of IPv4 to IPv6
no-proxy-arp Disable proxy ARP on egress interface
route-lookup Perform route lookup for this rule

service NAT service parameters
unidirectional Enable per-session NAT


ASAv2(config)# nat (inside,outside) 1 source static local-nets local-nets dest$
ASAv2(config)#

I’ve highlight two entries that are commonly used to fix VPN issues on ASA’s with multiple VPN Tunnels or networks, I won’t configure it on the tunnel here, but wanted to quickly discuss “no-proxy-arp” and “route-lookup” options and what they do / what they can fix.

These both have to do with the NAT Lookup process of the ASA, essentially these two options disables NAT Xlate lookup due to ARP requests being processed on the egress interface, and the route-lookup option tells the NAT to verify the egress interface based on the route table rather than the NAT entry.

A quick review of the original NAT statement to understand it fully:

nat (inside,outside) 1 source static local-nets local-nets destination static remote-nets remote-nets

This is kind of an odd statement when new to NAT, as it actually translates local-nets to local-nets (so it keeps its IP address the same), and the same with remote-nets. This statement is telling NAT not to translate the traffic with PAT by translating it statically to itself, so that it matches the Crypto ACL and is then encrypted and sent over the VPN Tunnel.

That is a mouth full of explanation right there πŸ™‚

The ASA on Site A was configured separately with the following VPN config:

object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network obj-10.2.2.0
subnet 10.2.2.0 255.255.255.0
object-group network local-nets
network-object object obj-10.1.1.0
object-group network remote-nets
network-object object obj-10.2.2.0

access-list outside_1_cryptomap extended permit ip object-group local-nets object-group remote-nets

nat (inside,outside) source static local-nets local-nets destination static remote-nets remote-nets

route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map_1 1 match address outside_1_cryptomap
crypto map outside_map_1 1 set peer 200.200.200.1
crypto map outside_map_1 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map_1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key *

I did make the ISAKMP Sequence # different from Site B to verify that does not play a role, otherwise everything (I hope) should match and this VPN should come right up when Host A pings Host B:

Sure enough it does come right up!

Note that there is a small packet loss because the tunnel was not formed yet, so when the pings started to hit the ASA this “interesting traffic” being detected triggered the VPN Tunnel to build, as we see here:

ASAv1(config)#
ASAv1(config)# sh cry isa sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 200.200.200.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
ASAv1(config)#

The “sh cry isa sa” is my troubleshooting command to see if the VPN Tunnel shows it is trying to form at all, and if so what the “State” message is, as it will display certain MM_WAIT_# messages here if the SA Negotiation fails at some step in the negotiation process between the Peers.

However if the Transform-Set is mismatched the VPN Tunnel will show “Active” but encryption will not be working in one direction of the communication, which can be found using “sh cry ipsec sa” shown here:

ASAv1(config)#
ASAv1(config)# sh cry ipsec sa
interface: outside
Crypto map tag: outside_map_1, seq num: 1, local addr: 100.100.100.1

  access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
  local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
  current_peer: 200.200.200.1


  #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
  #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 0

If there is a one-way communication issue, it will be seen in this output where it shows “pkts encaps: #” and “pkts decaps: #” entries, if those two #’s are very close to each other its likely the transform-set.

(I am not sure why the output is formatting like that so I cannot highlight the pkts encap / decap)

Packets Encapsulated (pckts encaps) = Traffic being sent to the Peer

Packets Decapsulated (pckts decaps) = Traffic received from the Peer

One major cause of this issue is not the crypto map transform-set config changed, but rather the ASA likely has several ISAKMP Policies (Phase 1) and Transform-Sets (Phase 2) configured, and when the re-key happened between the Peers they negotiated an ISAKMP Policy that uses a different Transform-Set than the one that is configured to the Crypto-Map!

Often times a “clear crypto isa sa” to bounce all VPN tunnels will force a renegotiation and hopefully it uses the correct ISAKMP Policy, that is not an option to use during production unless you verify it is ok to drop all VPN tunnels momentarily (until they rebuild from interesting traffic), but it will usually fix the immediate issue of communication until the problem config can be identified and removed.

That will conclude this gigantic VPN Lab, if you made it this far you are an IT trooper!

Troubleshooting VPN Connectivity is both an art as well as a technical skill, as this VPN Config is very straight forward, but getting on a production ASA packed with messy configs can get confusing quickly so its a very good idea to throw up a couple of these ASAv in a virtual lab and practice building a tunnel and troubleshooting the configuration if it fails as I have done in these labs!

Below I will paste the output of ASAv1 (Site A) and ASAv2 (Site B) for a clear review!

Please comment if you have any questions regarding this info! Until next time!!! πŸ™‚


Site A VPN Configuration

object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object network obj-10.2.2.0
subnet 10.2.2.0 255.255.255.0
object-group network local-nets
network-object object obj-10.1.1.0
object-group network remote-nets
network-object object obj-10.2.2.0

access-list outside_1_cryptomap extended permit ip object-group local-nets object-group remote-nets

nat (inside,outside) source static local-nets local-nets destination static remote-nets remote-nets

route outside 0.0.0.0 0.0.0.0 100.100.100.2 1

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map_1 1 match address outside_1_cryptomap
crypto map outside_map_1 1 set peer 200.200.200.1
crypto map outside_map_1 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map_1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key *

Site B VPN Configuration

object network obj-10.2.2.0
subnet 10.2.2.0 255.255.255.0
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
object-group network local-nets
network-object object obj-10.2.2.0
object-group network remote-nets
network-object object obj-10.1.1.0

access-list outside_1_cryptomap extended permit ip object-group local-nets object-group remote-nets

nat (inside,outside) source static local-nets local-nets destination static remote-nets remote-nets

route outside 0.0.0.0 0.0.0.0 200.200.200.2 1

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map_1 1 match address outside_1_cryptomap
crypto map outside_map_1 1 set peer 100.100.100.1
crypto map outside_map_1 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map_1 interface outside

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
ikev1 pre-shared-key *

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s