I have configured IPsec using asdm site-to-site VPN wizard. Based on "show crypto isakmp sa" and "show ipsec sa" the tunnel seems to be up and fine. However pinging from one site to the other doesn't work.
show crypto isakmp sa:
'''
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:54544, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
57139155 200.200.200.1/500 200.200.200.5/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/139 sec
Child sa: local selector 192.168.100.0/0 - 192.168.100.255/65535
remote selector 192.168.200.0/0 - 192.168.200.255/65535
ESP spi in/out: 0xdb8b7bd7/0x28ced118
'''
show ipsec sa:
'''
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 200.200.200.1
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
current_peer: 200.200.200.5
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.200.200.1/500, remote crypto endpt.: 200.200.200.5/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 28CED118
current inbound spi : DB8B7BD7
inbound esp sas:
spi: 0xDB8B7BD7 (3683351511)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 223412224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239360/28770)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x28CED118 (684642584)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 223412224, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4285439/28770)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
'''
Here are the ASAs configuration:
HQ:
'''
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$nXzpn8V4a0y6//kETGJOdA==$RlNWonyJ9Sqh5ImXBjyPBg== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif outside
security-level 0
ip address 200.200.200.1 255.255.255.252
!
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network riffa
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.200.0 255.255.255.0
network-object object riffa
access-list outside_cryptomap extended permit ip 192.168.100.0 255.255.255.0 object-group
DM_INLINE_NETWORK_1
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination
static riffa riffa no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination
static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.1
68.200.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.168.100.0_24 destination
static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-pro
xy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 200.200.200.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-
192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA
ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
rypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_200.200.200.5 internal
group-policy GroupPolicy_200.200.200.5 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 200.200.200.5 type ipsec-l2l
tunnel-group 200.200.200.5 general-attributes
default-group-policy GroupPolicy_200.200.200.5
tunnel-group 200.200.200.5 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
: end
'''
Branch
'''
ASA Version 9.8(1)
!
hostname ciscoasa
enable password $sha512$5000$EXcoX1JPozcQiQa/55KxWg==$+LFF0QFvQKUOU3KSuzUOHA== pbkdf2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
nameif outside
security-level 0
ip address 200.200.200.5 255.255.255.252
!
interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network hq
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.100.0_24
subnet 192.168.100.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.200.0 255.255.255.0 object hq
pager lines 23
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination
static hq hq no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination
static NETWORK_OBJ_192.168.100.0_24 NETWORK_OBJ_192.1
68.100.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 200.200.200.6 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-
192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA
ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
pto ca certificate chain _SmartCallHome_ServerCA
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_200.200.200.1 internal
group-policy GroupPolicy_200.200.200.1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 general-attributes
default-group-policy GroupPolicy_200.200.200.1
tunnel-group 200.200.200.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
call-home
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
profile CiscoTAC-1
no active
'''
So I found the issue. After pinging from site A to site B, I found that site A encrypts the traffic and send it, on the other hand, site B receives the traffic, decrypt it, but does not encrypt and send reply. I was thinking that Site B ASA keeps on denying the traffic therefore it does not encrypt and reply, however that was not the case. Site B decrypts the traffic and forward it to the inside host (windows 7), but inside host's firewall denies icmp traffic, therefore there is no reply. So I have just shutdown inside host firewall and IPsec ran smoothly and ping succeed. It is funny that this issue been floating over the blogs and techs community for years and many could no find answers, it turned to be a simple issue.
Related
We have a real server behind the proxy server (or a firewall). The client must connect to the real server through IPSec Transport mode Encryption. The IPSec Transport mode works between the two hosts and fails whenever a hop is introduced between the two hosts. This is due to Checksum Integrity failure at the destination which is due to DNAT at the intermittent hop between 2 hosts.
We want something to encapsulate the ESP Transport mode packet either in an IP Header or UDP encapsulation or something like this ->
A --------------------> GATEWAY --------------------> B
Transport (Transport mode is received Packet
and IP header is accepted
encapsulated on the packet
and is forwarded again)
Is something like this possible where the Client sends the Transport mode ESP packet and the intermittent hosts encapsulate that packet (either in IP/UDP) and then send it to the destination?
Is there any RFC for these types of scenarios?
I would need to configure a cross connect between two networks via SFP Fiber.
Unfortunately I'm new on BGP configuration and would need confirmation that I'm doing it on the right way...
I have Two VPC:
VPC A:
ASN 200
IP Router: 169.254.250.1
Sub Network: 10.0.0.1/34
VPC B:
ASN 100
IP Router: 169.254.250.2
4 Servers: 169.254.131.1 / 169.254.131.2 / 169.254.131.3 / 169.254.131.4
VPC A is completely configured, I purchased a Cisco router C1113-8PM to configure my VPC B. My aim is to ensure that any server on VPC A can access my 4 servers located in VPC B through BGP.
The procedure I started to write into VPC B Router:
#Configure ASN VPC B on Router
enable
configure terminal
router bgp 100
bgp router-id 169.254.250.2
timers bgp 70 120
end
# Configure ASN VPC A and routes
configure terminal
neighbor 169.254.250.1 remote-as 200
address-family ipv4 unicast
neighbor 169.254.250.1 activate
end
is it enough ? Do I need to set each IP address of my VPC B into BGP table ? how ?
Targeted topology and config should be as I described below
Network Diagram
Two important commands are needed to enable this peering:
Peer-gateway : The vPC peer-gateway functionality allows a vPC switch to act as the active gateway for packets that are addressed to the router MAC address of the vPC peer
layer3 peer-router : no change for TTL of packets destined to the peer, external device sees the vPC domain as single physical entity from layer route protocol peering perspective as well.
Configurations
Leaf 1:
! Form the vPC domain:
vpc domain 1
peer-switch
role priority 10 peer-keepalive destination 192.0.2.2 source 192.0.2.1 peer-gateway layer3 peer-router ipv6 nd synchronize ip arp synchronize
!
!vPC peer-link interface members
interface Ethernet1/53 - 54
description vPC-Peerlink member
switchport
switchport mode trunk
channel-group 11 mode active
no shutdown
!
! vPC peer-link port-channel
interface port-channel11
description vPC-peerlink
switchport
switchport mode trunk
spanning-tree port type network
no shutdown
vpc peer-link
!
! vPC port-channel member to External Device
interface Ethernet1/52
description ExternalDevice Eth2/13
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
! vPC port-channel to External Device
interface port-channel12
description vPC port-channel to External Device
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
vpc 12
!
! Layer 3 interface to the Eternal device:
interface Vlan205
no shutdown
vrf member Customer
! BFD for eBGP
bfd interval 500 min_rx 500 multiplier 3
! Disable bfd echo, as it is not supported over vPC
no bfd echo
no ip redirects
! We use/29 as we need 3 ip address, one per each member of the ! vPC domain and 3rd for the External Device
ip address 198.51.100.1/29 tag 800204
! Disable redirects - this is needed to enable BFD
no ipv6 redirects
!
router bgp 65535
router bgp 65535
router-id 203.0.113.1
log-neighbor-changes
address-family ipv4 unicast
Customer router-id 198.51.100.1 address-family ipv4 unicast neighbor 198.51.100.2 description Leaf-2 remote-as 65535 address-family ipv4 unicast soft-reconfiguration inbound always neighbor 198.51.100.3 description to External Device bfd remote-as 65000 update-source Vlan205 address-family ipv4 unicast soft-reconfiguration inbound always ! Leaf 2:
! Form the vPC domain:
vpc domain 1
peer-switch
role priority 10
peer-keepalive destination 192.0.2.1 source 192.0.2.2
peer-gateway
layer3 peer-router
ipv6 nd synchronize
ip arp synchronize
!
!vPC peer-link interface members
interface Ethernet1/53 - 54
description vPC-Peerlink member
switchport
switchport mode trunk
channel-group 11 mode active
no shutdown
!
! vPC peer-link port-channel
interface port-channel11
description vPC-peerlink
switchport
switchport mode trunk
spanning-tree port type network
no shutdown
vpc peer-link
!
! vPC port-channel member to External Device
interface Ethernet1/52
description ExternalDevice Eth2/13
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
! vPC port-channel to External Device
interface port-channel12
description vPC port-channel to External Device
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
vpc 12
!
! Layer 3 interface to the Eternal device:
interface Vlan205
no shutdown
vrf member Customer
! BFD for eBGP
bfd interval 500 min_rx 500 multiplier 3
! Disable bfd echo, as it is not supported over vPC
no bfd echo
no ip redirects
! We use/29 as we need 3 ip address, one per each member of the ! vPC domain and 3rd for the External Device
ip address 198.51.100.2/29 tag 800204
! Disable redirects - this is needed to enable BFD
no ipv6 redirects
!
router bgp 65535
router bgp 65535
router-id 203.0.113.2
log-neighbor-changes
address-family ipv4 unicast
vrf Customer
router-id 198.51.100.2
address-family ipv4 unicast
neighbor 198.51.100.1
description Leaf-2
remote-as 65535
address-family ipv4 unicast
soft-reconfiguration inbound always
neighbor 198.51.100.3
description to External Device
bfd
remote-as 65000
update-source Vlan205
address-family ipv4 unicast
soft-reconfiguration inbound always
!
External Device (NX-OS style CLI):
interface Ethernet2/13 - 14
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
channel-group 12 mode active
no shutdown
!
interface port-channel12
switchport
switchport mode trunk
switchport trunk allowed vlan 203,205
mtu 9216
no shutdown
!
interface Vlan205
no shutdown
mtu 9216
! See notes in Leaf-1 and Leaf 2 for BFD
bfd interval 500 min_rx 500 multiplier 3
no bfd echo
no ip redirects
ip address 198.51.100.3/29
no ipv6 redirects
!
router bgp 65000
log-neighbor-changes
address-family ipv4 unicast
neighbor 198.51.100.1 remote-as 65535
description to Leaf-1
update-source Vlan205
bfd
neighbor 198.51.100.2 remote-as 65535
description to Leaf-2
update-source Vlan205
bfd
end
!
Verify
Below is output of show bgp ipv4 unicast neighbors. It verifies that:
BGP neighborship is established and stable
BFD is enabled between external neighbors
Troubleshoot
Following commands will help verify operation:
show vpc
show vpc consistency-parameters global
show vpc consistency-parameters interface <interface>
show bgp ipv4 unicast neighbors
show bgp ipv4 unicast summary
Ref. https://www.cisco.com/c/en/us/support/docs/ip/ip-routing/217099-ebgp-peering-over-vpc-on-nexus.html
I'd like to set up a vpn to allow two separate computers to connect to each other.
I've found a bunch of places where they say you should remove redirect-gateway def1 bypass-dhcp from the server config and add a route route 10.0.0.0 255.255.255.0 vpn_gateway to make connecting to the private network work. But this doesn't seem to do what I want.
Yes it now makes all requests via my local gateway (All servers report my public ip is my own ip, rather than that of the vpn), but now connecting to other clients no longer works.
I can still connect to my own private ip (10.0.0.0) as assigned by the vpn, but other clients can not reach me on this same ip.
My client.conf:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
My server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
ccd/myclient
ifconfig-push 10.0.0.0 255.255.255.255
How can I make client-to-client work without making all my regular traffic flow through the vpn?
edit: After some more experimenting I've figured out that this setup is working fine as long the assigned private ip is in the 10.8.0.x range. I have a few static private ips in the 10.0.0.x range, so that's why it isn't working. I'd still like to use these ips though.
I ended up changing the server config to use 10.0.0.x as default pool.
I changed:
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
to
server 10.0.0.0 255.255.255.0
I don't like that static and dynamic ips are now both using the same pool, but this is the best I can do.
What are the differences between SMTP and TCP handshaking? Why is SMTP handshaking important?
A TCP handshake happens at the transport layer of the TCP/IP protocol stack, involving signaling using TCP flags, TCP sequence numbers, TCP port numbers and IP addresses.
SMTP handshaking occurs at the application layer of the TCP/IP protocol, above the transport layer. SMTP handshaking is rarely called a handshake and is composed of the server sending a 220 message representing its banner, the client sending an EHLO or a HELO message along with its name, to which the server will respond with a 220 message indicating success. Subsequent to this the actual email exchange begins.
You can read more about this in RFC 5321.
i'm facing with this simple configuration and i can't figure it out.
Scenario:
With a cisco vpn client (or ipad, iphone..) i can connect to my company vpn.
What i know is:
VPN GROUP NAME
VPN KEY
VPN SERVER PUBLIC IP
VPN USERNAME and PASSWORD
Ip address of virtual adapter created by cisco vpn client: 10.0.201.31 255.255.255.0
My lan 172.23.28.0 255.255.255.224
Company lan 172.19.248.0 255.255.252.0
The question is "How can i handle this for my home's lan with a cisco 827 router ?"
I think the steps are:
1) configuring eth0, dns and dhcp (done)
2) configuring ATM0 and Dialer0 to get internet access (done)
3) configuring access list and ip routes for my lan (done)
4)configuring ezvpn parameters (done)
5) configuring virtual interface with Ip 10.0.201.31 (What kind of interface?)
6) Set inside and outside nat for "crypto ipsec client ezvpn MYVPNTUNNELNAME" (which interfaces and how ?)
7) configuring route to 172.19.248.0 255.255.252.0 (how?)
Here is my configuration:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R827
!
boot-start-marker
boot-end-marker
!
enable secret 5 cryptedSecret
enable password notcrypted
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.23.28.1
ip dhcp excluded-address 172.23.28.2
ip dhcp excluded-address 172.23.28.3
ip dhcp excluded-address 172.23.28.4
ip dhcp excluded-address 172.23.28.5
ip dhcp excluded-address 172.23.28.6
ip dhcp excluded-address 172.23.28.7
ip dhcp excluded-address 172.23.28.8
ip dhcp excluded-address 172.23.28.9
ip dhcp excluded-address 172.23.28.10
!
ip dhcp pool CeccoDhcp
network 172.23.28.0 255.255.255.224
default-router 172.23.28.1
dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto ipsec client ezvpn MYVPNTUNNELNAME
connect auto
group MYGROUPNAME key MYGROUPKEY
mode network-extension
peer PUBLICIPOFVPNSERVER
username MYUSER password MYPASSWORD
!
!
!
interface Ethernet0
ip address 172.23.28.1 255.255.255.224
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp header-compression
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username aliceadsl password 7 15130705072F2A203B3F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
!
access-list 101 permit ip 172.23.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
stopbits 1
line vty 0 4
password MYTERMINALPASSWORD
login
!
scheduler max-task-time 5000
end
End of configuration.
Please note:
If i add
crypto ipsec client ezvpn MYVPNTUNNELNAME
to Dialer0
and
crypto ipsec client ezvpn MYVPNTUNNELNAME inside
to Ethernet0
i get this:
Tunnel name : MYVPNTUNNELNAME
Inside interface list: Ethernet0,
Outside interface: Dialer0
Current State: READY
Last Event: CONN_UP
Hope someone could help me.
Thanks in advance.
Cecco
Ok, I compared your config to some old notes I had. I did work turning up Cisco VPNs in the past so this jogged my memory.
I think the READY state and CONN_UP last event mean that it sits there, prior to authentication. And this may be because you're not telling the 871 how to handle XAUTH.
Try adding the below to your crypto ipsec client ezvpn section:
xauth userid mode interactive
That and turning debugging on should give you something to work on. Let me know how it goes.
Solved!!
Thanks to James help i switched ezvpn conf to "mode client" and with debug i noticed that the problem was on server side, cause "storage-password enable" was not set.
When company's net admin told me that "storage-password enable" was set i just did:
conf t
int Dia0
crypto ipsec client ezvpn MYVPNTUNNELNAME
....and everything works perfectly :-)