In the first part of the new VPN topology, I will be looking at connecting up the lower left-hand side routers, using a mix of static routes and OSPF to get them talking, and then setting up an IPSec VPN between the ASA and DMVPN-Hub2.
We will start with basic connectivity, using static routing to send all of Local-1's traffic to the ASA and OSPF to bridge the rest of the network.
You can find most of the steps in the link for ASA to IOS IKEv1.
Basic OSPF
The OSPF setup here is nothing special; everything is going into Area 0. The addressing on the ASA and Local-1 comes first, then a default route on Local-1 towards the ASA and a static route on the ASA back to Local-1's loopback, then OSPF on the ASA (redistributing that static route), CA-Flex and DMVPN-Hub2:

RTD-ASA# sh int ip bri | e unas
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.1.1.254 YES manual up up
GigabitEthernet0/1 10.1.2.254 YES manual up up
RTD-ASA#

Local-1#sh ip int bri | e unas
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.1.1.1 YES manual up up
Loopback0 1.1.1.1 YES manual up up
Local-1#

Local-1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.254
Local-1(config)#

RTD-ASA(config)# route inside 1.1.1.1 255.255.255.255 10.1.1.1
RTD-ASA(config)#
RTD-ASA(config)# router ospf 1
RTD-ASA(config-router)# network 10.1.2.0 255.255.255.0 area 0
RTD-ASA(config-router)# red static subnets
RTD-ASA(config-router)#

CA-Flex(config)#do sh ip int bri | e unas
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/1 10.1.2.2 YES manual up up
GigabitEthernet0/3 10.1.3.2 YES manual up up
Loopback0 2.2.2.2 YES manual up up
CA-Flex(config)#router ospf 1
CA-Flex(config-router)#router-id 2.2.2.2
CA-Flex(config-router)#network 10.1.2.0 0.255.255.255 area 0
CA-Flex(config-router)#
CA-Flex(config-router)#network 10.1.3.0 0.255.255.255 area 0
CA-Flex(config-router)#

DMVPN-Hub2(config)#do sh ip int bri | e unas
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 10.1.5.3 YES manual up up
GigabitEthernet0/3 10.1.3.3 YES manual up up
Loopback0 3.3.3.3 YES manual up up
DMVPN-Hub2(config)#router ospf 1
DMVPN-Hub2(config-router)#router-id 3.3.3.3
DMVPN-Hub2(config-router)#network 10.1.3.0 0.255.255.255 area 0
DMVPN-Hub2(config-router)#
%OSPF-5-ADJCHG: Process 1, Nbr 2.2.2.2 on GigabitEthernet0/3 from LOADING to FULL, Loading Done
DMVPN-Hub2(config-router)#

Two things worth noticing. The ASA's network statement takes a subnet mask, while IOS takes a wildcard. And the wildcard used on CA-Flex and DMVPN-Hub2, 0.255.255.255, matches every interface in 10.0.0.0/8 rather than the /24 that was typed (the wildcard for a /24 is 0.0.0.255). The two statements on CA-Flex are therefore redundant, and on DMVPN-Hub2 the single statement also enables OSPF on GigabitEthernet0/0 (10.1.5.3), which is consistent with 10.1.5.0/24 showing up in the ASA's routing table later in this post. Harmless in a lab, but in production an over-wide wildcard can start OSPF on an interface you never intended to run it on.

Now that we have this done, we can set up the VPN tunnel.
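To make the wildcard point concrete, here is an added example (not part of the original post) that applies the IOS network-statement rule (a 1 bit in the wildcard means "don't care") to the interface addresses shown above and reports which interfaces each statement would enable OSPF on. The interface and statement tables are transcribed from the outputs above; the function names are this example's own, not IOS commands.

```python
import ipaddress

# Interface addresses and "network" statements transcribed from the lab
# output above (constructed sample data for this example).
INTERFACES = {
    "CA-Flex": {
        "GigabitEthernet0/1": "10.1.2.2",
        "GigabitEthernet0/3": "10.1.3.2",
        "Loopback0": "2.2.2.2",
    },
    "DMVPN-Hub2": {
        "GigabitEthernet0/0": "10.1.5.3",
        "GigabitEthernet0/3": "10.1.3.3",
        "Loopback0": "3.3.3.3",
    },
}
NETWORK_STATEMENTS = {
    "CA-Flex": [("10.1.2.0", "0.255.255.255", 0), ("10.1.3.0", "0.255.255.255", 0)],
    "DMVPN-Hub2": [("10.1.3.0", "0.255.255.255", 0)],
}

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_matches(address, network, wildcard):
    """IOS semantics: wildcard bit 1 = don't care. An interface matches when
    the 'care' bits of its address equal the care bits of the network."""
    care = ~_to_int(wildcard) & ALL_ONES
    return (_to_int(address) & care) == (_to_int(network) & care)


def effective_prefix(network, wildcard):
    """The CIDR prefix a statement really covers, or None if the wildcard is
    discontiguous (no single prefix describes it). Done by hand because the
    ipaddress module cannot tell wildcard 0.0.0.0 apart from netmask 0.0.0.0."""
    mask = ~_to_int(wildcard) & ALL_ONES
    plen = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - plen)) & ALL_ONES:
        return None
    return ipaddress.IPv4Network((_to_int(network) & mask, plen))


def wildcard_for(cidr):
    """The wildcard that matches exactly one prefix, e.g. a /24 -> 0.0.0.255."""
    return str(ipaddress.IPv4Network(cidr).hostmask)


def audit(router):
    """Map each network statement on a router to the interfaces it enables
    OSPF on, so over-wide wildcards show up as extra interface names."""
    report = {}
    for network, wildcard, area in NETWORK_STATEMENTS[router]:
        matched = sorted(
            name for name, addr in INTERFACES[router].items()
            if wildcard_matches(addr, network, wildcard)
        )
        report[f"network {network} {wildcard} area {area}"] = matched
    return report


if __name__ == "__main__":
    for router in INTERFACES:
        for statement, matched in audit(router).items():
            print(f"{router}: {statement} -> {', '.join(matched)}")
    print(effective_prefix("10.1.2.0", "0.255.255.255"))  # 10.0.0.0/8
    print(wildcard_for("10.1.2.0/24"))                    # 0.0.0.255
```

Run against the lab tables, DMVPN-Hub2's single statement lists both GigabitEthernet0/3 and GigabitEthernet0/0, which is the 10.1.5.0/24 leak described above.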
IKEv1 IPSec tunnel between ASA and IOS
Now we set up the VPN tunnel. It won't work straight away, and this is (partially) intentional: I need to be hot on debugging VPN failures for the exam, but I also don't want to spend too much time troubleshooting in the lab. The first step is to create the access lists that define our interesting traffic, one on each side and mirror images of each other:
RTD-ASA(config)# access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3
DMVPN-Hub2(config)#access-list 101 permit ip host 3.3.3.3 host 1.1.1.1
DMVPN-Hub2(config)#

We then create the ISAKMP policy:
RTD-ASA(config)# crypto isakmp policy 10
RTD-ASA(config-ikev1-policy)# encryption 3des
RTD-ASA(config-ikev1-policy)# auth pre-share
RTD-ASA(config-ikev1-policy)# group 2
RTD-ASA(config-ikev1-policy)#
DMVPN-Hub2(config)#crypto isakmp policy 10
DMVPN-Hub2(config-isakmp)#encr 3des
DMVPN-Hub2(config-isakmp)#auth pre-share
DMVPN-Hub2(config-isakmp)#group 2
DMVPN-Hub2(config-isakmp)#

Both sides must agree on encryption, hash, authentication method and DH group; the hash is left at its default (SHA-1) on both platforms. 3DES and group 2 are deprecated and appear here only because this is a lab; for anything real use AES and a DH group of 14 or higher. Next we create the transform set:
RTD-ASA(config)# crypto ipsec transform-set VPN-transforms esp-3des esp-sha-hmac
RTD-ASA(config)#
DMVPN-Hub2(config)#crypto ipsec transform-set VPN-transforms esp-3des esp-sha-hmac
DMVPN-Hub2(cfg-crypto-trans)#exit
DMVPN-Hub2(config)#

Then we create the crypto maps (defining our peers and using the transform set created earlier). On the ASA the IKEv1 pre-shared key lives under the tunnel-group, so the ikev2 pre-shared-key line typed into the crypto map below plays no part in this IKEv1 tunnel:
RTD-ASA(config)# crypto map VPN_Map 1 set peer 10.1.3.3
RTD-ASA(config)# crypto map VPN_Map 1 set ikev1 transform-set VPN-transforms
RTD-ASA(config)# crypto map VPN_Map 1 set ikev2 pre-shared-key cisco
RTD-ASA(config)# crypto map VPN_Map 1 match address IPSec-VPN-Traffic
RTD-ASA(config)#
RTD-ASA(config)# crypto map VPN_Map interface Outside
RTD-ASA(config)#
RTD-ASA(config)# tunnel-group 10.1.3.3 type ipsec-l2l
RTD-ASA(config)# tunnel-group 10.1.3.3 ipsec-attributes
RTD-ASA(config-tunnel-ipsec)# ikev1 pre-shared-key cisco
RTD-ASA(config-tunnel-ipsec)#
DMVPN-Hub2(config)#crypto keyring VPN_Keys
DMVPN-Hub2(conf-keyring)#pre-shared-key address 10.1.2.254 key cisco
DMVPN-Hub2(conf-keyring)#exit
DMVPN-Hub2(config)#
DMVPN-Hub2(config)#crypto isakmp profile VPN_Map
% A profile is deemed incomplete until it has match identity statements
DMVPN-Hub2(conf-isa-prof)#match identity address 10.1.2.254 255.255.255.255
DMVPN-Hub2(conf-isa-prof)#keyring VPN_Keys
DMVPN-Hub2(conf-isa-prof)#exit
DMVPN-Hub2(config)#
DMVPN-Hub2(config)#crypto map VPN_Map 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
DMVPN-Hub2(config-crypto-map)#set peer 10.1.2.254
DMVPN-Hub2(config-crypto-map)#set transform-set VPN-transforms
DMVPN-Hub2(config-crypto-map)#set isakmp-profile VPN_Map
DMVPN-Hub2(config-crypto-map)#match address 101
DMVPN-Hub2(config-crypto-map)#int gi 0/3
DMVPN-Hub2(config-if)#crypto map VPN_Map
DMVPN-Hub2(config-if)#
*Jun 26 07:59:10.158: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
DMVPN-Hub2(config-if)#
As it stands, we can bring up the tunnel by pinging 1.1.1.1 from DMVPN-Hub2 with Loopback0 as the source:

DMVPN-Hub2#ping 1.1.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.....
Success rate is 0 percent (0/5)
DMVPN-Hub2#
RTD-ASA# sh crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 10.1.3.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
RTD-ASA#
DMVPN-Hub2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.2.254 10.1.3.3 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
DMVPN-Hub2#
The details above are right: the ASA shows MM_ACTIVE and the IOS router shows QM_IDLE, so phase 1 has completed. The pings still get no reply, though, because the ASA side is not finished. On the ASA, NAT is applied before the crypto map is evaluated, so we need a NAT exemption for 1.1.1.1 to make sure it reaches the crypto ACL untranslated. We do want to NAT the 10.1.1.0/24 subnet, but not the 1.1.1.1 host, so let's set that up as well.
We start by creating three objects: one for the network we do want to NAT (10.1.1.0/24), one for the internal host we do not want to NAT (1.1.1.1) and one for the remote host that traffic to must stay untranslated (3.3.3.3):
RTD-ASA(config)# object network Nat-Networks
RTD-ASA(config-network-object)# subnet 10.1.1.0 255.255.255.0
RTD-ASA(config-network-object)# exit
RTD-ASA(config)# object network No-Nat-Networks
RTD-ASA(config-network-object)# host 1.1.1.1
RTD-ASA(config-network-object)# exit
RTD-ASA(config)# object network No-Nat-Destination
RTD-ASA(config-network-object)# host 3.3.3.3
RTD-ASA(config-network-object)# exit

Then we can use these objects in the NAT rule:
RTD-ASA(config)# terminal width 255
RTD-ASA(config)# nat (inside,outside) source static No-Nat-Networks No-Nat-Networks destination static No-Nat-Destination No-Nat-Destination no-proxy-arp route-lookup
RTD-ASA(config)#

This identity rule is the exemption; the Nat-Networks object is defined here but no translation rule for 10.1.1.0/24 appears in this post. Does it work now?
Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.....
Success rate is 0 percent (0/5)
Local-1#

Not so far. Let's dig in:
RTD-ASA# sh crypto ipsec sa
interface: Outside
Crypto map tag: VPN_Map, seq num: 1, local addr: 10.1.2.254
access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer: 10.1.3.3
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 <== Nothing being transmitted!
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.1.2.254/0, remote crypto endpt.: 10.1.3.3/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 45623476
current inbound spi : 26AD8AD7
inbound esp sas:
spi: 0x26AD8AD7 (648907479)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: VPN_Map
sa timing: remaining key lifetime (kB/sec): (3914998/2623)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00007FFF
outbound esp sas:
spi: 0x45623476 (1164063862)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: VPN_Map
sa timing: remaining key lifetime (kB/sec): (3915000/2622)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
RTD-ASA#
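The encaps/decaps pair above is the first thing to read in this output, and it is worth automating when you have many tunnels. The following is an added example, not part of the original post: it parses the selectors and counters out of a "show crypto ipsec sa" entry and classifies the SA as idle, one-way or healthy. The sample text is a constructed excerpt modelled on the output above (counter values as shown on the page, line layout reconstructed); the function names are this example's own.

```python
import re

# Constructed excerpt modelled on the ASA "show crypto ipsec sa" output above.
SAMPLE_SA = """\
interface: Outside
    Crypto map tag: VPN_Map, seq num: 1, local addr: 10.1.2.254

      access-list IPSec-VPN-Traffic extended permit ip host 1.1.1.1 host 3.3.3.3
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
      current_peer: 10.1.3.3

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #send errors: 0, #recv errors: 0
"""

# "#name: value" pairs; names may contain spaces and hyphens (e.g. pre-frag).
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z -]*?): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")


def parse_ipsec_sa(text):
    """Pull the traffic selectors and the per-SA packet counters out of one
    crypto-map entry of 'show crypto ipsec sa'."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: selector for side, selector in IDENT_RE.findall(text)}
    peer = PEER_RE.search(text)
    return {
        "peer": peer.group(1) if peer else None,
        "local": idents.get("local"),
        "remote": idents.get("remote"),
        "counters": counters,
    }


def diagnose(sa):
    """Classify the SA from its counters. Returns one of
    'errors', 'idle', 'receive-only', 'send-only' or 'ok'."""
    c = sa["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if c.get("send errors", 0) or c.get("recv errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "idle"           # nothing has matched the crypto ACL either way
    if enc == 0:
        return "receive-only"   # peer's traffic decrypts; nothing goes back
    if dec == 0:
        return "send-only"      # we encrypt; peer never answers
    return "ok"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA)
    print(sa["peer"], sa["local"], "->", sa["remote"], diagnose(sa))
```

"receive-only" is exactly the page's situation: the ASA is decrypting DMVPN-Hub2's echo requests but never encrypting a reply, which points at the return path on the ASA side (routing or NAT) rather than at IKE.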
We are not transmitting any packets. Why is this? Turning console logging up to debug level shows what the ASA does with Local-1's reply:

RTD-ASA(config)# logging console 7
RTD-ASA(config)# logging on
%ASA-5-111008: User 'enable_15' executed the 'logging on' command.
RTD-ASA(config)# %ASA-5-111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'logging on'
%ASA-7-609001: Built local-host Outside:3.3.3.3
%ASA-7-609001: Built local-host Inside:1.1.1.1
%ASA-6-302020: Built inbound ICMP connection for faddr 3.3.3.3/4 gaddr 1.1.1.1/0 laddr 1.1.1.1/0
%ASA-6-110002: Failed to locate egress interface for ICMP from Inside:1.1.1.1/0 to 3.3.3.3/4
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/4 gaddr 1.1.1.1/0 laddr 1.1.1.1/0
%ASA-7-609002: Teardown local-host Outside:3.3.3.3 duration 0:00:10
%ASA-7-609002: Teardown local-host Inside:1.1.1.1 duration 0:00:10

The clue is "Failed to locate egress interface": the ASA has no route to 3.3.3.3, so the replies from Local-1 are dropped before they ever reach the crypto map, which is why decaps counts up while encaps stays at zero. DMVPN-Hub2 is not advertising its loopback into OSPF, so let's add it and see if that solves the issue:
DMVPN-Hub2(config)#router ospf 1
DMVPN-Hub2(config-router)#network 3.3.3.3 0.0.0.0 area 1
DMVPN-Hub2(config-router)#

(This puts the loopback in area 1 rather than area 0 and so makes DMVPN-Hub2 an ABR. It still works because area 1 meets area 0 on the same router, but area 0 would have been the consistent choice given the setup at the start.) Does it work now?
Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 9/10/12 ms
Local-1#

It does. We are also encrypting as much traffic as we are decrypting:
RTD-ASA# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 10.1.3.3
Index        : 3                      IP Addr      : 10.1.3.3
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (1)3DES
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 21:51:24 UTC Mon Jun 27 2016
Duration     : 0h:01m:27s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 3.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86313 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 3.2
  Local Addr   : 1.1.1.1/255.255.255.255/0/0
  Remote Addr  : 3.3.3.3/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3513 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 28 Minutes
  Bytes Tx     : 400                    Bytes Rx     : 400
  Pkts Tx      : 4                      Pkts Rx      : 4
RTD-ASA#

Perfect! Logging everything on the console probably isn't the best idea, though. At this scale it's fine, but in a busy production environment it would be easy to miss important information, and debug-level console logging can make the box hard to drive. In a lab exam it's fine, just so long as you remember to remove the logging commands that were added. So, do we have a neater method?
Let's remove the route and find out:
DMVPN-Hub2(config)#router ospf 1
DMVPN-Hub2(config-router)#no network 3.3.3.3 0.0.0.0 area 1
DMVPN-Hub2(config-router)#

RTD-ASA# sh route | b Gate
Gateway of last resort is not set

S 1.1.1.1 255.255.255.255 [1/0] via 10.1.1.1, Inside
C 10.1.1.0 255.255.255.0 is directly connected, Inside
L 10.1.1.254 255.255.255.255 is directly connected, Inside
C 10.1.2.0 255.255.255.0 is directly connected, Outside
L 10.1.2.254 255.255.255.255 is directly connected, Outside
O 10.1.3.0 255.255.255.0 [110/11] via 10.1.2.2, 1d14h, Outside
O 10.1.5.0 255.255.255.0 [110/12] via 10.1.2.2, 1d14h, Outside
RTD-ASA#

Now, using the packet-tracer command, we can see the error:
RTD-ASA# packet-tracer input Inside icmp 1.1.1.1 8 0 3.3.3.3

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

RTD-ASA#

We can also append the "detailed" keyword to get more information, but in this case we just get a more succinct output:
RTD-ASA# packet-tracer input Inside icmp 1.1.1.1 8 0 3.3.3.3 detailed

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

RTD-ASA#

So we can use this command instead of enabling logging: it tells us where in the ASA's processing the packet dies without touching the running configuration. For the moment, though, we'll just add the route back and restore connectivity:
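Whichever of the two sources you use, the answer has to be pulled out of free text. The following is an added example, not part of the original post, showing how the syslog route and the packet-tracer route arrive at the same verdict: it parses the %ASA-severity-id syslog lines for the 110002 "Failed to locate egress interface" message, reduces packet-tracer output to its phases and final Action/Drop-reason, and cross-checks them. The sample lines are constructed from the output shown above; the function names are this example's own.

```python
import re

# Constructed sample lines modelled on the console output shown above.
SAMPLE_SYSLOG = [
    "%ASA-7-609001: Built local-host Outside:3.3.3.3",
    "%ASA-7-609001: Built local-host Inside:1.1.1.1",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 3.3.3.3/4 gaddr 1.1.1.1/0 laddr 1.1.1.1/0",
    "%ASA-6-110002: Failed to locate egress interface for ICMP from Inside:1.1.1.1/0 to 3.3.3.3/4",
    "%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/4 gaddr 1.1.1.1/0 laddr 1.1.1.1/0",
]

# Constructed packet-tracer output modelled on the result shown above.
SAMPLE_PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Result:
input-interface: Inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")
EGRESS_RE = re.compile(r"Failed to locate egress interface for (\S+) from (\S+) to (\S+)")
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\n(?:Subtype:.*\n)?Result: (\w+)", re.M)
ACTION_RE = re.compile(r"^Action: (\w+)", re.M)
DROP_RE = re.compile(r"^Drop-reason: \(([^)]+)\)\s*(.*)", re.M)


def parse_syslog(line):
    """Split one ASA syslog line into severity, message id and text."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"), "msg": m.group("msg")}


def find_no_egress(lines):
    """(protocol, source, destination) for every 110002 message: the ASA
    accepted the flow but had no interface to send it out of."""
    hits = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and rec["id"] == "110002":
            m = EGRESS_RE.search(rec["msg"])
            if m:
                hits.append(m.groups())
    return hits


def parse_packet_tracer(text):
    """Reduce packet-tracer output to its per-phase results and the verdict."""
    action = ACTION_RE.search(text)
    drop = DROP_RE.search(text)
    return {
        "phases": [(int(n), kind, result) for n, kind, result in PHASE_RE.findall(text)],
        "action": action.group(1) if action else None,
        "drop_code": drop.group(1) if drop else None,
        "drop_text": drop.group(2).strip() if drop else None,
    }


def triage(syslog_lines, packet_tracer_text):
    """Cross-check both sources; for a missing route they should agree."""
    pt = parse_packet_tracer(packet_tracer_text)
    egress = find_no_egress(syslog_lines)
    evidence = []
    if egress:
        evidence.append("syslog-110002")
    if pt["action"] == "drop" and pt["drop_code"] == "no-route":
        evidence.append("packet-tracer")
    if evidence:
        dst = egress[0][2].split("/")[0] if egress else None
        return {"verdict": "no-route", "destination": dst, "evidence": evidence}
    if pt["action"] == "drop":
        return {"verdict": pt["drop_code"], "destination": None, "evidence": ["packet-tracer"]}
    return {"verdict": "allow", "destination": None, "evidence": ["packet-tracer"]}


if __name__ == "__main__":
    print(triage(SAMPLE_SYSLOG, SAMPLE_PACKET_TRACER))
```

The packet-tracer path is the one to prefer on a production box: it needs no logging change and names the dropping stage directly, whereas the syslog path only works if you were already collecting at that level when the packet was dropped.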
DMVPN-Hub2(config)#router ospf 1
DMVPN-Hub2(config-router)#network 3.3.3.3 0.0.0.0 area 1
DMVPN-Hub2(config-router)#

Local-1#ping 3.3.3.3 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 9/9/10 ms
Local-1#

Throughout this post, whenever we have looked at the output of "show crypto isakmp sa" on the ASA, we have been told that "There are no IKEv2 SAs". In the next post we will set up IKEv2.