# vpn site-to-site issues with a cisco asa



## Hybrid_theory (Jul 13, 2010)

This is a bit of a tougher question, but i thought id try asking anyway.

I've got a test setup on my desk.

It goes:



```
Ubuntu host(vm)-------------Openswan on ubuntu (vm)----- vmware gateway------ xp host-------------------- cisco asa ------ xp host

192.168.2.2                192.168.92.128                   192.168.92.2       200.200.200.2         200.200.200.1     192.168.1.5
                                               ========================tunnel=========================
```
 

Now i had it working before, worked on some other things, came back to it and it wasnt working, so im not sure what or where i changed something. I could easily start over but id rather find out whats wrong with it. So when i ping  192.168.1.5 from 192.168.2.2, there are no replies. However i did  a capture on the inside interface of the ASA and there was replies shown there, they wouldnt come back past that. I've also tried using netcat to send a file over on port 1234. On wireshark on the openswan vm, i can see a few ESP packets destined for 200.200.200.1, but 192.168.1.5 doesnt receive them.



Here's my show run output:



```
!
hostname ciscoasa                
enable password 8Ry2YjIyt7RRXU24 encrypted                                         
passwd 2KFQnbNIdI.2KYOU encrypted                                
names    
!
interface Vlan1              
nameif inside             
security-level 100                  
ip address 192.168.1.1 255.255.255.0                                    
!
interface Vlan2              
nameif outside              
security-level 0                
ip address 200.200.200.1 255.255.255.0                                      
!
interface Ethernet0/0                    
switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive               
access-list inbound extended permit ip any any                                             
access-list inbound extended permit udp any any eq isakmp                                                        
access-list inbound extended permit udp any any eq 4500                                                      
access-list inbound extended permit esp any any                                              
access-list inbound extended deny ip any any                                           
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.2                                                                               
55.255.0       
access-list outbound_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 25                                                                               
5.255.255.0          
access-list outbound_tunnel extended permit ip host 200.200.200.1 host 200.200.200.2                                                                            
pager lines 24             
logging enable             
logging timestamp                
logging buffered debugging                         
logging asdm informational                         
mtu inside 1500              
mtu outside 1500               
ip local pool name 192.168.1.40-192.168.1.60                                           
icmp unreachable rate-limit 1 burst-size 1                                         
no asdm history enable                     
arp timeout 14400                
global (outside) 1 interface                           
nat (inside) 0 access-list NONAT                               
nat (inside) 1 0.0.0.0 0.0.0.0                             
access-group inbound in interface outside                                        
route outside 0.0.0.0 0.0.0.0 200.200.200.0                                         
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                             
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                           
timeout tcp-proxy-reassembly 0:01:00                                   
dynamic-access-policy-record DfltAccessPolicy                                            
http server enable                 
http 192.168.1.0 255.255.255.0 inside                                    
no snmp-server location                      
no snmp-server contact                     
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                     
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac                                                   
crypto ipsec security-association lifetime seconds 28800                                                       
crypto ipsec security-association lifetime kilobytes 4608000                                                           
crypto dynamic-map dmap 20 set transform-set ts2                                               
crypto map emap 10 match address outbound_tunnel                                        
crypto map emap 10 set peer 192.168.92.128                                         
crypto map emap 10 set transform-set ts2                                       
crypto map emap 60000 ipsec-isakmp dynamic dmap                                              
crypto map emap interface outside                                
crypto isakmp enab                
crypto isakmp policy 10                      
authentication pre-share                        
encryption 3des               
hash md5        
group 2       
lifetime 86400              
telnet timeout 5               
ssh timeout 5            
console timeout 0                
management-access inside                       
dhcpd auto_config outside                        
!
dhcpd address 192.168.1.5-192.168.1.36 inside                                            
dhcpd enable inside                  
!

 

threat-detection basic-threat                            
threat-detection statistics access-list                                      
no threat-detection statistics tcp-intercept                                           
webvpn     
username ryan password .MqBmFV5KQ86DWrJ encrypted                                                
tunnel-group 200.200.200.2 type ipsec-l2l                                        
tunnel-group 200.200.200.2 ipsec-att                                  
pre-shared-key *                
tunnel-group ryan type remote-access                                   
tunnel-group ryan general-attributes                                   
address-pool name                 
tunnel-group ryan ipsec-attributes                                 
pre-shared-key *                
!
class-map inspection_default                           
match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                     
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:26b17c4d709bc72a3d76158f2c9997bd
: end
```
 

help is appreciated, thanks


----------



## Hybrid_theory (Jul 13, 2010)

Well for some unknown reason, clearing out the ACLs and nat commands, then re entering them made it work. I just dont understand computers sometimes.


----------



## Hybrid_theory (Jul 14, 2010)

For some reason this happens after i reload the ASA or power cycle it. It requires me to reenter the ACLs


----------



## Easy Rhino (Jul 14, 2010)

it may also help if you explain why in the world you are doing it that way.


----------



## Hybrid_theory (Jul 14, 2010)

On which part specifically?


----------



## Easy Rhino (Jul 14, 2010)

all of it


----------



## Hybrid_theory (Jul 14, 2010)

haha. ok here goes.

So im trying to get the opensource VPN to talk with a Cisco ASA for a site-to-site VPN solution. I have an endpoint ubuntu machine using a localhost adapter, the other ubuntu has openswan installed and is a virutal machine as well on the same windows xp host. this openswan has two virtual NICs, one is localhost to talk with the other ubuntu. The second NIC is NAT to connect to the the windows machine, and the ASA beyond that. On the otherside of the asa is a laptop running XP.

Openswan and the ASA are setup to start an ipsec vpn and talk to one another. I can then send a file through the vpn with netcat. I sniff the traffic along the way, and everything is encrypted with ESP. 

So everything is fine up to this point. However should I need to execute a reload or, the ASA gets power cycled, for whatever reason, the packets that are sent from the ubuntu host, get stopped after the outside interface of the ASA. If i clear the ACLs, reenter them, and configure a couple other lines that referenced the ACLs, everything is fine again.

If there's anything else I need to clarify let me know


----------



## Easy Rhino (Jul 14, 2010)

Hybrid_theory said:


> So everything is fine up to this point. However should I need to execute a reload or, the ASA gets power cycled, for whatever reason, the packets that are sent from the ubuntu host, get stopped after the outside interface of the ASA. If i clear the ACLs, reenter them, and configure a couple other lines that referenced the ACLs, everything is fine again.
> 
> If there's anything else I need to clarify let me know



isn't that supposed to happen?


----------



## Hybrid_theory (Jul 14, 2010)

Well the configuration is saved, when it reloads it should be fine. I shouldnt have to manually clear them and reenter them.


----------



## Easy Rhino (Jul 14, 2010)

Hybrid_theory said:


> Well the configuration is saved, when it reloads it should be fine. I shouldnt have to manually clear them and reenter them.



file permissions issue then.


----------



## Hybrid_theory (Jul 14, 2010)

> file permissions issue then.




It's just network traffic, file permissions shouldnt be a problem, and they dont exist on Cisco equipment to my knowlege.

Any event i rebooted the ubuntu virtual machines in question and left the asa on. Its having the same issue. So redoing the ACLs on the ASA fixes the problem, but its not the root of it either.


----------



## Easy Rhino (Jul 14, 2010)

Hybrid_theory said:


> It's just network traffic, file permissions shouldnt be a problem, and they dont exist on Cisco equipment to my knowlege.
> 
> Any event i rebooted the ubuntu virtual machines in question and left the asa on. Its having the same issue. So redoing the ACLs on the ASA fixes the problem, but its not the root of it either.



that cisco ASA has some sort of software on it that allows you to save a configuration file right?


----------



## Hybrid_theory (Jul 14, 2010)

Easy Rhino said:


> that cisco ASA has some sort of software on it that allows you to save a configuration file right?



you can back it up, im not sure if you can save a copy to the nvram or not.


----------



## Easy Rhino (Jul 14, 2010)

Hybrid_theory said:


> you can back it up, im not sure if you can save a copy to the nvram or not.



hrm. well i would have to be in front of it to really see what is going on. if you save the configuration to the ASA, it resets and it no longer uses that configuration then it beats me.


----------



## Hybrid_theory (Jul 14, 2010)

Easy Rhino said:


> hrm. well i would have to be in front of it to really see what is going on. if you save the configuration to the ASA, it resets and it no longer uses that configuration then it beats me.



well everything else is there, it just behaves differently untill i redo the ACLs. But because the issue occured as well when I rebooted the openswan vm, i think it could be just that and not the router reload that causes it. I'll have to test some more tomorrow


----------



## Hybrid_theory (Jul 15, 2010)

Alright so whether ubuntu reboots or the Cisco ASA does, it doesnt work. An error i found on the ASA states: ike initiator unable to find policy. Which from some googling has something to do with the crypto map and the ACL. But it looks fine according to a bunch of configs and guides ive looked at. so it could be a mix of things or something


----------



## Easy Rhino (Jul 15, 2010)

right, so as soon as they stop talking to one another the configuration file or 'policy' youve setup no longer works and has to be manually re-added. honestly, that sounds more like it is supposed to happen. like a security feature.


----------



## Hybrid_theory (Jul 15, 2010)

> ight, so as soon as they stop talking to one another the configuration file or 'policy' youve setup no longer works and has to be manually re-added. honestly, that sounds more like it is supposed to happen. like a security feature.



It kinda does, but I can't see that being the issue. I found this error when doing some debugging on the ASA:

ike initiator unable to find policy

With some googling, it has to do with the crypto map of the access list for what traffic to encrypt; in my case the outbound_tunnel access list. Unfortunately the few fixes ive seen have not worked for me. I do see a lot of configs using just static maps. I've tried removing: "crypto dynamic-map dmap 20 set transform-set ts2 " but then the vpn wont fully establish.


----------



## Easy Rhino (Jul 15, 2010)

any chance you could switch out the cisco with something else?


----------



## Hybrid_theory (Jul 15, 2010)

> any chance you could switch out the cisco with something else?



Nah, its a required component in this. I'm more or less testing other software and how it interacts with it.

Thanks for your help so far rhino.


----------



## Easy Rhino (Jul 15, 2010)

Hybrid_theory said:


> Nah, its a required component in this. I'm more or less testing other software and how it interacts with it.
> 
> Thanks for your help so far rhino.



well at least for testing you could switch it out to see if the problem persists. maybe it is this specific ASA. who knows.


----------



## Hybrid_theory (Jul 15, 2010)

Well ive got the latest IOS on it that my company will use, and its a newly purchased device. But a possibility nonetheless.


----------



## dir_d (Jul 15, 2010)

im not sure it will work crypto maps are cisco device to cisco device i think its giving you an error because it cant talk to unbuntu.


----------



## Hybrid_theory (Jul 15, 2010)

> im not sure it will work crypto maps are cisco device to cisco device i think its giving you an error because it cant talk to unbuntu.



I dont doubt its not as clean as cisco to cisco. But there are others who have tried such a thing and have it working. Why its just me with this I dunno. With the dynamic map setting in there it will establish and a dynamic map is put into allow any connection to get in. A static map is more specific, now people have been more successful with static maps.

When i just have the static ones in there and the dynamic removed, im getting an error: Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside.

Well my crypto map does match the ACL for those networks. so i dunno :headbang:


----------



## dir_d (Jul 15, 2010)

It might be getting confused by the extended ACL you are using for the crypto map try using a regular ACL and apply that ACL to the outbound VLAN.


----------



## Hybrid_theory (Jul 15, 2010)

dir_d said:


> It might be getting confused by the extended ACL you are using for the crypto map try using a regular ACL and apply that ACL to the outbound VLAN.



not a bad idea. but i do need to specify source and destination address. which you can only do source if i recall


----------



## dir_d (Jul 15, 2010)

Yes on the interface that you wanted crypto map on then you are supposed to do the same on the other device, well thats the way ive ever known.


----------



## Hybrid_theory (Jul 16, 2010)

> It might be getting confused by the extended ACL you are using for the crypto map try using a regular ACL and apply that ACL to the outbound VLAN.



HAH. just entered a standard ACL. And when i tried to match the crypto map to it, says access-list should be of type extended.


----------



## Hybrid_theory (Jul 16, 2010)

ugh!!!. I changed the acl from outbound_tunnel to a number 101. AND IT WORKED!!!!!!!. I could connect and everything. So to solve the original problem i tried power cycling WITHOUT SAVING THE CONFIG. So i set it to a numbered ACL, but it still wont establish. Just says received encrypted packet with no matching SA, dropping.


----------



## dir_d (Jul 16, 2010)

Sounds like the cisco ios is being picky in the extended ACLs


----------



## Hybrid_theory (Jul 16, 2010)

Yeah definately, i'd go as far to say thats a bug. The guides i followed, some used a number, others had a name. Just didnt think much of it, searching on the cisco support forums i found a suggestion for that.


----------

