RA-VPN: Cisco VPN client & ASA (PSK) - ping not working!

[topology diagram]

I'm doing this lab on GNS3.

The topology is for a remote-access VPN using the Cisco VPN client and an ASA with pre-shared keys.

ASA1 is the Easy VPN server.

I'm using ASA 8.4.

Network between R1 & ASA1 - 10.1.101.0/24

Network between R2 & ASA1 - 192.168.1.0/24

Network between R2 & cloud - 192.168.2.0/24

Default route from R1 to ASA1

Default route from ASA1 to R2

R1 - Loopback1 - 1.1.1.1/24

The cloud is the PC being used for the remote-access connection.

PC IP address (the cloud) - 192.168.2.200

There is a static route from the PC to ASA1's outside interface (192.168.1.10).

ISAKMP parameters - PSK, 3DES, SHA, group 2

IPsec parameters - 3DES, SHA

Username remoteuser with password user123 is created on ASA1.

Address pool - 192.168.21.1-192.168.21.5

The task: the user's traffic {i.e. the PC (cloud in the diagram)} destined to 1.1.1.1 should be encrypted; the rest should go out in clear text.

Config on ASA1:

crypto ikev1 enable outside
crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2

crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac

ip local pool EZ-POOL 192.168.21.1-192.168.21.5 mask 255.255.255.0

access-list SPLIT standard permit host 1.1.1.1

group-policy SPLIT internal
group-policy SPLIT attributes
  vpn-tunnel-protocol l2tp-ipsec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value SPLIT

tunnel-group SALES type remote-access
tunnel-group SALES general-attributes
  default-group-policy SPLIT
  address-pool EZ-POOL
tunnel-group SALES ipsec-attributes
  ikev1 pre-shared-key cisco123

crypto dynamic-map D-MAP 10 set ikev1 transform-set TSET
crypto map MAP 1 ipsec-isakmp dynamic D-MAP
crypto map MAP interface outside

username remoteuser password user123
username remoteuser attributes
  vpn-group-policy SPLIT

route inside 1.1.1.0 255.255.255.0 10.1.101.1

Also, there is a static route from the PC to 192.168.2.2 (R2's interface).

Now when I connected to the ASA's outside interface (192.168.1.10) through the VPN client software on my PC with group name SALES, password cisco123, and user remoteuser, password user123, I got connected.

But when I tried to ping 1.1.1.1 from the command prompt on my PC, I wasn't able to.

The packets are not getting decrypted on my side.

Also, there are no packets getting decrypted on the ASA (when I typed show crypto ipsec sa).

An address is being assigned from the pool to my PC.

When I checked with logging on and debug crypto isakmp 50 on the ASA, the messages that PHASE-1 and PHASE-2 completed are shown; the tunnel is established, but the packets are not getting decrypted at the ASA side.

Can anyone please address my issue?

I'm unable to understand what the problem is with encryption and decryption!

Thank you,
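As an added example (not part of the original post, and not a Cisco tool), here is a small Python helper for exactly the situation described above: phase 1 and phase 2 complete, an address is assigned, but pings do not return. It reads the per-SA packet counters out of `show crypto ipsec sa` on the ASA, takes the encrypted/decrypted counts from the VPN client's statistics, and names the leg of the data path that is failing. The ASA output and the client counters in the block are constructed to match this scenario (the output is shaped like ASA 8.4's, but it is not a capture from this lab), and the diagnosis labels and the order in which they are checked are this example's own design, not an ASA feature.

```python
"""Locate the failing leg of an IPsec remote-access data path from counters.

Once IKE phase 1 and 2 are up, a ping through the tunnel touches four
counters in order:
    client encrypt -> ASA decaps -> ASA encaps (the reply) -> client decrypt
The first one that stays at zero tells you which leg to troubleshoot.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, shaped like `show crypto ipsec sa` on ASA 8.4 for the
# thread's setup (dynamic crypto map, one remote-access SA, nothing decrypted).
ASA_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: D-MAP, seq num: 10, local addr: 192.168.1.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.21.1/255.255.255.255/0/0)
      current_peer: 192.168.2.200, username: remoteuser
      dynamic allocated peer ip: 192.168.21.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.1.10/0, remote crypto endpt.: 192.168.2.200/0
"""

# Constructed counters as read from the Cisco VPN Client "Statistics" tab on
# the PC: the client encrypted the pings but never decrypted a reply.
CLIENT_STATS = {"encrypted": 4, "decrypted": 0}


@dataclass
class IpsecSa:
    peer: str
    assigned_ip: Optional[str]
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_asa_ipsec_sa(text: str) -> IpsecSa:
    """Extract the peer, assigned pool address and packet counters."""
    def counter(name: str) -> int:
        m = re.search(rf"#{re.escape(name)}: (\d+)", text)
        if m is None:
            raise ValueError(f"counter {name!r} not found in output")
        return int(m.group(1))

    peer = re.search(r"current_peer: ([\d.]+)", text)
    if peer is None:
        raise ValueError("no current_peer line: no IPsec SA is up")
    assigned = re.search(r"dynamic allocated peer ip: ([\d.]+)", text)
    return IpsecSa(
        peer=peer.group(1),
        assigned_ip=assigned.group(1) if assigned else None,
        encaps=counter("pkts encaps"),
        decaps=counter("pkts decaps"),
        send_errors=counter("send errors"),
        recv_errors=counter("recv errors"),
    )


def diagnose(sa: IpsecSa, client_encrypted: int, client_decrypted: int) -> str:
    """Return a label naming the first leg of the path whose counter is zero."""
    if client_encrypted == 0:
        return ("client-not-encrypting: the destination is not matched by the "
                "split-tunnel list, so the client sends it in the clear")
    if sa.recv_errors:
        return "asa-recv-errors: ESP arrives but fails verify/decrypt (SA mismatch)"
    if sa.decaps == 0:
        return ("esp-not-reaching-asa: the client encrypts but the ASA never "
                "decapsulates; check the path to the outside interface (ESP or "
                "UDP/4500 forwarding, the GNS3 host binding), not the crypto config")
    if sa.encaps == 0:
        return ("no-return-traffic: the ASA decrypts but has nothing to send back; "
                f"check the inside route back to {sa.assigned_ip} and NAT exemption")
    if client_decrypted == 0:
        return "return-esp-lost: the ASA encrypts replies but the client never decrypts them"
    return "data-plane-ok: all four counters increment; look beyond IPsec"


if __name__ == "__main__":
    sa = parse_asa_ipsec_sa(ASA_SHOW_CRYPTO_IPSEC_SA)
    print(diagnose(sa, CLIENT_STATS["encrypted"], CLIENT_STATS["decrypted"]))
```

With the constructed counters (client encrypts, ASA decaps stays at 0) the helper reports esp-not-reaching-asa, which is the leg to look at before touching the ISAKMP or transform-set configuration.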


Comments

  • Does R1 know how to route back?


    (In reply to ramu6390, 15/09/2013 11:56)
    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • qqabdal,

    It has a default route towards the firewall interface. ASA1 has a default route to R2.

    Static route from the PC to 192.168.1.10 via 192.168.2.2 (R2).

  • Are you using the Cisco VPN client or the Windows client?


    (In reply to ramu6390, 15/09/2013 14:47)
  • Sorry, I now see that you are using the Cisco VPN client, as per your post's subject.

    I replicated your config and it worked for me; the only thing I added was reverse route injection (RRI) in my scenario, but I think it does not matter in yours, as you are using static routing.

    Could this be something with your PC? Are you using a VM to emulate the PC with GNS3?

  • I'm confused as to why this worked for you, qqabdal. The vpn-tunnel-protocol in the group-policy is L2TP, which should be used for the native Windows client without the presence of the Cisco VPN Client. Did you change the vpn-tunnel-protocol to 'ipsec' or did you leave it at l2tp?

  • It's just my PC (Windows 7) and GNS3, that's it!

    The encrypted packets are not reaching the firewall's outside interface!

  • DJS,

    I'm using ASA 8.4, and in that, for the group-policy, I used vpn-tunnel-protocol l2tp (that's the only command I felt was apt); there is no 'ipsec' option appearing in it.

    Is it enough if we use vpn-tunnel-protocol ikev1? Please can you explain.

    Pardon my inexperience.

    Thank you!

  • Yes, I changed that, and that was the reason why I asked if it was the Cisco VPN client or native Windows. L2TP is for the Windows client. I am assuming that the OP also changed this, otherwise he wouldn't be able to complete phase 1 to begin with.



    (In reply to DJS, 16 Sep 2013 07:13:25 GMT, Re: [CCIE Sec] RA-VPN : Cisco VPN client & ASA (psk) - ping not working..!)
  • Try using a VM running any flavor of Windows; that should work.



    (In reply to ramu6390, 16 Sep 2013 07:14:57 GMT, Re: [CCIE Sec] RA-VPN : Cisco VPN client & ASA (psk) - ping not working..!)
  • You can completely remove that command. The problem is that if this were the issue, it wouldn't even allow you to connect; but you said that you are able to connect and authenticate, just not able to ping.



    (In reply to ramu6390, 16 Sep 2013 13:41:49 GMT, Re: [CCIE Sec] RA-VPN : Cisco VPN client & ASA (psk) - ping not working..!)
  • Concerning the group-policy vpn-tunnel-protocol type: you were using l2tp, which is used if you do not have the Cisco VPN client installed. This is because the L2TP information is not encrypted, so an IPsec tunnel is made THEN the tunneled packets flow; the ASA has to know how to handle this tunnel type so that there is proper encryption.

    1. User connects to the Internet via PPP and gets an IP
    2. User launches the L2TP program
    3. User initiates Phase 1
    4. User initiates Phase 2
    5. After IPsec, the client initiates the L2TP tunnel
    6. PPP tunnel initiation is negotiated
    7. L2TP packets are sent, encrypted by IPsec

    I just asked this question because it seems that if you were using the Cisco VPN client then your tunnel type shouldn't be l2tp. On code prior to 8.4 the vpn-tunnel-protocol type is ipsec; it can still be used in 8.4, but it's hidden. This is because the new code differentiates between IKEv1 and IKEv2, in which case the new command would be vpn-tunnel-protocol ikev1 for IKEv1 IPsec tunnels.

    If you were getting the tunnel up through step 4, you may have had issues with your computer trying to establish an L2TP tunnel that wasn't configured. You would want to switch to vpn-tunnel-protocol ikev1 for the Cisco VPN client to handle the tunneling of the traffic.

  • DJS,

    The same problem persists even after changing vpn-tunnel-protocol to ikev1.

    When I pinged 1.1.1.1 from my PC's command prompt, the same statistics are shown: only encryption is taking place.

    Also, when I logged the messages on the ASA, the output of the log after pinging 1.1.1.1 is:

    %ASA-7-713236: IP = 192.168.2.200, IKE_DECODE RECEIVED Message (msgid=a81b1938) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    %ASA-7-715047: Group = SALES, Username = remoteuser, IP = 192.168.2.200, processing hash payload
    %ASA-7-715047: Group = SALES, Username = remoteuser, IP = 192.168.2.200, processing notify payload
    %ASA-7-715075: Group = SALES, Username = remoteuser, IP = 192.168.2.200, Received keep-alive of type DPD R-U-THERE (seq number 0x4c1a1695)
    %ASA-7-715036: Group = SALES, Username = remoteuser, IP = 192.168.2.200, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x4c1a1695)
    %ASA-7-715046: Group = SALES, Username = remoteuser, IP = 192.168.2.200, constructing blank hash payload
    %ASA-7-715046: Group = SALES, Username = remoteuser, IP = 192.168.2.200, constructing qm hash payload
    %ASA-7-713236: IP = 192.168.2.200, IKE_DECODE SENDING Message (msgid=d7cbe63a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

    ...

    Please do help me with this.

    And qqabdal, please correct me if I'm wrong: from the Windows VM we have to ping 1.1.1.1 directly, instead of from the VPN client?

    Am I right?

    Thank you,

  • No, the idea of using a VM is just that binding your local PC to GNS3 may not work 100% of the time, so I suggested using a VM PC with Windows installed.

    Even with the VM installed you would still need the Cisco VPN Client, and then, after connecting, you would try the ping to 1.1.1.1.

    I will try to lab this up in a few minutes and will let you know the results I get.

    HTH

    Good luck!

  • Ok, so I finally took some time to lab this up and verify it. Here is what I found.

    First off, it is really interesting that you are able to connect to the VPN using the Cisco VPN Client while having the following line in your group-policy:

    vpn-tunnel-protocol l2tp-ipsec

    As we previously discussed, L2TP is used when you are using the Windows client to connect to the VPN, not the Cisco VPN Client. So you can either completely remove it or configure vpn-tunnel-protocol ikev1 instead.

    Anyhow, I kept your config and tried to connect; as I expected, the ASA complains due to the l2tp-ipsec config:

    Sep 17 06:14:57 [IKEv1]Group = SALES, Username = remoteuser, IP = 192.168.56.101, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

    Removing that allowed me to connect to the VPN. I used two PCs to test it out:

    - Windows VM

    - My local PC running GNS3

    The Windows VM was able to successfully ping 1.1.1.1, but the local PC running GNS3 was not.

    So if you could try with your VM; I think your config is good aside from what I mentioned above.

    HTH

    Good luck!
