In practice I use security contexts to PAT (and NAT) clients behind different outside public IP addresses on a multiple-context Cisco ASA firewall. This keeps the ASA configuration scalable and more manageable. I also used to run a separate ASA firewall just to terminate site-to-site IPsec VPNs, but since Cisco ASA Software release 9.0 I can run IKEv1 (and IKEv2) site-to-site VPNs on a context-based ASA. The IPsec VPN tunnel would not come up right after I configured it, so I ran some debugs:
Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 7
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing ISAKMP SA payload
Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, constructing Fragmentation VID + extended capabilities payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE MM Responder FSM error history (struct &0x00007fff36a117d0) <state>, <event>: MM_DONE, EV_ERROR-->MM_SND_MSG6_H, EV_SND_MSG_OK-->MM_SND_MSG6_H, EV_SND_MSG-->MM_SND_MSG6, EV_SND_MSG-->MM_BLD_MSG6, EV_ENCRYPT_OK-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ENCRYPT_MSG-->MM_BLD_MSG6, EV_CHECK_IA
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, IKE SA MM:ce5a3ed0 terminating: flags 0x0100c002, refcnt 0, tuncnt 0
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, sending delete/delete with reason message
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing IKE delete payload
Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=e1881a02) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
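How to read that debug, as an added example (this is not code from the original post): the three "Mismatched attribute types" lines are the responder walking its configured IKE policies and logging one line per non-matching policy; they are harmless once a "Transform # 1 acceptable" line follows. The line that actually explains the failure is "Tunnel Rejected: The maximum tunnel count allowed has been reached". The script below encodes that reading and runs it over lines constructed from the debugs on this page; the "next step" hint text is the example's own, not ASA output.

```python
"""Triage `debug crypto ikev1` output from a Cisco ASA acting as IKEv1 responder.

Added example, not code from the original post. Sample lines are constructed
from the debug shown on the page (same peer address and message text).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One line per configured IKE policy the responder tried and skipped.
MISMATCH = re.compile(r"Phase 1 failure: Mismatched attribute types")
# A policy matched; any mismatch lines before this are noise.
ACCEPTABLE = re.compile(r"IP = (?P<peer>[\d.]+), IKE SA Proposal # \d+, Transform # \d+ acceptable")
# The decisive rejection, printed after the proposal was already accepted.
REJECTED = re.compile(r"IP = (?P<peer>[\d.]+), Tunnel Rejected: (?P<reason>.+?)\s*$")
PHASE_DONE = re.compile(r"IP = (?P<peer>[\d.]+), (?P<phase>PHASE [12]) COMPLETED")

# What to check next for a given rejection text. Only the reason seen on the
# page is listed; the hint wording is this example's, not ASA output.
NEXT_STEP = {
    "The maximum tunnel count allowed has been reached":
        "the context has no site-to-site VPN allocation: put it in a resource class "
        "with 'limit-resource vpn other <n>' and confirm with 'show resource usage context <name>'",
}


@dataclass
class Verdict:
    peer: Optional[str] = None
    policy_mismatches: int = 0
    proposal_accepted: bool = False
    rejected_reason: Optional[str] = None
    phases_completed: List[str] = field(default_factory=list)

    def summary(self) -> str:
        if self.rejected_reason:
            hint = NEXT_STEP.get(self.rejected_reason, "look at the lines just before the rejection")
            return f"FAIL peer={self.peer}: {self.rejected_reason} ({hint})"
        if "PHASE 2" in self.phases_completed:
            return f"OK peer={self.peer}: IKE phase 1 and phase 2 completed"
        if self.policy_mismatches and not self.proposal_accepted:
            return (f"FAIL peer={self.peer}: none of the {self.policy_mismatches} local IKE "
                    f"policies tried matched the peer's proposal")
        return f"INCOMPLETE peer={self.peer}: no decisive line seen"


def triage(lines: List[str]) -> Verdict:
    """Walk debug lines in order and keep only the facts that decide the outcome."""
    v = Verdict()
    for line in lines:
        if MISMATCH.search(line):
            v.policy_mismatches += 1
        elif (m := ACCEPTABLE.search(line)):
            v.peer, v.proposal_accepted = m["peer"], True
        elif (m := REJECTED.search(line)):
            v.peer, v.rejected_reason = m["peer"], m["reason"]
        elif (m := PHASE_DONE.search(line)):
            v.peer = m["peer"]
            v.phases_completed.append(m["phase"])
    return v


# Constructed from the failing debug on the page (before the resource class existed).
FAILED_DEBUG = [
    "Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1",
    "Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1",
    "Aug 19 06:30:54 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1",
    "Aug 19 06:30:54 [IKEv1 DEBUG]IP = 116.21.19.9, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 7",
    "Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108",
    "Aug 19 06:30:54 [IKEv1]IP = 116.21.19.9, Tunnel Rejected: The maximum tunnel count allowed has been reached",
    "Aug 19 06:30:54 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, sending delete/delete with reason message",
]

# Constructed from the working debug on the page (after the class was applied).
WORKING_DEBUG = [
    "Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED",
    "Aug 19 06:40:22 [IKEv1]IP = 116.21.19.9, Keep-alive type for this connection: DPD",
    "Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)",
]

if __name__ == "__main__":
    print(triage(FAILED_DEBUG).summary())
    print(triage(WORKING_DEBUG).summary())
```

Feed it the output of `debug crypto ikev1 255` for one peer at a time; a capture that contains several peers' negotiations needs to be split by the `IP = ...` address first, since the verdict keeps only the last peer it saw.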
Even though my IKE Phase 1 and Phase 2 policies matched on both VPN peers, they still could not establish a security association (SA). The repeated "Mismatched attribute types" lines are not the cause: the responder walks its configured IKE policies and logs one line per policy that does not match until it finds one that is acceptable (here global IKE entry #7). The decisive line is "Tunnel Rejected: The maximum tunnel count allowed has been reached". I found out that on a multiple-context ASA a context gets no site-to-site VPN sessions until you explicitly allocate them through a resource class; the default class allows zero, so the very first tunnel hits the limit. We first create a class (IPSEC-VPN) that sets the VPN resource limit, then make the specific context (admin) a member of that class.
ciscoasa# configure terminal
ciscoasa(config)# class ?
configure mode commands/options:
WORD Symbolic name of the class
ciscoasa(config)# class IPSEC-VPN
ciscoasa(config-class)# ?
Class configuration commands:
limit-resource Configure the resource limits
no Negate a command or set its defaults
ciscoasa(config-class)# limit-resource ?
class mode commands/options:
rate Enter this keyword to specify a rate/sec
Following resources available:
ASDM ASDM Connections
All All Resources
Conns Connections
Hosts Hosts
Routes Routing Table Entries
SSH SSH Sessions
Telnet Telnet Sessions
VPN VPN resources
Xlates XLATE Objects
ciscoasa(config-class)# limit-resource vpn ?
class mode commands/options:
Burst Burst limit over the configured limit. This burst limit is not
guaranteed. The context may take this resource if it is available on
the device at run time.
Other Other VPN sessions which include Site-to-Site, IKEv1 RA and L2tp
Sessions. These are guaranteed for a context and shouldn't exceed the
system capacity when combined across all contexts.
ikev1 Configure IKEv1 specific resources.
ciscoasa(config-class)# limit-resource vpn other ?
class mode commands/options:
WORD Value of resource limit (in <value> or <value>%)
ciscoasa(config-class)# limit-resource vpn other 10 // 10 SITE-TO-SITE SESSIONS GUARANTEED TO EACH CONTEXT IN THIS CLASS (I HAD A 10 SECURITY CONTEXT LICENSE INSTALLED)
ciscoasa(config-class)# context admin
ciscoasa(config-ctx)# ?
Context configuration commands:
allocate-interface Allocate interface to context
allocate-ips Allocate IPS virtual sensor to context
config-url Configure URL for a context configuration
description Provide a description of the context
exit Exit from context configuration mode
help Interactive help for context subcommands
join-failover-group Join a context to a failover group
member Configure class membership for a context
no Negate a command
scansafe Enable scansafe inspection in this context
ciscoasa(config-ctx)# member ?
context mode commands/options:
WORD Class name
ciscoasa(config-ctx)# member IPSEC-VPN
ciscoasa(config-ctx)# end
ciscoasa# changeto context admin
ciscoasa/admin# debug crypto ikev1 255
ciscoasa/admin# debug crypto ipsec 255
<OUTPUT TRUNCATED>
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 1 COMPLETED
Aug 19 06:40:22 [IKEv1]IP = 116.21.19.9, Keep-alive type for this connection: DPD
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P1 rekey timer: 82080
Aug 19 06:40:22 [IKEv1 DECODE]IP = 116.21.19.9, IKE Responder starting QM: msg id = 0848596d
IPSEC: Increment SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:5281)
IPSEC: Completed inbound permit rule, SPI 0xA6685BB5
Rule ID: 0x00007fff369ff5d0
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:4645)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA6685BB5, old value: 1, new value: 0, (ctm_np_vpn_context_cb:10167)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA6685BB5, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:743)
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Pitcher: received KEY_UPDATE, spi 0xa6685bb5
Aug 19 06:40:22 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Starting P2 rekey timer: 27360 seconds.
Aug 19 06:40:22 [IKEv1]Group = 116.21.19.9, IP = 116.21.19.9, PHASE 2 COMPLETED (msgid=0848596d)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, Sending keep-alive of type DPD R-U-THERE (seq number 0x382b231e)
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing blank hash payload
Aug 19 06:40:35 [IKEv1 DEBUG]Group = 116.21.19.9, IP = 116.21.19.9, constructing qm hash payload
Aug 19 06:40:35 [IKEv1]IP = 116.21.19.9, IKE_DECODE SENDING Message (msgid=ddb7337f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
ciscoasa/admin# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 116.21.19.9
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ciscoasa/admin# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 818, local addr: 202.7.2.12
access-list SYDNEY_TO_PERTH extended permit ip host 220.10.7.14 host 220.10.7.14
local ident (addr/mask/prot/port): (220.10.7.14/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (116.21.19.9/255.255.255.255/0/0)
current_peer: 220.10.7.14
#pkts encaps: 1569732, #pkts encrypt: 1585121, #pkts digest: 1585121
#pkts decaps: 1824463, #pkts decrypt: 1824463, #pkts verify: 1824463
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1569732, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 15389, #pre-frag failures: 0, #fragments created: 30778
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 87450
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.7.2.12/0, remote crypto endpt.: 116.21.19.9
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5AE3F513
current inbound spi : 36AE99F5
<OUTPUT TRUNCATED>
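The CLI help above warns that the "Other" VPN sessions are guaranteed per context and, combined across all contexts, must not exceed the system capacity. As an added planning aid (not code from the original post), the script below parses the subset of the system-context configuration that matters here (`class`, `limit-resource vpn other`, `context`, `member`), computes the guaranteed site-to-site session count per context, and flags both a context left with zero sessions (a context with no `member` line sits in the default class, which this script treats as 0 site-to-site sessions, the situation that produced the "maximum tunnel count" rejection) and a combined guarantee above capacity. The sample configuration, the context names other than admin, and the `capacity` value are all constructed for the example; take the real site-to-site limit from your platform and licence.

```python
"""Planning check for site-to-site ("vpn other") allocation on a multiple-context ASA.

Added example, not code from the original post. Parses only class /
limit-resource vpn other / context / member lines of the system configuration.
"""
import re
from typing import Dict, List, Optional, Tuple

CLASS_RE = re.compile(r"^class\s+(\S+)\s*$")
CONTEXT_RE = re.compile(r"^context\s+(\S+)\s*$")
VPN_OTHER_RE = re.compile(r"^\s*limit-resource\s+vpn\s+other\s+(\d+)(%?)\s*$")
MEMBER_RE = re.compile(r"^\s*member\s+(\S+)\s*$")

Limit = Tuple[str, int]  # ("abs", n) sessions or ("pct", n) percent of capacity


def parse_system_config(text: str) -> Tuple[Dict[str, Optional[Limit]], Dict[str, str]]:
    """Return (class name -> vpn-other limit or None, context name -> class name)."""
    classes: Dict[str, Optional[Limit]] = {"default": None}
    contexts: Dict[str, str] = {}
    mode: Optional[Tuple[str, str]] = None  # ("class" | "context", name) being configured
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        m = CLASS_RE.match(line)
        if m:
            mode = ("class", m.group(1))
            classes.setdefault(m.group(1), None)
            continue
        m = CONTEXT_RE.match(line)
        if m:
            mode = ("context", m.group(1))
            contexts.setdefault(m.group(1), "default")  # no member line -> default class
            continue
        m = VPN_OTHER_RE.match(line)
        if m and mode and mode[0] == "class":
            classes[mode[1]] = ("pct" if m.group(2) else "abs", int(m.group(1)))
            continue
        m = MEMBER_RE.match(line)
        if m and mode and mode[0] == "context":
            contexts[mode[1]] = m.group(1)
    return classes, contexts


def guaranteed_sessions(limit: Optional[Limit], capacity: int) -> int:
    """Site-to-site sessions guaranteed to one context in a class with this limit."""
    if limit is None:
        return 0  # assumption for this example: no explicit 'vpn other' limit means none
    kind, n = limit
    return capacity * n // 100 if kind == "pct" else n


def check_plan(text: str, capacity: int) -> Tuple[Dict[str, int], int, List[str]]:
    """Per-context guarantee, the combined total, and a list of problems found."""
    classes, contexts = parse_system_config(text)
    per_context: Dict[str, int] = {}
    problems: List[str] = []
    for ctx, cls in contexts.items():
        if cls not in classes:
            problems.append(f"context {ctx}: member of undefined class {cls}")
            continue
        n = guaranteed_sessions(classes[cls], capacity)
        per_context[ctx] = n
        if n == 0:
            problems.append(f"context {ctx}: class {cls} guarantees 0 site-to-site sessions; "
                            f"IKEv1 L2L tunnels will be rejected")
    total = sum(per_context.values())
    if total > capacity:
        problems.append(f"guaranteed 'vpn other' total {total} exceeds platform capacity {capacity}")
    return per_context, total, problems


# Constructed sample system configuration (not from the post): one context in an
# absolute-limit class, one in a percentage class, one left in the default class.
SAMPLE_CONFIG = """\
class IPSEC-VPN
  limit-resource vpn other 10
class CUSTOMER
  limit-resource vpn other 25%
admin-context admin
context admin
  member IPSEC-VPN
  config-url disk0:/admin.cfg
context cust1
  member CUSTOMER
  config-url disk0:/cust1.cfg
context cust2
  config-url disk0:/cust2.cfg
"""

if __name__ == "__main__":
    per_context, total, problems = check_plan(SAMPLE_CONFIG, capacity=250)  # capacity is assumed
    for ctx, n in per_context.items():
        print(f"{ctx:10} {n:4} site-to-site sessions")
    print(f"total guaranteed: {total}")
    for p in problems:
        print("PROBLEM:", p)
```

Paste in the output of `show running-config` from the system execution space and run the check before you hand a new context a crypto map; on the box itself, `show resource allocation` and `show resource usage context <name>` show what the ASA actually granted.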