Route10 to Cisco ASA

Hi

Anyone successfully got a site to site VPN set up between a Route10 and Cisco ASA? On my ASA end it seems to think the IKEv2 SA is up but an ipsec sa never forms. However, from the Route10 perspective it thinks an ipsec association is connected. No traffic is flowing between the clients on each side.

Thanks, JS

Here’s what my ASA sees

IKEv2 SAs:

Session-id:36, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
2012693851 xx.xx.xx.xx/4500 xx.xx.xx.xx/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/5 sec

show crypto ipsec sa

There are no ipsec sas

And here’s what my route10 sees

~ # ipsec status
Security Associations (1 up, 0 connecting):
vpnlMrvCD[1]: ESTABLISHED 9 minutes ago,

If I’m not misremembering my commands, then you might be able to run swanctl --log from the Route10 terminal and get some more information about what’s going on from the Route10 side, at least.

That command works but all I see is some DPD packets being sent and returned

Any chance you can run some debugs on the ASA? I deal with ASAs using S2S tunnels at work. They’re not my favorite, to say the least, but it’s what we use. If you can, run a debug crypto ipsec sa, and if it doesn’t produce any logs because the SA isn’t even attempting to be created (which I doubt, because the Route 10 sees it), a debug crypto ipsec.

I think I’m having issues with the ASA and route 10 agreeing proposals. In fact in my ASA debugs I see

IKEv2-PROTO-2 (649): Failed to find matching policy.

This is my Route 10 end. What does this translate to at the ASA end?

I don’t have an IKEv2 VPN setup to test right now, unfortunately, but I wonder if either of these might be helpful to reference, since the Route10 is using strongSwan internally.

All working now. It was mismatching IKEv2 and ESP proposals causing the issue.


Think there’s a chance you could post a snippet of the config on each device? Nothing identifying of course. Might help someone in the future if they stumble on this thread with a similar problem 🙂

Here are the relevant sections of my ASA config

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto map outside_map 10 match address [Crypto access list]
crypto map outside_map 10 set peer [Alta labs Route10 IP]
crypto map outside_map 10 set ikev2 ipsec-proposal AES256
crypto map outside_map 10 set ikev2 pre-shared-key [PSK]
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

crypto ikev2 policy 80
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside client-services port XXXX
crypto ikev1 enable outside

Here are the sections from my Route 10 config

The name is just a description of the VPN.
For Hostname I used the public IP address of my ASA.
PSK is self explanatory. Same one on ASA.
Remote subnet: I only need to reach one subnet, so I define it here in the format xx.xx.xx.0/24.

Here is my IKEv2 config

For local ID I used the gateway address of the Route 10 subnet.
For remote ID I used the public IP of my ASA.

Not sure the IDs I used are what I should use but they work.

Here’s the ESP config on my Route 10

For local TS I used the local Route 10 subnet I wanted to encrypt in the format xx.xx.xx.0/24.

So, on the ASA end in my crypto ACL I need to define the remote subnet and local TS as an entry with the source being the Remote ID on the Route 10 and the destination being the local TS on the route 10.

Also, on the ASA you have to make sure traffic between the encrypted subnets is NOT NAT’d. I believe that needs to be explicitly defined. I believe turning off masquerade on the Route 10 ensures the traffic is not NAT’d at that end.

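The fix in this thread was getting the IKEv2 and ESP proposals to agree on both ends. As an added example (not code from the thread, Alta Labs or Cisco), this Python helper parses the ASA snippet posted above into the equivalent strongSwan (swanctl) proposal strings and reports which entries of a Route10/strongSwan proposals value the ASA would accept. The ASA-to-strongSwan name table is the standard naming of both products; the sample config is constructed from the thread and assumes a single policy and a single ipsec-proposal block.

```python
import itertools

# Constructed sample: the algorithm lines of the ASA config posted in the thread.
ASA_CONFIG = """
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 policy 80
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
"""

# ASA keyword -> strongSwan keyword; only common algorithms are mapped, others raise KeyError.
ALG = {"aes": "aes128", "aes128": "aes128", "aes192": "aes192", "aes256": "aes256", "3des": "3des",
       "sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072", "19": "ecp256", "20": "ecp384"}

def parse_asa(config):
    """Collect the algorithm lists of one 'crypto ikev2 policy' and one 'ipsec-proposal' block."""
    ike = {"encryption": [], "integrity": [], "prf": [], "group": []}
    esp = {"encryption": [], "integrity": []}
    cur = None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:3] == ["crypto", "ikev2", "policy"]:
            cur = ike
        elif t[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            cur = esp
        elif cur is ike and t[0] in ike:        # ASA accepts 'aes-256' and 'aes256' alike
            ike[t[0]] += [DH[a] if t[0] == "group" else ALG[a.replace("-", "")] for a in t[1:]]
        elif cur is esp and t[:2] == ["protocol", "esp"] and t[2] in esp:
            esp[t[2]] += [ALG[a.replace("-", "")] for a in t[3:]]
    return ike, esp

def ike_proposals(ike):
    """swanctl 'proposals' the policy accepts; strongSwan names the PRF only when it differs
    from the integrity hash, so 'aes256-sha256-modp2048' already implies prfsha256."""
    keys = ("encryption", "integrity", "prf", "group")
    return {f"{e}-{i}-{g}" if p == i else f"{e}-{i}-prf{p}-{g}"
            for e, i, p, g in itertools.product(*(ike[k] for k in keys))}

def esp_proposals(esp):
    """swanctl 'esp_proposals'; no DH group because the crypto map configures no PFS."""
    return {f"{e}-{i}" for e, i in itertools.product(esp["encryption"], esp["integrity"])}

def accepted(swanctl_value, asa_set):
    """Entries of a comma-separated swanctl proposal value the ASA also offers; empty means no match."""
    return [p for p in swanctl_value.split(",") if p in asa_set]
```

For the posted config this yields IKE `aes256-sha256-modp2048` and ESP `aes256-sha256`, so a Route10 side offering, say, only `modp1024` for IKE or a PFS group on the ESP proposal returns an empty list, which is the condition the ASA reports as "Failed to find matching policy".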

Really appreciate the detail, that’s awesome!