Monday, January 15, 2018

Looking for someone with Cisco ASAv VPN experience to help.

Hi People, I've set up a Cisco ASAv on AWS, all working fine apart from one very annoying bugbear. I have set up a number of IPsec site-to-site VPN tunnels and keep on coming across the same problem, and it stems from the ASAv having two IPs on its outside interface. Let's say one is 8.8.4.4 and the other is the inside private IP of the outside interface.

It looks like you have to have it set up like that and Amazon take care of the NAT between the two IPs.

So here is my problem. If both vendors either side of the tunnel are Cisco it works right away, every time. But if I connect to a different vendor firewall, the person I'm trying to connect to sees traffic from the private IP of my outside interface and has to manually put in that IP as an IKE ID (10.10.2.254).

So, my question is does anyone know a way around this? Below is the debug output from a connection without 10.10.2.254 specified.

Interface config

Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, processing SA payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, Oakley proposal is acceptable
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, processing VID payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, Received xauth V6 VID
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, constructing ke payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, constructing nonce payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, constructing Cisco Unity VID payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, constructing xauth V6 VID payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, Send IOS VID
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, constructing VID payload
Jan 15 21:28:08 [IKEv1 DEBUG]IP = 8.8.8.8, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 15 21:28:08 [IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Jan 15 21:28:09 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:09 [IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 172
Jan 15 21:28:09 [IKEv1 DEBUG]IP = 8.8.8.8, processing ke payload
Jan 15 21:28:09 [IKEv1 DEBUG]IP = 8.8.8.8, processing ISA_KE payload
Jan 15 21:28:09 [IKEv1 DEBUG]IP = 8.8.8.8, processing nonce payload
Jan 15 21:28:09 [IKEv1]IP = 8.8.8.8, Connection landed on tunnel_group 8.8.8.8
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Generating keys for Initiator...
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing hash payload
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Computing hash for ISAKMP
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing dpd vid payload
Jan 15 21:28:09 [IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jan 15 21:28:12 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:12 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 15 21:28:12 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Sending keep-alive of type DPD R-U-THERE (seq number 0x5cb8c914)
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing blank hash payload
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing qm hash payload
Jan 15 21:28:15 [IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=e1b9f03e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 15 21:28:15 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:15 [IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=15c47b49) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, processing hash payload
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, processing notify payload
Jan 15 21:28:15 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5cb8c914)
Jan 15 21:28:16 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:16 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 15 21:28:16 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
Jan 15 21:28:20 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:20 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 15 21:28:20 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, P1 Retransmit msg dispatched to MM FSM
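As an added example (my own code, not part of the post), a small parser for debug output in the format above. It records which local address the ASA receives IKE on and flags the pattern the log shows: the ID payload (main mode message 5) goes out, and every later packet from the peer is a Phase 1 duplicate, which is how a peer that rejects our identity looks from the initiator's side. The sample log is a constructed excerpt in the same format; the field names and the "suspected" verdict are my own.

```python
import ipaddress
import re

# Constructed excerpt in the format of the ASA IKEv1 debug output quoted above
# (8.8.8.8 is the peer, 10.10.2.254 the ASAv's private outside address).
SAMPLE_LOG = """\
Jan 15 21:28:08 [IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 256
Jan 15 21:28:09 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:09 [IKEv1]IP = 8.8.8.8, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 172
Jan 15 21:28:09 [IKEv1 DEBUG]Group = 8.8.8.8, IP = 8.8.8.8, constructing ID payload
Jan 15 21:28:09 [IKEv1]IP = 8.8.8.8, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jan 15 21:28:12 [IKEv1]IKE Receiver: Packet received on 10.10.2.254:500 from 8.8.8.8:500
Jan 15 21:28:12 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 15 21:28:16 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
Jan 15 21:28:20 [IKEv1]Group = 8.8.8.8, IP = 8.8.8.8, Duplicate Phase 1 packet detected. Retransmitting last packet.
"""

PEER_RE = re.compile(r"IP = ([0-9.]+),")
RECV_RE = re.compile(r"Packet received on ([0-9.]+):\d+ from ([0-9.]+):\d+")

def analyse_ikev1_debug(text):
    """Per-peer summary of a 'debug crypto ikev1' capture, flagging the post's
    pattern: IKE arrives on a private local address, an ID payload goes out,
    and every later packet from the peer is a Phase 1 duplicate (stalled MM5)."""
    peers = {}
    def entry(peer):
        return peers.setdefault(
            peer, {"local_socket": None, "id_sent": False, "dup_phase1_after_id": 0})
    for line in text.splitlines():
        m = RECV_RE.search(line)
        if m:  # "IKE Receiver" lines show which local address the peer talks to
            local, peer = m.groups()
            entry(peer)["local_socket"] = local
            continue
        m = PEER_RE.search(line)
        if not m:
            continue
        e = entry(m.group(1))
        if "IKE_DECODE SENDING" in line and "ID (5)" in line:
            e["id_sent"] = True
        elif "Duplicate Phase 1 packet detected" in line and e["id_sent"]:
            e["dup_phase1_after_id"] += 1

    for e in peers.values():
        local = e["local_socket"]
        e["local_is_private"] = bool(local) and ipaddress.ip_address(local).is_private
        # Two or more peer retransmits after MM5 means the peer never accepted our ID.
        e["id_mismatch_suspected"] = e["id_sent"] and e["local_is_private"] and e["dup_phase1_after_id"] >= 2
    return peers
```

Run it over a full debug capture; a peer entry with local_is_private and id_mismatch_suspected both true points at the private outside address being sent as the IKE identity rather than at a proposal or pre-shared-key problem.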

