I have been through the process of setting up IPsec tunnels twice now and both times have failed. I am unsure what the issue is, as following tutorials online, they claim everything should work. I have also talked to a networking engineer in my workplace who can't seem to find any issues with the config, and my university networking lecturer also can't find any issue as of yet. I've run a "sh crypto ipsec sa" which reveals no IPsec SAs and a "sh crypto ipsec stats" which shows no active or previous tunnels, and all other outputs are zero. It's worth noting I'm trying to follow the NCSC's guidance for setting up an IPsec tunnel, so have been using their recommended encryption standards.
I have three networks, one on the 192.168.1.0 range (CS1), another on the 192.158.2.0 range (CS2), and one on the 192.168.3.0 range (RS - this has not yet been configured for IPsec and has been switched off for all testing/development so far). I'm using Cisco ASA firewalls on both ends of the tunnel. The firewalls can ping each other's outside interfaces (10.10.0.10 for CS1 and 10.10.0.20 for CS2) with no issues; however, the hosts and other devices on the CS1 and CS2 sites can't ping their firewalls' outside interface, yet can reach their local gateway. I have tried using an access list that permits everything on both ends and that doesn't seem to work either. The running config for each firewall is below (I've had to type it out as GNS3 doesn't allow for exporting the ASA running configs, so I've removed sections of useless information). Apologies for the formatting in advance; any help would be hugely appreciated!
## CS1 Config ##
ASA Version 9.12(2)
!
hostname CS1-Firewall
no mac-address auto
!
interface GigabitEthernet0/0
 description Inside interface acting as gateway
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside interface within tunnel
 nameif Outside
 security-level 100
 ip address 10.10.0.10 255.255.255.0
!
access-list ACL-CS1 extended permit ip 192.168.1.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.10.0.20 1
route Outside 192.168.2.0 255.255.255.0 10.10.0.20
route Outside 192.168.3.0 255.255.255.0 10.10.0.30
!
crypto ipsec ikev2 ipsec-proposal P1
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CS1-CS2 1 match address ACL-CS1
crypto map CS1-CS2 1 set peer 10.10.0.20
crypto map CS1-CS2 1 set ikev2 ipsec-proposal P1
crypto map CS1-CS2 interface Outside
crypto ikev2 policy 1
 encryption aes-gcm-192
 integrity null
 group 19
 prf sha256
 lifetime seconds 604800
crypto ikev2 enable Outside
!
tunnel-group 10.10.0.20 type ipsec-l2l
tunnel-group 10.10.0.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
## CS2 Config ##
ASA Version 9.12(2)
!
hostname CS2-Firewall
no mac-address auto
!
interface GigabitEthernet0/0
 description Inside interface acting as gateway
 nameif Inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Outside interface within tunnel
 nameif Outside
 security-level 100
 ip address 10.10.0.20 255.255.255.0
!
access-list ACL-CS2 extended permit ip 192.168.2.0 255.255.255.0
!
route Outside 0.0.0.0 0.0.0.0 10.10.0.10 1
route Outside 192.168.1.0 255.255.255.0 10.10.0.10
route Outside 192.168.3.0 255.255.255.0 10.10.0.30
!
crypto ipsec ikev2 ipsec-proposal P1
 protocol esp encryption aes-gcm-192
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map CS1-CS2 1 match address ACL-CS2
crypto map CS1-CS2 1 set peer 10.10.0.10
crypto map CS1-CS2 1 set ikev2 ipsec-proposal P1
crypto map CS1-CS2 interface Outside
crypto ikev2 policy 1
 encryption aes-gcm-192
 integrity null
 group 19
 prf sha256
 lifetime seconds 604800
crypto ikev2 enable Outside
!
tunnel-group 10.10.0.10 type ipsec-l2l
tunnel-group 10.10.0.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
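As an added check that is not part of the original post, here is a small Python script (my own, not Cisco's or the poster's) that parses the tunnel-relevant lines of two ASA configs and reports the settings that have to agree for an IKEv2 site-to-site tunnel: the crypto map peer against the far Outside address, a tunnel-group named after that peer, a complete and mirror-image crypto ACL on each side, and matching IKEv2 policy and IPsec proposal parameters. The sample configs are constructed from the CS1/CS2 lines above, and the regular expressions assume the exact command forms used there rather than the full ASA grammar. Run on the posted pair it reports only that each crypto ACL names a single network, while the same pair with a destination network added on each side comes back clean.

```python
import re

def sample(local, remote, net, acl, dst=""):  # constructed stand-in for the posted configs; dst="" reproduces the posted ACL
    return f"""nameif Outside
ip address {local} 255.255.255.0
access-list {acl} extended permit ip {net} 255.255.255.0 {dst}
crypto ipsec ikev2 ipsec-proposal P1
protocol esp encryption aes-gcm-192
protocol esp integrity sha-256
crypto map CS1-CS2 1 match address {acl}
crypto map CS1-CS2 1 set peer {remote}
crypto ikev2 policy 1
encryption aes-gcm-192
integrity null
group 19
prf sha256
tunnel-group {remote} type ipsec-l2l
"""

def parse(cfg):  # pull out the settings an IKEv2 L2L tunnel depends on; regexes cover the command forms used above only
    d, nameif = {"acl": {}, "tg": set(), "ike": {}, "esp": {}}, None
    for ln in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)", ln): nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+", ln)) and nameif == "Outside": d["outside"] = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip (.*)", ln): d["acl"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", ln): d["match"] = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", ln): d["peer"] = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", ln): d["tg"].add(m.group(1))
        elif m := re.match(r"protocol esp (\S+) (\S+)", ln): d["esp"][m.group(1)] = m.group(2)
        elif m := re.match(r"(encryption|integrity|group|prf) (\S+)", ln): d["ike"][m.group(1)] = m.group(2)
    return d

def check_pair(a, b):  # findings for two parsed ends; an empty list means every checked setting agrees
    out, acls = [], []
    for side, me, other in (("A", a, b), ("B", b, a)):
        if me.get("peer") != other.get("outside"):
            out.append(f"{side}: peer {me.get('peer')} is not the remote Outside address {other.get('outside')}")
        if me.get("peer") not in me["tg"]:
            out.append(f"{side}: no ipsec-l2l tunnel-group named after peer {me.get('peer')}")
        acls.append(acl := me["acl"].get(me.get("match"), []))
        if len(acl) != 4:  # an ASA extended ACL entry needs src mask dst mask; the crypto map matches nothing otherwise
            out.append(f"{side}: crypto ACL {me.get('match')} lacks a destination network: {' '.join(acl)!r}")
    if all(len(x) == 4 for x in acls) and acls[0] != acls[1][2:] + acls[1][:2]: out.append("crypto ACLs are not mirror images")
    out += [f"{k} parameters differ: {a[k]} vs {b[k]}" for k in ("ike", "esp") if a[k] != b[k]]
    return out

if __name__ == "__main__":
    cs1 = parse(sample("10.10.0.10", "10.10.0.20", "192.168.1.0", "ACL-CS1"))
    cs2 = parse(sample("10.10.0.20", "10.10.0.10", "192.168.2.0", "ACL-CS2"))
    print("\n".join(check_pair(cs1, cs2)) or "no mismatches")
```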