Thursday, October 14, 2021

Getting an IPsec RA tunnel working on an ASA

Hello, I finally get to ask a question here, exciting.

We're trying to get a remote access tunnel using IPsec and AnyConnect up and running, and I'm absolutely stumped as to what we're doing wrong. The tunnel comes up in ASDM monitoring and shows a child SA in show crypto ipsec sa with the appropriate ts (at least as far as I know), the decrypt counter increments appropriately, and throwing a vpn-filter on for testing shows the addresses in the VPN pool getting hits while the inside network doesn't. The inside interface outbound counter doesn't increment when pinging into it from the desktop with AnyConnect. So there's something between the VTI (where it is receiving incoming packets and decrypting/decapsulating them fine) and the inside interface (which never transmits) that I've configured wrong.

But I'm lost as to what that might be. We have the correct ACLs set up (the AnyConnect tunnel works fine over SSL, but the boss insists we get it working with IPsec), the identity NAT is set up, and we have split tunneling on, but that works fine and taking it off doesn't make a difference. I've killed the tunnel config a few times and recreated it from scratch, using both the ASDM wizard and following config guides by hand.

So:

  1. VPN itself comes up, shows Rx but no Tx
  2. Adding a vpn-filter, VPN pool addresses show hits but the inside network does not
  3. Inside interface output doesn't increase when test pinging
  4. show crypto ikev2 sa has a child SA with local ts of 0.0.0.0-255.255.255.255, i.e. all traffic, and remote ts of 192.168.145.0-192.168.145.255 (the pool of addresses for Remote Access connections)
  5. show crypto ipsec sa shows decaps increment but encaps don't
  6. If I set the AnyConnect profile to not use IPsec as primary and let it connect over SSL, everything works!

I can't get full configs posted but I can answer any questions. Any help would be appreciated.
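The symptom in points 1 and 5 above (decaps climbing, encaps stuck at zero) is easy to misread on a long-lived tunnel, because the absolute counters in show crypto ipsec sa carry history from before the test. The script below is an added example, not code from the original post or from Cisco: it parses the relevant fields of show crypto ipsec sa output, takes two snapshots (one before and one after a test ping), and reports only the child SAs that decrypted packets in that window without encrypting any. The sample output is constructed to resemble the ASA 9.x layout; the addresses, usernames and counters are made up, and the field names are approximated from the real command.

```python
"""Flag one-way (decrypt-only) IPsec child SAs in ASA 'show crypto ipsec sa' output.

Added example, not part of the original post. The sample output below is
constructed to resemble ASA output; field names follow the real command but
the addresses, usernames and counters are invented.
"""
import re
from dataclasses import dataclass

# Field patterns from 'show crypto ipsec sa' (ASA 9.x layout, approximated).
RE_LOCAL = re.compile(r"^\s*local ident \(addr/mask/prot/port\): \((?P<ts>[^)]*)\)")
RE_REMOTE = re.compile(r"^\s*remote ident \(addr/mask/prot/port\): \((?P<ts>[^)]*)\)")
RE_PEER = re.compile(r"^\s*current_peer: (?P<peer>[^,\s]+)(?:, username: (?P<user>\S+))?")
RE_ENCAPS = re.compile(r"#pkts encaps: (?P<n>\d+)")
RE_DECAPS = re.compile(r"#pkts decaps: (?P<n>\d+)")


@dataclass
class ChildSa:
    local_ts: str
    remote_ts: str = ""
    peer: str = ""
    user: str = ""
    encaps: int = 0   # packets the ASA encrypted toward the client (Tx)
    decaps: int = 0   # packets the ASA decrypted from the client (Rx)

    def key(self):
        # Identify the same SA across two snapshots.
        return (self.peer, self.user, self.remote_ts)


def parse_ipsec_sa(text):
    """Split the command output into one ChildSa per 'local ident' block."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := RE_LOCAL.match(line):
            cur = ChildSa(local_ts=m["ts"])
            sas.append(cur)
            continue
        if cur is None:
            continue
        if m := RE_REMOTE.match(line):
            cur.remote_ts = m["ts"]
        elif m := RE_PEER.match(line):
            cur.peer, cur.user = m["peer"], m["user"] or ""
        elif m := RE_ENCAPS.search(line):
            cur.encaps = int(m["n"])
        elif m := RE_DECAPS.search(line):
            cur.decaps = int(m["n"])
    return sas


def one_way_sas(current, baseline=None):
    """Return (sa, rx_delta) for SAs that decrypted packets since the baseline
    snapshot but encrypted none. Without a baseline the absolute counters are
    used, which also flags SAs that were one-way at some point in the past."""
    base = {sa.key(): sa for sa in (baseline or [])}
    flagged = []
    for sa in current:
        prev = base.get(sa.key())
        rx = sa.decaps - (prev.decaps if prev else 0)
        tx = sa.encaps - (prev.encaps if prev else 0)
        if rx > 0 and tx == 0:
            flagged.append((sa, rx))
    return flagged


def report(current_text, baseline_text=None):
    """Human-readable lines for each one-way SA found in current_text."""
    cur = parse_ipsec_sa(current_text)
    base = parse_ipsec_sa(baseline_text) if baseline_text else None
    return [f"{sa.user}@{sa.peer} ({sa.remote_ts.split('/')[0]}): "
            f"{rx} pkts decrypted, 0 encrypted" for sa, rx in one_way_sas(cur, base)]


def _sa_block(peer, user, pool_ip, encaps, decaps):
    # Renders one constructed SA block in the command's layout (sample data only).
    return f"""\
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): ({pool_ip}/255.255.255.255/0/0)
      current_peer: {peer}, username: {user}
      dynamic allocated peer ip: {pool_ip}

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
      #send errors: 0, #recv errors: 0
"""


HEADER = ("interface: outside\n    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, "
          "seq num: 65535, local addr: 203.0.113.10\n\n")

# Constructed snapshots: jdoe is the broken client (Rx only), asmith is healthy,
# and 'idle' sent nothing during the test but has stale one-way history.
BASELINE = (HEADER + _sa_block("198.51.100.23", "jdoe", "192.168.145.5", 0, 100)
            + _sa_block("198.51.100.77", "asmith", "192.168.145.6", 30, 30)
            + _sa_block("198.51.100.90", "idle", "192.168.145.7", 0, 5))
CURRENT = (HEADER + _sa_block("198.51.100.23", "jdoe", "192.168.145.5", 0, 151)
           + _sa_block("198.51.100.77", "asmith", "192.168.145.6", 40, 37)
           + _sa_block("198.51.100.90", "idle", "192.168.145.7", 0, 5))

if __name__ == "__main__":
    for line in report(CURRENT, BASELINE):
        print("one-way SA:", line)
```

Run it against two captures taken around a test ping; only SAs whose decrypt counter moved while the encrypt counter stayed flat are listed, which narrows the problem to the forwarding path between decryption and the inside interface rather than to the IKEv2 negotiation itself.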
