
IPSec VPN between CP R75.20 and Cisco ASA One Way Failure



Plasibo
2012-07-20, 03:38
I have been having trouble with this communication for over two weeks now...
First, the details of the configuration.
On my side I have:
1. CP R75.20
2. Real network hosts
- 192.168.55.203 and 192.168.55.204
3. Networks used for NAT towards the peer
- 10.157.0.0/18, 10.158.0.0/18, 10.159.0.0/18
4. Firewall rules
- 192.168.55.203 and 192.168.55.204 towards 10.221.0.0/16 and 10.226.1.0/24 and 10.226.2.0/24 through the appropriate VPN
- 10.0.24.0/24 towards 10.227.1.0/24 and 10.227.2.0/24 and 10.250.0.0/16 through the appropriate VPN
- 10.221.0.0/16 and 10.226.1.0/24 and 10.226.2.0/24 towards 10.158.0.0/18 and 10.159.0.0/18 through the appropriate VPN
- 10.227.2.0/24 and 10.250.0.0/16 towards 10.157.0.0/18 through the appropriate VPN
5. NAT rules
- 192.168.55.204 NAT-ed to 10.158.0.102 when going towards 10.221.0.0/24
- 192.168.55.203 NAT-ed to 10.158.0.101 when going towards 10.221.0.0/24
6. IPSec VPN details
In the VPN Domain I have all these networks:
10.221.0.0/16 (other side)
10.250.0.0/16 (other side)
10.226.1.0/24 (other side)
10.226.2.0/24 (other side)
10.227.1.0/24 (other side)
10.227.2.0/24 (other side)
10.157.0.0/18 (my side)
10.158.0.0/18 (my side)
10.159.0.0/18 (my side)

Encryption method: IKEv1 only

VPN Tunnel Sharing: One VPN tunnel per subnet pair (tried even with One VPN tunnel per each pair of hosts)

We do not use PFS

Disable NAT inside the VPN community is unchecked
On the peer side they have:
1. Cisco ASA
2. Real network hosts
- 10.221.190.93 and 10.221.234.30
3. ACL (allowed in both directions)
- 10.221.0.0/16 and 10.226.1.0/24 and 10.226.2.0/24 towards 10.158.0.0/18 and 10.159.0.0/18 through the appropriate VPN
- 10.227.1.0/24 and 10.227.2.0/24 and 10.250.0.0/16 towards 10.157.0.0/18 through the appropriate VPN

I can reach their PCs and successfully open telnet on any port (as it should be) and I see encrypted packets on the Tracker, and they see decrypted packets on their side, but when they try to reach us, they see encrypted packets and I see packets coming towards me but they are not decrypted.
I get the following messages all the time:
1. From the communication between the GWs
- IKE: Quick Mode Received Notification from Peer: invalid id information
2. From the communication between the hosts when they try to reach us
- encryption failure: no response from peer
- inzone: External
outzone: External (THIS IS STRANGE)
service_id: domain-tcp
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
dst scheme: IKE
dst methods: ESP: AES-256 + SHA1
dst peer gateway: <PEER IP ADDRESS>
dst community: <COMMUNITY>

Another strange thing is that this IPSec VPN was working 3 months ago, and now, for the implementation, it has failed.
The guys from the other side are assuring me that they did not change anything.

Any opinions on whether there is anything wrong with the configuration, or suggestions…

Thanks in advance!!!

Plasibo
2012-07-25, 05:44
I've found out that the problem is with the NAT that the CP is making.
Namely, when I used real IP addresses and pools the IPSec VPN works fine, but when I implement NAT (to NAT my real addresses 192.168.55.0/24 into 10.158.0.0) the problem occurs.

Plasibo
2012-07-30, 07:15
IT WORKS !!!

I've found the cause of the problem.
Namely, because I was doing NAT into a network that was not real (existing) on my CP, there was no ARP record.
So I created an interface on my cluster members with an IP from the pool that I was NAT-ing into, and VOILA, it was working.
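As an added example (not the poster's configuration or Check Point's code), a small audit that implements the check this resolution implies: for every static NAT translation used inside the tunnel, confirm that the gateway actually owns the translated address, either through an interface in that subnet or a proxy ARP entry. The NAT translations are the ones posted in the thread; the interface addresses and the proxy ARP list are assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample data modelled on the thread.  The translations match the posted
# NAT rules; the interface addresses are assumed for the sake of the example.
INTERFACE_IPS = ["192.168.55.1/24", "10.0.24.1/24"]            # before the fix (assumed)
INTERFACE_IPS_FIXED = INTERFACE_IPS + ["10.158.0.1/18"]          # after adding an interface in the pool
PROXY_ARP_IPS: List[str] = []                                    # addresses the GW answers ARP for by config
NAT_TRANSLATIONS: Dict[str, str] = {
    "192.168.55.203": "10.158.0.101",
    "192.168.55.204": "10.158.0.102",
}


def gateway_answers_arp_for(addr: str, interface_ips: List[str], proxy_arp_ips: List[str]) -> bool:
    """True if the gateway will answer ARP for addr: an interface shares its subnet,
    or a proxy ARP entry exists for it."""
    ip = ipaddress.ip_address(addr)
    if ip in {ipaddress.ip_address(p) for p in proxy_arp_ips}:
        return True
    return any(ip in ipaddress.ip_interface(i).network for i in interface_ips)


def audit_static_nat(translations: Dict[str, str],
                     interface_ips: List[str],
                     proxy_arp_ips: List[str]) -> List[str]:
    """Return the translated addresses nobody on the gateway owns.
    Decrypted return traffic for these has no local owner, so the peer's
    packets arrive encrypted but never reach the real host behind the NAT."""
    return sorted(t for t in translations.values()
                  if not gateway_answers_arp_for(t, interface_ips, proxy_arp_ips))


if __name__ == "__main__":
    for label, ifaces in (("before fix", INTERFACE_IPS), ("after fix", INTERFACE_IPS_FIXED)):
        missing = audit_static_nat(NAT_TRANSLATIONS, ifaces, PROXY_ARP_IPS)
        print(f"{label}: unowned NAT addresses -> {missing or 'none'}")
```

The same audit can be run against exported interface and NAT tables before a cutover, which would have flagged the unowned 10.158.0.0/18 addresses in this thread ahead of time.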