This week I had a client who had a head office and three satellite sites. They had old firewalls (a 5510 and 5505’s), and my firm had installed FTTC circuits, into the sites for them. My job was to reconfigure the firewalls and the site to site VPN tunnels (each site had a tunnel to the other sites), then disconnect their old ADSL connections, change the firewalls public IP, then connect to the shiny new FTTC circuits.
To save on downtime, my plan was to create new tunnel-groups for all the new IP addresses with the same shared-secrets, then add the new IPs as an alternative crpytomap peers. That way I could migrate all the sites and , the only downtime would be when I changed the firewall to the new IP and plugged into the new router, cool eh?
All was going well until I hit the third satellite site and tried to add a second VPN peer like so…
[box]crypto map outside_map 1 set peer {new-ip-address} {old-ip-address} [/box]
It returned this error;
ERROR: Multiple Peers can be specified only with originate-only connections
Solution
None of the other sites had done this, and I’ve done redundant VPN configs many times, (see the failover ISP article at the bottom of the page.) Never had I seen this error?
I made the ‘mistake‘ of adding;
[box]crypto map outside_map 1 set connection-type originate-only [/box]
A few minutes later I got an email “That sites VPNs have all gone down?”. On investigation the remote site thought the tunnel was up, (it was even encrypting and decrypting layer two traffic?) The main site didn’t even say phase one was attempting. I changed all the crypto maps back to a single peer IP and removed the ‘connection-type originate-only’ from all the crypto entries as well, everything started working again?
I found a bug report for something similar (CSCsd21514) but that affected version 7, I did a show version on the firewall it was running 7.2 (eeurgh.) I updated it to 8.3, (yes I could go to 9 but lets not tempt fate). Problem disappeared, it accepted the redundant VPN config and everything worked, (I flipped the circuit on this problem firewall this morning and downtime was less than 10 seconds).
Related Articles, References, Credits, or External Links
I’ve followed your Reverse Route Injection article and its not working? This email dropped in my mailbox a while back As it turns out the article I had written was for OSPF, and this chap was using EIGRP. So I ran it up with EIGRP as well to test.
Heres my topology, I want to inject the route for the remote site, into my internal EIGRP routing table.
Solution
Assuming EIGRP is already setup between the ASA and the LAN (i.e. Core Switch).
[box]
ASA
Petes-ASA# show run router
!
router eigrp 20
no auto-summary
network 10.1.0.0 255.255.0.0
passive-interface default
no passive-interface inside
redistribute static
!
Switch
Core-SW#show run | sec router
router eigrp 20
network 10.1.0.0 0.0.255.255
network 10.2.0.0 0.0.255.255
network 10.3.0.0 0.0.255.255
no auto-summary
[/box]
Also assuming you already have a site to site VPN established and working.
[box]
Petes-ASA# show cry isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.249.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Petes-ASA# show cry ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 192.168.253.254
access-list VPN-INTERESTING-TRAFIC extended permit ip 10.1.0.0 255.255.0.0 10.250.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.250.0.0/255.255.0.0/0/0)
current_peer: 192.168.249.254
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
[/box]
Show the Cryptomap, then add the RRI.
[box]
Petes-ASA# show run crypto
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 192.168.249.254
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
Petes-ASA# configure terminal
Petes-ASA(config)# crypto map CRYPTO-MAP 1 set reverse-route
Petes-ASA(config)#
[/box]
Create a ‘Prefix-List’ for the routes to inject (i.e the remote LAN at the other end of the VPN tunnel).
Core-SW#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.1.1.1 to network 0.0.0.0
10.0.0.0/16 is subnetted, 4 subnets
C 10.2.0.0 is directly connected, GigabitEthernet2/0
C 10.3.0.0 is directly connected, GigabitEthernet3/0
C 10.1.0.0 is directly connected, GigabitEthernet1/0
D EX 10.250.0.0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
D*EX 0.0.0.0/0 [170/28416] via 10.1.1.1, 00:00:02, GigabitEthernet1/0
[/box]
Related Articles, References, Credits, or External Links
I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.
I’m going to use the IP addresses above, and my tunnel will use the following settings;
3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.
[box]
R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL
[/box]
4. Apply that crypto map to an interface, (usually the Internet facing one).
[box]
R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#
[/box]
5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;
[box]
R1#show run
Building configuration...
Current configuration : 1249 bytes
------------output removed for the sake of space------------
!
ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
------------output removed for the sake of space------------
!
line aux 0
!
[/box]
6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:
Permit=Perform NAT
Deny=Don’t perform NAT
On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#write mem
Building configuration...
[OK]
[/box]
7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.
[box]
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP
no access-list 100 permit ip 20.20.20.0 0.0.0.255anyaccess-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255access-list 100 permit ip 10.10.10.0 0.0.0.255 any
[/box]
8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!
[box]
show crypto isakmp sa
show crypto ipsec sa
[/box]
WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;
[box]
ip access-list extended outside-in
permit esp host 1.1.1.1 any
permit udp host 1.1.1.1 any eq isakmp
permit udp host 1.1.1.1 any eq non500-isakmp
[/box]
If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!
Related Articles, References, Credits, or External Links
Note: This is for firewalls running an operating system BEFORE version 7, if you have an PIX running version 7 or above go here instead. I’ll run though he commands first and then the configuration from PDM at the end.
Solution
PIX 500: Configure a site to site VPN from command line
1. Connect to the PIX, go to “enable mode”, then to “Configure terminal mode”
[box]
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ********
PetesPIX# configure Terminal
PetesPIX(config)#
[/box]
2. I’m assuming the network BEHIND the PIX 500 is 192.168.124.0/24 and the network at the far end of the tunnel is 192.168.123.0/24. So I’m going to create two ACL’s one to tell the PIX that this traffic should be encrypted, and the second to tell the PIX NOT to perform NAT on the VPN traffic.
Note: Yes I can use one ACL, but having two makes it easier to troubleshoot any VPN problems.
[box]
PetesPIX(config)# access-list VPN_CRYPTO_ACL permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
PetesPIX(config)# access-list VPN_NO_NAT line 1 permit ip 192.168.124.0 255.255.255.0 192.168.123.0 255.255.255.0
[/box]
3. Now I’ve got an ACL that will stop performing NAT I need to add it as a “Nat 0” (this means don’t perform NAT).
Note: Check to make sure you do not already have a nat(inside) 0 xxx command, if you do, use the SAME ACL that is already in use.
4. To set up all the VPN parameters you need to create a crypto map. In the example below I set the peer IP (the firewall at the other end of the tunnel), to 81.81.81.81. Then I tie it to the ACL I created earlier (VPN_CRYPTO_ACL). I’ve set the encryption and hashing used for the tunnel to 3DES and SHA (These will be used for IPSec (Phase 2)). Set the timeouts for the tunnel, and finally apply the cryptomap I’ve just created, to the outside interface.
7. To establish the VPN phase 1 (ISAKMP) the devices at both ends of the tunnel need a matching ISAKMP policy. I’ve already set up my shared secret, the first line lets the other end know that’s how we will be communicating. Then once again I’m using 3DES and SHA. I’m telling the system to use Diffie Hellman group 2 for the secure key exchange, and then binding this policy to the outside interface.
Note: If you are interested on how all this stuff works see here
Reverse Route injection is the process that can be used on a Cisco ASA to take a route for an established VPN, and populate/inject that route into the routing table of other devices in it’s routing group.
In the example below, on the main site, we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site to site VPN to a remote site. To access the web server at 172.16.1.10 the 192.168.x.x networks need a route to it.
I’m going to use OSPF, (the ASA also supports EIGRP and RIP.)
Solution
1. We already have a site to site VPN, let’s find out what cryptomap it is using.
[box]
Main-GW# show run crypto map
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.60
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
Main-GW#
[/box]
2. So in this example it’s called CRYPTO-MAP 1, let’s enable reverse route injection for that crypto map.
[box]
Main-GW# configure terminal
Main-GW(config)# crypto map CRYPTO-MAP 1 set reverse-route
[/box]
3. Now create a ‘prefix-list‘ that contains our remote VPN subnet. (Note: if you had a lot of remote subnets you could add them separately or simply summarise them if they were contiguous networks).
6. And while still in config-router mode, set it to redistribute our VPN network(s). And finally remember the ASA wont send out any networks, without a default-information originate command.
Main-GW# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
Main-GW#
[/box]
8. To make sure it has worked, on the core switch CORE-SW-01, look at the routing table.
[box]
Core-SW-01#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 123.123.123.123 to network 0.0.0.0
O E1 172.16.0.0/16 [110/12011] via 192.168.1.1, 00:00:04, GigabitEthernet0/0
C 192.168.10.0/24 is directly connected, GigabitEthernet0/1
C 192.168.50.0/24 is directly connected, GigabitEthernet0/2
C 192.168.100.0/24 is directly connected, GigabitEthernet0/3
O*E2 0.0.0.0/0 [110/1] via 192.168.1.1, 00:00:03, GigabitEthernet0/0
[/box]
Related Articles, References, Credits, or External Links