Site-to-Site with Cisco ASA

Ivnosys · June 23, 2020, 7:04am

Hello,

I’m trying to connect Vyos to Cisco ASA and getting only this error:

pluto[21150]: added connection description “peer-$IP_DEST-tunnel-1”
ipsec_starter[21149]: routing ‘peer-$IP_DEST-tunnel-1’ failed

In the other side, the errrors are:

PROTO-4: (697): Searching policy based on peer’s identity ‘$IP_ORIG’ of type ‘IPv4 address’
IKEv2-PLAT-4: (697): New generic remote access client connection detected based on received address request
IKEv2-PLAT-2: (697): mapped to wrong tunnel group $IP_ORIG of type ipsec-l2l for RA peerIKEv2-PROTO-2: (697): Failed to locate an item in the database

The answer of CISCO provider is “Vyos appears to be attempting to build a remote-access VPN rather than a Lan to Lan (site to site/S2S/business to business)”, but the configuration is all with “vpn ipsec site-to-site”

Any ideas that what can be happening?

Thanks in advance.

Viacheslav · June 23, 2020, 9:46am

@Ivnosys Can you provide configuration from both sides?

Dmitry · June 24, 2020, 6:34pm

I think @Ivnosys use 1.1.8 (because pluto daemon ) which is EOL now.
I propose update to 1.3 rolling.

Ivnosys · June 26, 2020, 10:32am

The Vyos vpn configuration:

    esp-group esp {
        compression disable
        lifetime 3600
        mode tunnel
        pfs dh-group14
        proposal 1 {
            encryption aes256
            hash sha256
        }
    ike-group ike {
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        ikev2-reauth yes
        key-exchange ikev2
        lifetime 86400
        proposal 1 {
            dh-group 14
            encryption aes256
            hash sha256
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
        peer $IP_DEST {
            authentication {
                id $IP_ORIG
                mode pre-shared-secret
                pre-shared-secret ********
                remote-id @$HOST_DEST.$DOM_DEST
            }
            connection-type initiate
            default-esp-group esp
            ike-group ike
            ikev2-reauth yes
            local-address $IP_ORIG
            tunnel 1 {
                local {
                    prefix 192.168.1.0/24
                }
                protocol all
                remote {
                    prefix 10.0.0.0/24
                }
            }
        }

The CISCO ASA configuration:

ASA Version 9.12(3)12
!

hostname $HOST_DEST
domain-name $DOM_DEST

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.22.26.43 255.255.255.0 standby 172.22.26.44

object network Client_DTI
subnet 192.168.1.0 255.255.255.0

object network DTI_Local
subnet 10.0.0.0 255.255.255.0

crypto ipsec ikev2 ipsec-proposal sha256
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto map outside_map 51 match address outside_cryptomap_54
crypto map outside_map 51 set pfs group14
crypto map outside_map 51 set peer $IP_ORIG
crypto map outside_map 51 set ikev2 ipsec-proposal sha256
crypto map outside_map 51 set ikev2 pre-shared-key ########
crypto map outside_map 51 set reverse-route

crypto isakmp identity hostname
crypto isakmp nat-traversal 30

crypto ikev2 policy 65
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400

crypto ikev2 enable outside

group-policy POLITICA_L2L_DTI_CLIENT internal
group-policy POLITICA_L2L_DTI_CLIENT attributes
vpn-tunnel-protocol ikev2

tunnel-group $IP_ORIG type ipsec-l2l
tunnel-group $IP_ORIG general-attributes
default-group-policy POLITICA_L2L_DTI_CLIENT
tunnel-group $IP_ORIG ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key ########
ikev2 local-authentication pre-shared-key ########
!