I have a very odd problem with passing traffic through a VPN. I have an SSG140 connected via VPN with a Cisco ASA 5525. On both sides I have a cisco router:
Router1 —— SSG140 —— Internet —— ASA 5525 —— Router2.
When I ping from router 1 to router 2 it activates the tunnel between the SSG140 and ASA and the ping works.
However, ICMP is definitely not the intended traffic. The idea is to pass a second IPSEC tunnel through the IPSEC tunnel that goes between the SSG and ASA.
The router1 is connected to the SSG using 172.27.135.8/29
SSG is connected to the internet using 172.27.135.0/29
The router2 is connected to the ASA on 172.27.137.8/29.
ASA connects to the internet using 10.17.1.188/30.
The ESP traffic never makes it through; it complains of a proxy ID that did not match the one in the SA config.
On my ASA I assure you the proxy IDs (ACLs) are correct; I’m not too clear whether what I’m doing on the SSG is correct.
Below are a few snippets from the SSG side:
This is the ping that works across the tunnel:
SSG_225-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
0000000f< 10.17.1.189 500 esp:a256/sha1 7327e143 2357 4094M A/- -1 0
0000000f> 10.17.1.189 500 esp:a256/sha1 a2a9f061 2357 4094M A/- -1 0
SSG_225-> get sa active stat
stat show feature statistics of sa
SSG_225-> get sa active stat
Total active sa: 1
total configured sa: 1
HEX ID Gateway Fragment Auth-Fail Other Totalbytes
0000000f< 10.17.1.189 0 0 0 1097360
0000000f> 10.17.1.189 0 0 0 1218132
SSG_225->
SSG_225->
SSG_225->
SSG_225-> get event
Total event entries = 3072
Date Time Module Level Type Description
2014-08-12 19:23:18 system info 00536 IKE 10.17.1.189 Phase 2 msg ID
5b1ebf1d: Completed negotiations with
SPI 7327e145, tunnel ID 15, and
lifetime 3600 seconds/4194303 KB.
2014-08-12 19:23:18 system notif 00625 Session (id 48046 src-ip 172.27.135.2
dst-ip 10.17.1.189 dst port 0) route
is valid.
2014-08-12 19:23:18 system info 00536 IKE 10.17.1.189 phase 2:The symmetric
crypto key has been generated
successfully.
2014-08-12 19:23:18 system info 00536 IKE 10.17.1.189 Phase 2 msg ID
5b1ebf1d: Responded to the peer's
first message.
2014-08-12 19:23:18 system notif 00625 Session (id 47871 src-ip 172.27.135.2
dst-ip 10.17.1.189 dst port 0) route
is valid.
2014-08-12 19:23:17 system notif 00625 Session (id 47836 src-ip 172.27.135.2
dst-ip 10.17.1.189 dst port 500) route
is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 47944 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 47894 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 47856 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 47905 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 47875 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 48038 src-ip 172.27.135.2
dst-ip 172.27.137.9 dst port 182)
route is invalid.
2014-08-12 19:23:17 system notif 00625 Session (id 48040 src-ip 172.27.135.2
set interface "tunnel.1" zone "Untrust"
This is the internal interface:
set interface ethernet0/0 ip 172.27.135.11/29
set interface ethernet0/0 nat
External interface:
set interface ethernet0/2 ip 172.27.135.2/29
set interface ethernet0/2 route
set interface ethernet0/7 ip 172.27.132.181/28
set interface tunnel.1 ip unnumbered interface ethernet0/2
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "172.27.135.9/32" 172.27.135.9 255.255.255.255
set address "Trust" "225" 172.27.135.8 255.255.255.248 "172.27.135.8/29"
set address "Untrust" "172.27.137.9/32" 172.27.137.9 255.255.255.255
set address "Untrust" "250" 172.27.137.8 255.255.255.248 "172.27.137.8/29"
set crypto-policy
exit
set ike p1-proposal "SUITE-B-P1" preshare group19 esp aes256 sha2-256 second 28800
set ike p1-proposal "ASA5525-P1" preshare group2 esp aes256 sha-1 second 86400
set ike p2-proposal "SUITE-B-P2" group19 esp aes256 sha2-256 second 3600
set ike p2-proposal "ASA5525-P2" group2 esp aes256 sha-1 second 3600
set ike gateway "VPN225-GW" address 10.17.1.189 Main outgoing-interface "ethernet0/2" preshare "ybbbb" proposal "ASA5525-P1"
set ike gateway "VPN225-GW" dpd-liveness always-send
set ike respond-bad-spi 1
set ike gateway "VPN225-GW" heartbeat hello 5
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
set ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 4000
set ipsec access-session lower-threshold 1000
set ipsec access-session dead-p2-sa-timeout 10
set vpn "VPN225" gateway "VPN225-GW" no-replay tunnel idletime 0 proposal "ASA5525-P2"
set vpn "VPN225" id 0xf bind interface tunnel.1
set url protocol websense
exit
set vpn "VPN225" proxy-id local-addr "Trust" "172.27.135.9/32" remote-addr "Untrust" "172.27.137.9/32" "ANY"
set policy id 5 from "Untrust" to "Trust" "172.27.137.9/32" "172.27.135.9/32" "ANY" permit log count
set policy id 5
exit
set policy id 4 from "Trust" to "Untrust" "172.27.135.9/32" "172.27.137.9/32" "ANY" permit log count
set policy id 4
exit
set policy id 2 name "Untrust-Trust" from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 2
set log session-init
exit
set policy id 1 name "Trust-Untrust" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 1
set log session-init
exit
set policy id 3 from "Trust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 3
set log session-init
exit
set policy id 6 from "Trust" to "Untrust" "172.27.135.9/32" "172.27.137.9/32" "ESP" permit
set policy id 6
This is the traffic that does not get passed:
Date Time Module Level Type Description
2014-08-12 19:37:05 system info 00536 Rejected an IKE packet on ethernet0/2
from 10.17.1.189:500 to 172.27.135.2:
500 with cookies 8d470ee268333fd8 and
a6ab0e372b9c5ace because The peer sent
a proxy ID that did not match the one
in the SA config.
2014-08-12 19:37:05 system info 00536 IKE 10.17.1.189 Phase 2: No policy
exists for the proxy ID received:
local ID (172.27.135.9/255.255.255.255,
50, 0) remote ID (172.27.137.9/
255.255.255.255, 50, 0).
2014-08-12 19:37:05 system info 00536 IKE 10.17.1.189 Phase 2 msg ID
655ee9fe: Responded to the peer's
first message.
2014-08-12 19:37:05 system info 00536 IKE 10.17.1.189 Phase 1: Completed
Main mode negotiations with a
86400-second lifetime.
2014-08-12 19:37:05 system info 00536 IKE 10.17.1.189 phase 1:The symmetric
crypto key has been generated
successfully.
2014-08-12 19:37:05 system info 00536 IKE 10.17.1.189 Phase 1: Responder
starts MAIN mode negotiations.
Any help would be greatly appreciated,
Thanks
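As an added illustration of what the two log excerpts show (not code from the post or from Juniper/Cisco): the Phase 2 rejection prints each received proxy ID as an (address/mask, protocol, port) tuple, and the responder compares it field by field against the tuple derived from the "set vpn ... proxy-id" line. The script below parses both out of the posted text and lists the fields that differ; it assumes the service name "ANY" corresponds to the protocol 0/port 0 wildcard and that "ESP" is IP protocol 50.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProxyId:
    addr: str
    mask: str
    proto: int  # IP protocol number, 0 = any
    port: int   # 0 = any

# Service name -> (protocol, port). Assumption: "ANY" is the 0/0 wildcard
# the log prints; ESP is IP protocol 50, AH is 51.
SERVICES = {"ANY": (0, 0), "ESP": (50, 0), "AH": (51, 0)}

# Constructed samples: the event text from the post joined onto one line,
# and the proxy-id line from the posted SSG config.
RECEIVED_LOG = ("IKE 10.17.1.189 Phase 2: No policy exists for the proxy ID "
                "received: local ID (172.27.135.9/255.255.255.255, 50, 0) "
                "remote ID (172.27.137.9/255.255.255.255, 50, 0).")
CONFIG_LINE = ('set vpn "VPN225" proxy-id local-addr "Trust" "172.27.135.9/32" '
               'remote-addr "Untrust" "172.27.137.9/32" "ANY"')

def prefix_to_mask(prefix: int) -> str:
    bits = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((bits >> s) & 0xFF) for s in (24, 16, 8, 0))

def parse_received(line: str) -> tuple[ProxyId, ProxyId]:
    """Extract the (addr/mask, proto, port) tuples from the SSG event text."""
    pat = r"(local|remote) ID \(([\d.]+)/([\d.]+), (\d+), (\d+)\)"
    ids = {k: ProxyId(a, m, int(p), int(pt)) for k, a, m, p, pt in re.findall(pat, line)}
    return ids["local"], ids["remote"]

def parse_config(line: str) -> tuple[ProxyId, ProxyId]:
    """Turn a 'set vpn ... proxy-id' line into the same tuple form."""
    pat = (r'local-addr "[^"]*" "([\d.]+)/(\d+)" '
           r'remote-addr "[^"]*" "([\d.]+)/(\d+)" "([^"]+)"')
    la, lp, ra, rp, svc = re.search(pat, line).groups()
    proto, port = SERVICES[svc.upper()]
    return (ProxyId(la, prefix_to_mask(int(lp)), proto, port),
            ProxyId(ra, prefix_to_mask(int(rp)), proto, port))

def compare(received, configured) -> list[str]:
    """Quick-mode IDs must agree field for field; report every field that does not."""
    out = []
    for side, got, want in zip(("local", "remote"), received, configured):
        for field in ("addr", "mask", "proto", "port"):
            g, w = getattr(got, field), getattr(want, field)
            if g != w:
                out.append(f"{side} {field}: peer sent {g}, SA config has {w}")
    return out

def diagnose(log_line: str = RECEIVED_LOG, config_line: str = CONFIG_LINE) -> list[str]:
    return compare(parse_received(log_line), parse_config(config_line))
```

Run diagnose() on the posted text and the only differing field on both sides is the protocol (50 received, 0 configured); swapping the configured service to "ESP" makes the tuples identical.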