Cisco ASA Spoke-to-Spoke IPSec VPN – Strike Two

In the previous article I talked about spoke-to-spoke IPSec VPN connections between ASA appliances. Now it's time to look at some debug and show output.

Let's turn on debugging on all three ASAs with "debug cry isak 2" (the abbreviated form of "debug crypto isakmp 2").

Don't forget "terminal monitor" if you're accessing the device via SSH or Telnet, otherwise the debug messages only go to the console.

At this point we don’t have any tunnels up:

ASA1#
ASA1# show cry isak sa

There are no isakmp sas
ASA1#

ASA2#
ASA2# show cry isak sa

There are no isakmp sas
ASA2#

ASA3#
ASA3# show cry isak sa

There are no isakmp sas
ASA3#

Let’s initiate some traffic from BranchA to BranchB by simply pinging from R1 to R2:

R1#
R1#ping 10.0.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 32/48/56 ms
R1#

The first two pings were lost while the tunnel was coming up. This is normal. Now let's look at the debugs:

ASA2
Nov 04 08:37:36 [IKEv1]: IP = 192.168.1.254, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.168.1.254 local Proxy Address 10.0.1.0, remote Proxy Address 10.0.2.0, Crypto map (MAP)
Nov 04 08:37:37 [IKEv1]: IP = 192.168.1.254, Connection landed on tunnel_group 192.168.1.254
Nov 04 08:37:37 [IKEv1]: IP = 192.168.1.254, Connection landed on tunnel_group 192.168.1.254
Nov 04 08:37:37 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Freeing previously allocated memory for authorization-dn-attributes
Nov 04 08:37:37 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, PHASE 1 COMPLETED
Nov 04 08:37:37 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Security negotiation complete for LAN-to-LAN Group (192.168.1.254) Initiator, Inbound SPI = 0x70c94b3d, Outbound SPI = 0x31206370
Nov 04 08:37:37 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, PHASE 2 COMPLETED (msgid=90b491cc)

As you can see, the VPN connection was made to ASA1, and ASA2 is the initiator here.

ASA1
Nov 04 08:37:46 [IKEv1]: IP = 192.168.1.252, Connection landed on tunnel_group 192.168.1.252
Nov 04 08:37:46 [IKEv1]: IP = 192.168.1.252, Connection landed on tunnel_group 192.168.1.252
Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, Freeing previously allocated memory for authorization-dn-attributes
Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, PHASE 1 COMPLETED
Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, IKE: requesting SPI!
Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, Security negotiation complete for LAN-to-LAN Group (192.168.1.252) Responder, Inbound SPI = 0x31206370, Outbound SPI = 0x70c94b3d
Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, PHASE 2 COMPLETED (msgid=90b491cc)

Here we can see that ASA1 first built the VPN tunnel with ASA2, and that ASA1 is the responder for that tunnel.

Nov 04 08:37:47 [IKEv1]: IP = 192.168.1.253, IKE Initiator: New Phase 1, Intf outside, IKE Peer 192.168.1.253 local Proxy Address 10.0.1.0, remote Proxy Address 10.0.2.0, Crypto map (MAP)
Nov 04 08:37:48 [IKEv1]: IP = 192.168.1.253, Connection landed on tunnel_group 192.168.1.253
Nov 04 08:37:48 [IKEv1]: IP = 192.168.1.253, Connection landed on tunnel_group 192.168.1.253
Nov 04 08:37:48 [IKEv1]: Group = 192.168.1.253, IP = 192.168.1.253, Freeing previously allocated memory for authorization-dn-attributes
Nov 04 08:37:48 [IKEv1]: Group = 192.168.1.253, IP = 192.168.1.253, PHASE 1 COMPLETED
Nov 04 08:37:48 [IKEv1]: Group = 192.168.1.253, IP = 192.168.1.253, Security negotiation complete for LAN-to-LAN Group (192.168.1.253) Initiator, Inbound SPI = 0xed16cbd9, Outbound SPI = 0xcf22687e
Nov 04 08:37:48 [IKEv1]: Group = 192.168.1.253, IP = 192.168.1.253, PHASE 2 COMPLETED (msgid=dd36fdbb)

After ASA1 negotiates the VPN session with ASA2, it builds a separate VPN tunnel to ASA3 and acts as the initiator.

ASA3
Nov 04 08:37:35 [IKEv1]: IP = 192.168.1.254, Connection landed on tunnel_group 192.168.1.254
Nov 04 08:37:36 [IKEv1]: IP = 192.168.1.254, Connection landed on tunnel_group 192.168.1.254
Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Freeing previously allocated memory for authorization-dn-attributes
Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, PHASE 1 COMPLETED
Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, IKE: requesting SPI!
Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Security negotiation complete for LAN-to-LAN Group (192.168.1.254) Responder, Inbound SPI = 0xcf22687e, Outbound SPI = 0xed16cbd9
Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, PHASE 2 COMPLETED (msgid=dd36fdbb)

ASA3 accepts the connection from ASA1 and acts as the responder.

How about the IKE sessions?

ASA2#
ASA2# show cry isak sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.1.254
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA2#

ASA1#
ASA1# show cry isak sa

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 192.168.1.252
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 192.168.1.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ASA1#

ASA3#
ASA3# show cry isak sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 192.168.1.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA3#

This is as expected. Now the IPSec tunnels:

ASA2#
ASA2# show vpn-sess l2l

Session Type: LAN-to-LAN

Connection : 192.168.1.254
Index : 3 IP Addr : 10.0.2.0
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 400 Bytes Rx : 300
Login Time : 08:37:37 UTC Fri Nov 4 2011
Duration : 0h:08m:23s
ASA2#

ASA1#
ASA1# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 192.168.1.252
Index : 5 IP Addr : 10.0.1.0
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 300 Bytes Rx : 400
Login Time : 08:37:46 UTC Fri Nov 4 2011
Duration : 0h:08m:41s
Connection : 192.168.1.253
Index : 6 IP Addr : 10.0.2.0
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 300 Bytes Rx : 300
Login Time : 08:37:48 UTC Fri Nov 4 2011
Duration : 0h:08m:39s
ASA1#

ASA3#
ASA3# show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 192.168.1.254
Index : 3 IP Addr : 10.0.1.0
Protocol : IKE IPsec
Encryption : AES256 Hashing : SHA1
Bytes Tx : 300 Bytes Rx : 300
Login Time : 08:37:36 UTC Fri Nov 4 2011
Duration : 0h:08m:54s
ASA3#

Take note of the Tx and Rx counters on all IPSec connections, because we are going to ping some more:

R1#
R1#ping 10.0.2.1 rep 100

Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.2.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 28/38/76 ms
R1#

Now Tx/Rx on ASA2 are 10400/10300. Tx/Rx on ASA1 are 10300/10400 towards ASA2 and 10300/10300 towards ASA3. On ASA3 Tx/Rx are 10300/10300. So the traffic is encrypted all the way from ASA2 to ASA3, but it goes through ASA1, which decrypts it on one tunnel and re-encrypts it on the other. You can also run "show cry ipsec sa | i encap|decap" on all three devices to confirm this from the IPSec SA counters.

So, the obvious question is whether this is a spoke-to-spoke VPN or a hub-and-spoke VPN. From the traffic flow standpoint it is clearly hub-and-spoke, because all traffic flows via the hub.
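One way to check the debug output above systematically, and to settle the hub-and-spoke question from the SPIs rather than by eye, is to pair each initiator's "Security negotiation complete" line with the responder's line on the far end: the initiator's outbound SPI must be the responder's inbound SPI and vice versa. This is an added example, not code from the original post; it embeds the four debug lines quoted in the article as constructed sample input, and the function names are my own.

```python
import re

# Constructed sample input: the "Security negotiation complete" lines from each
# ASA's "debug crypto isakmp 2" output, exactly as quoted in the article.
DEBUGS = {
    "ASA2": [
        "Nov 04 08:37:37 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Security negotiation complete for LAN-to-LAN Group (192.168.1.254) Initiator, Inbound SPI = 0x70c94b3d, Outbound SPI = 0x31206370",
    ],
    "ASA1": [
        "Nov 04 08:37:46 [IKEv1]: Group = 192.168.1.252, IP = 192.168.1.252, Security negotiation complete for LAN-to-LAN Group (192.168.1.252) Responder, Inbound SPI = 0x31206370, Outbound SPI = 0x70c94b3d",
        "Nov 04 08:37:48 [IKEv1]: Group = 192.168.1.253, IP = 192.168.1.253, Security negotiation complete for LAN-to-LAN Group (192.168.1.253) Initiator, Inbound SPI = 0xed16cbd9, Outbound SPI = 0xcf22687e",
    ],
    "ASA3": [
        "Nov 04 08:37:36 [IKEv1]: Group = 192.168.1.254, IP = 192.168.1.254, Security negotiation complete for LAN-to-LAN Group (192.168.1.254) Responder, Inbound SPI = 0xcf22687e, Outbound SPI = 0xed16cbd9",
    ],
}

SA_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Security negotiation complete for LAN-to-LAN Group "
    r"\([\d.]+\) (?P<role>Initiator|Responder), "
    r"Inbound SPI = (?P<in_spi>0x[0-9a-fA-F]+), Outbound SPI = (?P<out_spi>0x[0-9a-fA-F]+)"
)

def parse_sas(debugs):
    """One record per IPsec SA: which device saw it, peer, role and both SPIs."""
    sas = []
    for device, lines in debugs.items():
        for line in lines:
            m = SA_RE.search(line)
            if m:
                sas.append({"device": device, **m.groupdict()})
    return sas

def match_tunnels(sas):
    """Pair each initiator SA with the far-end responder SA via swapped SPIs.
    Returns (initiator_device, responder_device, consistent) tuples."""
    by_inbound = {sa["in_spi"]: sa for sa in sas}
    tunnels = []
    for sa in sas:
        if sa["role"] != "Initiator":
            continue
        far = by_inbound.get(sa["out_spi"])  # whoever receives on our outbound SPI
        ok = far is not None and far["role"] == "Responder" and far["out_spi"] == sa["in_spi"]
        tunnels.append((sa["device"], far["device"] if far else None, ok))
    return tunnels

def find_hub(tunnels):
    """The device that takes part in every tunnel is the hub (None if ambiguous)."""
    devices = [d for t in tunnels for d in t[:2] if d]
    hubs = {d for d in devices if devices.count(d) == len(tunnels)}
    return hubs.pop() if len(hubs) == 1 else None

def has_direct_tunnel(tunnels, a, b):
    """True only if a and b negotiated an SA with each other, with no hub between."""
    return any({t[0], t[1]} == {a, b} and t[2] for t in tunnels)
```

For the article's debugs this yields two consistent tunnels, ASA2-ASA1 and ASA1-ASA3, with ASA1 as the hub and no direct ASA2-ASA3 tunnel, which is the hub-and-spoke picture the counters also show.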

Let's not discuss whether the title is right or not 🙂 The point of these two articles is clear: put yourself in the shoes of the network engineer in charge of the HQ. You need to make sure that traffic between BranchA and BranchB is protected without setting up a separate IPSec tunnel between them, for whatever reason you have: it's too much hassle, some security policy mandates it, you want to decrypt traffic from the branches and run it through an IPS check via the AIP-SSM module on the HQ ASA (I must admit I did not try this, but it sounds possible), ... Whatever your reason, this is the way to do it. And yes, traffic between the branches and HQ does get encrypted too. You can verify it yourselves 🙂

Hope this helped a bit. Until the next time …

This entry was posted in ASA, Cisco, VPN.