
Trouble getting S2S-VPN working.

Sir Asvald

Hello All,

 

I am having difficulty getting a site-to-site VPN working between my Cisco ASA 5506-X and a pfSense VM running on my dedicated server. I've set up the ASA to act as the responder.

 

ASA CONFIG:

 


login as: admin
admin@172.16.0.254's password:
You have connected to an athentication server that is monitored and logged. Any unauthorised  logins will be disconnected
Type help or '?' for a list of available commands.
LON1CFWP1P> en
Password: *************
LON1CFWP1P# sh ru
: Saved

:
: Serial Number: JAD204003G8
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)20
!
hostname LON1CFWP1P
domain-name learntotechsolutions.com
enable password $sha512$5000$a2DO2Ewfi6YL86gld+QEKw==$0DPhVTfJ8Dj0rB4aTKA+Bg== pbkdf2
names
dns-guard
no mac-address auto
ip local pool VPN_ACCESS 192.168.50.20-192.168.50.40 mask 255.255.255.0
ip local pool 192.168.100.0 192.168.100.10-192.168.100.20 mask 255.255.255.0
ip local pool VPN_192.168.101.0 192.168.101.10-192.168.101.50 mask 255.255.255.0
ip local pool VPN_POOL 192.168.60.20-192.168.60.40 mask 255.255.255.0
ip local pool OnPrem-VPN-Pool 192.168.61.10-192.168.61.50 mask 255.255.255.0
ip local pool S2S-Pool 192.168.62.10-192.168.62.20 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.153 255.255.255.0
!
interface GigabitEthernet1/2
 nameif Inside
 security-level 100
 ip address 172.16.0.254 255.255.0.0
!
interface GigabitEthernet1/3
 nameif SSLCerts
 security-level 100
 ip address 10.1.22.254 255.255.255.0
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/6
 no nameif
 security-level 100
 no ip address
!
interface GigabitEthernet1/6.10
 vlan 10
 nameif SecNet
 security-level 100
 ip address 10.1.20.254 255.255.255.0
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif AlphaCertsNet
 security-level 100
 ip address 10.1.21.254 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
banner exec You have connected to an athentication server that is monitored and logged. Any unauthorised  logins will be disconnected
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server 172.16.0.10
 name-server 172.16.0.11
 name-server 172.16.2.200
 domain-name learntotechsolutions.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network InsideNetwork
 subnet 172.16.0.0 255.255.0.0
object network SMTP-SERVER
 host 172.16.0.27
object network KempLoadMaster-HTTPS
 host 172.16.50.100

 host 172.16.134.240
object network NETWORK_OBJ_192.168.100.0_27
 subnet 192.168.100.0 255.255.255.224
object network 192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network Proxmox8006
 host 172.16.50.100
object service Proxmox
 service tcp source eq 8006 destination eq 8006
object network Plex
 host 172.16.50.100
object service PlexPort
 service tcp source eq 32400 destination eq 32400
object network 10Net
 subnet 10.1.1.0 255.255.255.0
object network AOVPN-Network
 subnet 192.168.200.0 255.255.255.224
object network LON1DC1V1P
 host 172.16.0.10
object network SecNet
 subnet 10.1.20.0 255.255.255.0
object network Servers
 subnet 20.1.20.0 255.255.255.0
object network Inside
 subnet 172.16.0.0 255.255.0.0
object network HTTPS-2
 host 172.16.50.101
object network AlphaCerts-HTTPS
 host 172.16.50.101
object network Proxmox2
 host 10.1.20.135
object network LON1EXTDNS01
 host 172.16.2.5
object network Alphacerts-DHCP-Scope
 subnet 10.1.21.0 255.255.255.0
object network AlphaCertsNet
 subnet 10.1.21.0 255.255.255.0
object network CoreSwitch
 host 10.1.22.9
object network S2S-VPN
 subnet 192.168.100.0 255.255.255.0
object network 172Net
 subnet 172.16.0.0 255.255.255.0
object network SSLCerts
 subnet 10.1.22.0 255.255.255.0
object network Site-A-SN
 subnet 172.16.0.0 255.255.0.0
object network Site-B-SN
 subnet 10.1.23.0 255.255.255.0
object network NETWORK_OBJ_10.1.22.0_24
 subnet 10.1.22.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_16
 subnet 172.16.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.60.0_26
 subnet 192.168.60.0 255.255.255.192
object network VPN_POOL
 subnet 192.168.60.0 255.255.255.0
object network CiscoSwitch
 host 172.16.0.251
object network Radius
 host 172.16.0.10
object network OnPrem-VPN
 subnet 192.168.61.0 255.255.255.0
object network LON1DC4V1P
 host 10.1.20.144
object network NETWORK_OBJ_10.1.23.0_24
 subnet 10.1.23.0 255.255.255.0
object network LTTCR01
 host 194.26.222.133
object network Site-C-SN
 subnet 10.1.20.0 255.255.255.0
object network Site-D-SN
 subnet 10.1.21.0 255.255.255.0
object network Site-E-SN
 subnet 10.1.22.0 255.255.255.0
object network LTTCloudNet
 subnet 10.1.23.0 255.255.255.0
object network LTTNet
 subnet 10.1.24.0 255.255.255.0
object network LTTCDCV1P
 host 10.1.20.138
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network BLOCKED-IPS
 network-object object WorldStream
 network-object object TEST
object-group service MW2-61499-2 udp
 port-object eq 61499
object-group service MW2-UDP udp
 port-object range 27000 27031
 port-object eq 27036
 port-object eq 3074
 port-object range 4379 4380
object-group service MW2-28960 udp
 port-object eq 28960
object-group network immuniweb
 network-object 192.175.11.224 255.255.255.224
 network-object 64.15.129.96 255.255.255.224
 network-object 70.38.27.240 255.255.255.240
 network-object 72.55.136.144 255.255.255.240
 network-object 72.55.136.192 255.255.255.240
 network-object 79.141.85.24 255.255.255.248
 network-object 192.175.111.224 255.255.255.224
object-group service AOVPN udp
 port-object eq 4500
 port-object eq isakmp
object-group service RDP tcp-udp
 port-object eq 3389
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object timestamp-request
 icmp-object unreachable
object-group service AnyConnect tcp-udp
 port-object eq 8443
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_5
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object unreachable
object-group service DM_INLINE_UDP_1 udp
 port-object eq radius
 port-object eq radius-acct
object-group network DM_INLINE_NETWORK_1
 network-object object Site-A-SN
 network-object object Site-C-SN
 network-object object Site-D-SN
 network-object object Site-E-SN
object-group network DM_INLINE_NETWORK_2
 network-object object Site-A-SN
 network-object object Site-C-SN
 network-object object Site-D-SN
 network-object object Site-E-SN
object-group network DM_INLINE_NETWORK_3
 network-object object Site-A-SN
 network-object object Site-C-SN
 network-object object Site-D-SN
 network-object object Site-E-SN
access-list outside_access_in_3 extended permit tcp any object KempLoadMaster-HTTPS eq https
access-list outside_access_in_3 extended permit tcp any object SMTP-SERVER eq smtp
access-list outside_access_in_3 extended permit tcp any object Proxmox8006 eq https
access-list outside_access_in_3 extended permit ip object VPN_POOL any
access-list outside_access_in_3 extended permit tcp any object Plex eq https
access-list outside_access_in_3 extended permit ip any object HTTP
access-list outside_access_in_3 extended permit icmp any any object-group DM_INLINE_ICMP_2
access-list outside_access_in_3 extended permit ip object OnPrem-VPN any
access-list outside_access_in_3 extended permit ip object LON1DC4V1P 172.16.0.0 255.255.0.0
access-list outside_access_in_3 extended permit ip object LTTCR01 any
access-list outside_access_in_3 extended permit ip object LON1DC4V1P any
access-list VPN standard permit 172.16.105.0 255.255.255.0
access-list VPN standard permit 192.168.50.0 255.255.255.0
access-list VPN standard permit 172.16.0.0 255.255.0.0
access-list VPN standard permit 10.1.20.0 255.255.255.0
access-list LANAccess standard permit 172.16.0.0 255.255.0.0
access-list LANAccess standard permit host 172.16.0.10
access-list LANAccess standard permit host 172.16.0.11
access-list LANAccess standard permit host 172.16.2.200
access-list SSLCerts_access_in extended permit ip any any
access-list SSLCerts_access_in extended permit icmp any any object-group DM_INLINE_ICMP_3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit icmp any any unreachable
access-list 10Net_access_in extended permit ip any any
access-list Servers_access_in extended permit ip any any
access-list Servers_access_in extended permit ip object Inside 10.1.20.0 255.255.255.0
access-list SecNet_access_in extended permit ip any any
access-list SecNet_access_in extended permit icmp any any time-exceeded
access-list SecNet_access_in extended permit icmp any any unreachable
access-list SecNet_access_in extended permit object-group TCPUDP object Alphacerts-DHCP-Scope object SecNet eq domain
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list SecNet_access_in_1 extended permit ip any any
access-list AlphaCertsNet_access_in extended permit ip any any
access-list AlphaCertsNet_access_in extended permit ip object AlphaCertsNet object Inside
access-list AlphaCertsNet_access_in extended permit ip 10.1.21.0 255.255.255.0 object Site-B-SN
access-list AlphaCertsNet_access_in extended permit icmp any any object-group DM_INLINE_ICMP_5
access-list AlphaCertsNet_access_in extended permit ip object LTTCR01 10.1.21.0 255.255.255.0
access-list SSLCertsNet_access_in extended permit ip any any
access-list SSLCertsNet_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list S2S extended permit ip object Site-A-SN object Site-B-SN
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_3 object Site-B-SN
access-list LTTNet_access_in extended permit ip any any
access-list outbound extended permit icmp any any
access-list SSLCerts_access_in_1 extended permit ip any any
access-list Inside_access_in extended permit ip any any
access-list Inside_access_in extended permit ip 172.16.0.0 255.255.0.0 object Site-B-SN
access-list Inside_access_in extended permit ip any4 object VPN_POOL
access-list Inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_4
access-list Inside_access_in extended permit udp any object Radius object-group DM_INLINE_UDP_1
access-list Inside_access_in extended permit ip object InsideNetwork object LON1DC4V1P
access-list Inside_access_in extended permit ip object LTTCR01 172.16.0.0 255.255.0.0
access-list AnyConnect standard permit 172.16.0.0 255.255.0.0
access-list AnyConnect standard permit 10.1.20.0 255.255.255.0
access-list AnyConnect standard permit 10.1.21.0 255.255.255.0
access-list AnyConnect standard permit 192.168.50.0 255.255.255.0
access-list AnyConnect standard permit any4
access-list OnPrem-VPN standard permit 10.1.22.0 255.255.255.0
access-list OnPrem-VPN standard permit 10.1.21.0 255.255.255.0
access-list OnPrem-VPN standard permit 172.16.0.0 255.255.0.0
access-list OnPrem-VPN standard permit 10.1.20.0 255.255.255.0
!
scansafe general-options
 server primary fqdn proxy193.scansafe.net port 8080
 server backup fqdn proxy1363.scansafe.net port 8080
 retry-count 5
!
pager lines 24
logging enable
logging asdm informational
logging from-address alerts@learntotechsolutions.com
logging recipient-address alerts@learntotechsolutions.com level errors
mtu outside 1500
mtu Inside 1500
mtu SSLCerts 1500
mtu SecNet 1500
mtu AlphaCertsNet 1500
ip verify reverse-path interface Inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (outside,outside) source static VPN_POOL VPN_POOL destination static VPN_POOL VPN_POOL
nat (Inside,outside) source static VPN_POOL VPN_POOL destination static Inside Inside
nat (Inside,outside) source static any any destination static NETWORK_OBJ_192.168.60.0_26 NETWORK_OBJ_192.168.60.0_26 no-proxy-arp route-lookup
nat (outside,AlphaCertsNet) source static VPN_POOL VPN_POOL destination static AlphaCertsNet AlphaCertsNet
nat (outside,SecNet) source static VPN_POOL VPN_POOL destination static SecNet SecNet
nat (outside,SSLCerts) source static VPN_POOL VPN_POOL destination static SSLCerts SSLCerts
nat (any,any) source static Radius Radius destination static Radius Radius
nat (outside,Inside) source static OnPrem-VPN OnPrem-VPN destination static Inside Inside
nat (outside,AlphaCertsNet) source static OnPrem-VPN OnPrem-VPN destination static AlphaCertsNet AlphaCertsNet
nat (outside,SSLCerts) source static OnPrem-VPN OnPrem-VPN destination static SSLCerts SSLCerts
nat (outside,SecNet) source static OnPrem-VPN OnPrem-VPN destination static SecNet SecNet
nat (outside,Inside) source static LON1DC4V1P LON1DC4V1P destination static InsideNetwork InsideNetwork
nat (Inside,outside) source static InsideNetwork InsideNetwork destination static LON1DC4V1P LON1DC4V1P
nat (outside,SecNet) source static LTTCDCV1P LTTCDCV1P destination static SecNet SecNet
nat (Inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN no-proxy-arp route-lookup
!
object network obj_any
 nat (Inside,outside) dynamic interface
object network InsideNetwork
 nat (Inside,outside) dynamic interface
object network SMTP-SERVER
 nat (any,outside) static interface service tcp smtp smtp
object network KempLoadMaster-HTTPS
 nat (Inside,outside) static interface service tcp https https
object network HTTP
 nat (any,outside) static interface service tcp www www
object network MW2-TCP-3074
 nat (any,outside) static interface service tcp 3074 3074
object network MW2-TCP-27014
 nat (any,outside) static interface service tcp 27014 27014
object network MW2-UDP-3478
 nat (any,outside) static interface service udp 3478 3478
object network MW2-UDP-4379
 nat (any,outside) static interface service udp 4379 4379
object network 192.168.100.0
 nat (any,Inside) dynamic interface
object network Proxmox8006
 nat (any,outside) static interface service tcp 8006 8006
object network Plex
 nat (any,outside) static interface service tcp 32400 32400
object network 10Net
 nat (any,outside) dynamic interface
object network SecNet
 nat (any,outside) dynamic interface
object network Servers
 nat (any,outside) dynamic interface
object network Inside
 nat (any,outside) dynamic interface
object network Alphacerts-DHCP-Scope
 nat (any,outside) dynamic interface
object network AlphaCertsNet
 nat (any,outside) dynamic interface
object network CoreSwitch
 nat (any,outside) dynamic interface
object network SSLCerts
 nat (any,outside) dynamic interface
object network VPN_POOL
 nat (any,outside) dynamic interface
object network CiscoSwitch
 nat (any,outside) dynamic interface
object network OnPrem-VPN
 nat (any,outside) dynamic interface
object network LTTCloudNet
 nat (any,outside) dynamic interface
object network LTTNet
 nat (any,outside) dynamic interface
access-group outside_access_in_3 in interface outside
access-group Inside_access_in in interface Inside
access-group SSLCerts_access_in_1 in interface SSLCerts
access-group SecNet_access_in_1 in interface SecNet
access-group AlphaCertsNet_access_in in interface AlphaCertsNet
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
route outside 192.168.50.0 255.255.255.0 172.16.0.0 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server VPN_ADMINS protocol kerberos
aaa-server VPN_ADMINS (Inside) host 172.16.2.16
 kerberos-realm LEARNTOTECHSOLUTIONS.COM
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
no aaa authentication login-history
http server enable 8444
http 172.16.0.0 255.255.0.0 Inside
http 192.168.1.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 outside
http 192.168.100.0 255.255.255.255 outside
http 192.168.100.0 255.255.255.255 Inside
http 172.16.0.0 255.255.255.0 Inside
http 10.1.20.0 255.255.255.0 SecNet
no snmp-server location
no snmp-server contact
auth-prompt prompt You have connected to an athentication server that is monitored and logged. Any unauthorised logins will be disconnected.
auth-prompt accept You are now connected, Welcome
auth-prompt reject You do not have the correct authorisation to login
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set S2S-VPN-SET esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set S2S esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set pfSense-AES128SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec profile S2S-VPN
 set ikev2 ipsec-proposal VPN-TRANSFORM
 set pfs group19
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto map CRYPTO-MAP 1 match address outside_cryptomap_3
crypto map CRYPTO-MAP 1 set pfs group19
crypto map CRYPTO-MAP 1 set connection-type answer-only
crypto map CRYPTO-MAP 1 set peer 194.26.222.133
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key *****
crypto map CRYPTO-MAP 10 match address S2S
crypto map CRYPTO-MAP 10 set pfs group19
crypto map CRYPTO-MAP 10 set connection-type answer-only
crypto map CRYPTO-MAP 10 set peer 194.26.222.133
crypto map CRYPTO-MAP 10 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP 10 set ikev2 pre-shared-key *****
crypto map CRYPTO-MAP interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn vpn.learntotechsolutions.com
 subject-name CN=vpn.learntotechsolutions.com,O=Learntotechsolutions Limited,C=GB
 crl configure


  quit
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev2 policy 1
 encryption aes
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
telnet 172.16.0.0 255.255.0.0 Inside
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.50.0 255.255.255.255 outside
ssh 192.168.1.0 255.255.255.0 outside
ssh 172.16.0.0 255.255.0.0 Inside
ssh 10.1.21.0 255.255.255.255 AlphaCertsNet
ssh 10.1.20.0 255.255.255.0 AlphaCertsNet
ssh timeout 5
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter enable
dynamic-filter enable interface outside
dynamic-filter enable interface Inside
dynamic-filter ambiguous-is-black
ntp server 172.16.2.16 source Inside prefer
ntp server 172.16.50.10 source Inside
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 all
ssl cipher dtlsv1 custom "AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl dh-group group14
ssl trust-point ASDM_TrustPoint500 outside
ssl trust-point ASDM_TrustPoint500 Inside
ssl trust-point ASDM_TrustPoint500 SSLCerts
ssl trust-point ASDM_TrustPoint500 SecNet
ssl trust-point ASDM_TrustPoint500 AlphaCertsNet
webvpn
 port 8443
 enable outside
 dtls port 8443
 anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 2
 anyconnect profiles OnPrem_VPN disk0:/accessinsidenetonly.xml
 anyconnect profiles VPN_ACCESS disk0:/vpn_access.xml
 anyconnect profiles onPrem-VPN disk0:/onprem-vpn.xml
 anyconnect enable
 saml idp https://sts.windows.net/a3122ebd-2244-44ba-a555-06165ff203f0/
  url sign-in https://login.microsoftonline.com/a3122ebd-2244-44ba-a555-06165ff203f0/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederationwa=wsignout1.0
  base-url https://vpn.learntotechsolutions.com:8443
  trustpoint idp AzureAD-AC-SAML
  no signature
  no force re-authentication
 tunnel-group-list enable
 tunnel-group-preference group-url
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_OnPrem-VPN internal
group-policy GroupPolicy_OnPrem-VPN attributes
 wins-server none
 dns-server value 172.16.50.10 172.16.2.16
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OnPrem-VPN
 default-domain value learntotechsolutions.com
 webvpn
  anyconnect modules value nvm,vpngina,nam
  anyconnect profiles value onPrem-VPN type user
group-policy "GroupPolicy_VPN Access" internal
group-policy "GroupPolicy_VPN Access" attributes
 wins-server none
 dns-server value 172.16.50.10 172.16.2.16
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 default-domain value learntotechsolutions.com
 webvpn
  anyconnect modules value nvm,vpngina,nam
  anyconnect profiles value VPN_ACCESS type user
group-policy GroupPolicy_192.26.222.133 internal
group-policy GroupPolicy_192.26.222.133 attributes
 vpn-tunnel-protocol ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$v4Ny07hKsxRHAwtEJhSsYw==$RIUfQFcGD11lDtJEbdM5Yg== pbkdf2 privilege 15
tunnel-group "VPN Access" type remote-access
tunnel-group "VPN Access" general-attributes
 address-pool VPN_POOL
 default-group-policy "GroupPolicy_VPN Access"
tunnel-group "VPN Access" webvpn-attributes
 group-alias "VPN Access" enable
tunnel-group OnPrem-VPN type remote-access
tunnel-group OnPrem-VPN general-attributes
 address-pool OnPrem-VPN-Pool
 default-group-policy GroupPolicy_OnPrem-VPN
tunnel-group OnPrem-VPN webvpn-attributes
 group-alias OnPrem-VPN enable
tunnel-group 192.26.222.133 type ipsec-l2l
tunnel-group 192.26.222.133 general-attributes
 default-group-policy GroupPolicy_192.26.222.133
tunnel-group 192.26.222.133 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 194.26.222.133 type ipsec-l2l
tunnel-group 194.26.222.133 general-attributes
 default-group-policy GroupPolicy1
tunnel-group 194.26.222.133 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map traceroute
 match any
class-map class_default
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class traceroute
  set connection decrement-ttl
 class class-default
  user-statistics accounting
  set connection decrement-ttl
!
service-policy global_policy global
smtp-server 172.16.0.20

privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:728a31c24e5c363d204e726d9c374e57
: end
LON1CFWP1P#
 

 

Config on pfSense:

[Screenshots: pfsense-s2s-1.PNG, pfsense-s2s-2.PNG, pfsense-s2s-3.PNG]

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.
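The config above contains a tunnel-group for 192.26.222.133 and another for 194.26.222.133 while both crypto map entries point at 194.26.222.133, the outside interface holds an RFC 1918 address behind 192.168.1.254, and NAT traversal is switched off. Those are exactly the kind of cross-references a responder-side checker should catch before anyone starts reading debugs. The Python below is an added example written for this thread, not code from the poster, from Cisco or from pfSense: it parses the handful of config lines a site-to-site IKEv2 tunnel depends on (a constructed excerpt reproducing the posted lines is embedded) and reports orphaned tunnel-groups, peers without a tunnel-group, duplicated peers across crypto map entries, and NAT-T disabled on a privately addressed interface. The finding texts and the `difflib` nearest-peer hint are this example's own heuristics.

```python
"""Cross-check the L2L IKEv2 pieces of a Cisco ASA running-config (added example)."""
import difflib
import ipaddress
import re

# Constructed excerpt reproducing the relevant lines of the config posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.1.153 255.255.255.0
crypto map CRYPTO-MAP 1 match address outside_cryptomap_3
crypto map CRYPTO-MAP 1 set peer 194.26.222.133
crypto map CRYPTO-MAP 10 match address S2S
crypto map CRYPTO-MAP 10 set peer 194.26.222.133
crypto map CRYPTO-MAP interface outside
no crypto isakmp nat-traversal
crypto ikev2 enable outside
tunnel-group 192.26.222.133 type ipsec-l2l
tunnel-group 194.26.222.133 type ipsec-l2l
"""

RE_MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
RE_MAP_ACL = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
RE_MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
RE_L2L = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")


def parse_asa_config(text):
    """Pull out only the facts the checks below need."""
    facts = {
        "interfaces": {},       # nameif -> IPv4Interface
        "map_peers": {},        # (map, seq) -> peer address
        "map_acls": {},         # (map, seq) -> ACL name
        "map_iface": {},        # map -> nameif it is applied to
        "l2l_groups": set(),    # tunnel-group names of type ipsec-l2l
        "nat_traversal": True,  # ASA default; "no crypto isakmp nat-traversal" turns it off
    }
    if_name = if_addr = None
    for line in text.splitlines():
        if line.startswith("interface "):
            if_name = if_addr = None
        elif line.startswith(" nameif "):
            if_name = line.split()[1]
        elif line.startswith(" ip address "):
            _, _, addr, mask = line.split()[:4]
            if_addr = ipaddress.IPv4Interface(f"{addr}/{mask}")
        if if_name and if_addr:
            facts["interfaces"][if_name] = if_addr
        if line == "no crypto isakmp nat-traversal":
            facts["nat_traversal"] = False
        elif line == "crypto isakmp nat-traversal":
            facts["nat_traversal"] = True
        for regex, key in ((RE_MAP_PEER, "map_peers"), (RE_MAP_ACL, "map_acls")):
            m = regex.match(line)
            if m:
                facts[key][(m.group(1), int(m.group(2)))] = m.group(3)
        m = RE_MAP_IFACE.match(line)
        if m:
            facts["map_iface"][m.group(1)] = m.group(2)
        m = RE_L2L.match(line)
        if m:
            facts["l2l_groups"].add(m.group(1))
    return facts


def lint(facts):
    """Return findings as strings; each starts with a category tag."""
    findings = []
    peers = set(facts["map_peers"].values())
    for group in sorted(facts["l2l_groups"]):
        if group not in peers:  # tunnel-group nobody negotiates with: usually a typo of a real peer
            guess = difflib.get_close_matches(group, sorted(peers), n=1, cutoff=0.8)
            hint = f"; closest crypto map peer is {guess[0]}" if guess else ""
            findings.append(f"orphan: tunnel-group {group} (ipsec-l2l) is not the peer of any crypto map entry{hint}")
    for peer in sorted(peers):
        if peer not in facts["l2l_groups"]:  # no tunnel-group means no PSK for that peer
            findings.append(f"missing: crypto map peer {peer} has no ipsec-l2l tunnel-group")
    by_peer = {}
    for key, peer in facts["map_peers"].items():
        by_peer.setdefault(peer, []).append(key)
    for peer, keys in sorted(by_peer.items()):
        if len(keys) > 1:  # same peer in several entries: only one ACL can match a given selector pair
            seqs = sorted(seq for _, seq in keys)
            acls = [facts["map_acls"].get(k, "?") for k in sorted(keys)]
            findings.append(f"review: peer {peer} is used by crypto map entries {seqs} with ACLs {acls}; "
                            "make sure the pfSense phase 2 selectors match exactly one of them")
    for name, iface in facts["map_iface"].items():
        addr = facts["interfaces"].get(iface)
        if addr is not None and addr.ip.is_private and not facts["nat_traversal"]:
            findings.append(f"nat-t: crypto map {name} is applied to {iface} ({addr.ip}, RFC 1918, so an upstream NAT "
                            "is in the path) while NAT traversal is disabled; re-enable it and retest")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_asa_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the full running-config by passing the output of `show running-config` as the text; the parser ignores everything it does not recognise, so the object, NAT and AnyConnect sections do not get in the way.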

 

 


@Lurick any ideas?


53 minutes ago, Sir Asvald said:

@Lurick any ideas?

Been a while since I've done IKEv2 Site to Site so I'm a bit rusty. I would scale it back to just IKEv1, turn on debugs, and then clear the tunnel and see if you get anything useful such as negotiation failures or key mismatch, etc.

conf t

logging monitor debugging

exit

term mon

debug crypto ikev1 255

debug crypto ike-common 255

 

disable term mon with:

term no mon

 

 

could also try debug crypto ipsec 255
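Once the debugs and `logging monitor debugging` are on, the useful part is reading the aborted negotiations and mapping each failure reason to the setting to compare on the two peers. The Python below is an added example, not code from the thread or from Cisco: it triages IKEv2 "Negotiation aborted" syslog lines into three buckets (phase 1 policy mismatch, phase 2 proposal or selector mismatch, authentication failure) and records whether the exchange ran on UDP 4500, i.e. with NAT-T encapsulation. The sample lines are constructed for the example; the message id 750003 and the exact wording of the ERROR texts are assumptions, so adjust the `HINTS` needles to whatever your own ASA actually logs.

```python
"""Triage ASA IKEv2 negotiation failures from syslog/debug output (added example)."""
import re
from collections import Counter

# Constructed sample lines; not output captured from the poster's ASA.
SAMPLE_LOG = """\
%ASA-4-750003: Local:192.168.1.153:500 Remote:194.26.222.133:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to find a matching policy
%ASA-4-750003: Local:192.168.1.153:500 Remote:194.26.222.133:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: No proposal chosen
%ASA-4-750003: Local:192.168.1.153:4500 Remote:194.26.222.133:4500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Auth exchange failed
%ASA-6-302015: Built inbound UDP connection 77 for outside:194.26.222.133/500 (194.26.222.133/500) to identity:192.168.1.153/500 (192.168.1.153/500)
"""

# Error text -> (category, what to compare on both peers). Heuristic mapping for this example.
HINTS = (
    ("Failed to find a matching policy", "phase1-policy",
     "IKE SA mismatch: compare the ikev2 policy (encryption, integrity, prf, DH group) with the peer's phase 1"),
    ("No proposal chosen", "phase2-proposal",
     "child SA mismatch: compare the ipsec-proposal, PFS group and crypto map ACL with the peer's phase 2"),
    ("Auth exchange failed", "authentication",
     "IKE_AUTH failed: pre-shared key or identity mismatch; the tunnel-group name must equal the peer's IKE identity"),
)

RE_ABORT = re.compile(r"Local:([^\s:]+):(\d+) Remote:([^\s:]+):(\d+) .*?ERROR: (.+)$")


def triage(log_text):
    """Return one dict per aborted negotiation with its category and the next thing to check."""
    events = []
    for line in log_text.splitlines():
        m = RE_ABORT.search(line)
        if not m:
            continue  # connection-build lines and similar carry no failure reason
        local, lport, remote, rport, error = m.groups()
        category, advice = "unclassified", "read the debug crypto ikev2 output around this line"
        for needle, cat, hint in HINTS:
            if needle in error:
                category, advice = cat, hint
                break
        events.append({
            "local": local,
            "remote": remote,
            "nat_t": lport == "4500" and rport == "4500",  # UDP 4500 means NAT-T encapsulation was in use
            "error": error,
            "category": category,
            "advice": advice,
        })
    return events


def summarize(events):
    """Count failures per category so the dominant cause stands out."""
    return Counter(e["category"] for e in events)


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for e in evs:
        print(f"{e['remote']:>16} {e['category']:<16} nat-t={e['nat_t']}  {e['advice']}")
    print(dict(summarize(evs)))
```

Feed it the captured terminal-monitor session or the syslog file; on a responder that only ever shows phase 1 failures, the two peers' IKE policies are the first thing to line up.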


On 5/28/2022 at 5:41 PM, Lurick said:

Been a while since I've done IKEv2 Site to Site so I'm a bit rusty. I would scale it back to just IKEv1, turn on debugs, and then clear the tunnel and see if you get anything useful such as negotiation failures or key mismatch, etc.


So this is what I get now.

[Screenshot: ipsec.png]


I have found another solution. I am using OpenVPN peer to peer. Everything is working. 🙂

 
