4. IPsec tunnel mode with ASR

IPsec tunnel mode with ASR

  • T

    Hello eveyrone,

    I want to build a IPSec Tunnel with an ASR.

    ASR router is configured with IPSec tunnel method (tunnel protection) because the tunnel has to be mounted from a specific VRF (so crypto map is not possible)

    Here is the sanitized configuration of the ASR :

    hostname ASR
!
vrf definition INTERCO
 rd 10.107.254.18:1
 !
 address-family ipv4
  route-target export 10.107.254.18:1
  route-target import 10.107.254.18:1
 exit-address-family
!
!
crypto ikev2 proposal aes-cbc-256-proposal
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 policy policy_pfsense
 proposal aes-cbc-256-proposal
!
crypto ikev2 keyring mykeys-pfsense
 peer pfsense
  address 5.5.5.6
  pre-shared-key ##########
!
crypto ikev2 profile pfsense
 description IKEv2 profile
 match identity remote address 5.5.5.6 255.255.255.255
 identity local address 5.5.5.5
 authentication remote pre-share
 authentication local pre-share
 keyring local mykeys-pfsense
 lifetime 3600
!
crypto ikev2 dpd 10 2 on-demand
!
crypto logging ikev2
!
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile pfsense
 set transform-set ESP-AES256-SHA512
 set ikev2-profile pfsense
!
interface Loopback1
 vrf forwarding INTERCO
 ip address 10.15.30.140 255.255.255.128
!
interface Tunnel100
 vrf forwarding INTERCO
 no ip address
 tunnel source GigabitEthernet2
 tunnel destination 5.5.5.6
 tunnel protection ipsec profile pfsense
!
!
interface GigabitEthernet2
 ip address 5.5.5.5 255.255.255.252
 negotiation auto
 no mop enabled
 no mop sysid
!
!
!
ip route vrf INTERCO 172.16.5.0 255.255.255.0 Tunnel100
!
line con 0
 stopbits 1
line vty 0 4
 login local
 transport input ssh
end

    The IPsec configuration of PfSense is in tunnel IPv4 and the local network is the LAN subnet (172.16.5.0/24) and the remote network is 10.15.30.128/25
    0_1529918158028_pfsense_ipsec_phase_2.png

    In debug mode on the ASR, i have the error : "Failed to find a matching policy" and the IKEv2 SA is flapping between UP & DOWN...

    If I disable the IPsec Phase 2 entrie on PfSense, the IKEv2 and the interface tunnel 100 on the ASR turns to UP.

    I think it's because of the ACL sent by the Pfsense with the remote network and local network but i can't be sure of this...

    With a crypto map, we can make matching the IPSec traffic to an ACL but how can we do the same thing with the tunnel profile method ?

    Is anyone have an idea ? (or had already got the same problem ?)

    If you need more informations, feel free to ask me ! ;)

    Thanks to you !

    Trif

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy