UTM 9 and Cisco ASA 3030 IPSec VPN

Hi, Matic, and welcome to the UTM Community!

First, if you're familiar with Cisco and new to the UTM, you need to read the definition of "1-to-1 NAT" for the UTM - it's not the same.

Apparently, you know that NAT "breaks" IPsec.  If the other side is not also behind a NAT, the easiest would be for the Cisco to be set to listen only instead of initiating the connection.  You would then just need to set the Remote Gateway in "Initiate Connection" mode.

I'm not sure what you were trying to accomplish with the NAT, but it's not only not necessary, it might be causing a problem.

If that's not enough information to get you to the result you want, please show a simple diagram with IP addresses (you can use fake ones, but please use reasonably-close ones so that we don't get confused about public/private, overlaps, etc.).

Cheers - Bob

Hi Bob,

Thank you for taking time and answering my question. I will do my best to provide you with all the details.

Actually this is the way that is set up. Cisco is on the other side and listening and Sophos on our side is the one initiating the connection. Also there is any NAT between Sophos and Cisco. Cisco is on public IP and so is Sophos so there should be no problems of NAT interfering. 

What I try to accomplish with NAT is what was I actually asked from the Cisco side. So the idea behind it is ( I'll try to explain and "draw" it ):

So we have internal network 172.17.x.x. By their guide we need to first make the IPSec VPN to cisco. As seen first phase auth is ok. Then the second one fails cause because the VPN is not NAT-ed ( 1:1 NAT ) so the IPSec VPN does not auth itself with the NAT-ed IP but with our internal one which is wrong and that is why seconds phase fails ( this was explained to me by Cisco guys on the other side). So theis request was to NAT the VPN to represent itself with 10.x.x.24 IPs so then the seconds phase will work. Now my problem is how to get this NAT working so I can achieve that. Hope that is possible with UTM 9. Here is also a diagram how should it look like:

172.17.x.x => 1:1 NAT ( so it represent it self with 10.x.x.24 IP ) => leaves Sophos and goes to Cisco on the other side => Whatever they had configured on their side.

Also it may help this log and explanation from their side ( I removed part of IPs for abvious reasons ):

The Problem ist with phase2. Propably incorrect entries in cryptomap

Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713119: Group = 195.226.x.x, IP = 195.226.x.x, PHASE 1 COMPLETED
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713035: Group = 195.226.x.x, IP = 195.226.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 172.17.0.0, Mask 255.255.252.0, Protocol 0, Port 0
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713224: Group = 195.226.x.x, IP = 195.226.x.x, Static Crypto Map Check by-passed: Crypto map entry incomplete!
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713224: Group = 195.226.x.x, IP = 195.226.x.x, Static Crypto Map Check by-passed: Crypto map entry incomplete!
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713061: Group = 195.226.x.x, IP = 195.226.x.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.17.0.0/255.255.252.0/0/0 local proxy 10.205.x.x/255.255.255.255/0/0 on interface outside10.205
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713902: Group = 195.226.x.x, IP = 195.226.x.x, QM FSM error (P2 struct &0x00002aaadf3731d0, mess id 0xeb5a068f)!
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-3-713902: Group = 195.226.x.x, IP = 195.226.x.x, Removing peer from correlator table failed, no match!
Nov 17 12:14:22 dres-fw-dmz-020_s138 %ASA-4-113019: Group = 195.226.x.x, Username = 195.226.x.x, IP = smartfrog_vpn_401532, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found

It seems that cryptomap are different (they should be like mirror image)

On our side cryptomap is configured:
access-list outside_cryptomap_39 line 2 extended permit ip host 10.x.x.70 host 10.x.x.24 (hitcnt=32) 0x831bf606
access-list outside_cryptomap_39 line 3 extended permit ip host 10.x.x.71 host 10.x.x.24 (hitcnt=0) 0x4284825f

So on your side should be something like that
permit ip host 10.x.x.24 host 10.x.x.71
permit ip host 10.x.x.24 host 10.x.x.70

Please check also if NAT on your side is correctly configured. We see in logs entries from network 172.17.0.0/22… the addresses should be NATted to 10.x.x.24

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.17.0.0/255.255.252.0/0/0 local proxy 10x.x.70/255.255.255.255/0/0 on interface outside

So this is from their side so maybe it could explain better what am I doing wrong here.

So for clarity just once more:

Sophos(with FW, VPN,.. ) with Public IP configured on it=> internet => Cisco ASA 3030 ( again accessible with public IP no FW inbetween )

Hope that explains better what we are trying to achieve.

BR,

Matic M

"Sophos(with FW, VPN,.. ) with Public IP configured on it=> internet => Cisco ASA 3030 ( again accessible with public IP no FW in between )"

"We see in logs entries from network 172.17.0.0/22… the addresses should be NATted to 10.x.x.24"

Ahhh, I suspected that that was what they wanted!

Everything is fine with the tunnel, they just want you to define it differently.

1. The IPsec Connection must have only a Host for the IP 10.?.?.24 in 'Local Networks'.  Do not include the subnet 172.17.0.0/22 or any part of it.
2. Do not select 'Strict Routing' in the IPsec Connection.
3. In the Remote Gateway definition, if I understand them correctly, you want to have a Network definition for 10.?.?.70/31 in 'Remote Networks'.
4. Now, to make this all work, you need a rule that NATs traffic into the tunnel:

SNAT : {172.17.0.0/22} -> Any -> {10.?.?.70/31} : from {10.?.?.24}

It sounds like they have two internal IPs that your company needs to reach and they only want to deal with a single IP from your location.  This is not an uncommon requirement.  Are they happy now?

Cheers - Bob

Hi Bob,

OMG but this is just pure magic :) hehe

What I want to say is thank you for the help, I was 95% close to this but just did not know that SNAT is the right one and not the 1:1 NAT. Now VPN is up and running as it supposed to be :)

Keep the great support going and wish you a pleasant week!

Cheers! MM

Hi Bob,

I am reporting again cause I may have said it works too fast. SO I got the VPN in green state so IPSec is connected. In logs of Sophos I can clearly see that:

2016:11:30-11:08:59 gw01 pluto[29341]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitComarch" address="195.226.x.x" local_net="10.x.x.24/32" remote_net="10.x.x.71/32"

2016:11:30-11:08:59 gw01 pluto[29341]: "S_REF_IpsSitComarch_1" #42: sent QI2, IPsec SA established {ESP=>0x1480991b <0x9b54d8ba DPD}

2016:11:30-11:08:59 gw01 pluto[29341]: "S_REF_IpsSitComarch_0" #43: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

2016:11:30-11:08:59 gw01 pluto[29341]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="REF_IpsSitComarch" address="195.226.x.x" local_net="10.x.x.24/32" remote_net="10.x.x.70/32"

2016:11:30-11:08:59 gw01 pluto[29341]: "S_REF_IpsSitComarch_0" #43: sent QI2, IPsec SA established {ESP=>0x86800e48 <0x8a84be12 DPD}

But for some reason the routing does not work, meaning if I traceroute the IP 10.x.x.70 I get to the sohpos ( 172.17.0.1 ) and there is stops. Is there any other config I must do?

If I choose the option "Strict routing" in connection I can see that it gets to our GW switch ( optic fiber connection ) but that means it is not going over VPN. It was advised to me not to enable this option anyways. 

I would really like to hear if you have any more ideas about this. Thanks a lot!

BR,

Matic M

The 'Any' Service object includes only TCP and UDP, not ICMP or other protocols. When you choose 'Automatic firewall rules', you get the 'Any' object as you can confirm by looking on the 'Firewall' tab.

Pinging and Traceroute are regulated on the 'ICMP' tab of 'Firewall', or you can make Firewall rules allowing them in only single directions.

Cheers - Bob

Hey Bob, 

i be a colleague from Matic Molek,

as you can see from here, we have setup the firewall rules and added IPsec Protocol to all 3 . 

Additional we checked the IMCP config, as you can see all is active:

We think we have a problem in the routing of the packets. If you look on the routes in the sophos you get this,

Destination | Gateway | Genmask | Flags | Metric | Ref | Use Iface

10.x.x.70 * 255.255.255.255 UH 0 0 0 eth1
10.x.x.71 * 255.255.255.255 UH 0 0 0 eth1

the question's are:

1. Why it's send the packets to eth1 (Uplink Interfaces) and not like the rest of the VPN's to the vpc interface?

2. Why we have a 100 % packet lost by an established connection from the cisco logs (so cisco is not receiving any traffic) ?

Hi, Stefan, and welcome to the UTM Community!

Instead of the "IPsec" Services Group in your firewall rules, you want "Ping" and "Traceroute" - any better luck with those?

Cheers - Bob

Hey Bob, thank you for the friendly welcome.

I changed the firewall rules to include "Ping" and "Traceroute".

Result:

from my local computer:

traceroute to 10.x.x.70 (10.x.x.70), 64 hops max, 52 byte packets
1 172.17.0.1 (172.17.0.1) 1.097 ms 0.855 ms 0.923 ms
2 172.17.0.1 (172.17.0.1) 3038.931 ms !H 2999.435 ms !H 3041.274 ms !H

from the router:

traceroute to 10.x.x.70 (10.x.x.70), 30 hops max, 40 byte packets using UDP
1 gw01 (195.226.181.251)(H!) 2999.231 ms (H!) 2998.115 ms (H!) 2996.973 ms

Route Table Sophos:

Destination | Gateway | Genmask | Flags | Metric | Ref | Use Iface

10.x.x.70 * 255.255.255.255 UH 0 0 0 eth1
10.x.x.71 * 255.255.255.255 UH 0 0 0 eth1

Thank you very much for helping us.

Best Stefan

This time, I looked back at the earlier posts.  If you still have the boxes checked on the 'ICMP' tab and are using 'Automatic Firewall Rules' in the IPsec Connection, then all three of those Firewall rules in your last post can be deleted.

I suspect that the trace routes stop where they do because the Comarch device blocks inbound ICMP messages from transiting.

Cheers - Bob

This time, I looked back at the earlier posts.  If you still have the boxes checked on the 'ICMP' tab and are using 'Automatic Firewall Rules' in the IPsec Connection, then all three of those Firewall rules in your last post can be deleted.

I suspect that the trace routes stop where they do because the Comarch device blocks inbound ICMP messages from transiting.

Cheers - Bob

Hey Bob,

my apologies for the confusions.

The boxes for 'ICMP' are still checked and the  'Automatic Firewall Rules'  are offline.

Thanks Bob we will contact Comarch then.

Best Stefan

Hi Bob,

As you could see my friend took over when I was out of the office but I think we got stuck at a point which is not that important. So as I see you guys were talking about the FW rules for ICMP and telnet. What I would like to clear out here is the following:

We got VPN up and running but there is no traffic flow between this two endpoints. So my thinking was:

- It may be the FW rules, but what happens if I do this: telnet 10.x.x.70 443 or telnet 10.x.x.70 8888 my understanding is that FW should not block this? Or am I wrong? :) Either way I also made FW rules for this two ports and it did not help.

But my thoughts were going more in a way that routing is somehow not working as it should. As I can take from the AWS example ( we have IPsec to VPC on AWS also ) I can see on sophos that each individual connection also creates a virtual interface, like it can be seen here:

10.0.0.0        169.254.20.93   255.255.0.0     UG    100    0        0 vpc0.1
10.1.0.0        169.254.21.1    255.255.0.0     UG    100    0        0 vpc1.1
10.2.0.0        169.254.20.109  255.255.0.0     UG    100    0        0 vpc3.1
10.3.0.0        169.254.20.217  255.255.0.0     UG    100    0        0 vpc2.0

And therefore also routing is working to AWS VPC's.

But on the other hand I cannot find the virtual interface from Comarch VPN ( I am guessing that there should be one but I may be wrong ) so I would like you to clarify this. The other thing is also that I can see routes for Comarch pointing to eth1

10.x.x.70   0.0.0.0         255.255.255.255 UH    0      0        0 eth1

10.x.x.71   0.0.0.0         255.255.255.255 UH    0      0        0 eth1

Should this actually route traffic to VPN or not? 

So my question is if you can see/find anything wrong with this? 

If you need any additional info please let me know and I will be happy to provide you with it. I just want to get his working.

Also we contacted Comarch to see if they have some ideas too.

Thanks!

BR,

Matic M

There is no virtual interface in UTM for IPsec tunnels, Matic.  I bet the problem is on the Comarch side.  Watch the traffic in the tunnel when you try to access things.  Assuming that the name of the IPsec Connection is "Comarch" - get its REF_ with:

cc get_object_by_name 'ipsec_connection' 'site_to_site' 'Comarch'|grep 'ref'

Assume that you found REF_IpsSitComarch, watch traffic in the tunnel with:

espdump -n --conn REF_IpsSitComarch -vv

What did you learn?

Cheers - Bob

HI Bob,

Ok understood, I was just guessing, sorry. OK than this makes it clear. 

So your prediction was right about the name so I did the espdump and what I got was:

Running: tcpdump -ieth1 -Efile /tmp/espdump.30422/sas -s0 -n -vv (esp) and ((host 195.226.181.251 and host 188.191.128.1))

tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes

^C

0 packets captured4 packets received by filter

0 packets dropped by kernel

The contents of the sepdump file are:

0xef6648bf@195.226.181.251 aes-256-cbc-hmac96:0x9b3e9**************************e641928d658346

0x357b22f1@188.191.128.1 aes-256-cbc-hmac96:0xa387d9a5ace**************************4f6401dcac753a3fc

0xb5109ac5@195.226.181.251 aes-256-cbc-hmac96:0x3b5985514**************************1e23811068106750927

0xd7681822@188.191.128.1 aes-256-cbc-hmac96:0x38ae4**************************97c983633905

That is all I could capture. Please note that I also tried reaching their services on 443 and 8888 port and traceroute and ping/telnet to 10.x.x.70 IP. 

I am still waiting for the reply on their site. You said that this problem is on their site, can you maybe give me a hing what to could it be, as of your opinion? That would make it easyer to convince them that the problem is actually on their site.

Thank you!

Cheers - MM

I think they haven't done their configuration yet, Matic, or that they have a mistake.  I would send them the output of the espdump command.

Cheers - Bob

Ok, so what they did now it to reconfigure SAS to the following:

DRES-FW-DMZ-020-S138/pri/act# clear crypto ipsec sa peer 195.226.181.251

DRES-FW-DMZ-020-S138/pri/act#

DRES-FW-DMZ-020-S138/pri/act# sh crypto ipsec sa peer 195.226.181.251  

There are no ipsec sas for peer xyz_vpn_401532

But I also found this in logs from sohpos, could this be causing this issues?

2016:12:08-14:09:27 gw01 pluto[29341]: ERROR: "S_REF_IpsSitComarch_0" #3990: sendto on eth1 to 188.191.128.1:500 failed in main_outI1. Errno 1: Operation not permitted

MM

"188.191.128.1:500 failed" - Good catch!  Someone's firewall appears to be blocking port UDP 500 - was that it?

I might have seen that in your original post, but skipped over the line because of all the words like REMOTE_IP instead of an obfuscated IP like 188.xxx.yyy.1 or 10.x.y.1 or 192.168.xx.1.  Those preserve secrecy but also clearly communicate whether addresses are private or public.

Cheers - Bob

Hi,

Well actually was more like a question towards you cause the traffic is still not flowing in any direction and I though this could be the issue but am still not sure if it is true. I was more asking on how to get the rid of this error :) :)

If you want/if it will help I can post the FW rules from sophos but we opened all the ports/services in both directions. Sorry for masking the IP's am kind of paranoid about sharing this data. Will try to get more clear from now on. 

Is there any way that existing AWS VPN binded to port 500 ( as I can see with netstat on sophos) is preventing Comarch to be binded to the same port?

NOTE: I also noticed that this connection is reconnecting every 30 min, as FW notifications tell me ( send over email ).

Cheers - MM

Sorry, Matic, I didn't intend to be confusing.  I think Comarch is probably the problem.  Now , if this is a UTM in AWS and you didn't use the default "all-open" AWS firewall, it could be blocked by that.

Cheers - Bob

No worries its also my lack of VPN knowledge that could cause this confusion :)/

The UTM we have is in our office and its a physical device ( not the EC2 instance in AWS ) but it also has 10 AWS VPC VPN  connection already running. I also got answer from Comarch and they said that they reconfigured ASA to:

Please try to clear the tunnel on your side.
We did this on our side:
DRES-FW-DMZ-020-S138/pri/act# clear crypto ipsec sa peer 195.226.181.251
DRES-FW-DMZ-020-S138/pri/act#
DRES-FW-DMZ-020-S138/pri/act# sh crypto ipsec sa peer 195.226.181.251
There are no ipsec sas for peer ourcompanyname_vpn_401532

And trying this was unsuccessful also. After this their reply was:

That could mean that your routing is not configured to this network. ==> Is there any way that "some" routing is missing?
Do you have maybe some proxy on the way? ==> No there is no proxy 
Or you are connected to switch and there is ACL which filter traffic? ==> This we need to check but as of your opinion could this also be a reason?
What is also possible that you have layer 3 switch and there is already NAT. ==> no there is no NAT 

We don’t see packets on our side, so we can’t debug.
In case we block the traffic, you should receive refused notification.
Please check (I don’t know if it is on Sophos possible, on ASA it is possible) in Sophos logs if there are packets received on LAN interface– with source IP 172.17.x.x
and on WAN/internet interface with IP 10.205.176.24

This is the latest info I have hope it helps.

Cheers - MM