Dynamic VPN between ASA and MAX BR1

Devices:
MAX BR1 HW rev.2 firmware 7.1
Cisco ASA 5585 running 9.6(4)3

BR1 uses Verizon cellular with dynamic public IPs
ASA has static public IP

We set up a dynamic VPN and even though it shows as established on both sides, it doesn’t pass any traffic between them.

ASA configuration:

object-group network Pepwave-Subnets
network-object 10.254.12.0 255.255.255.240

access-list PHXIO-TO-Pepwave extended permit ip object PHXIO-Data object-group Pepwave-Subnets 

nat (inside,outside) source static PHXIO-Data PHXIO-Data destination static Pepwave-Subnets Pepwave-Subnets no-proxy-arp route-lookup description Pepwave-VPN's

crypto dynamic-map Pepwave-DYNMAP 10 set ikev1 transform-set ESP-AES-256-SHA

crypto map OUTSIDE_MAP 571 ipsec-isakmp dynamic Pepwave-DYNMAP
crypto map OUTSIDE_MAP interface outside

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key test123!

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ikev1 policy 135
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

BR-1 Config:

Name: test
Active: checked
IKE Version: IKEv1
Remote Gateway IP Address: 1.1.1.1
Local Networks: 10.254.12.0/28
Remote Networks: 10.83.201.0/24
Authentication: Preshared Key
test123!
Mode: Main Mode (All WANs need to have Static IP)
Force UDP Encapsulation: checked
Local ID: empty
Remote ID: empty
Phase 1 (IKE) Proposal: AES-256 & SHA1
Phase 1 DH Group: Group 5
Phase 1 SA Lifetime: 3600 seconds
Phase 2 (ESP) Proposal: AES-256 & SHA1
Phase 2 PFS Group: none
Phase 2 SA Lifetime: 28800 seconds
WAN Connection Priority: 1
WAN Selection: Cellular

Tunnel is established on the ASA:

sh crypto ipsec sa map Pepwave-DYNMAP
cryptomap: Pepwave-DYNMAP
    Crypto map tag: Pepwave-DYNMAP, seq num: 10, local addr: 1.1.1.1

      local ident (addr/mask/prot/port): (10.83.201.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.12.0/255.255.255.240/0/0)
      current_peer: 2.2.2.2


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/8499
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C1674AA6
      current inbound spi : 424C1D55

    inbound esp sas:
      spi: 0x424C1D55 (1112284501)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 25706496, crypto-map: Pepwave-DYNMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28664)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC1674AA6 (3244772006)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 25706496, crypto-map: Pepwave-DYNMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28664)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

BR-1 also shows that the tunnel is established:

IPsec VPN
Profile: PHXIO
WAN Connection: Cellular
10.254.12.0/28 <-> 10.83.201.0/24

Apr 05 15:03:43|IPsec: PHXIO/1x1 - Connected
Apr 05 15:03:40|IPsec: PHXIO/1x1 - Initiating Main Mode connection to 1.1.1.1
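The symptom in this post is visible in the ASA output itself: both ESP SAs exist, but every "#pkts encaps"/"#pkts decaps" counter is zero. As an added example (not code from the thread, Peplink or Cisco), the Python helper below parses a constructed copy of the quoted "sh crypto ipsec sa" output and reports which side is not handing traffic to the SA; the expected subnets passed to triage() are the ones from the post.

```python
import re

# Constructed sample, abbreviated from the ASA output quoted in the post above.
SAMPLE_SA = """
    Crypto map tag: Pepwave-DYNMAP, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (10.83.201.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.12.0/255.255.255.240/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/8499
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv1, }
"""

def parse_ipsec_sa(text):
    """Extract the fields needed to triage a 'tunnel up, no traffic' SA."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "local_ident": grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "peer": grab(r"current_peer: (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "send_errors": grab(r"#send errors: (\d+)", int),
        "nat_t": "NAT-T-Encaps" in text,   # peer is behind carrier NAT
    }

def triage(sa, expect_local, expect_remote):
    """Return a list of findings for the SA; expect_* are 'addr/mask' strings."""
    findings = []
    if not (sa["local_ident"].startswith(expect_local + "/")
            and sa["remote_ident"].startswith(expect_remote + "/")):
        findings.append("selector mismatch: negotiated %s <-> %s"
                        % (sa["local_ident"], sa["remote_ident"]))
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("no packets either way: nothing is routed into the SA; check the "
                        "interesting-traffic ACL and NAT exemption on the ASA and the "
                        "LAN firewall/routing on the BR1")
    elif sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("ASA encrypts but receives nothing: check the far side's return path")
    elif sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("ASA decrypts but sends nothing: check ASA NAT exemption/route-lookup")
    if sa["send_errors"]:
        findings.append("send errors present: %d" % sa["send_errors"])
    if sa["nat_t"]:
        findings.append("NAT-T in use: UDP/4500 must stay open end to end")
    return findings

if __name__ == "__main__":
    for f in triage(parse_ipsec_sa(SAMPLE_SA), "10.83.201.0/255.255.255.0",
                    "10.254.12.0/255.255.255.240"):
        print("-", f)
```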

It looks like you have the BR1 configured for Main Mode which requires a static IP on both sides. Try aggressive mode instead.


Hmm, getting this error now:
Apr 05 15:40:08|IPsec: PHXIO/1x1 - IKE/ESP Proposal refused, please verify settings.
Apr 05 15:40:07|IPsec: PHXIO/1x1 - Initiating Aggressive Mode connection to 1.1.1.1

Does the following article help:

It is using Main Mode but you can still check the other settings.


Hi Tim,
That was one of the articles I used to configure the tunnel. The tunnel is established, it’s just not passing any traffic.
When I use the ping utility on the Pepwave, it gives me this error:
ping: sendmsg: Operation not permitted
A quick search on Google shows it might be the firewall, but I believe the default firewall mode on the Pepwave is to allow everything in and out.
Also, not sure if it matters or not, but it looks like Verizon is doing double NATing of their public IP. For example, the Pepwave shows something like 100.1.1.1, but I see the tunnel on the ASA is established with 2.2.2.2.

I suggest opening a support ticket for further investigation. Thanks.
