Devices:
MAX BR1 HW rev.2 firmware 7.1
Cisco ASA 5585 running 9.6(4)3
BR1 uses Verizon cellular with dynamic public IPs
ASA has static public IP
We set up a dynamic VPN and, even though it shows as established on both sides, it doesn't pass any traffic between them.
ASA configuration:
object-group network Pepwave-Subnets
 network-object 10.254.12.0 255.255.255.240
access-list PHXIO-TO-Pepwave extended permit ip object PHXIO-Data object-group Pepwave-Subnets
nat (inside,outside) source static PHXIO-Data PHXIO-Data destination static Pepwave-Subnets Pepwave-Subnets no-proxy-arp route-lookup description Pepwave-VPN's
crypto dynamic-map Pepwave-DYNMAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_MAP 571 ipsec-isakmp dynamic Pepwave-DYNMAP
crypto map OUTSIDE_MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key test123!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 135
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
BR-1 Config:
Name: test
Active: checked
IKE Version: IKEv1
Remote Gateway IP Address: 1.1.1.1
Local Networks: 10.254.12.0/28
Remote Networks: 10.83.201.0/24
Authentication: Preshared Key
test123!
Mode: Main Mode (All WANs need to have Static IP)
Force UDP Encapsulation: checked
Local ID: empty
Remote ID: empty
Phase 1 (IKE) Proposal: AES-256 & SHA1
Phase 1 DH Group: Group 5
Phase 1 SA Lifetime: 3600 seconds
Phase 2 (ESP) Proposal: AES-256 & SHA1
Phase 2 PFS Group: none
Phase 2 SA Lifetime: 28800 seconds
WAN Connection Priority: 1
WAN Selection: Cellular
Tunnel is established on the ASA:
sh crypto ipsec sa map Pepwave-DYNMAP
cryptomap: Pepwave-DYNMAP
    Crypto map tag: Pepwave-DYNMAP, seq num: 10, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (10.83.201.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.12.0/255.255.255.240/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/8499
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C1674AA6
      current inbound spi : 424C1D55
    inbound esp sas:
      spi: 0x424C1D55 (1112284501)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 25706496, crypto-map: Pepwave-DYNMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28664)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC1674AA6 (3244772006)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 25706496, crypto-map: Pepwave-DYNMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/28664)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
BR-1 also shows that the tunnel is established:
IPsec VPN
Profile: PHXIO
WAN Connection: Cellular
10.254.12.0/28 <-> 10.83.201.0/24
Apr 05 15:03:43|IPsec: PHXIO/1x1 - Connected
Apr 05 15:03:40|IPsec: PHXIO/1x1 - Initiating Main Mode connection to 1.1.1.1
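An added triage helper (example code, not part of the post and not from Peplink or Cisco): it parses the traffic selectors and packet counters from an ASA `show crypto ipsec sa` block like the one quoted above and classifies the established SA. The sample output is a constructed excerpt of that block, and the expected selectors are the BR1 "Remote Networks"/"Local Networks" values from the post, seen from the ASA side.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed excerpt modelled on the ASA "show crypto ipsec sa" output in the post
# (same selectors and counters; only the lines the parser needs are kept).
SAMPLE_SA_OUTPUT = """\
Crypto map tag: Pepwave-DYNMAP, seq num: 10, local addr: 1.1.1.1
  local ident (addr/mask/prot/port): (10.83.201.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.254.12.0/255.255.255.240/0/0)
  current_peer: 2.2.2.2
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

@dataclass
class SaSummary:
    local_net: str   # ASA-side protected subnet, CIDR
    remote_net: str  # peer-side protected subnet, CIDR
    encaps: int      # packets the ASA encrypted into this SA
    decaps: int      # packets the ASA received from the peer and decrypted

def _ident(text: str, side: str) -> str:
    m = re.search(rf"{side} ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
    if not m:
        raise ValueError(f"missing {side} ident")
    # ip_network accepts a dotted netmask and normalises it to a prefix length
    return str(ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))

def parse_sa(text: str) -> SaSummary:
    """Pull selectors and traffic counters out of one crypto-map SA block."""
    encaps = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return SaSummary(_ident(text, "local"), _ident(text, "remote"), encaps, decaps)

def triage(sa: SaSummary, expected_local: str, expected_remote: str) -> str:
    """Classify an established SA. Zero counters on a side mean the tunnel is up
    but no packet on that side ever matched the crypto map, so the place to look
    is routing and NAT in front of the tunnel, not the IKE/IPsec parameters."""
    if (sa.local_net, sa.remote_net) != (expected_local, expected_remote):
        return "SELECTOR_MISMATCH"
    if sa.encaps == 0 and sa.decaps == 0:
        return "IDLE_BOTH_WAYS"
    if sa.decaps == 0:
        return "ONE_WAY_TX"   # we encrypt, nothing returns: check the far side and its return route
    if sa.encaps == 0:
        return "ONE_WAY_RX"   # peer sends, we never reply: check our routing/NAT toward the peer
    return "OK"

if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA_OUTPUT)
    print(sa, triage(sa, "10.83.201.0/24", "10.254.12.0/28"))
```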