IPSec VPN between Cisco ASA behind Peplink-360 Passthrough and Peplink-310 in Aggressive Mode in


#1

Below is a picture of my topology

HQ has a Cisco ASA behind the Peplink-360, which is in VPN passthrough mode and forwards all VPN requests/responses/traffic through it. Branch has only a Peplink-310. The site-to-site VPN terminates at the Cisco ASA and the Peplink-310.

The HQ Peplink-360 has a static IP and the Branch Peplink-310 has a PPPoE dialer but a fixed IP. The Cisco ASA at HQ has a private address 172.16.1.2 on its outside (public) interface and its gateway is 172.16.1.1 (which is the LAN of the HQ Peplink-360).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Things are not looking good, as there is a double NAT here and a private IP on the ASA. Troubleshooting results show that on the Branch Peplink-310 the peer ID is coming in as 172.16.1.2 (which is the Cisco ASA outside interface, where the crypto maps are), and we require the ID to be 41.10.161.45 (WAN IP on the HQ Peplink-360) as per your configuration.

The HQ Peplink-360 (which is in passthrough mode and has the Cisco ASA behind it for VPN termination) has a static IP. BUT the Branch Peplink-310 (where the VPN terminates) has a PPPoE dialer but a fixed IP address (can we count a fixed IP as a static IP and have aggressive mode?)

We cannot use Drop-in mode as the Cisco gateway is configured as 172.16.1.1, which is the LAN of the HQ Peplink-2, and this would change to a public IP in Drop-in mode, which requires changing the Cisco configuration like the outside interface, NAT rules and much more… Agree???

I tried main mode for IKEv1 but failed; now I have configured the Branch Peplink-2 in aggressive mode by removing the peer IP and having local ID mydevice@branch and remote ID mydevice@hq, but things are quite the same… NO success.

Do I need to do aggressive mode on the Cisco ASA as well or keep it in main mode? Any configuration on the HQ Peplink-360, which is in passthrough mode?

Thank you in advance.
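As an added example (not from this thread, Peplink or Cisco), here is a Cisco ASA IKEv1 fragment that sends a key-id identity in aggressive mode, so the branch sees mydevice@hq as the peer ID instead of the private outside address 172.16.1.2, and exempts the tunnel traffic from the outside NAT. The HQ LAN 10.1.1.0/24, a branch LAN of 192.168.1.0/24, the branch peer address and the pre-shared key are assumptions/placeholders, and the crypto map, object and ACL names are hypothetical.

```cisco
! Hypothetical HQ ASA (8.4+) config: IKEv1, aggressive mode, key-id identity
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Identify as mydevice@hq rather than the private outside address 172.16.1.2
crypto isakmp identity key-id mydevice@hq
! ASA sits behind the Peplink's NAT, so allow NAT-T (UDP 4500) with keepalives
crypto isakmp nat-traversal 20
! In aggressive mode the tunnel-group name must equal the branch's IKE ID
tunnel-group mydevice@branch type ipsec-l2l
tunnel-group mydevice@branch ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_LONG_RANDOM_PSK
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
! Interesting traffic: HQ LAN (assumed 10.1.1.0/24) to branch LAN (assumed 192.168.1.0/24)
access-list VPN-BRANCH extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 10 match address VPN-BRANCH
crypto map outside_map 10 set peer BRANCH_FIXED_IP_PLACEHOLDER
crypto map outside_map 10 set ikev1 transform-set TS-AES
crypto map outside_map 10 set phase1-mode aggressive
crypto map outside_map interface outside
! NAT exemption so tunnel traffic is not translated to 172.16.1.2 on the outside
object network HQ-LAN
 subnet 10.1.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
```

Aggressive mode sends the identity unencrypted and exposes the PSK-derived hash to offline guessing, so the pre-shared key must be long and random; the Peplink-360 in passthrough mode only needs to forward UDP 500/4500 and ESP to 172.16.1.2.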


#2

Since you have a Peplink unit deployed on both sides, I recommend using our SpeedFusion VPN feature. It is far superior to IPSec because all of your WAN connections will be part of the VPN tunnel. This means that your VPN connection will not break in the event of a single WAN failure, and you can enjoy increased bandwidth as well! Military-grade 256-bit AES encryption ensures your data is secure.

Besides that, it is extremely easy to set up!


#3

Thank you for your reply.

But this will construct a tunnel between the Peplink LAN interfaces? Am I right? Because there is no option to filter traffic.

The issue is that the LAN of the HQ Peplink is connected to the outside interface of the ASA (however in the private domain 172.16.1.0/24), but I want to filter traffic of the ASA LAN to pass through the tunnel (192.168.1.0/24).

The tunnel should terminate at the ASA, or at least the tunnel should only filter traffic from the ASA LAN interface.

Suggestions please.


#4

Once you create the SpeedFusion VPN profile between the two Peplink devices, you can create custom outbound rules and force traffic across the tunnel.

Is this what you are looking to achieve?


#5

Thank you Tim for your reply

I am trying to understand a bit… you mean OUTBOUND RULES in the FIREWALL section or OUTBOUND POLICY?

Please comment on the fact that the public network 10.1.1.0/24 is behind the ASA, which has an outside untrusted subnet on its outside interface towards the Peplink LAN interface (point-to-point connection; Peplink LAN is 172.16.1.1 and ASA outside is 172.16.1.1).

The Cisco ASA is doing NAT on its outside interface from 10.1.1.0 to 172.16.1.2 and it has a gateway of 172.16.1.1.

Do I need to have reverse NATing on the Peplink before sending the traffic through the tunnel?

Regards


#6

I need you to send us a complete network diagram with IP addresses and what you are looking to achieve. You can start the ticket here:
http://www.peplink.com/contact/support/

Thanks -Tim


#7

I already started a ticket 2 weeks ago, 731133, but it was really frustrating after getting the cold response from your engineers. They just focused on a firmware update all the time, which I did, but nothing happened, and they gave me the overview I mentioned in my first post here. I still have questions unanswered.

I have asked my sales team to halt any further purchases due to the cold customer support, and I will not recommend Peplink to my professional friends as it is just an expensive load balancer…

Anyhow, thank you for your time.


#8

I do see that you started a support ticket last Monday. Your comments about our customer support are unwarranted and invalid. Your issue has nothing to do with the Peplink Balance, rather this is a network design issue. Since you are over in the UK, why don’t you contact your reseller for more localized support?
Where is the network diagram with IP addresses?
Why are you double NATing?
Have you even tried the SpeedFusion VPN yet? It usually takes around 90 seconds to get it set up…


#9

This is the Peplink issue, because when I replaced it with any Draytek or Cisco device the VPN connection was established without any problem.

I would like to say that your last message is totally invalid. May I ask you why your engineer has not replied to my email since last week?? Why did he not ask for a network diagram? Why did he not ask for IP addresses? I did not do double NATing; I just exempted the NAT for tunnel traffic in the Cisco firewall. Your engineer suggested that double NATing is going on before going absolutely silent…

Yes, I have tried SpeedFusion and I am going to add the diagram now.

zee


#10

Hi Zee,

You mentioned in the ticket that you cannot use Drop in mode as the Cisco gateway is configured as 192.168.1.1 which is LAN of HQ peplink-2. Where is this in your diagram?

Ron


#11

What is the subnet mask of 41.10.161.45?


#12

I changed all the real IP addresses while posting the diagram on the Net. Everyone has access to that diagram, so please don't publish private information here.

But I gave you the real ones. The default gateway of the Cisco is the LAN interface of the HQ Peplink-2.
zee


#13

255.255.255.254


#14

Hi Zee,
Just wondering what you're looking to filter with the ASA? Are you ultimately looking at the Peplink Balance with its SpeedFusion VPN as an alternative to IPsec VPN for the remote sites, and is your config above about you trying to make both work at the same time? Or is it that you plan to just use the Peplink devices for load balancing and to maintain the Cisco ASA as the IPsec VPN concentrator?

I ask because we went through a phased migration from Draytek IPsec to Peplink SpeedFusion VPN a while ago and migrated the Draytek IPsec remote sites to Peplink SpeedFusion in a site-by-site process, and I can share how we did that, but maybe I've got the wrong end of the stick.

Do let me know, would love to help if I can,

Martin


#15

Hi Martin,

Thank you for your reply. We are using the ASA as a firewall and the Peplink as gateway and load balancer.

I have nothing against terminating the tunnel at the Peplink, but the issue is that the LAN interface of the Peplink is the ASA outside interface (meaning it is unprotected) and anyone can reach up to the ASA outside interface. All the rules on the ASA have been configured according to its outside interface and it's not an easy or feasible task to change them.

I am just waiting for a response from the Peplink guys… if there will be any response…

zee


#16

Hi Zee,

I think I understand now… you're looking to maintain the existing (before Peplink was connected) external IP of the ASA on its WAN side so that its configuration doesn't need to change, right? But you want it to use the Peplink as its gateway so that you can do load balancing? Is that right?

If so then there is the Drop-in Mode of the Balance, which is designed for this usage scenario. It allows you to add a Peplink Balance to the WAN side of your existing firewalls/routers (the ASA in your case) without having to change the ASA WAN-side IP. There is a useful document here that explains it: http://www.peplink.com/document/Peplink_appnote-Drop-in.pdf.

Does that help?

Martin


#17

And another article here with more / better diagrams: http://www.peplink.com/index.php?view=faq&id=69&path=18.

The important bit in your case is this paragraph:

When operating, Peplink Balance forwards the traffic between LAN and WAN1 of the Balance unit without performing any IP address translation. The Firewall will not notice any change in the IP addresses of the hosts on WAN1, and vice versa. Because the Firewall retains the same configuration, the firewall default gateway will still be the ISP gateway 210.10.10.1. (Do NOT change the Firewall Default Gateway to Peplink's IP 210.10.10.3).


#18

Thank you for your post, but we have discussed this earlier and this solution is not feasible as we have only one public IP address.
zee


#19

Ah yes, that stuffs that idea. Shame really, as I think it's the most elegant way…

So if you can't do that you're left with two options as I see it. Ask for a new WAN IP range from your ISP so you have enough for Drop-in mode (which would be a little messy, as all of your remote VPN endpoints will need reconfiguring to point at the new WAN IP from this new range), or use VPN passthrough on the Peplink to your Cisco ASA in its private IP range (as you are currently trying to do) and reconfigure the ASA settings so that it uses that private LAN IP (between it and the Peplink) as its WAN IP and the Peplink as its WAN gateway.

This would be my preferred method since you wouldn't have to reconfigure the remote endpoints. There is a forum post here with some info about a Cisco ASA behind a third-party router which might be of use: https://supportforums.cisco.com/thread/2031334

Have fun.