Cisco site-to-site VPN multiple subnet route over tunnel

cisco, cisco-asa, firewall, vpn

We have a site-to-site VPN tunnel to AWS which was working great until I added another subnet to the ACL for interesting traffic, which caused a strange issue. It only allows me to add a single ACL subnet for interesting traffic; if I try to add another one, my tunnel goes down.


Currently I have the following ACL and it's working great!

access-list ACL-VPN extended permit tcp 10.0.0.0 255.0.0.0 10.100.1.0 255.255.255.0

But as soon as I add my other public subnet to route data over the VPN tunnel, it brings the new tunnel up because it sees the new IP as interesting traffic, which I can see in show crypto ipsec sa. As soon as it sees the new interesting traffic it drops traffic for the old tunnel, which is the 10.0.0.0/24 subnet. It looks like it only allows a single ACL subnet for interesting traffic; I tried any but it throws an error.

access-list ACL-VPN extended permit tcp 60.x.x.x 255.255.255.0 10.100.1.0 255.255.255.0

How do I route multiple subnets over the existing VPN tunnel?

This is my crypto map

crypto map AWS-VPN 1 match address ACL-VPN
crypto map AWS-VPN 1 set pfs
crypto map AWS-VPN 1 set peer 34.xx.xx.xx 52.xx.xx.xx
crypto map AWS-VPN 1 set ikev1 transform-set AWS-ESP-AES-SHA
crypto map AWS-VPN 1 set security-association lifetime seconds 3600

EDIT

You can see in the following output all three subnet tunnels. Currently the 70 network tunnel I can ping; the others are not pingable, but if I pick the 10 network and ping it, it breaks the 70 network ping and starts the 10 network. So strange.

fw1/pri/act# sh crypto ipsec sa peer 13.xx.xx.30
peer address: 13.xx.xx.30

  Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
  #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 635, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 2C59F831
  current inbound spi : 574D3919

inbound esp sas:
  spi: 0x574D3919 (1464678681)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373993/1587)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00001FFF 0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
  spi: 0x2C59F831 (744093745)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373946/1580)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 60.xx.xx.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (60.xx.xx.100/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 549, #pkts encrypt: 549, #pkts digest: 549
  #pkts decaps: 149, #pkts decrypt: 128, #pkts verify: 128
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 549, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 21

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: A42787FD
  current inbound spi : FF78BA5E

inbound esp sas:
  spi: 0xFF78BA5E (4286102110)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373989/1662)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0xFFFFFFFF 0xFFFFFFFF 0xFFFFFD55 0x557FFFFF
outbound esp sas:
  spi: 0xA42787FD (2754054141)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373954/1655)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001

Crypto map tag: AWS-VPN, seq num: 1, local addr: 66.xx.xx.51

  access-list ACL-VPN extended permit ip 70.xx.x.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (70.xx.x.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 13.xx.xx.30


  #pkts encaps: 327, #pkts encrypt: 327, #pkts digest: 327
  #pkts decaps: 1024, #pkts decrypt: 20, #pkts verify: 20
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 327, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 1004

  local crypto endpt.: 66.xx.xx.51/4500, remote crypto endpt.: 13.xx.xx.30/4500
  path mtu 1500, ipsec overhead 82(52), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: clear-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 9F4A80A9
  current inbound spi : C87A19F0

inbound esp sas:
  spi: 0xC87A19F0 (3363445232)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373998/2417)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x09200000 0x00000000
outbound esp sas:
  spi: 0x9F4A80A9 (2672459945)
     transform: esp-aes esp-sha-hmac no compression
     in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
     sa timing: remaining key lifetime (kB/sec): (4373973/2416)
     IV size: 16 bytes
     replay detection support: Y
     Anti replay bitmap:
      0x00000000 0x00000000 0x00000000 0x00000001

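The three `show crypto ipsec sa` sections above are the evidence worth reading carefully: all three are child SAs under the same crypto map entry (seq num 1) to the same peer, each with its own local proxy ID, and the two "broken" ones show decaps far above decrypt with non-zero recv errors. The following parser, added here as an editor's example rather than anything from the original post, pulls those fields out of the command output and reports exactly those two signals. Its `SAMPLE_OUTPUT` is a constructed, trimmed copy of the post's format using RFC 5737 documentation addresses (203.0.113.30, 198.51.100.51, 192.0.2.0/24); it is not the asker's real output.

```python
"""Summarise Cisco ASA `show crypto ipsec sa` output, one record per
negotiated child SA, and flag the symptom described in the post.
Added example: SAMPLE_OUTPUT is constructed (RFC 5737 addresses, trimmed
to the lines the parser reads); it is not the asker's real output."""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
peer address: 203.0.113.30
  Crypto map tag: AWS-VPN, seq num: 1, local addr: 198.51.100.51
  access-list ACL-VPN extended permit ip 10.0.0.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 203.0.113.30
  #pkts encaps: 635, #pkts encrypt: 635, #pkts digest: 635
  #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
  #send errors: 0, #recv errors: 0
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
  Crypto map tag: AWS-VPN, seq num: 1, local addr: 198.51.100.51
  access-list ACL-VPN extended permit ip 192.0.2.0 255.255.255.0 10.100.1.0 255.255.255.0
  local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
  current_peer: 203.0.113.30
  #pkts encaps: 327, #pkts encrypt: 327, #pkts digest: 327
  #pkts decaps: 1024, #pkts decrypt: 20, #pkts verify: 20
  #send errors: 0, #recv errors: 1004
     slot: 0, conn_id: 1126400, crypto-map: AWS-VPN
"""


@dataclass
class ChildSa:
    crypto_map: str
    seq: int
    peer: str
    local_ident: str   # local proxy ID (addr/mask/prot/port)
    remote_ident: str  # remote proxy ID
    encaps: int
    decaps: int
    decrypt: int
    recv_errors: int
    conn_id: int


def _grab(pattern: str, block: str, default: str = "0") -> str:
    m = re.search(pattern, block)
    return m.group(1) if m else default


def parse_show_crypto_ipsec_sa(text: str) -> list[ChildSa]:
    """One ChildSa per 'Crypto map tag:' section, i.e. per negotiated proxy-ID pair."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        hdr = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", block)
        if not hdr:
            continue  # leading text such as 'peer address:' has no section header
        sas.append(ChildSa(
            crypto_map=hdr.group(1),
            seq=int(hdr.group(2)),
            peer=_grab(r"current_peer: (\S+)", block, ""),
            local_ident=_grab(r"local ident \(addr/mask/prot/port\): \((\S+)\)", block, ""),
            remote_ident=_grab(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", block, ""),
            encaps=int(_grab(r"#pkts encaps: (\d+)", block)),
            decaps=int(_grab(r"#pkts decaps: (\d+)", block)),
            decrypt=int(_grab(r"#pkts decrypt: (\d+)", block)),
            recv_errors=int(_grab(r"#recv errors: (\d+)", block)),
            conn_id=int(_grab(r"conn_id: (\d+)", block)),
        ))
    return sas


def analyse(sas: list[ChildSa]) -> list[str]:
    """Flag (1) several child SAs under one crypto map entry to one peer and
    (2) SAs whose inbound ESP is decapsulated but then dropped."""
    findings = []
    groups: dict[tuple, list[ChildSa]] = {}
    for sa in sas:
        groups.setdefault((sa.crypto_map, sa.seq, sa.peer), []).append(sa)
    for (cmap, seq, peer), group in groups.items():
        if len(group) > 1:
            idents = sorted(sa.local_ident for sa in group)
            findings.append(
                f"{cmap} seq {seq} -> {peer}: {len(group)} child SAs, one per crypto-ACL "
                f"entry {idents}; a peer that allows one SA pair per tunnel (AWS policy-based "
                f"VPN does) keeps only the most recently negotiated one")
    for sa in sas:
        if sa.decaps > sa.decrypt or sa.recv_errors:
            findings.append(
                f"{sa.local_ident} -> {sa.remote_ident}: decaps={sa.decaps} "
                f"decrypt={sa.decrypt} recv_errors={sa.recv_errors}; inbound ESP arrives "
                f"on this SA but is dropped")
    return findings


if __name__ == "__main__":
    for line in analyse(parse_show_crypto_ipsec_sa(SAMPLE_OUTPUT)):
        print(line)
```

Run it against a saved copy of the real output (`python3 sa_check.py < sa.txt` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`); the first finding is the structural cause of "only the last-pinged subnet works" and the second tells you which proxy-ID pair the peer has stopped honouring.
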
Best Answer

You can try to put all subnets under a single network object-group, then modify your ACL, crypto ACL and NAT exemption rules accordingly. This makes the configuration look nicer.

For example:

object-group network Local_subnets
 network-object 10.0.0.0 255.0.0.0
 network-object 60.x.x.x 255.255.255.0
 network-object 70.x.x.x 255.255.255.0

object-group network AWS_subnets
 network-object 10.100.1.0 255.255.255.0


access-list inside extended permit tcp object-group Local_subnets object-group AWS_subnets

access-list ACL-VPN extended permit tcp object-group Local_subnets object-group AWS_subnets

nat (inside,outside) source static Local_subnets Local_subnets destination static AWS_subnets AWS_subnets no-proxy-arp route-lookup

And please ensure you reflect the same setup at the AWS end.

I hope it is helpful.
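Before pushing a configuration shaped like the answer's, a practitioner would want two checks that the snippet itself does not make: that every source/destination pair in the crypto ACL is covered by an identity (twice-NAT) rule, and how many proxy-ID pairs the object-group ACL expands to, since the ASA negotiates one child SA per expanded ACE. The script below is an added example by the editor, not the answer's or the asker's code; `SAMPLE_CONFIG` is constructed on the pattern of the answer with RFC 5737 addresses standing in for the 60.x and 70.x public subnets, and the warning about `permit tcp` is a general ASA fact (only the named protocol is interesting traffic), not something the original post states.

```python
"""Consistency check for an ASA object-group crypto ACL and its NAT exemption.
Added example; SAMPLE_CONFIG is constructed (RFC 5737 addresses), not a
real running config."""
import ipaddress
import re

SAMPLE_CONFIG = """\
object-group network Local_subnets
 network-object 10.0.0.0 255.0.0.0
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
object-group network AWS_subnets
 network-object 10.100.1.0 255.255.255.0
access-list ACL-VPN extended permit tcp object-group Local_subnets object-group AWS_subnets
nat (inside,outside) source static Local_subnets Local_subnets destination static AWS_subnets AWS_subnets no-proxy-arp route-lookup
"""


def parse_object_groups(cfg: str) -> dict[str, list[ipaddress.IPv4Network]]:
    """Map object-group name -> list of networks (dotted masks accepted by ipaddress)."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return groups


def parse_crypto_acl(cfg: str, name: str) -> list[tuple[str, str, str]]:
    """(protocol, src_group, dst_group) for each object-group ACE of the named ACL."""
    pat = re.compile(rf"access-list {re.escape(name)} extended permit (\S+) "
                     r"object-group (\S+) object-group (\S+)")
    return [m.groups() for m in map(pat.match, cfg.splitlines()) if m]


def parse_identity_nat(cfg: str) -> set[tuple[str, str]]:
    """(src_group, dst_group) pairs exempted from NAT: 'static X X ... static Y Y'."""
    pat = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) "
                     r"destination static (\S+) (\S+)")
    pairs = set()
    for m in map(pat.match, cfg.splitlines()):
        if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
            pairs.add((m.group(1), m.group(3)))
    return pairs


def check(cfg: str, acl_name: str) -> dict:
    """Expand the crypto ACL to proxy-ID pairs and collect warnings."""
    groups = parse_object_groups(cfg)
    exempt = parse_identity_nat(cfg)
    proxy_ids, warnings = [], []
    for proto, src, dst in parse_crypto_acl(cfg, acl_name):
        if proto != "ip":
            warnings.append(f"{acl_name}: 'permit {proto}' makes only {proto} interesting "
                            f"traffic; ICMP (ping) will not enter the tunnel")
        if (src, dst) not in exempt:
            warnings.append(f"{acl_name}: no identity NAT for {src} -> {dst}; a dynamic "
                            f"NAT/PAT rule covering {src} would translate the source before "
                            f"the crypto ACL is checked")
        for s in groups.get(src, []):
            for d in groups.get(dst, []):
                proxy_ids.append((str(s), str(d)))
    if len(proxy_ids) > 1:
        warnings.append(f"{acl_name} expands to {len(proxy_ids)} proxy-ID pairs, i.e. "
                        f"{len(proxy_ids)} child SAs; a peer that allows one SA pair per "
                        f"tunnel needs a single summarised entry or a route-based tunnel")
    return {"proxy_ids": proxy_ids, "warnings": warnings}


if __name__ == "__main__":
    result = check(SAMPLE_CONFIG, "ACL-VPN")
    for pair in result["proxy_ids"]:
        print("proxy-id", *pair)
    for w in result["warnings"]:
        print("WARNING:", w)
```

On the sample it reports three proxy-ID pairs (10.0.0.0/8, 192.0.2.0/24 and 198.51.100.0/24, each to 10.100.1.0/24) and warns about `permit tcp` and about the three-SA expansion; comment out the `nat` line and it adds the missing-exemption warning as well.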