Windows Server 2012 R2 VPN Interoperability with Cisco ASA

A difference between the IKEv2 implementations of the Windows RRAS Gateway and the Cisco ASA prevents the two VPN devices from interoperating (documented in this VPN Interoperability guide). This incompatibility affects a number of customers, since Cisco ASA has a large user base. However, because Cisco ASA is an End-Of-Line product, an OS update for these devices seems unlikely. To help customers use Cisco ASA devices with Windows Server 2012 R2 RRAS Gateways, Microsoft has released a hotfix that enables VPN interoperability between these two solutions. This article describes the problem, the solution the hotfix offers, and the configuration it requires.

IKEv2 Traffic Selectors and Cisco ASA devices

Section 2.9 of the Internet Key Exchange Protocol Version 2 (IKEv2) RFC describes Traffic Selector negotiation during IKEv2 setup, and states that if the responder's policy does not allow it to accept any part of the proposed Traffic Selectors, it responds with a TS_UNACCEPTABLE Notify message.

The Microsoft Windows RRAS Gateway initiates the IKEv2 tunnel with a proposal that uses "any" (*) as the Traffic Selector (TS), which signals the responder to narrow it down to the value configured on its end. However, the Cisco ASA implementation does not narrow a "*" Traffic Selector proposal; it treats it as an unacceptable offer and sends a TS_UNACCEPTABLE Notify message, so the tunnel is not established.

Conversely, if a Cisco ASA device sends the TS configured on it to the Windows gateway in its proposal, the Windows gateway accepts the proposal and narrows its own selector down to the ASA's proposed TS (because the Windows Server Gateway is configured to accept all TS, value "*", by default), and the tunnel is established.

In practice, this means the IKEv2 S2S VPN tunnel is established when initiated from the Cisco ASA end but fails when initiated from the Windows end.
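As an added illustration (not code from the article, from Microsoft, or from Cisco), the following PowerShell models the responder decision just described: each proposed selector is narrowed to its intersection with a configured selector, a "*" proposal is either narrowed to the configured range or treated as unacceptable, and a payload with no acceptable selector yields TS_UNACCEPTABLE. The function names, the hashtable representation of a selector, and the pairwise address-range intersection are simplifications assumed here; real selectors also carry protocol and port ranges, which this model leaves out.

```powershell
# Added example: a model of the IKEv2 section 2.9 traffic-selector decision, not product code.
# A selector is @{ Start = '<ip>'; End = '<ip>' }; the string '*' stands for the "any" proposal.

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted-quad to an integer so ranges can be compared ([long] avoids signed overflow).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function New-Ts ([string]$Start, [string]$End) { @{ Start = $Start; End = $End } }

# Narrow one proposed range to one configured range; $null when they do not overlap.
function Get-NarrowedTs ($Proposed, $Configured) {
    if ($Proposed -eq '*') { return $Configured }   # "any" narrows straight to the configured range
    $start = if ((ConvertTo-IPv4Number $Proposed.Start) -ge (ConvertTo-IPv4Number $Configured.Start)) { $Proposed.Start } else { $Configured.Start }
    $end   = if ((ConvertTo-IPv4Number $Proposed.End)   -le (ConvertTo-IPv4Number $Configured.End))   { $Proposed.End }   else { $Configured.End }
    if ((ConvertTo-IPv4Number $start) -gt (ConvertTo-IPv4Number $end)) { return $null }
    return New-Ts $start $end
}

# Responder decision for a whole TS payload. -NarrowWildcard models the narrowing behaviour the
# article attributes to Windows RRAS; without it a '*' proposal is skipped as unacceptable, which
# models the Cisco ASA behaviour the article describes.
function Invoke-ResponderTsCheck {
    param($ProposedTs, $ConfiguredTs, [switch]$NarrowWildcard)
    $accepted = @()
    foreach ($p in $ProposedTs) {
        if ($p -eq '*' -and -not $NarrowWildcard) { continue }
        foreach ($c in $ConfiguredTs) {
            $n = Get-NarrowedTs $p $c
            if ($null -ne $n) { $accepted += ,$n }
        }
    }
    if ($accepted.Count -eq 0) { return 'TS_UNACCEPTABLE' }
    return $accepted
}

# Constructed sample: the ASA-side ranges used in the article's capture.
$asaConfigured = @((New-Ts '10.10.10.10' '10.10.10.10'), (New-Ts '10.10.10.0' '10.10.10.255'))
# Windows accepting "all" by default, modelled as the full IPv4 range.
$windowsDefault = @(New-Ts '0.0.0.0' '255.255.255.255')

# 1. Windows initiates with "any" towards an ASA that does not narrow: TS_UNACCEPTABLE.
Invoke-ResponderTsCheck -ProposedTs @('*') -ConfiguredTs $asaConfigured
# 2. The same "any" proposal against a responder that narrows: both ASA ranges are returned.
Invoke-ResponderTsCheck -ProposedTs @('*') -ConfiguredTs $asaConfigured -NarrowWildcard
# 3. The ASA initiates with its concrete ranges towards Windows: narrowed to exactly those ranges.
Invoke-ResponderTsCheck -ProposedTs $asaConfigured -ConfiguredTs $windowsDefault -NarrowWildcard
```

Case 1 reproduces the failure the article describes, and case 3 the working direction; the fix in the next section changes case 1 by making Windows propose the concrete ranges of case 3 instead of "*".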

S2S VPN hotfix for Windows Server 2012 R2

Earlier this year, Microsoft released a hotfix (Fix4157731, available for download here) to address this incompatibility by enabling Traffic Selector configuration on a Windows Server 2012 R2 RRAS Gateway. After installing this update, the network administrator can manually configure the IKEv2 VPN Traffic Selector address ranges for both the local and remote sites to match the configuration required by the third-party device (Cisco ASA). When configured this way, the Cisco ASA accepts the incoming proposal, since it carries acceptable Traffic Selector values, and the tunnel is established.

Traffic Selector configuration on Windows Server 2012 R2

The Traffic Selector configuration is available through PowerShell cmdlets in Windows Server 2012 R2 (the SC-VMM update to retrieve or configure Traffic Selectors for WS 2012 R2 is not yet available). These PowerShell cmdlets become available after installing the hotfix on Windows Server 2012 R2.

The syntax of the Traffic Selector PowerShell cmdlet is as follows:

# Create a new VPN Traffic Selector object; the range is given as start address, end address
$TS = New-VpnTrafficSelector -Type IPv4 -IPAddressRange "<<Start IP Address>>", "<<End IP Address>>"

So, assuming that your Cisco ASA Traffic Selector configuration looks like this (TSi and TSr payloads as seen from the ASA):

TSi  Next payload: TSr, reserved: 0x0, length: 40
          Num of TSs: 2, reserved 0x0, reserved 0x0
          TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
          start port: 0, end port: 65535
          start addr: 10.10.10.10, end addr: 10.10.10.10
          TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
          start port: 0, end port: 65535
          start addr: 10.10.10.0, end addr: 10.10.10.255
TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
          Num of TSs: 2, reserved 0x0, reserved 0x0
          TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
          start port: 0, end port: 65535
          start addr: 20.20.20.20, end addr: 20.20.20.20
          TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
          start port: 0, end port: 65535
          start addr: 20.20.20.0, end addr: 20.20.20.255
TSi: the Initiator's (Cisco ASA's) Traffic Selector
TSr: the Responder's Traffic Selector

The corresponding Traffic Selectors on the Windows RRAS Gateway must exactly replicate Cisco's configuration, i.e.

# Local TS at the Windows RRAS Gateway: the Windows-side networks, matching the ASA's TSr above
$TSi1 = New-VpnTrafficSelector -Type IPv4 -IPAddressRange @("20.20.20.20", "20.20.20.20")
$TSi2 = New-VpnTrafficSelector -Type IPv4 -IPAddressRange @("20.20.20.0", "20.20.20.255")

# Remote TS at the Windows RRAS Gateway: the ASA-side networks, matching the ASA's TSi above
$TSr1 = New-VpnTrafficSelector -Type IPv4 -IPAddressRange @("10.10.10.10", "10.10.10.10")
$TSr2 = New-VpnTrafficSelector -Type IPv4 -IPAddressRange @("10.10.10.0", "10.10.10.255")

After creating these Traffic Selector objects, they need to be applied to the corresponding VPN S2S tunnel on the Windows RRAS Gateway. Example cmdlets for doing so are as follows:

# 1. Add a new VPN S2S tunnel on the Windows RRAS Gateway (with Traffic Selectors).
#    The shared secret below is the article's placeholder; use a long, random pre-shared key in production.
Add-VpnS2SInterface -Name "ContosoVpn" -Destination "10.10.10.10" -Protocol IKEv2 -AuthenticationMode PSKOnly -SharedSecret "P@ssw0rd" -IPv4Subnet "20.20.20.0/24:10" -LocalVpnTrafficSelector @($TSi1, $TSi2) -RemoteVpnTrafficSelector @($TSr1, $TSr2) -Persistent -PassThru

# 2. Apply Traffic Selectors to an existing VPN S2S tunnel on the Windows RRAS Gateway
Set-VpnS2SInterface -Name "ContosoVpn" -LocalVpnTrafficSelector @($TSi1, $TSi2) -RemoteVpnTrafficSelector @($TSr1, $TSr2) -Force

# 3. Retrieve an existing VPN S2S tunnel by destination and apply Traffic Selectors to it
Get-VpnS2SInterface | ? {$_.Destination -eq "10.10.10.10"} | Set-VpnS2SInterface -LocalVpnTrafficSelector @($TSi1, $TSi2) -RemoteVpnTrafficSelector @($TSr1, $TSr2) -Force
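The procedure above, put together as an added example (this is not the article's own script and not Microsoft code): the Windows Local and Remote Traffic Selectors are derived from the ASA-side ranges written in CIDR form, applied to the tunnel, then read back and compared with what was intended, since the article requires an exact replica of the Cisco values. Assumptions: the interface is named "ContosoVpn" as in the article; the CIDR-to-range helpers are mine; the object returned by Get-VpnS2SInterface is assumed to expose LocalVpnTrafficSelector and RemoteVpnTrafficSelector properties, and each selector an IPAddressRange property (confirm with Get-Member on your build). It is meant to be run elevated on the RRAS server after the hotfix is installed.

```powershell
# Added example: build, apply and verify Traffic Selectors that replicate the Cisco ASA ranges.

function ConvertTo-IPv4Number ([string]$Ip) {
    # Dotted-quad to integer ([long] keeps the arithmetic unsigned-safe).
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function ConvertFrom-IPv4Number ([long]$Number) {
    $octets = 3..0 | ForEach-Object { ($Number -shr (8 * $_)) -band 255 }
    return ($octets -join '.')
}

# '10.10.10.0/24' -> @('10.10.10.0', '10.10.10.255'); a bare address is treated as /32.
# This is the start/end pair that New-VpnTrafficSelector -IPAddressRange expects.
function ConvertTo-VpnTsRange ([string]$Cidr) {
    $addr, $len = $Cidr -split '/', 2
    $prefix = if ($len) { [int]$len } else { 32 }
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Invalid prefix length in '$Cidr'" }
    $blockSize = [long]1 -shl (32 - $prefix)      # number of addresses in the block
    $base  = ConvertTo-IPv4Number $addr
    $start = $base - ($base % $blockSize)         # clear the host bits
    $end   = $start + $blockSize - 1
    return @((ConvertFrom-IPv4Number $start), (ConvertFrom-IPv4Number $end))
}

# Ranges taken from the capture in the article: TSi is the ASA's own side, TSr the Windows side.
$asaSideCidrs     = '10.10.10.10/32', '10.10.10.0/24'
$windowsSideCidrs = '20.20.20.20/32', '20.20.20.0/24'

# Windows "Local" replicates the ASA's TSr (Windows networks); "Remote" replicates the ASA's TSi.
$localTs  = foreach ($c in $windowsSideCidrs) { New-VpnTrafficSelector -Type IPv4 -IPAddressRange (ConvertTo-VpnTsRange $c) }
$remoteTs = foreach ($c in $asaSideCidrs)     { New-VpnTrafficSelector -Type IPv4 -IPAddressRange (ConvertTo-VpnTsRange $c) }

$interfaceName = 'ContosoVpn'   # name from the article; adjust to your tunnel
Set-VpnS2SInterface -Name $interfaceName -LocalVpnTrafficSelector $localTs -RemoteVpnTrafficSelector $remoteTs -Force

# Read the tunnel back and check that the applied selectors are the intended ranges.
# Property names on the returned objects are assumed here; verify them with Get-Member.
$iface = Get-VpnS2SInterface -Name $interfaceName
$iface | Select-Object Name, Destination, LocalVpnTrafficSelector, RemoteVpnTrafficSelector | Format-List

$expectedLocal  = $windowsSideCidrs | ForEach-Object { (ConvertTo-VpnTsRange $_) -join '-' }
$expectedRemote = $asaSideCidrs     | ForEach-Object { (ConvertTo-VpnTsRange $_) -join '-' }
$actualLocal    = $iface.LocalVpnTrafficSelector  | ForEach-Object { $_.IPAddressRange -join '-' }
$actualRemote   = $iface.RemoteVpnTrafficSelector | ForEach-Object { $_.IPAddressRange -join '-' }

if (Compare-Object $expectedLocal $actualLocal)   { Write-Warning "Local selectors on $interfaceName do not replicate the ASA TSr ranges" }
if (Compare-Object $expectedRemote $actualRemote) { Write-Warning "Remote selectors on $interfaceName do not replicate the ASA TSi ranges" }
```

If either warning appears, the Windows proposal will not carry the selectors the ASA expects and the tunnel will fail in the Windows-initiated direction exactly as before the hotfix; re-check the CIDR values against the ASA's TSi/TSr payloads before retrying the connection.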


Note: Hotfix 4157731 allows configuration of Traffic Selector(s) for a single Security Association. Support for configuring Traffic Selectors for multiple Quick Mode Security Associations of a VPN tunnel will be provided in a hotfix that is available shortly. Please watch this space for the update.