
Changed IKEv1 from PSK to Certificate and routing stopped working

dougreid
Level 1

My configuration was working with site-to-site VPN with IKEv1 using PSK. I created certificates and the connections are working. I can see some good debugging on the other side because it is strongSwan on a Linux host. It shows everything is connected correctly. I can see data leaving the ASA 5506-X but nothing returns. It is the same on the other side.

 

Just wondering if there is an oddity with certificate-based authentication that can cause issues.

 

 


Philip D'Ath
VIP Alumni

If the data is leaving the 5506 and nothing is returning then that suggests the issue is the other end.

Both ends are having the same problem.   Data goes out but nothing comes in.

I had the same problem when I set up the PSK. It was missing NAT entries, but those entries are still active.

You may want to verify your configuration against this configuration guide, see link https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html#step4.

 

If you believe your configuration is correct, double check your certificate and CA certificate.  If you do a debug on your ASA when performing the test, it may give you a hint where the step is missing or incorrect.

The other end had a firewall issue. It is working.
