ASA vpn issue.. Please help

Rohit Mangotra
Level 1

Hi,

I have got an issue where SPOKE1 and SPOKE 2 cannot communicate with each other. However, SPOKE1 and SPOKE 2 can communicate with the HUB. Please see the configuration below for the spokes and the hub. I'd really appreciate it if anyone could please guide me in the right direction.

 

SPOKE 1  (Cisco SRST881, v. 12.4)

SPOKE 2  (Cisco 887VA, v.12.4(22r))

HUB          (ASA5525, v.8.6(1)2)

 

** Spoke 1 (Cisco SRST881, v. 12.4) **

 

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 50.50.50.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE1-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE1-VPN-ACL

interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SPOKE1-ASA

interface Vlan1
 ip address 192.168.210.225 255.255.255.224
 ip nat inside
 ip virtual-reassembly in

ip nat inside source list NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 50.50.50.1

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any

ip access-list extended SPOKE1-VPN-ACL
 permit ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31
-----------------------------------------------------------------------------


** SPOKE2 (Cisco 887VA, v.12.4(22r)) **

 

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL

crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 200.200.200.1
  pre-shared-key local 12345678
  pre-shared-key remote 12345678

crypto ikev2 profile ASA-DC
 match identity remote address 200.200.200.1 255.255.255.255
 identity local address 100.100.100.1
 authentication local pre-share
 authentication remote pre-share
 keyring VPN-KEYS

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac

crypto map SPOKE2-ASA 10 ipsec-isakmp
 set peer 200.200.200.1
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address SPOKE2-VPN-ACL

interface Vlan1
 ip address 192.168.210.65 255.255.255.224
 ip helper-address 172.16.5.32
 ip nat inside
 ip virtual-reassembly in

interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname zzz@zzz.com
 ppp chap password 7 zzzzzzzzz
 crypto map SPOKE2-ASA

ip nat inside source list NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended SPOKE2-VPN-ACL
 permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

ip access-list extended NONAT
 deny   ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.64 0.0.0.31 any
-----------------------------------------------------------------------------


** HUB (ASA5525, v.8.6(1)2) **

 

object network SPOKE1
 subnet 192.168.210.224 255.255.255.224

object network SPOKE2
 subnet 192.168.210.64 255.255.255.224

object-group network INSIDE-SUBNET
 network-object 172.16.0.0 255.255.0.0


access-list VPN-SPOKE1 extended permit ip object-group INSIDE-SUBNET object SPOKE1
access-list VPN-SPOKE1 extended permit ip object SPOKE2 object SPOKE1
access-list VPN-SPOKE2 extended permit ip object-group INSIDE-SUBNET object SPOKE2
access-list VPN-SPOKE2 extended permit ip object SPOKE1 object SPOKE2

nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp route-lookup
nat (inside,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp route-lookup
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE1 SPOKE1 no-proxy-arp
nat (any,outside) source static inside-subnet-source INSIDE-SUBNET destination static SPOKE2 SPOKE2 no-proxy-arp

route outside 192.168.210.64 255.255.255.224 200.200.200.1 1
route outside 192.168.210.224 255.255.255.224 200.200.200.1 1

crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1

crypto map ASA-VPN-SITE 10 match address VPN-SPOKE1
crypto map ASA-VPN-SITE 10 set peer 50.50.50.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

crypto map ASA-VPN-SITE 20 match address VPN-SPOKE2
crypto map ASA-VPN-SITE 20 set peer 100.100.100.1
crypto map ASA-VPN-SITE 20 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL

tunnel-group 50.50.50.1 type ipsec-l2l
tunnel-group 50.50.50.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

same-security-traffic permit intra-interface

-----------------------------------------------------------------------------

Thanks & Regards

Rohit Mangotra.

8 Replies

Hi,

After a quick look at the configuration of both spokes, I think you need to modify/add the nat access lists on both spokes as follows:

On Spoke 1:

ip access-list extended NONAT
  1 deny ip 192.168.210.224 0.0.0.31 192.168.210.64 0.0.0.31

  2 deny ip 192.168.210.224 0.0.0.31 172.16.0.0 0.0.255.255

  3 permit ip 192.168.210.224 0.0.0.31 any


On Spoke 2:

ip access-list extended NONAT
  1 deny ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31

  2 deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255

  3 permit ip 192.168.210.64 0.0.0.31 any

 

Regards,

Aref
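A small Python checker, added here and not part of the thread or of any Cisco tool, that reproduces the reasoning behind the reply above: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so any flow the crypto ACL is meant to encrypt must be denied (exempted) by the NAT ACL first. It embeds Spoke 2's crypto ACL and NAT ACL as posted, and the corrected NAT ACL proposed above; the order-of-operations assumption and the "entry must fully contain the flow" simplification are the checker's own.

```python
import ipaddress

# Constructed from the Spoke 2 config in the thread (IOS address/wildcard notation).
SPOKE2_CRYPTO = """permit ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31"""
SPOKE2_NONAT_ORIG = """deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any"""
# The NAT ACL suggested in the reply above.
SPOKE2_NONAT_FIXED = """deny ip 192.168.210.64 0.0.0.31 192.168.210.224 0.0.0.31
deny ip 192.168.210.64 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.64 0.0.0.31 any"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")

def wildcard_to_net(ip, wc):
    """Turn an IOS 'address wildcard' pair into a network (contiguous wildcards only)."""
    mask = (~int(ipaddress.IPv4Address(wc))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((ip, str(ipaddress.IPv4Address(mask))))

def parse_ios_acl(text):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>|any' lines into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 5 or p[0] not in ("permit", "deny") or p[1] != "ip":
            continue
        src = wildcard_to_net(p[2], p[3])
        dst = ANY if p[4] == "any" else wildcard_to_net(p[4], p[5])
        entries.append((p[0], src, dst))
    return entries

def translated_vpn_flows(crypto_acl, nonat_acl):
    """List crypto-ACL permits that the NAT ACL would still translate.

    Assumption: NAT (inside->outside) is applied before the crypto map, so a flow
    PATed to the WAN address no longer matches the crypto ACL and leaves the
    router unencrypted. First matching NAT entry wins; an entry matches only when
    it fully contains the flow (partial overlaps are not modelled)."""
    leaks = []
    for action, src, dst in crypto_acl:
        if action != "permit":
            continue
        for n_action, n_src, n_dst in nonat_acl:
            if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                if n_action == "permit":   # translated -> never reaches the tunnel
                    leaks.append((str(src), str(dst)))
                break                      # 'deny' means exempt; no match = implicit deny
    return leaks

def check_spoke2(nonat_text):
    return translated_vpn_flows(parse_ios_acl(SPOKE2_CRYPTO), parse_ios_acl(nonat_text))

if __name__ == "__main__":
    print("original NAT ACL leaks:", check_spoke2(SPOKE2_NONAT_ORIG))
    print("fixed NAT ACL leaks:   ", check_spoke2(SPOKE2_NONAT_FIXED))
```

With the posted NAT ACL the spoke-to-spoke flow (192.168.210.64/27 to 192.168.210.224/27) hits the `permit ... any` line and is translated; with the corrected ACL nothing the crypto map should encrypt is translated.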

Hi Aref,

Thanks a lot for your reply. I tried the configuration you recommended but it did not work. Any other suggestions?

 

Thanks & Regards

Rohit.

You are welcome Rohit.

Please try to add the following:

nat (any,outside) source static SPOKE2 SPOKE2 destination static SPOKE1 SPOKE1

nat (any,outside) source static SPOKE1 SPOKE1 destination static SPOKE2 SPOKE2

Maybe they cannot reach each other because there was no NAT exemption applied.

Regards,

Aref

Hi Aref,

Thanks a lot for the reply. I tested the configuration, but it is still not working. I checked it by pinging from Spoke 1 to Spoke 2. Are there any other suggestions that you could please recommend?

 

Thank You,

Kind Regards

Rohit.

You're welcome.

Would you clarify what host is the 200.200.200.1? Also please share your topology with ip address scheme according to the above configuration for review.

Regards | Aref.

Hi Aref,

 

Please see the topology with ip addressing that you asked. Please let me know if you want me to change anything.

 

 

Thank You,

Kind Regards

Rohit Mangotra.

Hi Aref,

 

Any more thoughts regarding this issue?

 

Thanks

Rohit

 

Thanks for all the help. The issue is resolved now. The problem was a default NAT rule in the ASA [nat (dmz,any) source static obj-192.168.1.0-nonatdmz obj-192.168.1.0-nonatdmz destination static obj-192.168.201.0-nonatdmz obj-192.168.201.0-nonatdmz no-proxy-arp].
So we changed the IP address range [10.1.11.x/24, 10.1.12.x/24] of both Spoke 1 and Spoke 2. After the change it's all working now.

Thank You
Kind Regards
Rohit