04-10-2019 04:02 PM
My configuration was working with Site to Site VPN with IKEv1 using PSK. I created certificates and the connections are working. I can see some good debugging on the other side because it is strongSwan on a Linux host. It shows everything is connected correctly. I can see data leaving the ASA 5506-X but nothing returns. It is the same on the other side.
Just wondering if there is an oddity with a certificate-based setup that can cause issues.
04-10-2019 08:14 PM
If the data is leaving the 5506 and nothing is returning then that suggests the issue is the other end.
04-10-2019 08:42 PM
Both ends are having the same problem. Data goes out but nothing comes in.
04-10-2019 08:44 PM
I had the same problem when I set up the PSK. It was missing NAT entries, but those entries are still active.
04-12-2019 01:58 PM
You may want to verify your configuration against this configuration guide, see link https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html#step4.
If you believe your configuration is correct, double check your certificate and CA certificate. If you do a debug on your ASA when performing the test, it may give you a hint where the step is missing or incorrect.
04-15-2019 01:01 PM
The other end had a firewall issue. It is working.