02-18-2020 09:37 PM - edited 02-18-2020 10:20 PM
Configured the following on ASAv:
object network LOCAL
host <local private address>
object network REMOTE
host <remote private address>
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp
access-list outside_cryptomap_25 extended permit ip object LOCAL object REMOTE
crypto ikev2 policy 10
enc aes-256
int sha256
group 5
prf sha256
lifetime seconds 5400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
group-policy GroupPolicy_<remote public ip> internal
group-policy GroupPolicy_<remote public ip> attributes
vpn-tunnel-protocol ikev2
tunnel-group <remote public ip> type ipsec-l2l
tunnel-group <remote public ip> ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group <remote public ip> general-attributes
default-group-policy GroupPolicy_<remote public ip>
crypto map MYMAP 25 match address outside_cryptomap_25
crypto map MYMAP 25 set peer <remote public ip>
crypto map MYMAP 25 set ikev2 ipsec-proposal AES256-SHA256
crypto map MYMAP 25 set pfs group5
crypto map MYMAP 25 set security-association lifetime seconds 3600
crypto map MYMAP 25 set security-association lifetime kilobytes unlimited
crypto map MYMAP interface outside
crypto ikev2 enable outside
The following logs were observed after running packet-tracer:
%ASA-vpn-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-vpn-5-750001: Local:XXXX Remote:XXXX Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535
%ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 25.
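An added triage helper, not from the post or from Cisco, that groups these Tunnel Manager messages by crypto map entry so the 752011 IKEv1 line can be read as the expected side effect of a map entry that only carries an IKEv2 proposal, rather than as the cause of the failure. The stage labels are hypothetical names chosen for this example, and the sample input is the post's own five log lines with addresses left redacted.

```python
import re

# Constructed sample input: the five syslog lines from the post above, addresses left redacted as XXXX.
SAMPLE_LOGS = """\
%ASA-vpn-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-vpn-5-750001: Local:XXXX Remote:XXXX Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535
%ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 25.
"""

# %ASA-<mnemonic>-<severity>-<message id>: <body>  (the mnemonic is absent in some logging formats)
MSG_RE = re.compile(r"%ASA-(?:[a-z]+-)?(\d)-(\d{6}):\s*(.*)")
MAP_RE = re.compile(r"Map Tag\s*=\s*(\S+?)\.\s*Map Sequence Number\s*=\s*(\d+)")

# Tunnel Manager message ids in diagnostic order, with a hypothetical stage label for each.
STAGES = [
    ("752003", "ikev2_attempted"),                   # KEY_ACQUIRE handed to IKEv2 for this map entry
    ("752012", "ikev2_failed"),                      # IKEv2 negotiation did not produce an SA
    ("752011", "ikev1_unavailable_no_transform_set"),  # no IKEv1 transform set on the entry: expected for IKEv2-only
    ("752015", "all_ike_versions_failed"),           # Tunnel Manager gave up on the L2L SA
]

def parse_asa_vpn_log(text):
    """Return (severity, msg_id, body, map_tag, seq) per ASA syslog line; tag/seq are None when absent."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        body = m.group(3)
        mm = MAP_RE.search(body)
        tag, seq = (mm.group(1), int(mm.group(2))) if mm else (None, None)
        events.append((int(m.group(1)), m.group(2), body, tag, seq))
    return events

def diagnose_l2l_failure(text):
    """Map each crypto map entry (tag, seq) to the ordered failure stages seen for it.
    Messages that carry no map tag (752011, 750001) are attributed to every entry in the log window."""
    global_ids, per_entry = set(), {}
    for _sev, msg_id, _body, tag, seq in parse_asa_vpn_log(text):
        if tag is None:
            global_ids.add(msg_id)
        else:
            per_entry.setdefault((tag, seq), set()).add(msg_id)
    return {entry: [stage for msg_id, stage in STAGES if msg_id in (ids | global_ids)]
            for entry, ids in per_entry.items()}

if __name__ == "__main__":
    for (tag, seq), stages in diagnose_l2l_failure(SAMPLE_LOGS).items():
        print(f"crypto map {tag} {seq}: {' -> '.join(stages)}")
```

When the output shows ikev2_failed before the IKEv1 stage, the entry worth checking is the IKEv2 exchange with the peer (policy and proposal on both sides), not the missing IKEv1 transform set.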
02-18-2020 10:44 PM
Hi Suhel,
It looks like on Sophos you have only IKEv1 configured for the tunnel. Can you check whether IKEv2 or IKEv1 is configured on Sophos?