Do the pre-shared keys

alex.romaya1 · ‎02-08-2016

Hi All,

I have been working on two ASA550s trying to get the site to site working I get no output at all.

sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

I have followed all guides etc but nothing seems to work. My set up is a 1841 router in between the two ASA 5550s connecting the two outside interfaces, Site A connects to a switch on the inside interface and site B connects to my laptop on the inside interface.

No reason why this shouldn't suffice right.

Configs attached. Code running is 8.4.7 (29)

I can't see any issues but would appreciate it if anyone could point any out.

Thanks

Alex

Philip D'Ath · ‎02-08-2016

On site b change this:

access-list VPN extended permit ip object Site_B object Site_A 
access-list VPN extended permit icmp object Site_B object Site_A 
access-list VPN extended permit ip object Site_A object Site_B

to:

access-list VPN extended permit ip object Site_B object Site_A

On site a change this:

access-list VPN extended permit ip object Site_Aobject Site_B 
access-list VPN extended permit icmp object Site_Aobject Site_B 
access-list VPN extended permit ip object Site_B object Site_A

to:

access-list VPN extended permit ip object Site_A object Site_B

Philip D'Ath · ‎02-08-2016

Do the pre-shared keys definitely match?

I'm not sure you can ping the firewalls inside interface on the remote side. Try pinging the switch behind it or another machine.

If still not working, post the output while trying to do a ping:

debug crypto ikev1 (or if running old code "debug crypto isakmp")
debug crypto ipsec

Site to Site L2L VPN not working