10-07-2012 10:49 AM - edited 03-11-2019 05:05 PM
I have created a site-to-site tunnel between an ASA running 8.4 and another ASA running 8.2, but the tunnel is not coming up.
ASA running 8.4
++++++++++++
fw2# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map inside_map 20 match address tunnel-from-1166-to-nyc1_dr
crypto map inside_map 20 set pfs
crypto map inside_map 20 set peer 10.224.2.178
crypto map inside_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map inside_map 20 set security-association lifetime seconds 28800
crypto map inside_map 20 set security-association lifetime kilobytes 4608000
crypto map inside_map 20 set nat-t-disable
crypto map inside_map 20 set reverse-route
crypto map inside_map interface inside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
ASA running 8.2
++++++++++++
fw1# sh run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map tunnels_map 20 match address tunnel-to-fw2-nyc
crypto map tunnels_map 20 set pfs
crypto map tunnels_map 20 set peer 149.77.111.238
crypto map tunnels_map 20 set transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map tunnels_map 20 set security-association lifetime seconds 28800
crypto map tunnels_map 20 set security-association lifetime kilobytes 4608000
crypto map tunnels_map 20 set nat-t-disable
crypto map tunnels_map 20 set reverse-route
crypto map tunnels_map interface tunnels
crypto isakmp identity address
crypto isakmp enable tunnels
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
I see this in the output. Not sure what the problem is:
fw1# sh crypto isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 149.77.111.238
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
2 IKE Peer: 149.77.111.238
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
fw1/nyc1.deshaw.com# sh cryptcry
fw1/nyc1.deshaw.com# sh crypt
fw1/nyc1.deshaw.com# sh crypto ipsec sa
There are no ipsec sas
10-07-2012 11:02 AM
Hi,
You've got a problem with authentication in ISAKMP Main Mode.
You should verify your preshared key on both sides.
Regards.
Alain
Don't forget to rate helpful posts.
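Added example for this thread (it is not a Cisco tool and not code from either poster): a small Python triage script that reads the phase-1 policy excerpts of both posted configs, accepting the 8.2 "crypto isakmp policy" and 8.4 "crypto ikev1 policy" syntax, checks that the two sides offer at least one common proposal, and then parses fw1's "show crypto isakmp sa" output to interpret the stuck main-mode state. The config excerpts and the SA output are reconstructed from the first post; the state hints are general IKEv1 main-mode behaviour and an assumption of this example, not text from the thread. With the posted data it reports that the proposals match and that MM_WAIT_MSG5 on the responder points at the pre-shared key, which is where the fix turned out to be.

```python
import re

# Constructed: fw1's 'show crypto isakmp sa' as posted in the thread.
SHOW_ISAKMP_SA = """\
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 149.77.111.238
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
2 IKE Peer: 149.77.111.238
Type : L2L Role : responder
Rekey : no State : MM_WAIT_MSG5
"""
# Constructed phase-1 excerpts of both posted configs (8.4 'ikev1', 8.2 'isakmp').
FW2_84 = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
FW1_82 = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""
# Main-mode state hints: general IKEv1 behaviour, an assumption of this example. MSG5/MSG6
# are the first encrypted messages, keyed from the pre-shared key, so mismatched keys stall there.
STATE_HINTS = {
    "MM_WAIT_MSG2": "no reply to MSG1: peer unreachable, UDP/500 filtered, or IKE not enabled on its interface",
    "MM_WAIT_MSG5": "responder cannot process the initiator's ID/HASH: verify the pre-shared key on both sides",
    "MM_WAIT_MSG6": "initiator received no valid MSG6: verify the pre-shared key on both sides",
    "MM_ACTIVE": "phase 1 complete; with no IPsec SAs, check phase 2 (crypto ACL mirror, transform sets, PFS)",
}

_PEER = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
_ROLE = re.compile(r"Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)")
_STATE = re.compile(r"Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")
_POLICY = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)\s*$")
_ATTR = re.compile(r"^\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$")


def parse_isakmp_sa(text):
    """One dict per IKE SA (peer, type, role, rekey, state) from 'show crypto isakmp sa'."""
    sas, cur = [], None
    for line in text.splitlines():
        m = _PEER.match(line)
        if m:
            cur = {"peer": m.group(1)}
            sas.append(cur)
        elif cur is not None:
            if m := _ROLE.search(line):
                cur["type"], cur["role"] = m.groups()
            if m := _STATE.search(line):
                cur["rekey"], cur["state"] = m.groups()
    return sas


def parse_phase1_policies(config):
    """Policy number -> attributes; accepts both 8.2 'isakmp' and 8.4 'ikev1' syntax."""
    policies, cur = {}, None
    for line in config.splitlines():
        m = _POLICY.match(line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
        elif cur is not None and (m := _ATTR.match(line)):
            cur[m.group(1)] = m.group(2)
        else:
            cur = None  # any other command ends the policy block
    return policies


def common_proposals(a, b):
    """Phase-1 proposals offered by both sides; lifetime is negotiated down, so it is ignored."""
    def key(p):
        return (p.get("authentication"), p.get("encryption"), p.get("hash"), p.get("group"))
    return {key(p) for p in a.values()} & {key(p) for p in b.values()}


def triage(sa_text, local_cfg, remote_cfg):
    """Findings for the operator: proposal mismatch first, then one line per IKE SA."""
    findings = []
    if not common_proposals(parse_phase1_policies(local_cfg), parse_phase1_policies(remote_cfg)):
        findings.append("no common phase-1 proposal: align authentication/encryption/hash/group")
    for sa in parse_isakmp_sa(sa_text):
        hint = STATE_HINTS.get(sa.get("state"), "state not in hint table")
        findings.append(f"peer {sa['peer']} ({sa.get('role')}) in {sa.get('state')}: {hint}")
    return findings
```

Run triage(SHOW_ISAKMP_SA, FW1_82, FW2_84) to get the findings for this thread: no proposal mismatch is reported, and both SAs are flagged with the pre-shared key hint. Note that the pre-shared key itself does not appear in "show run crypto" (on 8.4 it lives under the tunnel-group), which is why a config excerpt that looks perfectly mirrored can still leave the tunnel stuck in MM_WAIT_MSG5.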
10-07-2012 11:24 AM
Thanks Alain. Reconfiguring shared secret brought up the tunnel.
04-07-2013 09:20 PM
Hello, I want to create a site-to-site VPN between an 8.4 and an 8.2 ASA from ASDM. How can I do this? Can you help me?
04-07-2013 11:07 PM
Hi Fikrat,
You should be able to use the VPN Wizard in the ASDM of both ASA units to configure a L2L VPN. The wizard should provide every step needed to get a basic L2L VPN connection working.
It's usually best to start a totally new discussion about your own situation instead of using an old one. This question/discussion has already been marked as answered.
- Jouni