Beginner

IPSec tunnel not coming up for 5505 ver9.0

I am working on a simple IPSec tunnel config in a lab at home and cannot get the IPSec tunnel to come up between the two ASAs. Any help would be greatly appreciated.

 

ASA2# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

1 ACCEPTED SOLUTION


So this entire setup was flawed from the start, as I just completely did not think about routing in this lab. I got it to work, but what I did was put an 1841 in between the 2 ASAs to act as the internet. Then I did the layer 2 tunnel between the 2 ASAs and was able to get it to work. My apologies for posting this, as I am just diving into the CCNA Security and trying to understand how VPN tunnels work. I was assuming that the ASAs (since they were directly connected together) would be able to talk to each other even though they were on different subnets. But I realized my mistake yesterday when I drew it out and worked on it, and I was able to get the tunnel up.


4 REPLIES
VIP Expert

Hello,

the configs look good. The only thing that might be missing could be:

crypto map outside_map 20 set pfs

Can you try and add that to both configs?

Participant

Hi there!

As you try to pass traffic from one side of the tunnel to the other, can you run a debug crypto ikev1 on both sides, and share the output?

Are the ASAs directly connected? Can you also paste a show route?

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Glad that you figured it out.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
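
The root cause named in the accepted solution (peers cabled together but addressed in different subnets, with nothing routing between them) can be checked from the configuration before looking at any crypto settings. The Python sketch below is an added example, not code from the thread: the config fragment and its addresses are constructed, and the function names parse and peer_reachability are hypothetical.

```python
import ipaddress

# Constructed ASA-style fragment; addresses are documentation ranges, not from the thread.
SAMPLE_CONFIG = """\
interface Vlan2
 nameif outside
 ip address 198.51.100.1 255.255.255.252
crypto map outside_map 20 set peer 203.0.113.2
"""
# Same fragment plus a default route toward a hop on the outside subnet (also constructed).
ROUTED_CONFIG = SAMPLE_CONFIG + "route outside 0.0.0.0 0.0.0.0 198.51.100.2 1\n"

def parse(config):
    """Collect connected subnets, static routes and crypto map peers."""
    connected, routes, peers = [], [], []
    for line in config.splitlines():
        w = line.split()
        try:
            if w[:2] == ["ip", "address"] and len(w) >= 4:
                connected.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
            elif w[:1] == ["route"] and len(w) >= 5:
                routes.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                               ipaddress.ip_address(w[4])))
            elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
                peers += [ipaddress.ip_address(p) for p in w[6:]]
        except ValueError:
            continue  # non-static forms such as "ip address dhcp" are skipped
    return connected, routes, peers

def peer_reachability(config):
    """Return {peer: verdict} for every crypto map peer in the config."""
    connected, routes, peers = parse(config)
    result = {}
    for peer in peers:
        if any(peer in net for net in connected):
            result[str(peer)] = "on-link"
            continue
        # Longest-prefix match over the static routes.
        matches = [r for r in routes if peer in r[0]]
        if not matches:
            result[str(peer)] = "no route"
            continue
        _, hop = max(matches, key=lambda r: r[0].prefixlen)
        # A static route is only usable if its next hop sits on a connected subnet.
        on_link = any(hop in net for net in connected)
        result[str(peer)] = f"via {hop}" if on_link else f"next hop {hop} not on-link"
    return result

if __name__ == "__main__":
    for name, cfg in (("no route", SAMPLE_CONFIG), ("routed", ROUTED_CONFIG)):
        print(name, peer_reachability(cfg))
```

A "no route" or "not on-link" verdict means IKE packets have no path to the peer, so no SA can form regardless of how the crypto map is set.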