Beginner

IPSec tunnel not coming up for 5505 ver9.0

I am working on a simple IPsec tunnel config in a lab at home and cannot get the IPsec tunnel to come up between the two ASAs. Any help would be greatly appreciated.

 

ASA2# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

1 ACCEPTED SOLUTION

Beginner

Re: IPSec tunnel not coming up for 5505 ver9.0

So this entire setup was flawed from the start, as I just completely did not think about routing in this lab. I got it to work, but what I did was put an 1841 in between the 2 ASAs to act as the internet. Then I did the layer 2 tunnel between the 2 ASAs and was able to get it to work. My apologies for posting this, as I am just diving into CCNA Security and trying to understand how VPN tunnels work. I was assuming that the ASAs (since they were directly connected together) would be able to talk to each other even though they were on different subnets. But I realized my mistake yesterday when I drew it out and worked on it, and I was able to get the tunnel up.

4 REPLIES 4
VIP Mentor

Re: IPSec tunnel not coming up for 5505 ver9.0

Hello,

The configs look good. The only thing that might be missing could be:

crypto map outside_map 20 set pfs

Can you try and add that to both configs?


Participant

Re: IPSec tunnel not coming up for 5505 ver9.0

Hi there!

 

As you try to pass traffic from one side of the tunnel to the other, can you run a debug crypto ikev1 on both sides, and share the output?

Are the ASAs directly connected? Can you also paste a show route?

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.

Participant

Re: IPSec tunnel not coming up for 5505 ver9.0

Glad that you figured it out.

Remember to rate helpful posts and/or mark as a solution if your issue is resolved.
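
The routing problem described in the accepted solution can be checked before any crypto debugging. The following is an added example, not code or configuration from the thread: a simplified longest-prefix route lookup that reports whether each ASA has a path to the other's outside (IKE peer) address. The device dictionaries, the addresses (documentation ranges) and the default routes in the fixed case are assumptions made for illustration.

```python
import ipaddress

def lookup(device, dest):
    """Longest-prefix match over connected networks and static routes.

    Returns ("connected", ifname), ("via", gateway), or None if no route."""
    dest = ipaddress.ip_address(dest)
    connected = {name: ipaddress.ip_interface(cidr).network
                 for name, cidr in device["interfaces"].items()}
    best_len, best = -1, None
    for name, net in connected.items():
        if dest in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, ("connected", name)
    for prefix, gateway in device["routes"]:
        net = ipaddress.ip_network(prefix)
        # A static route is usable only when its gateway is on a connected subnet.
        on_link = any(ipaddress.ip_address(gateway) in c for c in connected.values())
        if dest in net and on_link and net.prefixlen > best_len:
            best_len, best = net.prefixlen, ("via", gateway)
    return best

def outside_ip(device):
    return str(ipaddress.ip_interface(device["interfaces"]["outside"]).ip)

def peer_paths(a, b):
    """Path each ASA would use to reach the other's outside (IKE peer) address."""
    return {a["name"]: lookup(a, outside_ip(b)),
            b["name"]: lookup(b, outside_ip(a))}

# Constructed lab data (documentation address ranges, not from the thread).
# Back-to-back cable, outside interfaces in different subnets, no routes:
BROKEN = (
    {"name": "ASA1", "interfaces": {"outside": "198.51.100.1/30"}, "routes": []},
    {"name": "ASA2", "interfaces": {"outside": "203.0.113.1/30"}, "routes": []},
)
# Router between them (198.51.100.2 and 203.0.113.2), default route on each ASA:
FIXED = (
    {"name": "ASA1", "interfaces": {"outside": "198.51.100.1/30"},
     "routes": [("0.0.0.0/0", "198.51.100.2")]},
    {"name": "ASA2", "interfaces": {"outside": "203.0.113.1/30"},
     "routes": [("0.0.0.0/0", "203.0.113.2")]},
)

if __name__ == "__main__":
    for label, (a, b) in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, peer_paths(a, b))
```

A result of None for either side means that ASA has nowhere to send IKE packets for its peer, which is consistent with an empty show crypto isakmp sa.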