rimbertr1
Level 1

We're using an ASA 7.0 to establish L2L VPN tunnels and I'd always have the remote side initiate the tunnel (say, pinging our server from one of the customer's servers), but I can never get the tunnel to establish by initiating it on our side (pinging the customer server from our server). I know about choosing the proper interface to ping from if using the ASA, and that doesn't work either.

I remember finding a link that talked about this but I can't find it now.  I think the link says the configurations on both sides have to match exactly but it still doesn't work for me.

It just seems that the tunnel can only be initiated by traffic from the remote side of the ASA (or the VPN Concentrator - which is what we used to use).  But what is getting me more confused is, I have successfully set up two of our office sites with an ASA on both ends so where's the remote side of the ASA if both VPN peers are ASAs?

If someone can straighten this out or provide a link that can explain this, I'd really appreciate it!

Comments
m-ketchum
Level 1

Remove "set connection-type originate-only" from your crypto maps, which will set it to the default of "set connection-type originate-only bidirectional"

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/c.html#wp1974970

http://www.ketchumits.com


rimbertr1
Level 1

It's already set to bidirectional (the default).  I didn't specify originate only.
