Introduction
This documents describes the solution to connectivity failuere between site to site VPN.
What is Site to Site VPN?
A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.
There are two types of site-to-site VPNs:
- Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.
- Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.
Problem:
There are many reasons that the VPN tunnel can fail between the ASA and the Fortinet firewall, but one of the commonly known reasons is that the Fortinet device drops the /32 mask on the host access control lists (ACLs).
The debugs on the ASA suggest that the IPsec attributes do not match.
Resolution
In order to resolve this issue, complete these steps:
- Use a wider subnet mask in the crypto ACLs on both sides.
- Use a specific subnet as the source and destination rather than one specific host.
Refer to How to fix VPN tunnel-related issues on the PIX Firewall, Concentrator, ASA and Router in order to fix other VPN tunnel-related issues on the ASA.
ASA Software Version
7.1
7.2
ASA Models
ASA 5510
