Hi, VPN Filters are configured inbound direction, but they are bi-directional/stateful as the outbound rule is automatically compiled.   No interface level ACLs need to be configured, the sysopt connection permit-vpn command (which is default) allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists.   Your examples therefore look correct if applied to ASA1, they would be incorrect if applied to ASA2.   HTH ... View more

Yes, it looks that way. Another useful command is "show crypto session brief" it doesn't give you the total (you'd have to manually count), but it does confirm the status, as in is the tunnel UP and the uptime for each tunnel. HTH ... View more

Ok, on an IOS router the command "show crypto sockets" this would identify the number of active connections/VPN tunnels:-   R1#show crypto sockets Number of Crypto Socket connections 2    Vi2 Peers (local/remote): 1.1.1.1/3.3.3.1        Local Ident  (addr/mask/port/prot): (1.1.1.1/255.255.255.255/0/47)        Remote Ident (addr/mask/port/prot): (3.3.3.1/255.255.255.255/0/47)        IPSec Profile: "IPSEC_PROFILE"        Socket State: Open        Client: "TUNNEL SEC" (Client State: Active)    Vi1 Peers (local/remote): 1.1.1.1/2.2.2.1        Local Ident  (addr/mask/port/prot): (1.1.1.1/255.255.255.255/0/47)        Remote Ident (addr/mask/port/prot): (2.2.2.1/255.255.255.255/0/47)        IPSec Profile: "IPSEC_PROFILE"        Socket State: Open        Client: "TUNNEL SEC" (Client State: Active)   ... View more

Hi, Are you referring to VPN's on an ASA firewall? If so, you can use the command "show vpn-sessiondb" this will display the VPN session information. HTH ... View more

SHA is the default hashing algorithm, it doesn't appear in the running config. Even if you manually define SHA as the hashing algorithm it would not be displayed in the runnning config, only an algorithm other than the default would be displayed in the running config. You can confirm the actual hashing algorithm by running "show crypto isakmp policy" it would appear as Secure Hash Standard. The errors provided still look like Phase 2 issues, confirm with 3rd party exactly what they have configured.   HTH ... View more

Well you have partially established Phase 2 for both the crypto map and Tunnel 2 - but no inbound or outbound esp sas for either crypto map or VTI....so tunnel not fully established. Tunnel2 does not have an IP address configured either, if you haven't agreed an IP address for the tunnel interface with the 3rd party I assume a VTI was not intended. I don't believe you can create a VTI without an ip address, whether specified either manually or using a loopback. If you don't have an IP address for the tunnel, disable the tunnel interface and troubleshoot the crypto map. Bounce the tunnel and generate some debugs:- debug crypto ipsec debug crypto isakmp Upload debug output here as attachments. Also confirm with the 3rd party the configuration, especially the crypto map ACL and Phase 2 settings. HTH ... View more

Hi, If you establish Phase 2 only when using the VTI, then the other end is probably not configured as expected. As you have established an IPSec SA (Phase 2) then you pretty much have a tunnel established, you probably just need to add the static route via Tunnel2. Establish a tunnel again and then please provide the full output of "show crypto ipsec sa detailed" - this will confirm whether packets are being encrypted/decrypted. If not this will provide clues as to where the issue could be. You have "tunnel mode ipsec ipv4" configured under Tunnel2, this means you are using ipsec encapsulation NOT gre. HTH ... View more

Hi, If using tftp how about increasing the tftp blocksize on the switch - "ip tftp blocksize 8192" HTH ... View more

Hi, In your previous post, you appeared to not have modified the crypto map ACL (#120) exactly as per @Georg Pauwen's instruction. You left the existing ACE in place   Remove this:- access-list 120 permit ip 10.213.16.0 0.0.0.255 any   Leaving just this:- access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.110 access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.111 access-list 120 permit ip 10.213.16.0 0.0.0.255 host 10.16.1.112   HTH ... View more

See this link, you can define ospf as non-broadcast and statically define the neighbor. HTH ... View more

Hi, Even in the latest ASA version 9.10 only BGP is supported on VTI's, reference here. HTH ... View more

Hi, What about using DAP to scan windows reigstry for the Domain Registry key in order to determine the domain membership? Alhough I can anyone could just create the key with the correct entry, a domain issue certificate would be as easy to circumvent.   HTH ... View more

Hi, You'll need to configure the following:- - IKEv2 Proposal/Policy (optional, you can use smart defaults) - IKEv2 Keyring (if using PSK) - IKEv2 Profile - define authentication (local/remote), identities (local/remote), PSK/Certificates, DPD - IPSec Transform Set - IPsec Profile - reference the IKEv2 Profile and Transform Set - Modify the tunnel interface to use the new IPSec Profile   There are plenty of FlexVPN (IKEv2) configuration guides here with example configuration.   IKEv2 and IKEv1 are not compatible, if you change your end of the VPN to IKEv2 you will need to co-ordinate with the 3rd party in order for them to re-configure their end to establish a tunnel.   HTH ... View more

Hi, I believe this is only achievable using a VTI, it would be configured under the ipsec profile. E:g-   crypto ipsec profile IPSEC_PROFILE  responder-only   Your ASA version 9.6.4 doesn't support VTI, as this was introduced in 9.7   HTH ... View more