ASA to ASA site to site IPsec VPN doesn't form phase 1 or 2 tunnel

tfabian-smith
Level 1

Hey all,

I'm attempting to set up a site-to-site IPsec VPN tunnel between two ASAs in a test environment. I'm attempting to recreate my production environment (to a degree), with the ultimate goal of testing OSPF static neighbors between the test ASAs in hopes of rolling that out to my production network eventually. Before I can do that, however, I need to get the tunnel working in my test network. Right now, the tunnel is the problem. OSPF can wait.


As I'm sure you will be able to tell, I'm not super well versed in the ASA or creating VPN tunnels.


The two test ASAs are 5510s. One is running IOS 8.4(7) and the other is running 9.1(5). Both are using ASDM 7.3.


I've been through multiple setup guides, instructions, blogs, forums, etc., and one would think by reading that stuff that setting up a simple IPsec tunnel is as easy as just using the Site-to-Site VPN wizard (which I've tried multiple times), but apparently not.


I have a Windows Server 2012 R2 box running RRAS sitting between the two test ASAs to act as my faux-internet connection (basically to give me a hop between the two ASAs). RRAS just has static routes set up for connectivity between the two ASAs. This has been tested and is working.


In attempting to set up the site-to-site VPN, I've tested a number of configurations, none of which have worked so far. I've tried using both IKEv1 and IKEv2, individually and with both enabled, with a simple pre-shared key. I've tried using PFS with D-H group 2 and 5. I've tried using specific IKE proposals. I've tried using specific group policy as well as the default. It doesn't need to NAT, since it's not actually going to the internet, so I've disabled NAT-T (although I've tried it both ways).


Since this is a test environment, the ACLs are all permit any any for IP and ICMP.


I'm sending interesting traffic by pinging from two different devices across the connection where I want the VPN to form. However, from what I can tell, it's not even forming the phase 1 tunnel. When wiresharking on the interfaces on the Windows server the two ASAs are connected to, I don't see any packets that look like they're trying to establish a tunnel or exchange keys, etc.


Also, I've got debugging turned on for IKEv1, IPsec and the crypto engine and I'm only seeing the following messages:
[IKEv1]Ignoring msg to mark SA with specified coordinates <outside_map, 1> dead
and
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565


I've done research on both errors but haven't found anything so far that has helped.


This morning I wiped both test ASAs back to factory defaults. Since then, I've added the basic config for addressing and accessing ASDM and to allow ICMP, in addition to attempting to set up the VPN yet again. I've attached the configs for both of my test ASAs. The configs reflect a pretty simple VPN configuration attempt, with just IKEv1 enabled. As I've mentioned, I've tried multiple other variations on the configuration. What is reflected in the configs is what I would consider my "base" config.


Additionally, here is how the RRAS static routing is configured:
NIC 1: 192.168.99.2/30
NIC 2: 192.168.100.2/30
Routes:
10.1.1.0/24 GW: 192.168.100.1
10.1.2.0/24 GW: 192.168.100.1
192.168.56.0/29 GW: 192.168.100.1
172.20.1.0/24 GW: 192.168.99.1
172.20.1.0/24 GW: 192.168.99.2
192.168.55.0/29 GW: 192.168.99.2
*** The 172.20.x.x and 10.1.x.x networks are the networks I want to send through the VPN


Any and all help and suggestions are appreciated. If more details, configs, etc, are needed, I am happy to oblige.
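As an added check (not part of the original post), a small Python script that applies a longest-prefix lookup to the transit host's static routes listed above and reports, for each network meant to cross the tunnel, whether the route is missing, listed twice with different next hops, or points at a next hop outside the RRAS NIC subnets. The route table and addresses are copied from the post; the check logic and the assumption that a next hop should sit in a directly connected NIC subnet are mine.

```python
import ipaddress

# Transit-host NICs as described in the post (the RRAS box between the ASAs).
NICS = [ipaddress.ip_interface("192.168.99.2/30"),
        ipaddress.ip_interface("192.168.100.2/30")]

# Static routes exactly as listed in the post: (prefix, next hop).
ROUTES = [
    ("10.1.1.0/24", "192.168.100.1"), ("10.1.2.0/24", "192.168.100.1"),
    ("192.168.56.0/29", "192.168.100.1"), ("172.20.1.0/24", "192.168.99.1"),
    ("172.20.1.0/24", "192.168.99.2"), ("192.168.55.0/29", "192.168.99.2"),
]

# Networks the post says should traverse the tunnel.
PROTECTED = ["10.1.1.0/24", "10.1.2.0/24", "172.20.1.0/24"]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns (best prefix, set of next hops for it)."""
    addr = ipaddress.ip_address(dst)
    best, hops = None, set()
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best, hops = net, {gw}
        elif net.prefixlen == best.prefixlen:
            hops.add(gw)  # same prefix listed again with another next hop
    return best, hops


def on_link(gw, nics=NICS):
    """True when the next hop lies in a directly connected NIC subnet."""
    return any(ipaddress.ip_address(gw) in n.network for n in nics)


def check(protected=PROTECTED, routes=ROUTES, nics=NICS):
    """Map each protected network to 'ok: <hop>' or a problem description."""
    findings = {}
    for p in protected:
        host = str(ipaddress.ip_network(p)[1])  # representative destination
        best, hops = lookup(host, routes)
        if best is None:
            findings[p] = "missing route"
        elif len(hops) > 1:
            findings[p] = "ambiguous: " + ", ".join(sorted(hops))
        elif not on_link(next(iter(hops)), nics):
            findings[p] = "next hop not directly reachable: " + next(iter(hops))
        else:
            findings[p] = "ok: " + next(iter(hops))
    return findings
```

Run `check()` against the posted table and extend `PROTECTED` with the peer addresses of both ASAs to confirm the transit host can forward IKE traffic in each direction.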

1 Reply

tfabian-smith
Level 1

Figured it out and got it working. I was missing routes.