ASA v9.3 IKEv2 L2L VPN not working

derrick
Level 1

I'm trying to connect two ASAs together using the following config, but I am unable to get it to work. Can someone let me know what I'm doing wrong?

ASA-1
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.120.128.0 255.255.254.0
 network-object 10.120.0.0 255.255.254.0
 network-object 10.120.32.0 255.255.254.0
object-group network REMOTE-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.222.11 type ipsec-l2l
tunnel-group 207.130.222.11 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.222.11
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup

ASA-2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
object-group network REMOTE-SUBNET
 network-object 10.120.128.0 255.255.254.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.2.137 type ipsec-l2l
tunnel-group 207.130.2.137 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.2.137
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup
Accepted Solution

Try adding the PSK to the crypto-map:

crypto map ikev2-map 1 set ikev2 pre-shared-key key123!!

And your crypto-ACLs are not mirrored.

2 Replies

It was the ACL; can't believe I missed that. Thanks for pointing it out!
