11-16-2015 09:52 AM
I'm trying to connect two ASAs together using the following config, but I am unable to get it to work. Can someone let me know what I'm doing wrong?
ASA-1:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.120.128.0 255.255.254.0
 network-object 10.120.0.0 255.255.254.0
 network-object 10.120.32.0 255.255.254.0
object-group network REMOTE-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.222.11 type ipsec-l2l
tunnel-group 207.130.222.11 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.222.11
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup
ASA-2:
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
object-group network REMOTE-SUBNET
 network-object 10.120.128.0 255.255.254.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.2.137 type ipsec-l2l
tunnel-group 207.130.2.137 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.2.137
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup
11-16-2015 01:03 PM
Try adding the PSK to the crypto-map:
crypto map ikev2-map 1 set ikev2 pre-shared-key key123!!
And your crypto-ACLs are not mirrored.
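The mirroring problem the reply points at is easy to miss once the crypto ACL is written in terms of object-groups: ASA-1 offers three 10.120.x.0/23 networks as local traffic selectors, while ASA-2's REMOTE-SUBNET only contains one of them, so two of the three never have a matching selector on the far side. The following script is an added example, not part of the original thread, that expands each peer's `ikev2-list` ACL into (source, destination) pairs and reports every pair that has no reversed counterpart on the other peer. The sample configs are the object-group and access-list lines taken from the two posted configs; `ASA2_CONFIG_FIXED` is a constructed, corrected version of the ASA-2 side. Only the operand forms the thread's configs use (`object-group`, `host`, `any`, network/mask) are parsed.

```python
"""Check that two ASA crypto ACLs (IKEv2 traffic selectors) are mirror images."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the object-group and access-list lines from the thread.
ASA1_CONFIG = """
object-group network LOCAL-SUBNET
 network-object 10.120.128.0 255.255.254.0
 network-object 10.120.0.0 255.255.254.0
 network-object 10.120.32.0 255.255.254.0
object-group network REMOTE-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
"""

ASA2_CONFIG = """
object-group network LOCAL-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
object-group network REMOTE-SUBNET
 network-object 10.120.128.0 255.255.254.0
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
"""

# Constructed corrected ASA-2 side: REMOTE-SUBNET now lists all of ASA-1's locals.
ASA2_CONFIG_FIXED = ASA2_CONFIG.replace(
    " network-object 10.120.128.0 255.255.254.0\n",
    " network-object 10.120.128.0 255.255.254.0\n"
    " network-object 10.120.0.0 255.255.254.0\n"
    " network-object 10.120.32.0 255.255.254.0\n",
)

Pair = Tuple[str, str]  # (source CIDR, destination CIDR)


def parse_object_groups(config: str) -> Dict[str, List[str]]:
    """Return {group name: [CIDR, ...]} for every 'object-group network' block.

    Handles 'network-object host A' and 'network-object A MASK' members only;
    any other statement ends the current group.
    """
    groups: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None or not line.startswith("network-object "):
            current = None
            continue
        parts = line.split()
        if parts[1] == "host":
            groups[current].append(f"{parts[2]}/32")
        else:
            net = ipaddress.IPv4Network((parts[1], parts[2]), strict=False)
            groups[current].append(str(net))
    return groups


def _take_operand(tokens: List[str], groups: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Consume one ACL address operand: object-group NAME | host A | any | A MASK."""
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return [f"{tokens[1]}/32"], tokens[2:]
    if tokens[0] in ("any", "any4"):
        return ["0.0.0.0/0"], tokens[1:]
    net = ipaddress.IPv4Network((tokens[0], tokens[1]), strict=False)
    return [str(net)], tokens[2:]


def crypto_acl_pairs(config: str, acl_name: str) -> Set[Pair]:
    """Expand every 'access-list <acl_name> extended permit ip' line into (src, dst) pairs."""
    groups = parse_object_groups(config)
    pattern = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip (.+)$")
    pairs: Set[Pair] = set()
    for raw in config.splitlines():
        m = pattern.match(raw.strip())
        if not m:
            continue
        src, rest = _take_operand(m.group(1).split(), groups)
        dst, _ = _take_operand(rest, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs


def unmirrored(local_cfg: str, remote_cfg: str, acl_name: str = "ikev2-list") -> Tuple[Set[Pair], Set[Pair]]:
    """Return (local pairs with no (dst, src) match on remote, remote pairs with no match on local)."""
    local = crypto_acl_pairs(local_cfg, acl_name)
    remote = crypto_acl_pairs(remote_cfg, acl_name)
    return local - {(d, s) for s, d in remote}, remote - {(d, s) for s, d in local}


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA2_CONFIG), ("fixed", ASA2_CONFIG_FIXED)):
        missing_on_asa2, missing_on_asa1 = unmirrored(ASA1_CONFIG, cfg)
        print(f"ASA-2 {label}:")
        for src, dst in sorted(missing_on_asa2):
            print(f"  ASA-1 selector {src} -> {dst} has no mirror on ASA-2")
        for src, dst in sorted(missing_on_asa1):
            print(f"  ASA-2 selector {src} -> {dst} has no mirror on ASA-1")
        if not missing_on_asa2 and not missing_on_asa1:
            print("  crypto ACLs are mirrored")
```

Run against the posted configs it lists four ASA-1 selectors (10.120.0.0/23 and 10.120.32.0/23, each towards both remote networks) with no mirror on ASA-2; against the corrected ASA-2 object-group it reports the ACLs as mirrored. The same mismatch shows up on the box as Phase 2 selector failures while the IKEv2 SA itself comes up, which is why it is worth checking the ACLs before the PSK.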
11-17-2015 09:16 AM
It was the ACL, can't believe I missed that. Thanks for pointing it out!