Beginner

Re: Configuring Site-to-Site VPN on two ASA5505

The tunnel is up now. I will post the detail and the complete config later, but just want to post my status and thank everyone for all the help everyone has contributed.

Many thanks again


Sent from Cisco Technical Support Android App

Beginner

Configuring Site-to-Site VPN on two ASA5505

Again, I really appreciate everyone's contribution to this Site-to-Site VPN lab issue that I've been struggling with for the last couple of days. Because of everyone's help, I now have a running Site-to-Site VPN tunnel. Provided below is a minor revision to the original config from my first post. Basically what is added to the revised config below is the command "crypto ikev1 enable outside". The rest of the config has not been changed. Although I'm not certain if the command "crypto ikev1 enable outside" did the trick, maybe someone can confirm this.

Anyhow, after the ASAs were put to their factory-default config (#configure factory-default), I connected a workstation to the Inside Interface of each of the ASAs to verify internet access. And that was confirmed prior to applying the configs below.

And here is my mistake. I failed to realize that in order for the VPN tunnel to establish a connection, I must first issue a ping command from a host on the local LAN to a host on the remote LAN (Interesting Traffic). Instead, I kept on issuing pings from the ASA to a host on the remote LAN, unlike routers. Yep, the ICMP deny any outside statement was removed for testing purposes.

And finally I have an active message.

ASA1# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 200.200.200.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Here is the complete Site-to-Site VPN configurations:

ASA1:

crypto ikev1 enable outside
crypto isakmp enable outside
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit

ASA2:

crypto ikev1 enable outside
crypto isakmp enable outside
object network net-local
 subnet 192.168.2.0 255.255.255.0
object network net-remote
 subnet 192.168.1.0 255.255.255.0
!
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key pass1234
 isakmp keepalive threshold 10 retry 2
!
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 100.100.100.1
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
exit

Verification:

#show crypto isakmp sa
#show crypto ipsec sa
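As an added example (not from the original post or from Cisco), here is a small Python script that reads the two ASA configs above and checks that they agree with each other before you bring the tunnel up: same pre-shared key, ISAKMP policy, transform set and PFS group, `crypto ikev1 enable outside` present on both boxes, and mirror-image local/remote subnets in the crypto ACL objects. The config text is copied from this thread and reduced to the VPN-relevant lines; the function names are my own.

```python
# Constructed from ASA1's config in the thread, trimmed to the lines that must agree across the pair.
ASA1 = """crypto ikev1 enable outside
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key pass1234
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
"""
# ASA2 is the mirror image: local/remote subnets swapped, peer is ASA1's outside address.
ASA2 = (ASA1.replace("192.168.1.0", "TMP").replace("192.168.2.0", "192.168.1.0")
        .replace("TMP", "192.168.2.0").replace("200.200.200.1", "100.100.100.1"))


def parse(cfg):
    """Extract the phase 1 / phase 2 parameters that both peers must agree on."""
    f = {"subnets": {}, "policy": {}, "ikev1": "crypto ikev1 enable outside" in cfg}
    obj = None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["object", "network"]:
            obj = w[2]                                   # remember which object the subnet belongs to
        elif w[0] == "subnet":
            f["subnets"][obj] = (w[1], w[2])
        elif w[0] == "pre-shared-key":
            f["psk"] = w[1]
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            f["policy"][w[4]] = w[5]                     # e.g. policy["encrypt"] = "3des"
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            f["xform"] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[4:6] in (["set", "peer"], ["set", "pfs"]):
            f[w[5]] = w[6]
    return f


def mismatches(a, b):
    """Return a list of problems that would stop IKEv1/IPsec from negotiating; empty means consistent."""
    out = [f"{k} differs: {a.get(k)} vs {b.get(k)}"
           for k in ("psk", "policy", "xform", "pfs") if a.get(k) != b.get(k)]
    out += [f"side {n}: 'crypto ikev1 enable outside' is missing" for n, s in (("A", a), ("B", b)) if not s["ikev1"]]
    # One side's local network must be exactly the other side's remote network, and vice versa.
    if (a["subnets"]["net-local"], a["subnets"]["net-remote"]) != (b["subnets"]["net-remote"], b["subnets"]["net-local"]):
        out.append("local/remote subnets are not mirror images")
    return out
```

Calling `mismatches(parse(ASA1), parse(ASA2))` on the thread's configs returns an empty list; drop the `crypto ikev1 enable outside` line from one side and the check reports it.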

Hall of Fame Master

Configuring Site-to-Site VPN on two ASA5505

Thanks for the update.

Bottom line - add one command and realize the ASA doesn't count self-generated traffic as interesting since it will just send it out sourced from its outside interface (based on its routing table) and never attempt to establish a VPN for that traffic.

Happy studies.