Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1236
Views
0
Helpful
2
Replies

IKEv2 VPN - Multiple Networks

Sakun Sharma
Level 1
Level 1

‎09-10-2019 10:16 PM - edited ‎09-10-2019 10:18 PM

Hello,

 

I have configured IKEv2 between 3945 and ASA. On 3945 end I have only 1 network, but on ASA end I have 3 networks. When the VPN connection is formed, I only see 1 subnet on each end, I cannot reach other two subnets from 3945 end. Yesterday after sometime, I was able to reach one of the other subnet, but again after sometime I can't? Any idea or suggestions?

 

When I do 'show crypto ipsec sa' on 3945, I see all three subnets, but on ASA only 1 subnet.

 

Thanks

 

Labels:
0 Helpful
2 Replies 2

Karsten Iwen
VIP
VIP

‎09-11-2019 07:45 AM

One typical config-problem that can cause situations like these, is when the crypto ACLs on both ends do not mirror. Please check this first. And if you migrate to route based VPNs (virtual tunnel interfaces, VTIs), this config-problem can not happen.

0 Helpful

Sakun Sharma
Level 1
Level 1
In response to Karsten Iwen

‎09-11-2019 08:53 PM

Hi

 

Thank you for your response. ACL are exactly same on both end.


One thing I have obsevered that when I initiate the traffic from ASA end, the network tunnel comes up. But when I try to initiate the traffic from 3945, ASA doesn't bring the second IPSEC tunnel for the network. How can I make 3945 as traffic initiator?

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents