Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.
The original, VPN1 is still connected though.
I've varified the preshared keys on both ends match.
Here's an error from the debug of the second ASA, VPN2
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!
Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!
As far as the ASA configs, everything is the exactly the same, except;
NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.
I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ
object-group network DM_INLINE_NETWORK_1
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.26.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.27.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
Working ASA VPN1 - not sure exactly how the bolded line works
no crypto isakmp nat-traversal
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
HQ 2811 -----------------------------------------------------------------------
Hope I included enough of the router config. Again, VPN1 is working.
crypto isakmp key VPN1PW address 99.x.x.x
crypto isakmp key VPN2PW address 108.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 99.x.x.x VPN1
set peer 99.x.x.x
set transform-set ESP-AES-128-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 108.x.x.x VPN2
set peer 108.x.x.x
set transform-set ESP-AES-128-SHA
match address 105
!
****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2. I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2
interface FastEthernet0/1
description T1 to Internet$FW_OUTSIDE$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
