04-24-2012 05:18 AM
Hi guys,
I have a Cisco ASA 5520 and I would like to create a VPN Site to Site.
I'm not a network administrator but I have to do this VPN. I'm using the Wizard, in the Remote Site Peer window I have to select a Pre Shared Key. Is this key mine or from the peer?
Do you have any suggestions to create this VPN?
Kind regards.
04-24-2012 08:00 AM
Hi Seb,
The Pre Shared Key (PSK) is a mutual password of sorts, defined by you and used in the tunnel configuration on both sides. When configuring your VPN, you will need to use the same PSK on both ends. I recommend making sure the PSK is complex.
Hope this helps.
04-24-2012 10:42 AM
That's right, the key must be the same on both sites, and remember that the parameters you configure also must match on both sides.
Good luck!
Sent from Cisco Technical Support iPhone App
04-25-2012 02:25 AM
OK, thank you for your answer.
The VPN must be configured to give access to a client to my Network. If I use the Wizard to create the VPN Site to Site, do I need to configure something else?
Thanks.
04-25-2012 08:22 AM
Hi Seb,
A Site to Site VPN is different than a Remote Access VPN. If you are using the wizards in ASDM there is an option for both when you start the VPN wizard (see attached screenshot). You can use a PSK in both scenarios and, like stated before, the PSK has to be used on both ends. When using a PSK for remote access clients, there is an option for inserting that into the configuration on the client.
Configuring VPN for remote access does require answering some questions such as What policies do you want to enforce in Phase 1 and Phase 2? How do you want to authenticate users? What resources do you want to be made available to remote users? And many more. If you are relatively new to configuring VPNs, I suggest digging into the configuration examples and technotes to get a better understanding.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
Good luck with everything. It's not too hard once you get your first one done.
04-26-2012 06:39 AM
Yes it is a VPN Site to Site that I want to create.
In the wizard I checked:
VPN Tunnel Type: Site to Site
VPN Tunnel Interface: OUTSIDE
Enable Inbound IPsec
IKE Policy:
Encryption AES-256
Authentication SHA
Diffie-Hellman Group 5
IPsec Rule:
AES-256 SHA Group 1
Enable PFS
Local Network: my server
Remote Network: subnet from client
After finishing, I have a rule in ACL Manager in VPN for Outside_1_cryptomap with the networks which I selected.
Do I have to add some others rules in the firewall too?
Thanks.
05-04-2012 04:55 AM
The VPN Site to Site is configured.
In the Monitoring from ASA I have some errors like:
4|May 04 2012|11:57:01|402116|Client-PublicIP||212.211.158.77||IPSEC: Received an ESP packet (SPI= 0x2AF9D901, sequence number= 0x3) from Client-PublicIP (user= 212.211.158.77) to 212.205.125.88. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 212.205.125.88, its source as Client-PublicIP, and its protocol as 1. The SA specifies its local proxy as DMZ2/255.255.255.255/0/0 and its remote_proxy as Client-Subnet/255.255.255.0/0/0.
What is wrong?
Thanks.
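Reading the 402116 message from the post above: the ASA has already decrypted an ESP packet on a negotiated SA (so Phase 1 and Phase 2 completed with that peer), but the inner packet's destination, source and IP protocol (protocol 1 is ICMP) fall outside the SA's proxy identities, which are the local and remote networks chosen in the wizard (the Outside_1_cryptomap ACL). The small checker below parses a message of this shape and reports which selector the inner packet violates; it is an added example, not code from the original thread or from Cisco, and the sample log line is constructed with RFC 5737 documentation addresses in place of the real peer and subnet names.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample of an ASA 402116 message in ASDM's pipe-delimited log
# format. This is not the poster's log: addresses are RFC 5737 documentation
# ranges and the peer/subnet object names were replaced with literal addresses.
SAMPLE_402116 = (
    "4|May 04 2012|11:57:01|402116|203.0.113.10||203.0.113.10||"
    "IPSEC: Received an ESP packet (SPI= 0x2AF9D901, sequence number= 0x3) "
    "from 203.0.113.10 (user= 203.0.113.10) to 192.0.2.1. The decapsulated "
    "inner packet doesn't match the negotiated policy in the SA. The packet "
    "specifies its destination as 192.0.2.1, its source as 203.0.113.10, "
    "and its protocol as 1. The SA specifies its local proxy as "
    "192.0.2.50/255.255.255.255/0/0 and its remote_proxy as "
    "198.51.100.0/255.255.255.0/0/0."
)

_SPI_RE = re.compile(r"SPI= (?P<spi>0x[0-9A-Fa-f]+)")
_PACKET_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\d+)"
)
_PROXY_RE = re.compile(
    r"local proxy as (?P<local>\S+) and its remote_proxy as (?P<remote>\S+)"
)


@dataclass
class Proxy:
    """One proxy identity as the ASA prints it: address/mask/protocol/port.
    Protocol 0 and port 0 mean 'any'."""
    network: ipaddress.IPv4Network
    protocol: int
    port: int

    def accepts(self, address, protocol):
        # 402116 does not report the inner packet's ports, so only the
        # network and protocol selectors can be checked from the log.
        return (ipaddress.IPv4Address(address) in self.network
                and self.protocol in (0, protocol))


def parse_proxy(text):
    # A trailing period belongs to the sentence, not to the identity.
    addr, mask, proto, port = text.rstrip(".").split("/")
    return Proxy(ipaddress.IPv4Network((addr, mask), strict=False),
                 int(proto), int(port))


def parse_402116(line):
    """Extract the SPI, the inner packet tuple and both proxy identities."""
    spi = _SPI_RE.search(line)
    pkt = _PACKET_RE.search(line)
    prx = _PROXY_RE.search(line)
    if not (spi and pkt and prx):
        raise ValueError("not a 402116 message")
    return {
        "spi": spi.group("spi"),
        "inner_src": pkt.group("src"),
        "inner_dst": pkt.group("dst"),
        "inner_proto": int(pkt.group("proto")),
        "local_proxy": parse_proxy(prx.group("local")),
        "remote_proxy": parse_proxy(prx.group("remote")),
    }


def check_packet(local_proxy, remote_proxy, src, dst, proto):
    """Return the selector mismatches for an inbound decapsulated packet.
    Inbound traffic must have its destination inside the local proxy and
    its source inside the remote proxy; an empty list means it fits the SA."""
    problems = []
    if not local_proxy.accepts(dst, proto):
        problems.append(f"destination {dst} is outside local proxy "
                        f"{local_proxy.network}")
    if not remote_proxy.accepts(src, proto):
        problems.append(f"source {src} is outside remote proxy "
                        f"{remote_proxy.network}")
    return problems


def diagnose(line):
    info = parse_402116(line)
    return check_packet(info["local_proxy"], info["remote_proxy"],
                        info["inner_src"], info["inner_dst"],
                        info["inner_proto"])


if __name__ == "__main__":
    for problem in diagnose(SAMPLE_402116):
        print(problem)
```

For the constructed line both selectors fail: the inner packet runs from the peer's public address to this ASA's public address, while the SA only covers the single DMZ host and the client subnet. That pattern means the peer is sending traffic through the tunnel that its crypto ACL (or the networks chosen in the wizard) does not describe in the same way on both ends; comparing the two sides' local/remote network definitions is where to look, since a wrong PSK or mismatched Phase 1/2 parameters would have stopped the SA from being built at all.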
05-04-2012 05:22 AM
Seems like the way you and your partner defined the security parameters are different. You may want to verify the authentication method, shared key and crypto algorithm with your partner.
05-04-2012 05:30 AM
Thank you. I will check with him.
Do you need any result for a special command from my ASA?
05-04-2012 12:34 PM
You can verify the result with the commands:
show crypto isakmp sa
show crypto ipsec sa