Showing results for 
Search instead for 
Did you mean: 

ASA 5520 - VPN Site to Site


Hi guys,

I have a Cisco ASA 5520 and I would like  to create a VPN Site to Site.

I'm  not a network administrator but I have to do this VPN. I'm using the  Wizard, in the Remote Site Peer window I have to select a Pre Shared  Key. Is this key mine or from the peer?

Do you have any suggestions to create this VPN?

Kind regards.

9 Replies 9


Hi Seb,

The Pre Shard Key (PSK) is a mutual password of sort defined by you and used in the tunnel configuration on both sides. When configuring your VPN, you will need to use the same PSK on both ends. I recommend making sure the PSK is complex

Hope this helps.

Bart Kersten

Thats right key must be the same on both sites and remember that the parameters you configure also much match on both sides.

Good luck!

Sent from Cisco Technical Support iPhone App

ok thank you for your answer.

The VPN must be configured to give access to a client to my Network. If I use the Wizard to create the VPN Site to Site, do I need to configure something else?


Hi Seb,

A Site to Site VPN is different thana Remote Access VPN. If you are using the wizards in ASDM there is an option for both when you start the VPN wizard (See attached screenshot). You can use a PSK in both scenarios and like stated before, the PSK has to be used on both ends. When using a PSK for remote access clients, there is an option for inserting that into the configuration on the client.

Configuring VPN for remote access does require answering some questions such as What policies do you want to enforce in Phase 1 and Phase 2? How do you want to authenticate users? What resources do you want to be made available to remote users? And many more. If you are relatively new to configuring VPNs, I suggest digging into the configuration examples and technotes to get a better understanding.

Good luck with everything. It's not too hard once you get your first one done.

Yes it is a VPN Site to Site that I want to create.

In wizard I checked VPN Tunnel type : Site to Site

VPN Tunnel Interface : OUTSIDE

Enable Inbound IPsec

IKE Policy :

Encryption AES-256

Authentication SHA

Diffie-Hellman Group 5

IPSec Rule :

AES-256 SHA Group 1

Enable PFS

Local Network : my server

Remote Network : subnet from client

After finished, I have a rule in ACL Manager in VPN for Outside_1_cryptomap with the netwoks which I selected.

Do I have to add some others rules in the firewall too?


The VPN Site to Site is configured.

I the Monitoring from ASA I have some errors like :

4|May 04 2012|11:57:01|402116|Client-PublicIP||||IPSEC: Received an ESP packet (SPI= 0x2AF9D901, sequence number= 0x3) from Client-PublicIP (user= to  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as, its source as Client-PublicIP, and its protocol as 1.  The SA specifies its local proxy as DMZ2/ and its remote_proxy as Client-Subnet/

What is wrong?


seems like the way you and your partner defined the security parameters are different. You may want to verify the authentication method, shared key, crypto algorithm with your partner

thank you. I will check with him.

do you need any result for a special command from my ASA?

you can verify the result with command

show crypto isakmp sa

show crypto ip sa

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers