ASA 8.4.1 IKEv2 site-to-site VPN won't come up

muellertobias
Level 1

I am not sure what is wrong with my config. I can't get the IKEv2 site-to-site VPN up.

I had configured it with IKEv1 before and it was working excellently. With IKEv2, nothing.

ASA 8.4.1 on both devices

Site A - 5505 Basic, Site B - 5510 Security Plus

=====================================================================

Site A config:
ASA Version 8.4(1)
!
hostname ASA5505
enable password MNW1QPlXnaEBz0Jm encrypted
passwd MNW1QPlXnaEBz0Jm encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.130.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Utorrent-inside
host 10.100.130.5
object network INSIDE
subnet 10.100.130.0 255.255.255.0
object network REMOTE
subnet 192.168.200.0 255.255.255.0
object network REMOTE2
subnet 172.16.200.0 255.255.255.0
object network REMOTE3
subnet 172.16.100.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.100.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE REMOTE
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE2 REMOTE2
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE3 REMOTE3
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.100.130.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 enable outside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 10.100.130.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password 1qmfDjQLVALFWP4Q encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 local-authentication pre-shared-key *****
!
prompt hostname context
password encryption aes
hpm topN enable
Cryptochecksum:69aa37a1ebe9583a4f41469437b053e9
: end
ASA5505#

===========================================================================
Site B:
: Saved
:
ASA Version 8.4(1)
!
hostname ASA5510
enable password MNW1QPlXnaEBz0Jm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
!
boot system disk0:/asa841-k8.bin
ftp mode passive
object network INSIDE
subnet 192.168.200.0 255.255.255.0
object network REMOTE
subnet 10.100.130.0 255.255.255.0
object network LOCAL
subnet 172.16.200.0 255.255.255.0
object network ANY_OUTSIDE
subnet 0.0.0.0 0.0.0.0
object network LOCAL2
subnet 172.16.100.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.200.0 255.255.255.0 10.100.130.0 255.255.255.0
access-list l2l_list extended permit ip 172.16.200.0 255.255.255.0 10.100.130.0 255.255.255.0
access-list l2l_list extended permit ip 172.16.100.0 255.255.255.0 10.100.130.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE REMOTE
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE
nat (inside,outside) source static LOCAL2 LOCAL2 destination static REMOTE REMOTE
!
object network ANY_OUTSIDE
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 172.16.100.0 255.255.255.0 192.168.200.253 1
route inside 172.16.200.0 255.255.255.0 192.168.200.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password 1qmfDjQLVALFWP4Q encrypted
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
Cryptochecksum:90ae3328f0f2b91420037de6ddef1c73
: end

6 Replies

andrew.prince
Level 10

On first look you are double NATing - add on both sides:

nat 0 (inside) access-list l2l_list

That's correct.

As I said, the config with IKEv1 worked perfectly.

Errrmm, IKE Phase 1 has nothing to do with the layer 3 traffic; it's negotiating the encryption settings for Phase 2.

Well, I ended up getting v2 to work. It looks like the official config guide was missing the ikev2 remote-authentication pre-shared-key command.

Once I added that line on each side of the tunnel, the VPN came up.

I posted this message on another forum and a user there was able to help me out.

Thanks

tj.mitchell
Level 4

Where's the crypto policy?

Firewall A:
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 enable outside
telnet timeout 5

Firewall B:

crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
telnet timeout 5

Sorry, I missed copying that into my config examples, but it was on both my ASAs.
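Editor's note, pulling together the two things the thread ends on (the missing ikev2 remote-authentication pre-shared-key line, and the crypto ikev2 policy that was on both boxes but not in the pasted configs). The fragment below is an added example for Site A, not text from the original poster or from Cisco's documentation. The peer address is left as x.x.x.x as in the post, the PSK values are placeholders, and the algorithm choices are the editor's: the posted policy and proposal negotiate 3DES/DES with DH group 2, all of which are deprecated, so this version uses AES-256 and group 5 (valid keywords on 8.4(1); on an image that accepts group 14 or higher, prefer that). The reason the extra command matters is that IKEv2 on the ASA keeps separate keys per direction, so a tunnel-group with only a local-authentication key has nothing to verify the peer's AUTH payload against. NAT exemption is not part of the fix: on 8.3 and later the nat (inside,outside) source static X X destination static Y Y identity rules already present in both configs are the replacement for the pre-8.3 nat 0 access-list syntax.

```cisco
! Site A (ASA5505), IKEv2 L2L fragment. Added example; peer kept as x.x.x.x
! from the post, PSK placeholders and algorithm choices are the editor's.
!
! Phase 1 (IKE_SA_INIT / IKE_AUTH) policy. Must exist on both peers with at
! least one matching combination; the posted one used 3des / group 2.
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 43200
!
! Phase 2 (CHILD_SA) proposal. Listing only aes-256 means a peer cannot
! negotiate the ESP SA down to des or 3des, as the posted "aes 3des des" would.
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Crypto map and interface binding, unchanged from the post.
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 enable outside
!
! The fix from the thread. local-authentication is the key this ASA proves
! possession of in its AUTH payload; remote-authentication is the key it
! uses to verify the peer's AUTH payload. With a symmetric PSK both values
! are the same string; Site B needs the mirror image of these two lines under
! its tunnel-group for Site A's address (its local = A's remote and vice versa).
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 local-authentication pre-shared-key <KEY-A-PRESENTS-TO-B>
 ikev2 remote-authentication pre-shared-key <KEY-B-PRESENTS-TO-A>
```

A crypto-map tunnel is only initiated by interesting traffic, so after applying this on both sides send a ping from a host in 10.100.130.0/24 to one in 192.168.200.0/24 and check show crypto ikev2 sa (the IKEv2 SA for the peer should be in the READY state) and show crypto ipsec sa peer x.x.x.x (encaps/decaps counters incrementing). If it still fails, debug crypto ikev2 protocol 127 on one side will show whether the exchange stops at IKE_SA_INIT (no matching crypto ikev2 policy) or at IKE_AUTH (PSK mismatch or a missing remote-authentication key).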