03-30-2011 08:55 PM
I am not sure what is wrong with my config. I can't get the IKEv2 site-to-site VPN up.
I have configured this with IKEv1 before and it was working excellently. With IKEv2, nothing.
ASA 8.4.1 on both devices
Site A - 5505 Basic, Site B - 5510 Security Plus
=====================================================================
Site A config:
ASA Version 8.4(1)
!
hostname ASA5505
enable password MNW1QPlXnaEBz0Jm encrypted
passwd MNW1QPlXnaEBz0Jm encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.130.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Utorrent-inside
host 10.100.130.5
object network INSIDE
subnet 10.100.130.0 255.255.255.0
object network REMOTE
subnet 192.168.200.0 255.255.255.0
object network REMOTE2
subnet 172.16.200.0 255.255.255.0
object network REMOTE3
subnet 172.16.100.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.100.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE REMOTE
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE2 REMOTE2
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE3 REMOTE3
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.100.130.0 255.255.255.0 inside
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 enable outside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 10.100.130.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password 1qmfDjQLVALFWP4Q encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 local-authentication pre-shared-key *****
!
prompt hostname context
password encryption aes
hpm topN enable
Cryptochecksum:69aa37a1ebe9583a4f41469437b053e9
: end
ASA5505#
03-31-2011 01:57 AM
On first look you are double NATing. Add on both sides:
nat 0 (inside) access-list l2l_list
03-31-2011 09:32 AM
That's correct.
As I said, the config with IKEv1 worked perfectly.
04-01-2011 01:23 AM
Errrmm, IKE Phase 1 has nothing to do with the layer 3 traffic; it's negotiating the encryption settings for Phase 2.
04-01-2011 12:17 PM
Well, I ended up getting v2 to work. It looks like the official config guide was missing the "ikev2 remote-authentication pre-shared-key" line.
Once I added that line on each side of the tunnel, the VPN came up.
I posted this message on another forum and a user there was able to help me out.
Thanks
04-01-2011 12:21 PM
Where's the crypto policy?
Firewall A:
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer x.x.x.x
crypto map abcmap 1 set ikev2 ipsec-proposal secure
crypto map abcmap interface outside
crypto ikev2 enable outside
telnet timeout 5
Firewall B:
04-01-2011 06:11 PM
Sorry, I missed copying that into my config examples, but it was on both my ASAs.
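For reference, here is a complete minimal IKEv2 site-to-site pair that contains both things the thread ends up pointing at: a crypto ikev2 policy (the part the OP omitted from the pasted Site A config) and the ikev2 remote-authentication pre-shared-key line next to the local one (the part the OP found missing from the config guide). This is an added example, not a config from the original posts or from Cisco's documentation. It assumes ASA 8.4(1) syntax on both units, static outside addresses 203.0.113.1 for Site A and 198.51.100.1 for Site B (the OP's Site A outside is on DHCP, and Site B's tunnel-group could not be keyed on a changing address, so the example assumes static addresses on both ends), a placeholder key ExamplePSK-change-me, and Site A's posted object, ACL and crypto map names; the Site B object names SITEA and SITEB_NETS are made up for the example. The NAT exemption is kept in the 8.3+ twice-NAT form the OP already has, because "nat 0 (inside) access-list" is pre-8.3 syntax and is not accepted on 8.4.

```cisco
! ===== Site A (ASA 5505, inside 10.100.130.0/24, outside 203.0.113.1) =====
object network INSIDE
 subnet 10.100.130.0 255.255.255.0
object network REMOTE
 subnet 192.168.200.0 255.255.255.0
object network REMOTE2
 subnet 172.16.200.0 255.255.255.0
object network REMOTE3
 subnet 172.16.100.0 255.255.255.0
! Interesting traffic for the crypto map; the other side's ACL must be the mirror image.
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list l2l_list extended permit ip 10.100.130.0 255.255.255.0 172.16.100.0 255.255.255.0
! NAT exemption, 8.3+ form: identity twice NAT evaluated before the PAT on obj_any.
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE REMOTE
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE2 REMOTE2
nat (inside,outside) source static INSIDE INSIDE destination static REMOTE3 REMOTE3
! IKEv2 SA (IKE_SA_INIT) parameters: without a policy the peer has nothing to agree on.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
! Child (IPsec) SA proposal: AES only, dropping the 3des/des the posted proposal offered.
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 198.51.100.1
crypto map abcmap 1 set ikev2 ipsec-proposal AES256-SHA
crypto map abcmap interface outside
! IKEv2 authenticates each direction separately, so both keys are required.
! A's local key must equal B's remote key and vice versa (they may differ per direction).
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key ExamplePSK-change-me
 ikev2 remote-authentication pre-shared-key ExamplePSK-change-me

! ===== Site B (ASA 5510, inside 192.168.200.0/24 172.16.200.0/24 172.16.100.0/24, outside 198.51.100.1) =====
object network SITEA
 subnet 10.100.130.0 255.255.255.0
object-group network SITEB_NETS
 network-object 192.168.200.0 255.255.255.0
 network-object 172.16.200.0 255.255.255.0
 network-object 172.16.100.0 255.255.255.0
! Mirror image of Site A's l2l_list.
access-list l2l_list extended permit ip object-group SITEB_NETS object SITEA
nat (inside,outside) source static SITEB_NETS SITEB_NETS destination static SITEA SITEA
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 203.0.113.1
crypto map abcmap 1 set ikev2 ipsec-proposal AES256-SHA
crypto map abcmap interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key ExamplePSK-change-me
 ikev2 remote-authentication pre-shared-key ExamplePSK-change-me
```

After pasting, send traffic that matches l2l_list from an inside host and check "show crypto ikev2 sa" (the IKE SA should show READY) and "show crypto ipsec sa" (encaps/decaps counters should climb on both sides). If the IKE SA never forms, "debug crypto ikev2 protocol 127" shows which exchange fails: no matching crypto ikev2 policy stops it at IKE_SA_INIT, a missing or mismatched pre-shared key stops it at IKE_AUTH, and a proposal or ACL mismatch shows up only when the child SA is negotiated.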