cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1031
Views
10
Helpful
3
Replies

ASA to ASA IKev2 VPN

katheer4u
Level 1
Level 1

Hi

i have configured the VAN ASA to ASA allowing port 443 only but the tunnel not up 

please see the attached files and advise me 

thanks 

 

IKE Proposal Parameters
Key Exchange IKE V2
Authentication Mode:Preshared keys
Preshared Key:will be shared
Hash Algorithm:SHA256
Encryption Algorithm:AES 256
Diffie-Hellman Group:Group 21
Lifetime:28800
  
IPSEC Parameters
SA NegotiationESP
Hash Algorithm:SHA256
Encryption Algorithm:AES 256
Lifetime:3600 sec
1 Accepted Solution

Accepted Solutions

I assume you have no IKEv2 SAs "show crypto ikev2 sa" as you have the error message "Failed SA init exchange". Without IKEv2 established, you won't have IPSec SA, nor will packet-tracer test be successful.

Re-check your IKEv2 configuration and pre-shared keys on BOTH peers.

View solution in original post

3 Replies 3

Hi,
Have the IKEv2 and IPSec SAs been established?
Run the following commands:- "show crypto ikev2 sa" and "show crypto ipsec sa".

If they have not been established confirm the settings match with the peer, especially the ACL and enable debugs and provide the output.

When you say permitting only 443, do you have an ACL or VPN Filter applied?

HTH

hi

 

this the ACL

access-list site-server_AClist extended permit ip host 192.168.100.100 255.255.255.255 host 10.220.4.100 255.255.255.248

 

 

 

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

Please see the attached debug file  

I assume you have no IKEv2 SAs "show crypto ikev2 sa" as you have the error message "Failed SA init exchange". Without IKEv2 established, you won't have IPSec SA, nor will packet-tracer test be successful.

Re-check your IKEv2 configuration and pre-shared keys on BOTH peers.