Solved: ASA to ASA IKev2 VPN

katheer4u · ‎05-16-2020

Hi

i have configured the VAN ASA to ASA allowing port 443 only but the tunnel not up

please see the attached files and advise me

thanks

IKE Proposal Parameters
Key Exchange	IKE V2
Authentication Mode:	Preshared keys
Preshared Key:	will be shared
Hash Algorithm:	SHA256
Encryption Algorithm:	AES 256
Diffie-Hellman Group:	Group 21
Lifetime:	28800

IPSEC Parameters
SA Negotiation	ESP
Hash Algorithm:	SHA256
Encryption Algorithm:	AES 256
Lifetime:	3600 sec

Rob Ingram · ‎05-16-2020

I assume you have no IKEv2 SAs "show crypto ikev2 sa" as you have the error message "Failed SA init exchange". Without IKEv2 established, you won't have IPSec SA, nor will packet-tracer test be successful.

Re-check your IKEv2 configuration and pre-shared keys on BOTH peers.

View solution in original post

Rob Ingram · ‎05-16-2020

Hi,
Have the IKEv2 and IPSec SAs been established?
Run the following commands:- "show crypto ikev2 sa" and "show crypto ipsec sa".

If they have not been established confirm the settings match with the peer, especially the ACL and enable debugs and provide the output.

When you say permitting only 443, do you have an ACL or VPN Filter applied?

HTH

katheer4u · ‎05-16-2020

hi

this the ACL

access-list site-server_AClist extended permit ip host 192.168.100.100 255.255.255.255 host 10.220.4.100 255.255.255.248

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please see the attached debug file

Rob Ingram · ‎05-16-2020

I assume you have no IKEv2 SAs "show crypto ikev2 sa" as you have the error message "Failed SA init exchange". Without IKEv2 established, you won't have IPSec SA, nor will packet-tracer test be successful.

Re-check your IKEv2 configuration and pre-shared keys on BOTH peers.