11-16-2015 09:52 AM
I'm trying to connect two ASAs together using the following config, but unable to get it to work. Can someone let me know what I'm doing wrong?
ASA-1

crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.120.128.0 255.255.254.0
 network-object 10.120.0.0 255.255.254.0
 network-object 10.120.32.0 255.255.254.0
object-group network REMOTE-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.222.11 type ipsec-l2l
tunnel-group 207.130.222.11 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.222.11
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup
ASA-2

crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 14
 prf sha512
 lifetime seconds 86400
!
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
object-group network LOCAL-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
object-group network REMOTE-SUBNET
 network-object 10.120.128.0 255.255.254.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
tunnel-group 207.130.2.137 type ipsec-l2l
tunnel-group 207.130.2.137 ipsec-attributes
 ikev2 local-authentication pre-shared-key key123!!
 ikev2 remote-authentication pre-shared-key key123!!
!
crypto map ikev2-map 1 match address ikev2-list
crypto map ikev2-map 1 set peer 207.130.2.137
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
!
management-access inside
!
nat (inside,outside) source static LOCAL-SUBNET LOCAL-SUBNET destination static REMOTE-SUBNET REMOTE-SUBNET no-proxy-arp route-lookup
11-16-2015 01:03 PM
Try adding the PSK to the crypto-map:
crypto map ikev2-map 1 set ikev2 pre-shared-key key123!!
And your crypto-ACLs are not mirrored.
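The "crypto-ACLs are not mirrored" point can be checked mechanically before bringing a tunnel up: the crypto ACL on each side expands to a set of (local subnet, remote subnet) pairs, and for every pair on one ASA the reversed pair must exist on the peer, or the IKEv2 CHILD_SA negotiation for that traffic selector fails. The script below is an added example, not code from the thread or from Cisco; it parses the object-group, access-list and crypto map lines of the two configs posted above (copied as an excerpt, with the IKEv2 policy, tunnel-group and NAT lines left out), expands the ACLs and reports which pairs the peer does not mirror. It only handles the constructs the post uses (network-object with a mask or host, and permit ip with object-group, host, any or address/mask operands); nested group-object or object references are assumed absent.

```python
"""Mirror check for two ASA crypto ACLs (added example, not from the post)."""
import ipaddress
import re

# Relevant lines of the two configs from the post (excerpt).
ASA1 = """
object-group network LOCAL-SUBNET
 network-object 10.120.128.0 255.255.254.0
 network-object 10.120.0.0 255.255.254.0
 network-object 10.120.32.0 255.255.254.0
object-group network REMOTE-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
crypto map ikev2-map 1 match address ikev2-list
"""

ASA2 = """
object-group network LOCAL-SUBNET
 network-object 10.130.222.0 255.255.254.0
 network-object 10.255.255.0 255.255.255.0
object-group network REMOTE-SUBNET
 network-object 10.120.128.0 255.255.254.0
!
access-list ikev2-list extended permit ip object-group LOCAL-SUBNET object-group REMOTE-SUBNET
!
crypto map ikev2-map 1 match address ikev2-list
"""


def parse_object_groups(cfg):
    """Return {group name: [ip_network, ...]} for every 'object-group network' block."""
    groups, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith("network-object "):
            _, a, b = line.split()          # 'host X' or 'A.B.C.D MASK'
            groups[current].append(ipaddress.ip_network(b if a == "host" else f"{a}/{b}"))
        else:
            current = None                  # any other line (e.g. '!') closes the block
    return groups


def _operand(tokens, groups):
    """Consume one ACL source/destination operand and expand it to a list of networks."""
    kind = tokens.pop(0)
    if kind == "object-group":
        return groups[tokens.pop(0)]
    if kind == "host":
        return [ipaddress.ip_network(tokens.pop(0))]
    if kind == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ipaddress.ip_network(f"{kind}/{tokens.pop(0)}")]   # address followed by mask


def crypto_acl_pairs(cfg):
    """Expand the ACL named by 'crypto map ... match address' into (local, remote) pairs."""
    groups = parse_object_groups(cfg)
    acl = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    pairs = set()
    for raw in cfg.splitlines():
        m = re.match(rf"access-list {re.escape(acl)} extended permit ip (.+)$", raw.strip())
        if m:
            tokens = m.group(1).split()
            srcs = _operand(tokens, groups)
            dsts = _operand(tokens, groups)
            pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror_mismatches(cfg_a, cfg_b):
    """Return (pairs of A the peer B does not mirror, pairs of B that A does not mirror)."""
    a, b = crypto_acl_pairs(cfg_a), crypto_acl_pairs(cfg_b)
    return a - {(d, s) for s, d in b}, b - {(d, s) for s, d in a}


def suggested_remote_entries(missing_pairs):
    """network-object lines the peer's REMOTE group needs for the local side of each missing pair."""
    return sorted({f"network-object {s.network_address} {s.netmask}" for s, _ in missing_pairs})


if __name__ == "__main__":
    a_only, b_only = mirror_mismatches(ASA1, ASA2)
    for peer, missing in (("ASA-2", a_only), ("ASA-1", b_only)):
        if missing:
            print(f"{peer} does not mirror these pairs:")
            for s, d in sorted(missing):
                print(f"  {s} -> {d}")
            print(f"  {peer} REMOTE-SUBNET would need:")
            for entry in suggested_remote_entries(missing):
                print("   ", entry)
```

Run against the two configs, the script reports the four pairs whose local side is 10.120.0.0/23 or 10.120.32.0/23: ASA-1 proposes them, but ASA-2's REMOTE-SUBNET only lists 10.120.128.0/23. Adding those two networks to ASA-2's REMOTE-SUBNET makes the ACLs mirror; the same check is worth re-running whenever either side's object-groups change, since NAT exemption on the ASA keys off the same groups.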
11-17-2015 09:16 AM
It was the ACL, can't believe I missed that. Thanks for pointing it out!