ASA VTI IKEv2 Site to Site VPN to non VTI device: VPN only up when initiated from other device

nissinneuss
Level 1

Hello,

I have a Cisco ASA 9.9(1)2. I need to establish a VPN (IPsec IKEv2) to a device that is not under my control. On my ASA I have to use VTI. The VPN tunnel comes up and works correctly only when it is initiated from the other side; traffic from my side does not establish the VPN. Can someone give me a hint why, please?

x.x.40.0/24 <-> Other VPN device <-> Internet <-> ASA <-> LAN

The relevant configuration of my ASA is:

crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile IPSEC-PROFILE-001
 set ikev2 ipsec-proposal IPSEC-PROPOSAL-AES256-SHA256
 set pfs group2
 set security-association lifetime kilobytes unlimited
 set security-association lifetime seconds 3600
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800
!
crypto ikev2 enable OUTSIDE
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address a.a.a.a 255.255.255.240
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 10.0.10.4 255.255.255.248
!
interface Tunnel1
 nameif tuna
 ip address 10.1.1.1 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination b.b.b.b
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-001
!
object network branch2
 subnet x.x.44.0 255.255.255.0
object network branch1
 subnet x.x.40.0 255.255.255.0
object network company1
 subnet c.c.c.c 255.255.255.192
object network company3
 subnet x.x.16.0 255.255.255.0
object network company2
 subnet w.w.w.0 255.255.0.0
!
object-group network Group_L2L_company3_UK
 network-object object company2
 network-object object company1
 network-object object company3
object-group network Group_L2L_company3_UK_remote
 network-object object branch1
 network-object object branch2
!
route OUTSIDE 0.0.0.0 0.0.0.0 a.a.a.x 1
route tuna x.x.40.0 255.255.255.0 10.1.1.2 1
route tuna x.x.44.0 255.255.255.0 10.1.1.2 1
route INSIDE 0.0.0.0 0.0.0.0 10.0.10.1 tunneled
!
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

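As an added example, not part of the original post and not an answer to it: a small Python consistency check that parses an ASA configuration in the shape posted above and reports references to names that are never defined, plus the prerequisites a VTI tunnel needs (IKEv2 enabled on the tunnel source interface, an ipsec-l2l tunnel-group for the tunnel destination, a route that sends traffic into the tunnel nameif). The config embedded in it is constructed with placeholder names and documentation addresses; the ipsec-proposal naming mismatch in it is deliberate, to show the check firing. A clean result only means the config is self-consistent; it does not diagnose why a tunnel comes up from one side only.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample, modelled on the shape of the post's config.
# Names and addresses are placeholders, not the original device's values.
# The proposal is defined with underscores but referenced with hyphens.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal PROP_AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
crypto ipsec profile PROFILE-001
 set ikev2 ipsec-proposal PROP-AES256-SHA256
 set pfs group2
!
crypto ikev2 enable OUTSIDE
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.10 255.255.255.240
!
interface Tunnel1
 nameif tuna
 ip address 10.1.1.1 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-001
!
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.1 1
route tuna 192.0.2.0 255.255.255.0 10.1.1.2 1
!
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""


def parse_blocks(config: str) -> List[List[str]]:
    """Split an ASA config into blocks: one top-level line followed by its
    indented sub-lines. Blank lines and '!' separators are dropped."""
    blocks: List[List[str]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1].append(raw.strip())
        else:
            blocks.append([raw.strip()])
    return blocks


def _value(body: List[str], prefix: str) -> Optional[str]:
    """Return the argument of the first sub-line starting with `prefix`."""
    for line in body:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def lint_vti_config(config: str) -> List[str]:
    """Cross-reference the names a VTI tunnel depends on. Returns findings
    in a stable order: profile/proposal problems first, then per tunnel."""
    proposals: Set[str] = set()
    profiles: Dict[str, List[str]] = {}
    ikev2_enabled: Set[str] = set()
    tunnel_groups: Set[str] = set()
    route_ifaces: Set[str] = set()
    tunnels: List[Tuple[str, List[str]]] = []

    for block in parse_blocks(config):
        head, body = block[0], block[1:]
        if head.startswith("crypto ipsec ikev2 ipsec-proposal "):
            proposals.add(head.split()[-1])
        elif head.startswith("crypto ipsec profile "):
            refs = [l.split()[-1] for l in body if l.startswith("set ikev2 ipsec-proposal ")]
            profiles[head.split()[-1]] = refs
        elif head.startswith("crypto ikev2 enable "):
            ikev2_enabled.add(head.split()[-1])
        elif head.startswith("tunnel-group ") and head.endswith(" type ipsec-l2l"):
            tunnel_groups.add(head.split()[1])
        elif head.startswith("route "):
            route_ifaces.add(head.split()[1])
        elif head.startswith("interface Tunnel"):
            tunnels.append((head.split()[1], body))

    findings: List[str] = []
    for name, refs in profiles.items():
        for ref in refs:
            if ref not in proposals:
                findings.append(f"profile {name} references undefined ipsec-proposal {ref}")

    for tname, body in tunnels:
        src = _value(body, "tunnel source interface")
        dst = _value(body, "tunnel destination")
        prof = _value(body, "tunnel protection ipsec profile")
        nameif = _value(body, "nameif")
        if src not in ikev2_enabled:
            findings.append(f"IKEv2 is not enabled on tunnel source interface {src} ({tname})")
        if dst not in tunnel_groups:
            findings.append(f"no ipsec-l2l tunnel-group for tunnel destination {dst} ({tname})")
        if prof not in profiles:
            findings.append(f"{tname} references undefined ipsec profile {prof}")
        if nameif not in route_ifaces:
            findings.append(f"no route sends traffic into {tname} (nameif {nameif})")
    return findings


if __name__ == "__main__":
    for finding in lint_vti_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show running-config` capture instead of the sample by reading the file into `lint_vti_config`; the check is deliberately limited to name references and VTI prerequisites, so peer-side mismatches (proposal, DH group, PSK) are out of its scope.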