Hello,
I have a Cisco ASA 9.9(1)2. I need to establish a VPN to a device not under my control (with IPsec IKEv2). On my ASA I have to use VTI. The VPN tunnel comes up and works correctly only when it is initiated from the other side; traffic from my side does not start/establish the VPN. Perhaps someone can give me a hint why, please?
x.x.40.0/24 <-> Other VPN device <-> Internet <-> ASA <-> LAN
The relevant configuration of my ASA is:
crypto ipsec ikev2 ipsec-proposal IPSEC_PROPOSAL_AES256_SHA256
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto ipsec profile IPSEC-PROFILE-001
set ikev2 ipsec-proposal IPSEC-PROPOSAL-AES256-SHA256
set pfs group2
set security-association lifetime kilobytes unlimited
set security-association lifetime seconds 3600
!
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 28800
!
crypto ikev2 enable OUTSIDE
!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address a.a.a.a 255.255.255.240
!
interface GigabitEthernet0/2
nameif INSIDE
security-level 100
ip address 10.0.10.4 255.255.255.248
!
interface Tunnel1
nameif tuna
ip address 10.1.1.1 255.255.255.252
tunnel source interface OUTSIDE
tunnel destination b.b.b.b
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE-001
!
object network branch2
subnet x.x.44.0 255.255.255.0
object network branch1
subnet x.x.40.0 255.255.255.0
object network company1
subnet c.c.c.c 255.255.255.192
object network company3
subnet x.x.16.0 255.255.255.0
object network company2
subnet w.w.w.0 255.255.0.0
!
object-group network Group_L2L_company3_UK
network-object object company2
network-object object company1
network-object object company3
object-group network Group_L2L_company3_UK_remote
network-object object branch1
network-object object branch2
!
route OUTSIDE 0.0.0.0 0.0.0.0 a.a.a.x 1
route tuna x.x.40.0 255.255.255.0 10.1.1.2 1
route tuna x.x.44.0 255.255.255.0 10.1.1.2 1
route INSIDE 0.0.0.0 0.0.0.0 10.0.10.1 tunneled
!
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
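One thing worth checking before chasing routing or IKE negotiation: in the configuration as pasted, the proposal is defined as IPSEC_PROPOSAL_AES256_SHA256 (underscores) but the profile references IPSEC-PROPOSAL-AES256-SHA256 (hyphens). Whether that mismatch exists on the device or only in the paste cannot be told from the post. The script below is an added example, not part of the original post or of any Cisco tool: it walks an ASA-style configuration, records which named objects are defined (ikev2 ipsec-proposals, ipsec profiles, tunnel-groups, nameifs) and which are referenced (from ipsec profiles, Tunnel interfaces, routes and the ikev2 enable line), and reports any reference to an object that is never defined. The object kinds and line patterns it understands are the ones visible in the pasted config; the sample configuration is constructed from those lines with the poster's placeholder addresses kept as-is.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample for this example: the relevant lines of the configuration
# posted above, with the placeholder addresses (b.b.b.b, x.x.40.0) left as they are.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal IPSEC_PROPOSAL_AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile IPSEC-PROFILE-001
 set ikev2 ipsec-proposal IPSEC-PROPOSAL-AES256-SHA256
 set pfs group2
crypto ikev2 enable OUTSIDE
interface GigabitEthernet0/0
 nameif OUTSIDE
interface Tunnel1
 nameif tuna
 tunnel source interface OUTSIDE
 tunnel destination b.b.b.b
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-001
route tuna x.x.40.0 255.255.255.0 10.1.1.2 1
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b ipsec-attributes
"""

# Lines that define a named object of a given kind. Indented lines belong to the
# block opened by the previous unindented line, which is why nameif is indented.
DEFINITIONS = {
    "ipsec-proposal": re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)"),
    "ipsec-profile": re.compile(r"^crypto ipsec profile (\S+)"),
    "tunnel-group": re.compile(r"^tunnel-group (\S+) type "),
    "nameif": re.compile(r"^\s+nameif (\S+)"),
}

# Lines that reference an object of that kind by name (the tunnel destination
# must have a matching ipsec-l2l tunnel-group for the peer to authenticate).
REFERENCES = {
    "ipsec-proposal": [re.compile(r"^\s+set ikev2 ipsec-proposal (\S+)")],
    "ipsec-profile": [re.compile(r"^\s+tunnel protection ipsec profile (\S+)")],
    "tunnel-group": [re.compile(r"^\s+tunnel destination (\S+)")],
    "nameif": [
        re.compile(r"^\s+tunnel source interface (\S+)"),
        re.compile(r"^crypto ikev2 enable (\S+)"),
        re.compile(r"^route (\S+) "),
    ],
}


def collect(config: str) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str, int, str]]]:
    """Return (defined names per kind, list of (kind, name, line number, line text))."""
    defined: Dict[str, Set[str]] = {kind: set() for kind in DEFINITIONS}
    referenced: List[Tuple[str, str, int, str]] = []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        for kind, pattern in DEFINITIONS.items():
            match = pattern.match(line)
            if match:
                defined[kind].add(match.group(1))
        for kind, patterns in REFERENCES.items():
            for pattern in patterns:
                match = pattern.match(line)
                if match:
                    referenced.append((kind, match.group(1), number, line.strip()))
    return defined, referenced


def check_references(config: str) -> List[str]:
    """One message per reference to an object that the configuration never defines."""
    defined, referenced = collect(config)
    issues: List[str] = []
    for kind, name, number, text in referenced:
        if name not in defined[kind]:
            known = ", ".join(sorted(defined[kind])) or "none"
            issues.append(
                f"line {number}: '{text}' refers to {kind} '{name}' which is not "
                f"defined (defined {kind}s: {known})"
            )
    return issues


if __name__ == "__main__":
    for issue in check_references(SAMPLE_CONFIG) or ["no dangling references found"]:
        print(issue)
```

Run against the pasted configuration it reports exactly one dangling reference, the ipsec-proposal name in the profile; with the two names made identical it reports nothing. A dangling reference found by this check only says that what was pasted is not self-consistent; confirm against `show running-config crypto` on the device, since the ASA normally refuses a `set ikev2 ipsec-proposal` line that names a proposal that does not exist.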