AWS to Cisco ASA 5505 Site to Site VPN problem

Leslie21
Level 1

Hi, can anyone help me with this please? I'm having a hard time configuring the site-to-site VPN connection. Basically I'm just following instructions from some tutorials and videos, but I still can't configure the connection to our ASA. Our network admin just resigned and this was assigned to me. I hope someone can help me with this. Thank you!

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 169.254.231.14
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

There are no IKEv2 SAs

Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 1276
In Packets: 7
In Drop Packets: 1
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 589400
Out Packets: 3417
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 857
Initiator Fails: 854
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 3
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0





5 Replies

You're running IKEv1 and your log message is:

1 IKE Peer: 169.254.231.14
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

MM_WAIT_MSG2: Initiator. Initial DH public key sent to responder. Awaiting initial contact reply from other side. The initiator sends its encr/hash/DH IKE policy details to create initial contact. The initiator will wait at MM_WAIT_MSG2 until it hears back from its peer. If stuck here, it usually means the other end is not responding. This could be due to no route to the far end, the far end not having ISAKMP enabled on the outside, or the far end being down.

Ask your remote-side engineer to give you an AWS-generated file for the ASA, and mention to him which software version you are running on your ASA unit. Once you have the AWS-generated file for your ASA, you just need a little bit of tweaking and it's all done.


Hi sir,

Thank you for the reply; it means a lot. The config file was already given to me and I'm having a hard time configuring the connection. It's my first job and I'm also a beginner when it comes to this. It's been 5 days and I'm not moving forward. Any help is greatly appreciated.

Thank you!

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
crypto ipsec ikev1 transform-set AWS esp-aes esp-sha-hmac
!
crypto ipsec profile AWS
set ikev1 transform-set AWS
set pfs group2
set security-association lifetime seconds 3600
!
tunnel-group 13.211.248.98 type ipsec-l2l
tunnel-group 13.211.248.98 ipsec-attributes
ikev1 pre-shared-key tHteXMlO7YWKfgoImIE.GV4Lsfb6EGpI
isakmp keepalive threshold 10 retry 10
!
interface Tunnel1
nameif AWS1
ip address 169.254.231.14 255.255.255.252
tunnel source interface outside
tunnel destination 13.211.248.98
tunnel mode ipsec ipv4
tunnel protection ipsec profile AWS


Hi Sir,
I'm getting an error while adding the IPsec profile. Thank you so much for your help!


ciscoasa(config)# crypto ipsec ?

configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ciscoasa(config)# crypto ipsec profile AWS
^
ERROR: % Invalid input detected at '^' marker.

You're running old code (9.1); you need to be on 9.7.1 in order to support VTI. Also, the 5505 is EOL.
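The accepted answer is correct that `crypto ipsec profile` and `interface Tunnel` (VTI) only exist from ASA 9.7(1), but an ASA 5505 cannot be upgraded that far (its last supported train is 9.2), so on this hardware the tunnel has to be built the older way, as a policy-based crypto map. The AWS console's download-configuration dialog also offers a non-VTI ASA template, which is what the remote-side engineer should regenerate. Two details from the thread matter when translating the posted VTI file: the IKE peer shown in the `show crypto ikev1 sa` output above is 169.254.231.14, the link-local address assigned to Tunnel1 in the posted config, not the AWS outside endpoint 13.211.248.98; IKE must be pointed at the public endpoint, and an ASA stuck at MM_WAIT_MSG2 with 854 initiator failures is exactly what you get when the peer address is unreachable. Second, AWS negotiates a single SA pair per tunnel, so the crypto ACL must be one summary entry, not one line per subnet pair. The configuration below is an added example written for this edit, not the thread's or AWS's own file; the Phase 1 and Phase 2 parameters are copied from the config posted above, while the LAN 192.168.1.0/24 on `inside`, the VPC range 10.0.0.0/16, the object, ACL and crypto-map names, and the pre-shared-key placeholder are assumptions.

```cisco
! Added example: policy-based (crypto map) equivalent of the posted VTI config
! for an ASA release older than 9.7(1). Assumed values (not on the page):
! local LAN 192.168.1.0/24 on "inside", AWS VPC 10.0.0.0/16, the object, ACL
! and crypto-map names, and the PSK placeholder.
!
! Phase 1: same policy as the posted AWS file.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
! Phase 2 transform set: same ciphers the VTI profile used.
crypto ipsec ikev1 transform-set AWS-TS esp-aes esp-sha-hmac
!
! Peer settings. The tunnel-group name must be the AWS outside endpoint and
! must equal the "set peer" address below. The 169.254.x.x addresses in the
! AWS file are inside-tunnel addressing only and are never an IKE peer.
tunnel-group 13.211.248.98 type ipsec-l2l
tunnel-group 13.211.248.98 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_PSK_FROM_AWS_FILE
 isakmp keepalive threshold 10 retry 10
!
! Interesting traffic: one summary entry only. AWS brings up a single SA pair
! per tunnel, so additional ACEs would never get their own SA.
object network LOCAL-NET
 subnet 192.168.1.0 255.255.255.0
object network AWS-VPC
 subnet 10.0.0.0 255.255.0.0
access-list AWS-VPN-ACL extended permit ip object LOCAL-NET object AWS-VPC
!
! NAT exemption so VPN-bound traffic keeps its real source address.
nat (inside,outside) source static LOCAL-NET LOCAL-NET destination static AWS-VPC AWS-VPC no-proxy-arp route-lookup
!
! Crypto map: this replaces "interface Tunnel1 ... tunnel protection".
crypto map OUTSIDE-MAP 10 match address AWS-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 13.211.248.98
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AWS-TS
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
!
! MTU handling for the ESP overhead, as in the AWS-generated ASA templates.
crypto ipsec df-bit clear-df outside
sysopt connection tcpmss 1379
!
! Verification after sending traffic to 10.0.0.0/16:
!   show crypto ikev1 sa                      -> State : MM_ACTIVE
!   show crypto ipsec sa peer 13.211.248.98   -> #pkts encaps/decaps increasing
```

If `show crypto ikev1 sa` still sits at MM_WAIT_MSG2 with this in place, the problem is outside the ASA config: confirm UDP/500 and ESP from the ASA's public address reach 13.211.248.98, and that the customer gateway in AWS was created with that public address, since AWS will not answer IKE from any other source.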