12-18-2018 09:10 AM - edited 02-21-2020 09:31 PM
Good morning All
I have been looking at this all morning now and am at a loss. I am trying to configure an IKEv2 L2L IPsec tunnel, but
when I send interesting traffic the tunnel doesn't even attempt to come up. The tunnel terminates on my ASA5520
running Cisco Adaptive Security Appliance Software Version 8.4(7)30, Device Manager Version 6.4(9). My config is as follows:
object network Seed.Peer
 host 38.14.65.15
object-group network Seed-Local-host
 network-object 10.16.10.0 255.255.255.0
object-group network Seed-Remote-host
 network-object 10.50.10.0 255.255.255.128
 network-object 10.60.10.0 255.255.255.128
object-group network Seed-PAT
 network-object 10.77.0.112 255.255.255.248
object-group network GW-Seed-Nat
 network-object 10.16.10.73 255.255.255.255
object-group network Seed-NAT
 network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-Local-host object-group Seed-Remote-host
access-list SEED-VPN extended permit ip object-group Seed-Local-host object-group Seed-Remote-host
access-list SEED-VPN extended permit ip host 38.14.65.15 host 207.12.15.10
nat (INSIDE,OUTSIDE) source dynamic GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host
group-policy SEED internal
group-policy SEED attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value SEED-VPN
 vpn-tunnel-protocol ikev2
crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 4 set peer 38.14.65.15
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal ikev2-proposal DES 3DES AES AES192 AES256
tunnel-group 38.14.65.15 type ipsec-l2l
tunnel-group 38.14.65.15 general-attributes
 default-group-policy SEED
tunnel-group 38.14.65.15 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ikev2 policy 50
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
I don't see what I am doing wrong at the moment; any guidance or help would be greatly appreciated.
Thank you in advance!!!
Warren
12-18-2018 09:23 AM
12-18-2018 09:33 AM
Oh my, if it was a snake it would have bit me in the behind!!!!! Thank you sir, the tunnel isn't up yet, but at least
now I see phase1 activated, which is a lot better than where I started. Let me see what is going on and
let you know, but thank you for now RJI!!!!!
12-18-2018 09:46 AM
Just an update: phase 1 and phase 2 are up, and the distant end has verified the tunnel is up, but
I cannot ping across. At least we got the tunnel up. Thank you again for your help!!!
12-18-2018 09:54 AM
12-18-2018 10:16 AM
Hmm, OK, let me find out what he is terminating his tunnel on, and if it is an ASA like you said I will add that
"management-access inside".
12-18-2018 10:22 AM
Just in case, where do I need to add this "management-access inside"?
12-18-2018 10:27 AM
Never mind, I got it, thank you!!