09-01-2017 03:37 PM - edited 03-12-2019 04:31 AM
Hi,
I'm trying to connect two sites using an IPSec site-to-site VPN tunnel. Below is my configuration for both sites.
ASA-01
show running-config crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set pfs
crypto map UK_VPN_MAP 1 set peer 1.1.1.1
crypto map UK_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set pfs
crypto map UK_VPN_MAP 1 set peer 1.1.1.1
crypto map UK_VPN_MAP interface outside
object-group network IPSEC-L2L-LAN
network-object 172.16.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
network-object 192.168.10.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
Site B
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set pfs
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto map US_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
ikev1 pre-shared-key *****
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set pfs
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto map US_VPN_MAP interface outside
object-group network IPSEC-L2L-LAN
network-object 192.168.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE
access-list UK-L2L-VPN line 1 extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x1d73c29a
access-list UK-L2L-VPN line 2 extended permit icmp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x83d4a79d
I don't know what I'm missing and why I'm not able to connect the tunnel.
show crypto ipsec sa peer 1.1.1.1
There are no ipsec sas
show crypto ikev1 sa
There are no IKEv1 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
Please advise!
09-01-2017 06:47 PM
Can the firewall with IP address 1.1.1.1 ping the FW with IP 2.2.2.1?
Also, make sure to ping from one subnet to another. The VPN tunnel only establishes when there's traffic initiated from the networks.
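As an added example (my own code, not from this thread or from Cisco), here is a small offline checker for the two things the reply above is really asking about: would a test ping from one LAN to the other be "interesting" to the crypto ACL at all, and, before that, does the manual NAT leave the packet's source address untranslated so the crypto map can match it. It reads the site B object-groups, NAT and crypto ACL lines exactly as pasted in the post; it also compares a crypto ACL against a peer's to confirm they are exact mirror images. ASA-01's ACL is not shown in the post, so ASA_01_ACL below is a constructed, hypothetical one that deliberately covers both networks of ASA-01's IPSEC-L2L-REMOTE object-group, just to exercise the mirror check. The 172.16.1.5 test address is likewise only there to show a destination that is in the NAT object-group but not in the crypto ACL.

```python
import ipaddress
from collections import namedtuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")
AclEntry = namedtuple("AclEntry", "action proto src dst")   # src/dst are IPv4Network


def _net(tokens, i):
    """Consume one 'ADDR MASK' address spec at tokens[i]; return (network, next index)."""
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2  # dotted mask is accepted


def parse_acl(text, name):
    """'access-list NAME [line N] extended permit|deny PROTO SRC DST ...' lines, in order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", name] or len(t) < 6:
            continue
        i = 4 if t[2] == "line" else 2            # skip the 'line N' prefix of show output
        src, j = _net(t, i + 3)
        entries.append(AclEntry(t[i + 1], t[i + 2], src, _net(t, j)[0]))
    return entries


def parse_object_groups(text):
    """'object-group network NAME' blocks -> {name: [networks]}."""
    groups, current = {}, None
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"] and current is not None:
            current.append(_net(t, 1)[0])
    return groups


def parse_manual_nat(text, groups):
    """Manual NAT rules in listed order as (src_nets, dst_nets, rewrites_source)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["nat"] or "source" not in t:
            continue
        s = t.index("source")
        src_nets = groups.get(t[s + 2], [ANY])                      # 'any' -> whole space
        dst_nets = groups.get(t[t.index("destination") + 2], [ANY]) if "destination" in t else [ANY]
        identity = t[s + 1] == "static" and t[s + 3] == t[s + 2]    # 'static X X' keeps the source
        rules.append((src_nets, dst_nets, not identity))
    return rules


def source_rewritten(rules, src_ip, dst_ip):
    """First-match manual NAT: True if the source address would be translated."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for src_nets, dst_nets, rewrites in rules:
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return rewrites
    return False


def is_interesting(entries, src_ip, dst_ip, proto="ip"):
    """First-match crypto ACL: does this flow trigger the crypto map?"""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto in ("ip", proto) and s in e.src and d in e.dst:
            return e.action == "permit"
    return False


def shadowed(entries):
    """Entries an earlier, broader entry already covers; they can never match."""
    return [e for i, e in enumerate(entries)
            if any(p.proto in ("ip", e.proto) and e.src.subnet_of(p.src)
                   and e.dst.subnet_of(p.dst) for p in entries[:i])]


def mirror_mismatches(local, remote):
    """(missing on remote, extra on remote) versus the exact mirror of local's live entries."""
    want = {AclEntry(e.action, e.proto, e.dst, e.src) for e in local if e not in shadowed(local)}
    have = {e for e in remote if e not in shadowed(remote)}
    return sorted(want - have, key=str), sorted(have - want, key=str)


def check_flow(config, acl_name, src_ip, dst_ip):
    """The two gates a packet passes on its own ASA before IKE is ever started."""
    groups = parse_object_groups(config)
    return {"source_kept": not source_rewritten(parse_manual_nat(config, groups), src_ip, dst_ip),
            "interesting": is_interesting(parse_acl(config, acl_name), src_ip, dst_ip)}


# Site B lines as pasted in the post (object-groups, NAT and crypto ACL, in the order shown).
SITE_B = """\
object-group network IPSEC-L2L-LAN
network-object 192.168.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
network-object 172.16.10.0 255.255.255.0
network-object 172.16.1.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE
access-list UK-L2L-VPN line 1 extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x1d73c29a
access-list UK-L2L-VPN line 2 extended permit icmp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x83d4a79d
"""
# Constructed, hypothetical ACL for ASA-01 (not in the post); covers both networks of ASA-01's
# IPSEC-L2L-REMOTE object-group, so it is deliberately not an exact mirror of site B's ACL.
ASA_01_ACL = """\
access-list UK-L2L-VPN extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list UK-L2L-VPN extended permit ip 172.16.10.0 255.255.255.0 192.168.100.0 255.255.255.0
"""
```

Calling check_flow(SITE_B, "UK-L2L-VPN", "192.168.10.20", "172.16.10.5") reports interesting True, so a ping between the two LANs does match the crypto ACL, but source_kept False: with the two manual NAT rules in the order they appear in the post, first-match NAT would PAT the source to the outside interface before the crypto map sees it, which is consistent with hitcnt=0 on both ACL lines. If show run nat on the box really lists the dynamic rule first, moving the identity rule above it makes the same call return True. The checker also shows that the icmp line of the ACL is shadowed by the ip line above it, and mirror_mismatches(parse_acl(SITE_B, "UK-L2L-VPN"), parse_acl(ASA_01_ACL, "UK-L2L-VPN")) flags the extra 192.168.100.0/24 entry on the hypothetical ASA-01 side.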