IPSec site-to-site vpn

Rockyy, Level 1

Hi,

I'm trying to connect two sites using an IPSec site-to-site VPN tunnel. Below is my configuration for both sites.

 

ASA-01

show running-config crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set pfs
crypto map UK_VPN_MAP 1 set peer 1.1.1.1
crypto map UK_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****

object-group network IPSEC-L2L-LAN
 network-object 172.16.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE

access-list UK-L2L-VPN line 1 extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xce8839d5
access-list UK-L2L-VPN line 2 extended permit icmp 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x44eb4dd0

Site B

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set pfs
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto map US_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 ikev1 pre-shared-key *****

object-group network IPSEC-L2L-LAN
 network-object 192.168.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE

access-list UK-L2L-VPN line 1 extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x1d73c29a
access-list UK-L2L-VPN line 2 extended permit icmp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x83d4a79d

 

I don't know what I'm missing and why I'm not able to connect the tunnel.

 

show crypto ipsec sa peer 1.1.1.1
There are no ipsec sas

show crypto ikev1 sa
There are no IKEv1 SAs

Global IKEv1 Statistics
  Active Tunnels: 0
  Previous Tunnels: 0
  In Octets: 0
  In Packets: 0
  In Drop Packets: 0
  In Notifys: 0
  In P2 Exchanges: 0
  In P2 Exchange Invalids: 0
  In P2 Exchange Rejects: 0
  In P2 Sa Delete Requests: 0
  Out Octets: 0
  Out Packets: 0
  Out Drop Packets: 0
  Out Notifys: 0
  Out P2 Exchanges: 0
  Out P2 Exchange Invalids: 0
  Out P2 Exchange Rejects: 0
  Out P2 Sa Delete Requests: 0
  Initiator Tunnels: 0
  Initiator Fails: 0
  Responder Fails: 0
  System Capacity Fails: 0
  Auth Fails: 0

Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual

 

Please advise!
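As an added example (not part of the thread and not Cisco code), the checker below runs the static comparisons a reviewer would make before turning on debugs: it parses the crypto lines of two pasted ASA configs and reports whether some IKEv1 policy pair agrees on every negotiated attribute, whether IKEv1 is enabled, whether each crypto map entry binds a transform set and names a peer that has an ipsec-l2l tunnel-group, whether the bound transform sets share an algorithm combination, and whether the two crypto ACLs are mirror images. The sample configs are constructed from the post (trimmed to the relevant lines); note that in the pasted output neither crypto map entry shows a `set ikev1 transform-set` line, which is exactly what the checker flags for these two sides (the line may also simply have been left out of the paste). The function and variable names are my own.

```python
"""Consistency checks for an IKEv1 ASA-to-ASA tunnel that never comes up (added example, not Cisco code).
Parses the crypto lines of two pasted configs and reports the usual causes of 'There are no IKEv1 SAs'."""
import re
from ipaddress import IPv4Network

# Constructed samples: the two posted configs trimmed to the lines the checks read.
SITE_A = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set peer 1.1.1.1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
tunnel-group 1.1.1.1 type ipsec-l2l
access-list UK-L2L-VPN line 1 extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0)
"""
SITE_B = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
tunnel-group 2.2.2.1 type ipsec-l2l
access-list UK-L2L-VPN line 1 extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0)
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group")  # negotiated attributes; lifetime is not
TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set pfs|set ikev1 transform-set) ?(.*)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ACE_RE = re.compile(r"access-list (\S+) (?:line \d+ )?extended permit (\S+)((?: \d+(?:\.\d+){3}){4})")

def ikev1_policies(cfg):
    """{priority: {attribute: value}} per 'crypto ikev1 policy' block; indentation is not required."""
    policies, current = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        head = re.match(r"^crypto ikev1 policy (\d+)$", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_KEYS + ("lifetime",):
            current[key] = value
        elif line:
            current = None  # any other command ends the block
    return policies

def crypto_maps(cfg):
    """{(map, seq): {clause: value}}; 'set pfs' is stored as '' when present."""
    maps = {}
    for m in filter(None, (MAP_RE.match(raw.strip()) for raw in cfg.splitlines())):
        maps.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return maps

def acl_flows(cfg, name):
    """(proto, src, dst) triples of ACL `name`, from running-config or 'show access-list' output."""
    flows = set()
    for m in ACE_RE.finditer(cfg):
        if m.group(1) == name:
            src, smask, dst, dmask = m.group(3).split()
            flows.add((m.group(2), IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
    return flows

def check_tunnel(cfg_a, cfg_b, label_a="ASA-01", label_b="Site B"):
    """Return mismatch descriptions; an empty list means the static config looks symmetric."""
    findings, algs, sides = [], {}, ((label_a, cfg_a), (label_b, cfg_b))
    # Phase 1: at least one policy pair must agree on every negotiated attribute.
    agreed = [{tuple(p.get(k) for k in POLICY_KEYS) for p in ikev1_policies(c).values()} for _, c in sides]
    if not agreed[0] & agreed[1]:
        findings.append("no IKEv1 policy agrees on authentication/encryption/hash/group")
    for label, cfg in sides:
        lines = [raw.strip() for raw in cfg.splitlines()]
        if not any(l.startswith("crypto ikev1 enable") for l in lines):
            findings.append(f"{label}: IKEv1 is not enabled on any interface")
        sets = {m.group(1): frozenset(m.group(2).split()) for m in filter(None, map(TS_RE.match, lines))}
        tgs = {m.group(1) for m in filter(None, map(TG_RE.match, lines))}
        for (name, seq), entry in crypto_maps(cfg).items():
            where, ts, peer = f"{label}: crypto map {name} {seq}", entry.get("set ikev1 transform-set"), entry.get("set peer")
            if not ts:
                findings.append(f"{where} has no 'set ikev1 transform-set'; the entry is incomplete")
            elif ts in sets:
                algs.setdefault(label, set()).add(sets[ts])
            if peer and peer not in tgs:
                findings.append(f"{where} peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
    if len(algs) == 2 and not algs[label_a] & algs[label_b]:
        findings.append("the bound transform sets share no algorithm combination")
    # Phase 2 selectors: every protected flow on one side must appear reversed on the other.
    flows = [set().union(*(acl_flows(c, e["match address"]) for e in crypto_maps(c).values() if "match address" in e))
             for _, c in sides]
    for proto, src, dst in sorted(flows[0] ^ {(p, d, s) for p, s, d in flows[1]}, key=str):
        findings.append(f"crypto ACLs are not mirror images for {proto} {src} -> {dst}")
    return findings

if __name__ == "__main__":
    print(*(check_tunnel(SITE_A, SITE_B) or ["no mismatches found"]), sep="\n")
```

Run against the two sides as pasted, the only findings are the missing transform-set bindings; with `set ikev1 transform-set ESP-3DES-SHA` appended to both crypto map entries the list is empty. The transform-set name is cosmetic: `ESP-3DES-SHA` here actually carries `esp-aes esp-sha-hmac`, and only the algorithms are negotiated, so the checker compares algorithm sets rather than names. Lifetime is deliberately left out of the Phase 1 comparison because the peers settle on the shorter value instead of failing.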

 

 

15 Replies

Hi, can you send a copy of your config?

The issue can be crypto order, or an issue with crypto when migrating from PIX to ASA....

After you send your config we can take a look and let you know where the problem is.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question