
Issue with IKEv1/IPsec VPN Compatibility Between Two ASA Devices

Hello everyone,

I’m encountering an issue with establishing an IKEv1/IPsec VPN tunnel between two Cisco ASA devices. One ASA is located here where I work (ASA 1), and the other is in another country (ASA 2). The devices have different IKE policies, transform sets, and IPsec proposals, and it seems that the VPN tunnel cannot be established due to incompatibility between them.


The transform sets partially overlap, but I’m unsure if all necessary transform sets are included in the crypto map on both devices.

The IKE policies have different priorities on each device, which might cause a mismatch.

IPsec proposals are only defined on ASA 1. There’s no information about IPsec proposals on ASA 2.

How can I ensure that the transform sets, IKE policies, and IPsec proposals are aligned between these two ASA devices? What changes should I make to both devices to successfully establish the VPN tunnel?

Thank you in advance for your help!

2 Replies

Only match the group under policy 

MHM

ccieexpert

You have not attached the rest of the configuration, but whatever you have attached matches up. The additional IKEv2 policy has no bearing.

Since the full config is missing, please follow this example and, if you want, post the entire config so we can review it:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

**Please mark as helpful if this is useful**
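
An added example, not part of the thread or of Cisco's documentation: a small Python check that parses `crypto ikev1 policy` and `crypto ipsec ikev1 transform-set` lines from two ASA configs and returns the proposals both sides share. The sample configs are constructed, and the match rule is an assumption of the sketch: authentication, encryption, hash and DH group must agree, while priority numbers and transform-set names are treated as local; lifetimes and crypto map references are not checked.

```python
import re

# Constructed sample configs; the poster's attachments are not on the page.
ASA1 = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev2 policy 1
 encryption aes-256
crypto ipsec ikev1 transform-set TS-3DES esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
"""
ASA2 = """\
crypto ikev1 policy 65
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set REMOTE esp-aes-256 esp-sha-hmac
"""
KEYS = ("authentication", "encryption", "hash", "group")

def parse(cfg):
    """Return (IKEv1 phase-1 tuples, phase-2 transform sets), ignoring names."""
    policies, current, transforms = {}, None, set()
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:  # priority is treated as a local ordering, so it is not compared
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:  # anything else (e.g. an ikev2 policy block) ends the ikev1 block
            current = None
            m = re.match(r"crypto ipsec ikev1 transform-set \S+ (esp-.+)$", line)
            if m:
                transforms.add(frozenset(m.group(1).split()))
    return {tuple(p.get(k) for k in KEYS) for p in policies.values()}, transforms

def common(cfg_a, cfg_b):
    """Proposals both peers could agree on (assumed match rule, see lead-in)."""
    (p1a, p2a), (p1b, p2b) = parse(cfg_a), parse(cfg_b)
    return p1a & p1b, p2a & p2b
```

An empty set in either position of `common(ASA1, ASA2)` means the two configs share no phase 1 policy or no transform set under that rule.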