Need help with site-to-site VPN ikev1

mart.lubo
Level 1

Hi Guys,

I have 2 ASA 5505s, both running 8.4(4), with ASDM 6.4(9).

I've rebuilt the config probably 6 times now, with no clue what I'm doing wrong.

My main concern is why the ASAs aren't even initiating VPN negotiation, no traffic at all.

I can ping both devices on their outside interfaces ok.

IKEv1 is enabled on outside interfaces.

I've checked connection profile, tunnel group, crypto maps, IKE policies, etc.

Still nothing within the logs that would indicate any negotiation attempts.

Please help!

7 Replies

Jouni Forss
VIP Alumni

Hi,

We would need to see configurations of both units to check for any problems with the configurations.

If your L2L VPN connection is configured correctly but there is no negotiation at all between the units, then it would usually mean that there are problems with the NAT configuration, so that the traffic initiated from the LAN won't match the L2L VPN configuration and therefore won't initiate the negotiation.

- Jouni

Hi Jouni,

How do I exempt LAN traffic from NAT on this Cisco ASA version via crypto map?

Martin

Hi,

Well it depends on your setup really. Mostly in the amount of networks that are at each site that use the L2L VPN.

But generally you could configure it with

object-group network LOCAL

network-object

object-group network REMOTE

network-object

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

Naturally the "object-group" names can be different and your interfaces might not be named "inside" and "outside"

- Jouni

Hi Jouni,

Thank you for your help, it gave enough info to troubleshoot the VPN.

I've factory defaulted the device which I suspected to be the problem and rebuilt the config, and the VPN came up. I still have to sort out an ACL issue, but I'm getting somewhere.

I'll let you know soon.

Thanks again

Martin

Hi Jouni,

I got the tunnel up, but traffic is not passing through. When I run packet tracer, it all seems fine; when I try to ping from the inside interface of one ASA to the other I get:

Routing failed to locate next hop for icmp from NP Identity Ifc:192.168.0.250/0 to inside:192.168.8.10/0

Do I have to allow ICMP through for that?

Is that a problem with a default route?

Hi,

If you want to ping an internal ASA interface through the L2L VPN then you need the "management-access " command on the ASA to which you want to ICMP. Naturally you will have to replace the "nameif" in the command with the actual "nameif" of the internal interface. This can be configured only for a single interface.

You will also possibly need to have a look at the NAT0 configuration if it doesn't work after this.

By default you should not need access rules for traffic coming in from the VPN.

- Jouni
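A complete IKEv1 L2L configuration for the Site A ASA that puts the identity-NAT rule from the accepted answer, the matching crypto ACL, and the "management-access" command from the reply above into one working unit. This is an added example and is not configuration posted in the thread. The inside subnets 192.168.0.0/24 and 192.168.8.0/24 are taken from the ping output earlier in the thread; the outside addresses 198.51.100.1 and 203.0.113.1, the object-group, ACL, crypto-map and transform-set names, the policy numbers and the pre-shared-key placeholder are assumptions.

```cisco
! ---- Site A ASA 5505, 8.4(4) ----
! inside 192.168.0.0/24 (from the thread), outside 198.51.100.1 (assumed)
! remote site B: inside 192.168.8.0/24 (from the thread), outside 203.0.113.1 (assumed)
object-group network LOCAL
 network-object 192.168.0.0 255.255.255.0
object-group network REMOTE
 network-object 192.168.8.0 255.255.255.0
!
! Identity twice NAT (NAT0). Manual NAT lives in section 1 and is evaluated
! before the object (auto) NAT below, so LAN-to-LAN traffic keeps its real
! addresses and can match the crypto ACL. Without this rule the PAT rewrites
! the source to the outside address, the crypto ACL never matches and no IKE
! negotiation is ever started, which is the symptom in the original question.
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
!
! Interface PAT for all other Internet-bound traffic (section 2, auto NAT)
object network INSIDE-PAT
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Interesting traffic: must describe exactly the same hosts as the identity
! NAT, and must be the mirror image of the crypto ACL on site B.
access-list L2L-SITE-B extended permit ip object-group LOCAL object-group REMOTE
!
! Phase 1 (IKEv1). This release offers DH groups 1, 2 and 5 for IKEv1; use 5.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITE-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Peer authentication. Use a long random PSK (placeholder below), identical on both sides.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
!
! Default on this release: decrypted VPN traffic bypasses interface ACLs, so
! no access-list entry is needed for traffic arriving from the tunnel.
sysopt connection permit-vpn
!
! Only if you want to ping/SSH/ASDM the inside interface address across the
! tunnel; it can be set on one interface per ASA.
management-access inside
!
! ---- Site B differs only in the mirrored values ----
! object-group LOCAL      -> 192.168.8.0 255.255.255.0
! object-group REMOTE     -> 192.168.0.0 255.255.255.0
! INSIDE-PAT subnet       -> 192.168.8.0 255.255.255.0
! set peer / tunnel-group -> 198.51.100.1
!
! ---- Verification (exec mode) ----
! packet-tracer input inside icmp 192.168.0.10 8 0 192.168.8.10
!   The NAT phase must cite the identity rule and the VPN phase must show
!   ENCRYPT / ALLOW. If the NAT phase shows the dynamic PAT rule instead, the
!   identity NAT is missing or does not cover these hosts.
! show crypto ikev1 sa        -> state MM_ACTIVE once phase 1 is up
! show crypto ipsec sa        -> #pkts encaps/decaps incrementing
! debug crypto ikev1 127      -> only while bringing the tunnel up; then: undebug all
```

The packet-tracer line is the single check that settles the original symptom of no IKE negotiation at all: a packet only reaches the crypto map if it leaves the NAT phase untranslated. The same object-groups are used in both the identity NAT and the crypto ACL on purpose; if a subnet is later added at either site it has to go into both the local objects and the peer's mirrored objects, otherwise traffic for that subnet is translated and sent out the default route in the clear instead of entering the tunnel.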

Hi Jouni,

That's great it worked.

Thank you very much for your help.

Kind regards

Martin
