No traffic in cisco asa

WamuMubiana1384
Level 1

Hi All,

I need help.

I have configured a site-to-site VPN on a Cisco ASA with a partner who is using Openswan. My configuration on the ASA is as follows; however, traffic is not being encrypted to pass through the tunnel:

crypto ikev2 policy 60
encryption aes-256
integrity sha256
group 14
lifetime seconds 86400

----------IPsec Proposal (Transform set)--------------------

crypto ipsec ikev2 ipsec-proposal IB_PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256

--------Access-List for traffic to encrypt----------------------------------------------------
access-list ZECHL_IB extended permit ip 192.168.100.0 255.255.255.0 host 192.168.200.215
access-list ZECHL_IB extended permit ip host 192.168.100.18 host 192.168.200.215


--------Crypto map combining ACL, peer and IKEV2 Proposal----------------------------

crypto map TCIB_CRYPTO_MAP 1 match address ZECHL_IB
crypto map TCIB_CRYPTO_MAP 1 set peer public_address
crypto map TCIB_CRYPTO_MAP 1 set ikev2 ipsec-proposal IB_PROPOSAL
crypto map TCIB_CRYPTO_MAP interface OUTSIDE

------------------Tunnel group------------------------------------------
tunnel-group public_address type ipsec-l2l
tunnel-group public_address ipsec-attributes
ikev2 local-authentication pre-shared-key xxxxxxxxxxxxxxx
ikev2 remote-authentication pre-shared-key xxxxxxxxxxxxx

I can see incoming traffic from the partner, though, when they attempt to reach 192.168.100.18.

18 Replies

I have NAT exemption ticked in the connection profile. I have also ticked NAT-T in the crypto map.

@WamuMubiana1384 wrote:

I have NAT exemption ticked in the connection profile. I have also ticked NAT-T in the crypto map.

Connection profile NAT exemption,

Can I see how you configured it?

MHM

You need

NO-NAT (NAT exemption) for the encrypted traffic.

That's all, I think.

MHM

In my first comment I mentioned it is a NAT issue, you are just making it hard for yourself.

MHM
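
The NAT exemption that the replies point to, written out as ASA CLI for the networks in the ZECHL_IB crypto ACL, followed by the checks that confirm traffic is being encrypted. This is an added example, not configuration from the original poster or from any reply; the inside interface name INSIDE and the object names LOCAL_LAN and PARTNER_HOST are assumptions.

```cisco
! Assumptions (not from the thread): the inside interface is named INSIDE;
! the object names LOCAL_LAN and PARTNER_HOST are hypothetical.
! Addresses are taken from the ZECHL_IB crypto ACL in the original post.
object network LOCAL_LAN
 subnet 192.168.100.0 255.255.255.0
object network PARTNER_HOST
 host 192.168.200.215
!
! Identity (twice) NAT: source and destination stay untranslated for
! tunnel traffic. The "1" places the rule at the top of section 1 so it
! is evaluated before any dynamic PAT rule; if PAT rewrites the source
! first, the packet no longer matches the crypto ACL and leaves in clear.
nat (INSIDE,OUTSIDE) 1 source static LOCAL_LAN LOCAL_LAN destination static PARTNER_HOST PARTNER_HOST no-proxy-arp route-lookup
!
! Verification, run from exec mode rather than configuration mode.
! The NAT phase should name the exemption rule above, and the result
! should include a VPN encrypt phase.
packet-tracer input INSIDE icmp 192.168.100.18 8 0 192.168.200.215 detailed
! Translate hit counters on the exemption rule should rise with test traffic.
show nat detail
! "#pkts encaps" should increase alongside "#pkts decaps"; decaps only
! means return traffic is still bypassing the tunnel.
! public_address is the placeholder used in the original post.
show crypto ipsec sa peer public_address
```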