Also, this ACL outside_in  from "crypto map VENDOR1-cryptomap-1 1 match address outside_in"-- Should this be the same main ACL attached to interface outside1 that protects the enterprise from the www? 

#crypto map VENDOR1-cryptomap-1 1 set ikev2 ipsec-proposal VENDOR1-PROPOSAL-1 <<- this issue here why you use IKEv2 not IKEv1 ??

Enterprise VPN requirement is IKEv2. I followed config template from Cisco book "Cisco ASA, Third Edition"

There is mistake here?

I think I'm figuring out the root cause + solution.

Please tell me...

#crypto map VENDOR1-cryptomap-1 interface outside1
#crypto map VENDOR1-cryptomap-1 1 match address outside_in
#crypto map VENDOR1-cryptomap-1 1 set peer 2.2.2.2
#crypto map VENDOR1-cryptomap-1 1 set ikev2 ipsec-proposal VENDOR1-PROPOSAL-1

Should ACL "outside_in" be attached to interface "outside1" in, or should ACL "outside_in" be attached to nothing ?

@jmaxwellUSAF IMO, the ACL "outside_in" is poorly named if you are using this for the crypto ACL. This should ideally be named appropriately in relation to what it is used for, "VPN-TO-BRANCH" would be better. This ACL is then referenced under the crypto map sequence.

The crypto ACL is not attached to the interface, that is a separate and dedicated ACL.

Please can you turn on the IKEv2 debugs, attempt to establish a tunnel and then provide the full debug as an attachment rather than paste the full output in the body of the email.

Please, how do I remove an ACL from an interface on ASA1120?

@jmaxwellUSAF you remove an ACL on an interface using "no access-group <NAME> in interface <INTERFACENAME>" (replace "in" with "out" if outbound).

Bear in mind you can only have one ACL per direction per interface. So are you sure this ACL is not actually in use on the interface?

to create a route through the tunnel to the remote network, what do I place in the below template?

route <interface> 172.16.8.0 255.255.255.0 <next-hop>

Thank you.

@jmaxwellUSAF is there not a default route via the outside1 interface? I'd so you don't need a specific route for this destination.

Unless you've got multiple outside interfaces? In which case is the vpn communicating using the correct interface?

Provide your configuration?

Hello tech gods.

May you please answer following questions about below complete L2L VPN code, and current logs?...

__________

1. Enable IKE processing on the outside interface "outside1" 1.1.1.1 /24
#crypto ikev2 enable outside1

2. Create the ISAKMP policy
#crypto ikev2 policy 100
#encryption aes-256
#integrity sha-256
#group 14
#prf sha-256
#lifetime seconds 86400

3. Set tunnel group and tunnel type
#tunnel-group 2.2.2.2 type ipsec-l2l
#tunnel group 2.2.2.2 ipsec-attributes
#ikev2 local-authentication pre-shared-key KeY12345
#ikev2 remote-authentication pre-shared-key KeY12345

4. Define the IPsec policy
#crypto ipsec ikev2 ipsec-proposal VENDOR1-PROPOSAL-1
#protocol esp encryption aes-256
#protocol esp integrity sha-512

5. Append the existing crypto map ACL
#access-list VENDOR1-Cryptomap-ACL remark >>ACL REFERENCED BY CRYPTO-MAP<<
#access-list VENDOR1-Cryptomap-ACL extended permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0

6. Configure the crypto map.
#crypto map VENDOR1-cryptomap-1 interface outside1
#crypto map VENDOR1-cryptomap-1 1 match address VENDOR1-Cryptomap-ACL
#crypto map VENDOR1-cryptomap-1 1 set peer 2.2.2.2
#crypto map VENDOR1-cryptomap-1 1 set ikev2 ipsec-proposal VENDOR1-PROPOSAL-1

7. Bypass NAT
#object network MY-LAN-NETWORK-1
#subnet 172.16.1.0 255.255.255.0
#object network VENDOR1-LAN-NETWORK-1
#subnet 172.16.8.0 255.255.255.0
#exit
#nat (inside,outside1) source static MY-LAN-NETWORK-1 MY-LAN-NETWORK-1 destination static VENDOR1-LAN-NETWORK-1 VENDOR1-LAN-NETWORK-1

8. Configure Internal Group Policy & attributes.
#group-policy 2.2.2.2 internal
#group-policy 2.2.2.2 attributes
#vpn-tunnel-protocol ikev2
#pfs enable
---&&&&&&&&&---

%ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 1.1.1.1-1.1.1.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 224.0.0.10-224.0.0.10 Protocol: 0 Port Range: 0-65535

%ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 1.1.1.1-1.1.1.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 3.3.3.3-3.3.3.3 Protocol: 0 Port Range: 0-65535

%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = VENDOR1-cryptomap-1. Map Sequence Number = 1.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified.
%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = VENDOR1-cryptomap-1. Map Sequence Number = 1.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= VENDOR1-cryptomap-1. Map Sequence Number = 1.
---&&&&&&&&&---

QUESTIONS:
1. "%ASA-4-752011: IKEv1 Doesn't have a transform set specified." -My config only has IKEv2. Why is this referring to IKEv1?

2. "All configured IKE versions failed to establish the tunnel." - there exist not only my specific and verified...
"crypto ikev2 policy 100
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400"
... but also about ten other preceding IKE policies. Does this symptom mean the remote peer IKE config doesn't match?

3. "remote traffic selector = Address Range: 3.3.3.3-3.3.3.3" I don't recognize public IP 3.3.3.3. This IP is not in "show run | inc 3.3.3.3" From where might originate this injection of data "3.3.3.3"?

Thank you.

@jmaxwellUSAF The IKE (v1 or v2) are defined globally and not tied to a specific tunnel. All IKE policies would be sent and selected on a match.

Do you control the other side of the VPN tunnel? If not, have they mirrored your crypto ACL? They should source traffic from 172.16.8.0/24 to 172.16.1.0/24. Have they mis-configured their NAT, of 3.3.3.3 < or whatever the real IP address is?

Can you provide the full debug information please?

Can you provide the full configuration? Change the public IP address and sensitive information.

Thank you for your response.

I do not have access to the remote vendor network.
 
I will ask the vendor...
1. if they have mirrored my crypto ACL
2. are they sourcing traffic from 172.16.8.0/24 to 172.16.1.0/24
3. Have they mis-configured their NAT regarding 3.3.3.3

What debug commands shall I execute now?
In my last response was the full VPN config. What do you mean by "provide full config"?

@jmaxwellUSAF run the IKEv2 debug commands, attempt to establish the VPN and provide the full output.

debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

I wanted to see the rest of the ASA configuration to determine whether something might be conflicting or unintentially causing an issue with these VPN.

Before I email the vendor with above three questions, please view below config data already told to me by vendor...

!! This VENDOR1 device is a V1000 router !!
=====

ip access-list extended ENTERPRISE1
10 permit ip 172.16.8.0 0.0.0.255 172.16.1.0 0.0.0.255
 
crypto ikev2 keyring ENTERPRISE1
peer 1.1.1.1
  address 1.1.1.1
  pre-shared-key KeY12345
!
crypto ikev2 profile ENTERPRISE1
match address local 10.0.0.4
match identity remote address 1.1.1.1 255.255.255.255 
authentication remote pre-share
authentication local pre-share
keyring local ENTERPRISE1
!

crypto map ipsec-map 24 ipsec-isakmp 
description ENTERPRISE1
set peer 1.1.1.1
set security-association lifetime seconds 28800

!
set transform-set aes256-sha 
set pfs group2
set ikev2-profile ENTERPRISE1
match address ENTERPRISE1

Are you now able to determine the source of the failing tunnel?

(For convenience, below is my recent reply with full VPN config, and also logs and questions.)...

__________

!! ENTERPRISE1 VPN config !!...

1. Enable IKE processing on the outside interface "outside1" 1.1.1.1 /24
#crypto ikev2 enable outside1

2. Create the ISAKMP policy
#crypto ikev2 policy 100
#encryption aes-256
#integrity sha-256
#group 14
#prf sha-256
#lifetime seconds 86400

3. Set tunnel group and tunnel type
#tunnel-group 2.2.2.2 type ipsec-l2l
#tunnel group 2.2.2.2 ipsec-attributes
#ikev2 local-authentication pre-shared-key KeY12345
#ikev2 remote-authentication pre-shared-key KeY12345

4. Define the IPsec policy
#crypto ipsec ikev2 ipsec-proposal VENDOR1-PROPOSAL-1
#protocol esp encryption aes-256
#protocol esp integrity sha-512

5. Append the existing crypto map ACL
#access-list VENDOR1-Cryptomap-ACL remark >>ACL REFERENCED BY CRYPTO-MAP<<
#access-list VENDOR1-Cryptomap-ACL extended permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0

6. Configure the crypto map.
#crypto map VENDOR1-cryptomap-1 interface outside1
#crypto map VENDOR1-cryptomap-1 1 match address VENDOR1-Cryptomap-ACL
#crypto map VENDOR1-cryptomap-1 1 set peer 2.2.2.2
#crypto map VENDOR1-cryptomap-1 1 set ikev2 ipsec-proposal VENDOR1-PROPOSAL-1

7. Bypass NAT
#object network MY-LAN-NETWORK-1
#subnet 172.16.1.0 255.255.255.0
#object network VENDOR1-LAN-NETWORK-1
#subnet 172.16.8.0 255.255.255.0
#exit
#nat (inside,outside1) source static MY-LAN-NETWORK-1 MY-LAN-NETWORK-1 destination static VENDOR1-LAN-NETWORK-1 VENDOR1-LAN-NETWORK-1

8. Configure Internal Group Policy & attributes.
#group-policy 2.2.2.2 internal
#group-policy 2.2.2.2 attributes
#vpn-tunnel-protocol ikev2
#pfs enable
---&&&&&&&&&---

%ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 1.1.1.1-1.1.1.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 224.0.0.10-224.0.0.10 Protocol: 0 Port Range: 0-65535

%ASA-5-750001: Local:1.1.1.1:500 Remote:2.2.2.2:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 1.1.1.1-1.1.1.1 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 3.3.3.3-3.3.3.3 Protocol: 0 Port Range: 0-65535

%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = VENDOR1-cryptomap-1. Map Sequence Number = 1.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified.
%ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = VENDOR1-cryptomap-1. Map Sequence Number = 1.
%ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= VENDOR1-cryptomap-1. Map Sequence Number = 1.
---&&&&&&&&&---

QUESTIONS:
1. "%ASA-4-752011: IKEv1 Doesn't have a transform set specified." -My config only has IKEv2. Why is this referring to IKEv1?

2. "All configured IKE versions failed to establish the tunnel." - there exist not only my specific and verified...
"crypto ikev2 policy 100
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400"
... but also about ten other preceding IKE policies. Does this symptom mean the remote peer IKE config doesn't match?

3. "remote traffic selector = Address Range: 3.3.3.3-3.3.3.3" I don't recognize public IP 3.3.3.3. This IP is not in "show run | inc 3.3.3.3" From where might originate this injection of data "3.3.3.3"?