Point to Point VPN connection

Shaun McCloud
Level 1

OK, after we had this working, my remote site changed hardware and IP address. We have gotten the tunnel back up, but site B cannot ping the inside of site A. Am I missing something?

6 Replies

Shaun McCloud
Level 1

This was poorly posted.

More details and maybe someone could help.

I have established a Site to Site connection between two 5520 ASAs. We got the tunnel up, but we cannot ping from either side to the other.

The purpose of this link is for all traffic from site B to go through to site A. I have been stumped and was hoping someone could give me a bit of help on this.

We had the site working, but my remote site changed the hardware they had and now it's not working again. The part that drives me the most batty is that it was working before the hardware change, and now I can't seem to see what is broken.

Thanks

Hello Shaun,

I was just going through the config of site A and site B and found out that there are a lot of things which you have to work on.

1) The transform sets on both sites are showing different; they are not matching. Try to change both to the same transform set.

in site A you have used

crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac

crypto map vpn-map 35 match address A2B

crypto map vpn-map 35 set peer 84.194.24.89

crypto map vpn-map 35 set transform-set sA2sB

in site B you have used

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map Outside_map2 1 match address sA2sB

crypto map Outside_map2 1 set peer 182.166.60.6

crypto map Outside_map2 1 set transform-set ESP-AES-256-SHA

-----------------------------------------------------------------------------------------------------

check site A

inside interface IP address

10.4.253.66 255.255.255.252

Otherwise, what we can suggest is that you create a new site to site tunnel between the firewalls. Please follow the checklist below:

crypto map outside_map (Order number) match address outside_cryptomap_20

crypto map outside_map (Order number) set peer x.x.x.x

crypto map outside_map (Order number) set transform-set (Eg:ESP-3DES-MD5)

Use the transform set correctly on both firewalls.

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X ipsec-attributes

pre-shared-key *************

access-list outside_cryptomap_20 extended permit ip (Inside IP) X.X.X.X (outside ip) X.X.X.X

access-list inside_nat0_outbound extended permit ip (Inside IP) X.X.X.X object-(outside ip) X.X.X.X

nat (inside) 0 access-list inside_nat0_outbound (this statement, the no-NAT statement, would already be there in the firewall)

and now your tunnel should be working.

Checking commands:

sh cry isa sa

sh cry ipsec sa

Please let us know if this is working for you.

Please give the output of the below two commands:

sh cry ipsec sa

sh cry isa sa

Please correct me if I am wrong, but these match:

crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Isn't the basic format:

crypto ipsec transform-set NAME types

Do the names really have to match or aren't they names that are unique to each router?

Yes, you are right, the transform set is matching. I checked the config once again. It was confusing because it had lots of transform sets.

The transform set name can be anything; it need not be the same on both devices.
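As an added example (not code from this thread or from Cisco), the following Python checker parses the crypto map, transform-set and crypto ACL lines from both sides and reports the two things that actually have to agree for the checklist above: the transform-set algorithms (not their names, as the thread concludes) and mirrored crypto ACLs. The peer addresses and object names are the ones quoted in the thread; site B's inside network 192.168.50.0/24 is a constructed value.

```python
import re

# Constructed sample configs modelled on the thread: different transform-set
# names on each side, identical algorithms, mirrored crypto ACLs.
# 192.168.50.0/24 for site B is an assumed value, not from the thread.
SITE_A = """
access-list A2B extended permit ip 10.4.253.64 255.255.255.252 192.168.50.0 255.255.255.0
crypto ipsec transform-set sA2sB esp-aes-256 esp-sha-hmac
crypto map vpn-map 35 match address A2B
crypto map vpn-map 35 set peer 84.194.24.89
crypto map vpn-map 35 set transform-set sA2sB
"""
SITE_B = """
access-list sA2sB extended permit ip 192.168.50.0 255.255.255.0 10.4.253.64 255.255.255.252
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map2 1 match address sA2sB
crypto map Outside_map2 1 set peer 182.166.60.6
crypto map Outside_map2 1 set transform-set ESP-AES-256-SHA
"""


def parse(config):
    """Return (transform_sets, acls, crypto_map_entries) from an ASA config fragment."""
    ts, acls, maps = {}, {}, {}
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            ts[m[1]] = tuple(sorted(m[2].split()))          # algorithms, name-independent
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))   # (source, destination)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    return ts, acls, maps


def check_tunnel(cfg_a, cfg_b):
    """Compare the first crypto map entry on each side; return a list of problems."""
    ts_a, acl_a, maps_a = parse(cfg_a)
    ts_b, acl_b, maps_b = parse(cfg_b)
    entry_a, entry_b = next(iter(maps_a.values())), next(iter(maps_b.values()))
    problems = []
    # Algorithms must agree; the transform-set *names* are local and may differ.
    if ts_a[entry_a["set transform-set"]] != ts_b[entry_b["set transform-set"]]:
        problems.append("transform-set algorithms differ")
    # B's crypto ACL must be the mirror image of A's (source and destination swapped).
    mirrored = [(dst, src) for src, dst in acl_a[entry_a["match address"]]]
    if sorted(mirrored) != sorted(acl_b[entry_b["match address"]]):
        problems.append("crypto ACLs are not mirror images")
    return problems


if __name__ == "__main__":
    print(check_tunnel(SITE_A, SITE_B) or "no mismatches found")
```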