4318 Views, 0 Helpful, 7 Replies

Site to Site IKEv2 VPN between ASA and Barracuda Firewall

obarhar (Level 1)

Hello,

I need help to set up a S2S VPN tunnel using IKEv2 between an ASA and a Barracuda firewall. Please find the Barracuda configuration attached below. This is my config on the ASA, which is not working:


!
crypto ikev2 policy 60
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable WAN1
!
object network OBJ_CompA
subnet 10.20.1.0 255.255.255.0
object network OBJ_CompB
subnet 10.68.1.0 255.255.255.0
!
access-list S2S_VPN_tunnel extended permit ip object OBJ_CompA object OBJ_CompB
nat (inside,outside) source static OBJ_CompA OBJ_CompA destination static OBJ_CompB OBJ_CompB no-proxy-arp route-lookup
!
tunnel-group 99.99.99.99 type ipsec-l2l
tunnel-group 99.99.99.99 ipsec-attributes
ikev2 remote-authentication pre-shared-key *********
ikev2 local-authentication pre-shared-key *********
!
crypto ipsec ikev2 ipsec-proposal VPN_TRANSFORM_Ph2
protocol esp encryption aes-256
protocol esp integrity sha-256
!
crypto map outside_map 60 match address S2S_VPN_tunnel
crypto map outside_map 60 set peer 99.99.99.99
crypto map outside_map 60 set ikev2 ipsec-proposal VPN_TRANSFORM_Ph2
crypto map outside_map 60 interface outside
!

7 Replies

balaji.bandi (Hall of Fame)

Not sure (we missed some attachment of the Barracuda FW config).

Here is the Barracuda document:

 

https://campus.barracuda.com/product/cloudgenfirewall/doc/53248930/how-to-configure-a-site-to-site-ipsec-ikev2-vpn-tunnel/


Post the debug output:

#debug cry condition peer <peerip>

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

obarhar (Level 1)

Please find the Barracuda IKEv2 config below in my reply. This is the only information I received from the company that uses the Barracuda FW.

Attachment: Barracuda_FW_config.jpeg

You have Group 5 configured in your Barracuda configuration, but Group 19 configured on your ASA. They need to match.

Sorry, it's a mistake in the pasted config; Group 5 is configured on the ASA FW conf.

After changing to Group 5, is it all working? If not, please post the debug as suggested in the other post so we can help you.

BB


You also do not have all of the subnets defined in the crypto ACL "S2S_VPN_tunnel": you are missing the 10.17.4.0/24 network, so you will need to amend the ACL to include it.

The tunnel will only come up once you generate traffic from either of your networks defined in the ACL, so from a device in those networks ping a device on the remote end. If that fails, as suggested, please provide a debug.

Debug commands:
"debug crypto condition peer X.X.X.X" < this is the remote peer IP address
"debug crypto ikev1 100"

Please upload the output here for review.
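As an added example (not from the thread, Cisco or Barracuda), the following Python script applies the two mismatches raised in the replies, the DH group and the crypto ACL coverage, to the ASA configuration as posted, and adds one consistency check the thread does not mention: whether IKEv2 is enabled on the same interface the crypto map is applied to. The peer-side values (DH group 5; remote subnets 10.68.1.0/24 and 10.17.4.0/24) are taken from the replies; the Barracuda's encryption and integrity settings are not on the page, so they are not checked. The "fixed" configuration at the end is constructed here for illustration and is not the OP's final config.

```python
import ipaddress
import re

# ASA configuration as posted in the thread (tunnel-group and PSK lines
# omitted; they do not affect the checks below).
ASA_CONFIG = """
crypto ikev2 policy 60
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable WAN1
object network OBJ_CompA
subnet 10.20.1.0 255.255.255.0
object network OBJ_CompB
subnet 10.68.1.0 255.255.255.0
access-list S2S_VPN_tunnel extended permit ip object OBJ_CompA object OBJ_CompB
nat (inside,outside) source static OBJ_CompA OBJ_CompA destination static OBJ_CompB OBJ_CompB no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal VPN_TRANSFORM_Ph2
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto map outside_map 60 match address S2S_VPN_tunnel
crypto map outside_map 60 set peer 99.99.99.99
crypto map outside_map 60 set ikev2 ipsec-proposal VPN_TRANSFORM_Ph2
crypto map outside_map 60 interface outside
"""

# Peer-side facts as stated in the replies: the Barracuda uses DH group 5 and
# has 10.17.4.0/24 behind it in addition to 10.68.1.0/24.
PEER_DH_GROUP = 5
REMOTE_SUBNETS = ["10.68.1.0/24", "10.17.4.0/24"]

# Constructed "after" configuration: the two fixes from the replies, plus IKEv2
# enabled on the interface that actually carries the crypto map.
FIXED_CONFIG = (
    ASA_CONFIG.replace("group 19", "group 5")
    .replace("crypto ikev2 enable WAN1", "crypto ikev2 enable outside")
    + "object network OBJ_CompC\nsubnet 10.17.4.0 255.255.255.0\n"
    + "access-list S2S_VPN_tunnel extended permit ip object OBJ_CompA object OBJ_CompC\n"
)


def parse_objects(cfg):
    """Map each 'object network NAME' to its subnet as an ip_network."""
    objects, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)", line)
        if m and current:
            # ipaddress accepts "address/netmask" notation directly
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objects


def parse_ikev2_groups(cfg):
    """Return the DH groups offered under 'crypto ikev2 policy' stanzas."""
    groups, in_policy = set(), False
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("crypto ikev2 policy"):
            in_policy = True
        elif in_policy and line.startswith("group "):
            groups.update(int(g) for g in line.split()[1:])
        elif in_policy and line.startswith("crypto "):
            in_policy = False  # next top-level crypto command ends the stanza
    return groups


def parse_crypto_acl(cfg, acl_name, objects):
    """Return (src, dst) network pairs permitted by the named crypto ACL."""
    pat = re.compile(rf"access-list {re.escape(acl_name)} extended permit ip object (\S+) object (\S+)")
    pairs = []
    for line in cfg.splitlines():
        m = pat.match(line.strip())
        if m:
            pairs.append((objects[m.group(1)], objects[m.group(2)]))
    return pairs


def parse_interfaces(cfg):
    """Return (interfaces with IKEv2 enabled, interfaces with a crypto map)."""
    enabled, mapped = set(), set()
    for line in cfg.splitlines():
        parts = line.strip().split()
        if parts[:3] == ["crypto", "ikev2", "enable"]:
            enabled.add(parts[3])
        elif parts[:2] == ["crypto", "map"] and "interface" in parts:
            mapped.add(parts[parts.index("interface") + 1])
    return enabled, mapped


def check_config(cfg, peer_group, remote_subnets, acl_name="S2S_VPN_tunnel"):
    """Return a list of human-readable findings; an empty list means no mismatch found."""
    findings = []
    groups = parse_ikev2_groups(cfg)
    if peer_group not in groups:
        findings.append(f"DH group mismatch: ASA policy offers {sorted(groups)}, peer uses {peer_group}")
    covered = [dst for _, dst in parse_crypto_acl(cfg, acl_name, parse_objects(cfg))]
    for subnet in remote_subnets:
        net = ipaddress.ip_network(subnet)
        if not any(net.subnet_of(c) for c in covered):
            findings.append(f"crypto ACL {acl_name} has no entry covering remote subnet {subnet}")
    enabled, mapped = parse_interfaces(cfg)
    for iface in sorted(mapped - enabled):
        findings.append(f"crypto map applied to '{iface}' but IKEv2 is not enabled there (enabled on {sorted(enabled)})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", ASA_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_config(cfg, PEER_DH_GROUP, REMOTE_SUBNETS) or 'no mismatches found'}")
```

Run against the posted config it reports three findings (group 19 vs 5, no ACL entry for 10.17.4.0/24, crypto map on "outside" while IKEv2 is enabled on "WAN1"); against the constructed fixed config it reports none. Checks like these catch the Phase 1 and crypto ACL mismatches before a debug session, but they cannot see the peer's side, so the debug output the replies ask for remains the authoritative source once the obvious differences are gone.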