
Site-to-Site VPN config not working

martino-cisco (Level 1)

Hi there,

I've just attempted to configure a test site-to-site VPN. A diagram of the arrangement is attached. Router R2 is supposed to act as the 'Internet', just to allow connectivity between both networks.

My VPN configs on ASA1 and ASA2 are below:

ASA1

access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map interface outside

 

ASA2

access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0


crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400 

tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map interface outside

 

I can ping from ASA1 to ASA2, but when I try to test the VPN from one PC to the other, I get nothing.

I tried some show commands and they came out absolutely blank, as if I had configured nothing:

sh crypto isakmp sa detail

There are no IKEv1 SAs

There are no IKEv2 SAs

 

sh crypto ipsec sa

There are no ipsec sas

 

Anyone have any ideas?
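Added example (not from the thread or from Cisco): a small Python checker that parses the IKEv1 pieces of both ASA configs and reports the mismatches that leave `show crypto isakmp sa` empty: a non-contiguous mask in the crypto ACL, an ACL that is not the mirror of the peer's, a `set peer` that is not the other side's outside address, a missing ipsec-l2l tunnel-group, no common IKEv1 policy, or differing transform-sets. The two embedded configs are constructed from the ones posted above, with one mask deliberately mistyped as 255.225.255.0.

```python
import ipaddress

# Constructed sample configs trimmed from the ones posted in this thread (example code,
# not Cisco's); one mask in ASA1 is deliberately mistyped as 255.225.255.0.
ASA1 = """\
nameif outside
ip address 12.12.12.2 255.255.255.0
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.225.255.0
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
tunnel-group 11.11.11.2 type ipsec-l2l
"""
ASA2 = """\
nameif outside
ip address 11.11.11.2 255.255.255.0
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
tunnel-group 12.12.12.2 type ipsec-l2l
"""

def parse(cfg):
    """Pull out the fields an IKEv1 L2L tunnel on the ASA depends on."""
    c = {"acl": [], "policies": [], "tsets": {}, "tgroups": set(),
         "outside": None, "peer": None, "transform-set": None}
    nameif = pol = None
    for w in (l.split() for l in cfg.splitlines() if l.strip()):
        if w[0] == "nameif":
            nameif = w[1]
        elif w[:2] == ["ip", "address"] and nameif == "outside":
            c["outside"] = w[2]
        elif w[0] == "access-list" and "permit" in w:
            c["acl"].append((w[1],) + tuple(w[-4:]))  # name, src, smask, dst, dmask
        elif w[:3] == ["crypto", "ikev1", "policy"]:
            c["policies"].append(pol := {})
        elif pol is not None and w[0] in ("encryption", "hash", "group"):
            pol[w[0]] = w[1]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            c["tsets"][w[4]] = tuple(w[5:])
        elif w[:2] == ["crypto", "map"] and w[-2] in ("peer", "transform-set"):
            c[w[-2]] = w[-1]
        elif w[0] == "tunnel-group" and "ipsec-l2l" in w:
            c["tgroups"].add(w[1])
    return c

def valid_mask(mask):
    """True for a contiguous netmask; 255.225.255.0 is not one."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    return inv & (inv + 1) == 0

def check_pair(a, b):
    """Return the mismatches that would keep the tunnel from coming up (empty == OK)."""
    issues = []
    for side, c in (("A", a), ("B", b)):
        issues += [f"{side}: bad mask {m} in access-list {e[0]}"
                   for e in c["acl"] for m in (e[2], e[4]) if not valid_mask(m)]
        if c["peer"] not in c["tgroups"]:
            issues.append(f"{side}: no ipsec-l2l tunnel-group for peer {c['peer']}")
    mirror = {(d, dm, s, sm) for _, s, sm, d, dm in b["acl"]}
    issues += [f"A: ACL entry {e[1:]} has no mirror on B" for e in a["acl"] if e[1:] not in mirror]
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("set peer does not match the other side's outside address")
    if not any(p in b["policies"] for p in a["policies"]):
        issues.append("no common IKEv1 policy (encryption/hash/group)")
    if a["tsets"].get(a["transform-set"]) != b["tsets"].get(b["transform-set"]):
        issues.append("transform-set proposals differ")
    return issues
```

To use it on real `show run` output, replace the two strings; the checker reads only the fields it names and ignores everything else.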

Accepted Solution

 

Hi Martin,

Your configs are absolutely right. I tested your scenario; it's working super fine. Below are the configs and outputs.
Follow what I mentioned in the previous note.


--------------------

ASA1

ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 11.11.11.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA1(config)#
---------------------

ASA2(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 12.12.12.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)#

-------------------------
OUTPUTS:

*********************

ASA1(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.11.11.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


---------------------

ASA1(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 12.12.12.2

      access-list vpn permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      current_peer: 11.11.11.2

      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.12.2, remote crypto endpt.: 11.11.11.2

------------------------
ASA2(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.12.12.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


------------------------

ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 11.11.11.2

      access-list vpn permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 12.12.12.2

      #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 49, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.11.11.2, remote crypto endpt.: 12.12.12.2
-------------------------
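Added example (not from the thread or from Cisco) that turns the two outputs above into a triage decision: it parses `show crypto isakmp sa` and `show crypto ipsec sa`, distinguishes "no IKE SA at all" (the symptom in the first post) from a phase 1 or phase 2 mismatch, and reads the encaps/decaps counters to tell which direction is failing. The sample output is constructed from the ASA2 output above with the decaps counters zeroed.

```python
import re

# Constructed sample built from the ASA2 output posted above, with the decaps counters
# zeroed to model the "other site receives nothing" symptom (example data, not a capture).
IPSEC_SA = """\
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 11.11.11.2

      access-list vpn permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 12.12.12.2

      #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
ISAKMP_SA = """\
1   IKE Peer: 12.12.12.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

def parse_isakmp_sa(text):
    """[(peer, role, state)] from 'show crypto isakmp sa'; [] when the ASA only
    prints 'There are no IKEv1 SAs', i.e. phase 1 was never attempted."""
    return re.findall(r"IKE Peer: (\S+)\s+Type\s*:\s*\S+\s+Role\s*:\s*(\S+)"
                      r"\s+Rekey\s*:\s*\S+\s+State\s*:\s*(\S+)", text)

def parse_ipsec_sa(text):
    """One dict per crypto-map entry in 'show crypto ipsec sa' ([] if none)."""
    sas = []
    for chunk in re.split(r"(?m)^(?=\s*Crypto map tag:)", text):
        if "Crypto map tag:" not in chunk:
            continue
        sa = {"peer": re.search(r"current_peer: (\S+)", chunk)[1]}
        for key in ("local ident", "remote ident"):
            sa[key] = re.search(rf"{key} .*?: \((.*?)\)", chunk)[1]
        for key in ("encaps", "decaps"):
            sa[key] = int(re.search(rf"#pkts {key}: (\d+)", chunk)[1])
        errs = re.search(r"#send errors: (\d+), #recv errors: (\d+)", chunk)
        sa["send_err"], sa["recv_err"] = int(errs[1]), int(errs[2])
        sas.append(sa)
    return sas

def diagnose(ike, sas):
    """Map the two outputs to the next thing to check, in the order the thread did."""
    if not ike:
        return ["no IKE SA at all: interesting traffic never reached the crypto map "
                "(crypto ACL, host default routes, reachability of the peer address)"]
    if any(state != "MM_ACTIVE" for _, _, state in ike):
        return ["IKE SA not MM_ACTIVE: phase 1 mismatch (policy, pre-shared key, tunnel-group name)"]
    if not sas:
        return ["phase 1 up but no IPsec SA: phase 2 mismatch (transform-set, non-mirrored crypto ACL)"]
    verdicts = []
    for sa in sas:
        if sa["encaps"] and not sa["decaps"]:
            v = "sending but nothing returns: check far-side crypto ACL, NAT exemption and return route"
        elif sa["decaps"] and not sa["encaps"]:
            v = "receiving but not replying: check local NAT exemption and inside route to the remote subnet"
        elif sa["send_err"] or sa["recv_err"]:
            v = "errors on the SA: check MTU/fragmentation and proposal/lifetime mismatch"
        else:
            v = "healthy"
        verdicts.append(f"{sa['local ident']} <-> {sa['remote ident']} via {sa['peer']}: {v}")
    return verdicts
```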


6 Replies

Hi,

Did you apply nat exemption, if not please try to apply it:

On ASA1:

object network lan1
 subnet 10.10.10.0 255.255.255.0

object network lan2
 subnet 172.16.10.0 255.255.255.0

nat (inside,outside) source static lan1 lan1 destination static lan2 lan2

On ASA2:

object network lan1
 subnet 10.10.10.0 255.255.255.0

object network lan2
 subnet 172.16.10.0 255.255.255.0

nat (inside,outside) source static lan2 lan2 destination static lan1 lan1

If that did not work, please check whether you can ping the router interface 11.11.11.x from a PC 10.10.10.x behind ASA1; if not, check whether ICMP inspection is set:

policy-map global_policy
 class inspection_default
  inspect icmp

If neither fixes the issue, please post your sanitized configs of both ASAs.
 

Regards,

Aref

Hi Aref,

Tried adding NAT exemption. Still no luck. Please see configs below:

ASA1

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network lan1
 subnet 10.10.10.0 255.255.255.0
object network lan2
 subnet 172.16.10.0 255.255.255.0
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan1 lan1 destination static lan2 lan2
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d46e1cbbe7aa39426950c6f4fda3613e
: end
ciscoasa# sh run | i nat
nat (inside,outside) source static lan1 lan1 destination static lan2 lan2
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http

 

ASA2

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network lan1
 subnet 10.10.10.0 255.255.255.0
object network lan2
 subnet 172.16.10.0 255.255.255.0
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan2 lan2 destination static lan1 lan1
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:63dead7f8be3208d2f32cd25d2cc02a1
: end

Hi Martin,

 

Your VPN configs seem right. Do not use NAT commands. Just make sure that both hosts have a default route or a static route to their security gateways.

After configuring the ASAs, initiate traffic from one host to the other. After initiating it, check on the ASA whether the tunnel is set up or not.

 


martino-cisco (Level 1)

Thanks for the update Deepak. At least I know the config is correct. I'll do a final check on it

Hello Martin

 

We have the same problem, but I can only ping from one site; the other doesn't receive or send any traffic. I have checked my configuration against yours and it's the same, but I have that problem.

If you resolve this, please let me know.

 

Thanks in advance.