cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1547
Views
0
Helpful
6
Replies

Site-to-Site VPN config not working

martino-cisco
Level 1
Level 1

Hi there,

I've just attempted to configure a test site to site VPN. Diagram of arrangement is attached. Router R2 is supposed to act like the 'Internet' just to allow connectivity between both networks.

My VPN configs on ASA1 and ASA2 are below:

ASA1

access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.225.255.0

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map interface outside

 

ASA2

access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.225.255.0


crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400 

tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set transform-set AES-SHA
crypto map outside_map interface outside

 

I can ping from ASA1 to ASA2, but when I try to test the VPN by trying from one PC to the other, I get nothing.

I tried some show commands and they came out absolutely blank...like I configured nothing:

sh crypto isakmp sa detail

There are no IKEv1 SAs

There are no IKEv2 SAs

 

sh crypto ipsec sa

There are no ipsec sas

 

Any one have any ideas?

1 Accepted Solution

Accepted Solutions

 

Hi martin,

Your configs are absolutely right. I tested your scenario, its working super fine. Below are the configs & outputs.
What i mentioned in previous note follow this.


--------------------

ASA1

ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 11.11.11.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA1(config)#
---------------------

ASA2(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 12.12.12.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)#

 

 

 

 

 

 

 

-------------------------
OUTPUTS:

*********************

ASA1(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.11.11.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


---------------------

ASA1(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 12.12.12.2

      access-list vpn permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      current_peer: 11.11.11.2

      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.12.2, remote crypto endpt.: 11.11.11.2

------------------------
ASA2(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.12.12.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


------------------------

ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 11.11.11.2

      access-list vpn permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 12.12.12.2

      #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 49, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.11.11.2, remote crypto endpt.: 12.12.12.2
-------------------------

View solution in original post

6 Replies 6

Hi,

Did you apply nat exemption, if not please try to apply it:

On ASA1:

nat (inside,outside) source static lan1 lan1 destination static lan2 lan2

object network lan1
 subnet 10.10.10.0 255.255.255.0

object network lan2
 subnet 172.16.10.0 255.255.255.0

On ASA2:

nat (inside,outside) source static lan2 lan2 destination static lan1 lan1

object network lan1
 subnet 10.10.10.0 255.255.255.0

object network lan2
 subnet 172.16.10.0 255.255.255.0

If it did not work with that, please try if you can ping the router interface 11.11.11.x from pc 10.10.10.x behind the ASA1, if not try to check if the icmp inspection is set:

policy-map global_policy
 class inspection_default
  inspect icmp

If neither fixes the issue, please post your sanitized configs of both ASAs.
 

Regards,

Aref

Hi Aref,

Tried adding NAT exemption. Still no luck. Please see configs below:

 

 

ASA1

ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network lan1
 subnet 10.10.10.0 255.255.255.0
object network lan2
 subnet 172.16.10.0 255.255.255.0
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan1 lan1 destination static lan2 lan2
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 11.11.11.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:d46e1cbbe7aa39426950c6f4fda3613e
: end
ciscoasa# sh run | i nat
nat (inside,outside) source static lan1 lan1 destination static lan2 lan2
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http

 

ASA2

 

 


ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network lan1
 subnet 10.10.10.0 255.255.255.0
object network lan2
 subnet 172.16.10.0 255.255.255.0
access-list outside_cryptomap_1 remark Encrypt VPN traffic
access-list outside_cryptomap_1 extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static lan2 lan2 destination static lan1 lan1
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 12.12.12.2
crypto map outside_map 1 set ikev1 transform-set AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:63dead7f8be3208d2f32cd25d2cc02a1
: end

Hi Martin,

 

Your VPN configs seems right. Do not use nat commands. Just make sure that both the host has default route or static route to their security gateways.

After config ASAs, initiate traffic from 1 host to another host. And after initiation then check on ASA whether tunnel is setup or not.

 

Hi martin,

Your configs are absolutely right. I tested your scenario, its working super fine. Below are the configs & outputs.
What i mentioned in previous note follow this.


--------------------

ASA1

ASA1(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 12.12.12.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 12.12.12.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 11.11.11.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 11.11.11.2 type ipsec-l2l
tunnel-group 11.11.11.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA1(config)#
---------------------

ASA2(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASA2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 11.11.11.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list vpn extended permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 11.11.11.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map cmap 1 match address vpn
crypto map cmap 1 set peer 12.12.12.2
crypto map cmap 1 set transform-set tset
crypto map cmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
!
tunnel-group 12.12.12.2 type ipsec-l2l
tunnel-group 12.12.12.2 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA2(config)#

 

 

 

 

 

 

 

-------------------------
OUTPUTS:

*********************

ASA1(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.11.11.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


---------------------

ASA1(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 12.12.12.2

      access-list vpn permit ip 10.10.10.0 255.255.255.0 172.16.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      current_peer: 11.11.11.2

      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 49, #pkts decrypt: 49, #pkts verify: 49
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 50, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.12.12.2, remote crypto endpt.: 11.11.11.2

------------------------
ASA2(config)# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.12.12.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


------------------------

ASA2(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: cmap, seq num: 1, local addr: 11.11.11.2

      access-list vpn permit ip 172.16.10.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 12.12.12.2

      #pkts encaps: 49, #pkts encrypt: 49, #pkts digest: 49
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 49, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.11.11.2, remote crypto endpt.: 12.12.12.2
-------------------------

martino-cisco
Level 1
Level 1

Thanks for the update Deepak. At least I know the config is correct. I'll do a final check on it

Hello Martin

 

We have the same problem, but I just can do ping from one site, the other doesn't recive or send any traffic, I have check my configuration with yours its the same but I have that problem.

If you resolve this please let me know

 

Thanks in advance.