SITE TO SITE VPN

Rohit Mangotra
Level 1

Hi,

I am trying to set up a site-to-site VPN and I am not able to establish a connection. Could anyone see what is wrong with the code below? Thanks in advance.

On ASA 5525x 8.6

================

nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static theremote theremote no-proxy-arp route-lookup
access-list VPN2ASA extended permit ip object-group inside-subnet-source object theremote
route outside 192.168.210.32 255.255.255.224 200.180.60.65
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1
crypto map ASA-REMOTE 10 match address VPN2ASA
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto map ASA-REMOTE 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA-REMOTE interface outside
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456789
 ikev2 local-authentication pre-shared-key 123456789

On our 887va router

=========================

crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL
crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 202.189.68.66
  pre-shared-key local 123456789
  pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
 match identity remote address 200.180.60.66 255.255.255.255
 identity local address 200.80.180.20
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
controller VDSL 0
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map REMOTE-ASA 10 ipsec-isakmp
 set peer 200.180.60.66
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address VPN-ACL
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
interface ATM0.1 point-to-point
 description ****PPoE WAN interface Link****
 pvc 8/35
  pppoe-client dial-pool-number 1
interface Vlan1
 ip address 192.168.210.33 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxx
 ppp chap password xxxxxxxx
 crypto map REMOTE-ASA
ip nat inside source list nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended VPN-ACL
 permit ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
 permit ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
ip access-list extended nonat
 deny   ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
 deny   ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
 permit ip 192.168.210.32 0.0.0.31 any

Testing result

===============

********** On the ASA firewall

ciscoasa# sh crypto ipsec sa
There are no ipsec sas

ciscoasa# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs

************On the 887va router

=========================

Remote#sh crypto ipsec sa
interface: Dialer1
    Crypto map tag: REMOTE-ASA, local addr 200.80.180.20

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.210.32/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 200.180.60.66 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.80.180.20, remote crypto endpt.: 200.180.60.6
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Remote#sh crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address

Remote#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
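As an added example that is not part of this thread and not a Cisco tool, the following Python script cross-references the IKEv2 settings from the two configurations posted above (reproduced here as constructed strings, with the router's block indentation restored) and reports any crypto-map peer, IKEv2 identity, tunnel-group or pre-shared-key value that does not line up between the two ends. The two parsers are keyword heuristics written for exactly the commands shown in the post, not a general ASA/IOS configuration parser, and the check list is my own choice of the cross-references an engineer would verify first. Run against the posted configuration it reports a single inconsistency: the keyring VPN-KEYS carries peer address 202.189.68.66 while the crypto map and IKEv2 profile on the same router refer to 200.180.60.66, so that keyring entry would not be selected for the configured peer; whether anything else is in play is for the poster to confirm on the devices.

```python
import re

# Constructed sample input: the relevant lines of the two configurations as
# posted in the thread (router indentation restored, values otherwise verbatim).
ASA_CONFIG = """\
crypto map ASA-REMOTE 10 match address VPN2ASA
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto map ASA-REMOTE 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA-REMOTE interface outside
crypto ikev2 enable outside
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456789
 ikev2 local-authentication pre-shared-key 123456789
"""

IOS_CONFIG = """\
crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 202.189.68.66
  pre-shared-key local 123456789
  pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
 match identity remote address 200.180.60.66 255.255.255.255
 identity local address 200.80.180.20
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
crypto map REMOTE-ASA 10 ipsec-isakmp
 set peer 200.180.60.66
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA-DC
 match address VPN-ACL
"""


def parse_asa(text):
    """Collect crypto-map peers, ipsec-l2l tunnel-group names and IKEv2 PSKs from
    an ASA config. Leading whitespace is ignored, so a flattened paste parses too."""
    facts = {"peers": set(), "tunnel_groups": set(), "psk_local": None, "psk_remote": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            facts["peers"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            facts["tunnel_groups"].add(m.group(1))
        elif m := re.match(r"ikev2 (local|remote)-authentication pre-shared-key (\S+)", line):
            facts["psk_" + m.group(1)] = m.group(2)
    return facts


def parse_ios(text):
    """Collect keyring peer addresses, profile identities, crypto-map peers and PSKs
    from an IOS config. Block membership is tracked by the top-level keyword rather
    than by indentation, so the flattened paste in the thread works as well."""
    facts = {"keyring_addrs": set(), "match_remote": set(), "identity_local": None,
             "map_peers": set(), "psk_local": None, "psk_remote": None}
    ctx = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "!":
            continue
        if line.startswith("crypto ikev2 keyring "):
            ctx = "keyring"
        elif line.startswith("crypto ikev2 profile "):
            ctx = "profile"
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            ctx = "map"
        elif line.startswith(("crypto ", "interface ", "ip ", "controller ")):
            ctx = None  # some other top-level block this checker does not inspect
        elif ctx == "keyring":
            if m := re.match(r"address (\S+)", line):
                facts["keyring_addrs"].add(m.group(1))
            elif m := re.match(r"pre-shared-key (local|remote) (\S+)", line):
                facts["psk_" + m.group(1)] = m.group(2)
        elif ctx == "profile":
            if m := re.match(r"match identity remote address (\S+)", line):
                facts["match_remote"].add(m.group(1))
            elif m := re.match(r"identity local address (\S+)", line):
                facts["identity_local"] = m.group(1)
        elif ctx == "map":
            if m := re.match(r"set peer (\S+)", line):
                facts["map_peers"].add(m.group(1))
    return facts


def check_pair(asa, ios):
    """Cross-reference both ends; returns a list of findings (empty when consistent)."""
    findings = []
    for p in asa["peers"]:
        if p != ios["identity_local"]:
            findings.append(f"ASA peer {p} is not the router's IKEv2 local identity {ios['identity_local']}")
        if p not in asa["tunnel_groups"]:
            findings.append(f"ASA has no ipsec-l2l tunnel-group named {p}")
    for p in ios["map_peers"]:
        if p not in ios["keyring_addrs"]:
            findings.append(f"IOS keyring has no entry for crypto-map peer {p} "
                            f"(keyring addresses: {sorted(ios['keyring_addrs'])})")
        if p not in ios["match_remote"]:
            findings.append(f"IOS IKEv2 profile does not match remote identity {p}")
    # PSKs must cross-match: the ASA's local key is the router's remote key and vice versa.
    if asa["psk_local"] != ios["psk_remote"] or asa["psk_remote"] != ios["psk_local"]:
        findings.append("pre-shared keys do not cross-match between the two ends")
    return findings


if __name__ == "__main__":
    for f in check_pair(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG)) or ["no inconsistencies found"]:
        print("-", f)
```

Paste each device's `show running-config` into the two strings (or read them from files) to rerun the check after a change; an empty result means only that these particular cross-references agree, not that Phase 1 will succeed.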


Poonam Garg
Level 3

Hello Rohit,

Check whether the VPN-3DES-AES license is enabled on the ASA using the show version command, as you are using AES as your encryption algorithm.

Hi Poonam,

Thanks for your reply. Yes, the licenses are enabled on the ASA.

VPN-DES                              : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual

Thank You,

Kind Regards

Rohit
