02-19-2014 01:25 AM
Hi,
I am trying to set up a site-to-site VPN and I am not able to establish a connection. Could anyone see what is wrong with the code below? Thanks in advance.
On ASA 5525x 8.6
================
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static theremote theremote no-proxy-arp route-lookup
access-list VPN2ASA extended permit ip object-group inside-subnet-source object theremote
route outside 192.168.210.32 255.255.255.224 200.180.60.65
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1
crypto map ASA-REMOTE 10 match address VPN2ASA
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto map ASA-REMOTE 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA-REMOTE interface outside
crypto ikev2 policy 10
encryption aes-256 aes-192 aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456789
ikev2 local-authentication pre-shared-key 123456789
On our 887va router
=========================
crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2
crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL
crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 202.189.68.66
pre-shared-key local 123456789
pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
match identity remote address 200.180.60.66 255.255.255.255
identity local address 200.80.180.20
authentication remote pre-share
authentication local pre-share
keyring local VPN-KEYS
controller VDSL 0
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto map REMOTE-ASA 10 ipsec-isakmp
set peer 200.180.60.66
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address VPN-ACL
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description ****PPoE WAN interface Link****
pvc 8/35
pppoe-client dial-pool-number 1
interface Vlan1
ip address 192.168.210.33 255.255.255.224
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxx
ppp chap password xxxxxxxx
crypto map REMOTE-ASA
ip nat inside source list nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended VPN-ACL
permit ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
ip access-list extended nonat
deny ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
deny ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
permit ip 192.168.210.32 0.0.0.31 any
Testing result
===============
********** On the ASA firewall
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
ciscoasa# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
************On the 887va router
=========================
Remote#sh crypto ipsec sa
interface: Dialer1
Crypto map tag: REMOTE-ASA, local addr 200.80.180.20
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.210.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer 200.180.60.66 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.80.180.20, remote crypto endpt.: 200.180.60.6
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Remote#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
Remote#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
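Before touching either box, it helps to check the two fragments against each other mechanically: an IKEv2 site-to-site tunnel only comes up if the peer address each side dials, the address each side expects to see, and the pre-shared keys all agree. The script below is an added example and not part of the original post; it copies the relevant lines of the two configs into constructed strings, pulls out the peer, identity, PSK and DH-group values with simple regexes, and reports every pairing that disagrees. The ASA's own outside address is not in the post, so the router's set peer cannot be compared to it; everything else the check needs is on the page.

```python
"""Cross-check the ASA and 887VA IKEv2 fragments for peer/PSK/group agreement.

Added example, not the poster's code. The config text is constructed from the
fragments in the post; the parsing is deliberately minimal and only covers the
lines that decide whether IKE_AUTH can succeed.
"""
import re

# Constructed from the ASA fragment in the post (only the lines the check needs).
ASA_CONFIG = """
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 123456789
 ikev2 local-authentication pre-shared-key 123456789
"""

# Constructed from the 887VA fragment in the post.
IOS_CONFIG = """
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto ikev2 keyring VPN-KEYS
 peer ASA-DC
  address 202.189.68.66
  pre-shared-key local 123456789
  pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
 match identity remote address 200.180.60.66 255.255.255.255
 identity local address 200.80.180.20
crypto map REMOTE-ASA 10 ipsec-isakmp
 set peer 200.180.60.66
"""


def first(pattern, text):
    """Return the first capture group of `pattern` in `text`, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_asa(cfg):
    return {
        "peer": first(r"^crypto map \S+ \d+ set peer (\S+)", cfg),
        "psk_local": first(r"^\s*ikev2 local-authentication pre-shared-key (\S+)", cfg),
        "psk_remote": first(r"^\s*ikev2 remote-authentication pre-shared-key (\S+)", cfg),
        "group": first(r"^\s*group (\d+)", cfg),
    }


def parse_ios(cfg):
    return {
        "set_peer": first(r"^\s*set peer (\S+)", cfg),
        "keyring_peer": first(r"^\s*address (\S+)", cfg),
        "match_remote": first(r"^\s*match identity remote address (\S+)", cfg),
        "identity_local": first(r"^\s*identity local address (\S+)", cfg),
        "psk_local": first(r"^\s*pre-shared-key local (\S+)", cfg),
        "psk_remote": first(r"^\s*pre-shared-key remote (\S+)", cfg),
        "group": first(r"^\s*group (\d+)", cfg),
    }


def check(asa, ios):
    """Return a list of human-readable mismatches; empty means consistent."""
    findings = []
    # IOS looks up the PSK in the keyring entry whose address matches the peer
    # the crypto map dials; if those differ there is no key for that peer.
    if ios["keyring_peer"] != ios["set_peer"]:
        findings.append(
            f"IOS keyring peer address {ios['keyring_peer']} "
            f"differs from crypto map set peer {ios['set_peer']}"
        )
    # The identity the profile expects should be the peer it is dialling.
    if ios["match_remote"] != ios["set_peer"]:
        findings.append(
            f"IOS profile matches remote identity {ios['match_remote']} "
            f"but crypto map peer is {ios['set_peer']}"
        )
    # The ASA's peer must be the address the router presents as its identity.
    if asa["peer"] != ios["identity_local"]:
        findings.append(
            f"ASA peer {asa['peer']} differs from IOS local identity {ios['identity_local']}"
        )
    # PSKs are symmetric: each side's local key is the other side's remote key.
    if asa["psk_local"] != ios["psk_remote"] or asa["psk_remote"] != ios["psk_local"]:
        findings.append("pre-shared keys do not match between the two sides")
    if asa["group"] != ios["group"]:
        findings.append(f"IKEv2 DH group mismatch: ASA {asa['group']} vs IOS {ios['group']}")
    return findings


def run():
    return check(parse_asa(ASA_CONFIG), parse_ios(IOS_CONFIG))


if __name__ == "__main__":
    for line in run() or ["no mismatches found in the checked fields"]:
        print(line)
```

Run as-is it prints one line, pointing at the keyring entry whose address (202.189.68.66) is not the address the crypto map peers with (200.180.60.66); the PSKs, DH groups and the ASA-peer/router-identity pairing all agree. The same pattern extends to any pair of Cisco configs: swap the constructed strings for `show running-config` output and add regexes for the proposal and transform-set lines if you want algorithm agreement checked too.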
02-19-2014 04:46 AM
Hello Rohit,
Check whether the VPN-3DES-AES license is enabled on the ASA using the show version command, as you are using AES as your encryption algorithm.
02-19-2014 05:51 PM
Hi Poonam,
Thanks for your reply. Yes, the licenses are enabled on the ASA.
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Thank You,
Kind Regards
Rohit