02-19-2014 01:25 AM
Hi,
I am trying to set up a site-to-site VPN and I am not able to establish a connection. Could anyone see what is wrong with the code below? Thanks in advance.
On ASA 5525x 8.6
================
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static theremote theremote no-proxy-arp route-lookup
access-list VPN2ASA extended permit ip object-group inside-subnet-source object theremote
route outside 192.168.210.32 255.255.255.224 200.180.60.65
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1
crypto map ASA-REMOTE 10 match address VPN2ASA
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto map ASA-REMOTE 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA-REMOTE interface outside
crypto ikev2 policy 10
encryption aes-256 aes-192 aes
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456789
ikev2 local-authentication pre-shared-key 123456789
On our 887va router
=========================
crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2
crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL
crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 202.189.68.66
pre-shared-key local 123456789
pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
match identity remote address 200.180.60.66 255.255.255.255
identity local address 200.80.180.20
authentication remote pre-share
authentication local pre-share
keyring local VPN-KEYS
controller VDSL 0
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
crypto map REMOTE-ASA 10 ipsec-isakmp
set peer 200.180.60.66
set transform-set ESP-AES256-SHA
set ikev2-profile ASA-DC
match address VPN-ACL
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description ****PPoE WAN interface Link****
pvc 8/35
pppoe-client dial-pool-number 1
interface Vlan1
ip address 192.168.210.33 255.255.255.224
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname xxxxxxxx
ppp chap password xxxxxxxx
crypto map REMOTE-ASA
ip nat inside source list nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended VPN-ACL
permit ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
permit ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
ip access-list extended nonat
deny ip 192.168.210.32 0.0.0.31 172.16.0.0 0.0.255.255
deny ip 192.168.210.32 0.0.0.31 192.168.0.0 0.0.255.255
permit ip 192.168.210.32 0.0.0.31 any
Testing result
===============
********** On the ASA firewall
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
ciscoasa# sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
********** On the 887va router
=========================
Remote#sh crypto ipsec sa
interface: Dialer1
Crypto map tag: REMOTE-ASA, local addr 200.80.180.20
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.210.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer 200.180.60.66 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.80.180.20, remote crypto endpt.: 200.180.60.6
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Remote#sh crypto engine connections active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address
Remote#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
02-19-2014 04:46 AM
Hello Rohit,
Check whether the VPN-3DES-AES license is enabled on the ASA using the show version command, as you are using AES as your encryption algorithm.
02-19-2014 05:51 PM
Hi Poonam,
Thanks for your reply. Yes, the licenses are enabled on the ASA.
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Thank You,
Kind Regards
Rohit
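The licence check above only rules out one cause. Before debugging on the wire, it is worth confirming that the two sides actually agree on the settings IKEv2 needs: the peer addresses, the pre-shared keys (which are directional), the IKE proposal and the DH group. The script below is an added example, not code from the thread or a Cisco tool: it parses the relevant lines copied from the two configs posted above, normalizes the ASA and IOS spellings of the algorithms, and reports anything that cannot negotiate. On the posted configs the one hard mismatch it reports is the IOS keyring: `peer ASA-DC` carries `address 202.189.68.66`, while the crypto map and IKEv2 profile on the same router use `200.180.60.66`, and IOS selects the IKEv2 keyring entry by the peer's address. It also flags settings that would negotiate but are weak (DH group 2 is 1024-bit MODP; the PSK is a short numeric string). Function names and the finding texts are the example's own.

```python
"""Cross-check the IKEv2 site-to-site settings of an ASA against its IOS peer.

Added example, not Cisco tooling. The two excerpts are the lines the checker
reads, copied from the configs posted in the thread above.
"""
import re

# ASA side, as posted (addresses and PSK as they appear in the thread).
ASA_CFG = """\
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
protocol esp encryption aes-256 aes-192 aes
protocol esp integrity sha-1
crypto map ASA-REMOTE 10 set peer 200.80.180.20
crypto ikev2 policy 10
encryption aes-256 aes-192 aes
integrity sha
group 2
tunnel-group 200.80.180.20 type ipsec-l2l
tunnel-group 200.80.180.20 ipsec-attributes
ikev2 remote-authentication pre-shared-key 123456789
ikev2 local-authentication pre-shared-key 123456789
"""

# 887VA side, as posted.
IOS_CFG = """\
crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2
crypto ikev2 keyring VPN-KEYS
peer ASA-DC
address 202.189.68.66
pre-shared-key local 123456789
pre-shared-key remote 123456789
crypto ikev2 profile ASA-DC
match identity remote address 200.180.60.66 255.255.255.255
identity local address 200.80.180.20
crypto map REMOTE-ASA 10 ipsec-isakmp
set peer 200.180.60.66
"""

# ASA and IOS spell the same algorithms differently; map both onto one name.
ALIASES = {"aes": "aes-cbc-128", "aes-128": "aes-cbc-128", "aes-192": "aes-cbc-192",
           "aes-256": "aes-cbc-256", "sha": "sha1", "sha-1": "sha1"}


def _first(pattern, cfg):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1).strip() if m else None


def _algs(line):
    """Turn 'aes-256 aes-192 aes' into a normalized set of algorithm names."""
    return {ALIASES.get(t, t) for t in (line or "").split()}


def parse_asa(cfg):
    # '^encryption' / '^integrity' skip the 'protocol esp ...' IPsec lines,
    # so they pick up the IKEv2 policy, which is what IKE_SA_INIT negotiates.
    return {
        "peer": _first(r"^\s*crypto map \S+ \d+ set peer (\S+)", cfg),
        "tunnel_group": _first(r"^\s*tunnel-group (\S+) type ipsec-l2l", cfg),
        "psk_local": _first(r"ikev2 local-authentication pre-shared-key (\S+)", cfg),
        "psk_remote": _first(r"ikev2 remote-authentication pre-shared-key (\S+)", cfg),
        "ike_enc": _algs(_first(r"^\s*encryption (.+)$", cfg)),
        "ike_integ": _algs(_first(r"^\s*integrity (\S+)", cfg)),
        "ike_group": _first(r"^\s*group (\d+)", cfg),
    }


def parse_ios(cfg):
    return {
        "map_peer": _first(r"^\s*set peer (\S+)", cfg),
        "keyring_addr": _first(r"^\s*address (\S+)", cfg),
        "match_remote": _first(r"^\s*match identity remote address (\S+)", cfg),
        "identity_local": _first(r"^\s*identity local address (\S+)", cfg),
        "psk_local": _first(r"pre-shared-key local (\S+)", cfg),
        "psk_remote": _first(r"pre-shared-key remote (\S+)", cfg),
        "ike_enc": _algs(_first(r"^\s*encryption (.+)$", cfg)),
        "ike_integ": _algs(_first(r"^\s*integrity (\S+)", cfg)),
        "ike_group": _first(r"^\s*group (\d+)", cfg),
    }


def check(asa, ios):
    """Mismatches that stop IKE_SA_INIT or IKE_AUTH from completing."""
    f = []
    if asa["peer"] != ios["identity_local"]:
        f.append(f"ASA peer {asa['peer']} != IOS local identity {ios['identity_local']}")
    if asa["tunnel_group"] != asa["peer"]:
        f.append("ASA L2L tunnel-group must be named after the peer address")
    if ios["match_remote"] != ios["map_peer"]:
        f.append(f"IOS profile matches {ios['match_remote']} but map peers with {ios['map_peer']}")
    # IOS looks the IKEv2 keyring entry up by the peer's address, not its name.
    if ios["keyring_addr"] != ios["map_peer"]:
        f.append(f"IOS keyring address {ios['keyring_addr']} != crypto map peer "
                 f"{ios['map_peer']}: no PSK will be found for the ASA")
    # PSKs are directional: ASA local must equal IOS remote and vice versa.
    if asa["psk_local"] != ios["psk_remote"] or asa["psk_remote"] != ios["psk_local"]:
        f.append("pre-shared keys are not mirrored between the two sides")
    if not asa["ike_enc"] & ios["ike_enc"]:
        f.append("no common IKEv2 encryption algorithm")
    if not asa["ike_integ"] & ios["ike_integ"]:
        f.append("no common IKEv2 integrity algorithm")
    if asa["ike_group"] != ios["ike_group"]:
        f.append(f"DH group mismatch: {asa['ike_group']} vs {ios['ike_group']}")
    return f


def advisories(asa, ios):
    """Settings that would negotiate but are weak by current standards."""
    a = []
    if asa["ike_group"] == "2":
        a.append("DH group 2 is 1024-bit MODP; use group 14 or stronger on both sides")
    if asa["psk_local"].isdigit() or len(asa["psk_local"]) < 20:
        a.append("pre-shared key is short or all digits; use a long random key")
    return a


if __name__ == "__main__":
    asa, ios = parse_asa(ASA_CFG), parse_ios(IOS_CFG)
    for line in check(asa, ios):
        print("MISMATCH:", line)
    for line in advisories(asa, ios):
        print("WEAK:", line)
```

This is a static check only. Note also that the router's `sh crypto ipsec sa` above shows 0 packets encapsulated, so nothing matching VPN-ACL had yet triggered a negotiation; once the keyring address is consistent, generate traffic from the 192.168.210.32/27 LAN and watch `debug crypto ikev2` on the router (or `debug crypto ikev2 protocol` on the ASA) for the next point of failure.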