Site2Site VPN Help (IOS-ASA)

Chris Gabel
Level 1

Hi, I'm looking for some help getting a site-to-site VPN tunnel up between an ASA 5508 and an IOS 2911 router.

Attached are my configs for both devices.

#show crypto session (On 2911)

Interface: GigabitEthernet0/1
Session status: DOWN
Peer: x.x.x.18 port 500
IPSEC FLOW: permit ip
Active SAs: 0, origin: crypto map

Let me know what other info you need.


5 Replies


The crypto ACL is correct on the router but incorrect on the ASA?

Are you using NAT?

Hi, Thanks for the reply.

I corrected the ACL on the ASA to:

access-list SITE2SITE_ACL extended permit ip

However, the VPN is still not coming up. When I ping from the router source interface to I see this in the debug on the ASA:

4 Dec 13 2015 18:09:25 750003 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Yes, I'm using NAT on both devices on the outside interface; should I be exempting the VPN tunnel traffic?


I applied a NAT exemption on both sides for the tunnel traffic.

I'm seeing this in the log now when I ping from to

5 Dec 14 2015 11:17:52 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CM.OUTSIDE. Map Sequence Number = 10.
4 Dec 14 2015 11:17:52 752011 IKEv1 Doesn't have a transform set specified
5 Dec 14 2015 11:17:52 750001 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: Protocol: 0 Port Range: 0-65535
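The ASA syslog lines quoted in the two posts above share one layout (severity, timestamp, six-digit message ID, text, and for IKE events a Local:/Remote: peer pair). The following is an added triage script, not code from the thread or from Cisco: it parses that layout, pulls out the peers, flags negotiation failures, and attaches a short defender-side hint for the four message IDs that appear in this thread. The sample lines are copied from the posts with the same placeholder addresses; the hints are this example's own reading of each event, not ASA documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional, List

# Constructed sample in the ASA syslog format quoted above; x.x.x.* are the thread's placeholders.
SAMPLE_LOG = """\
4 Dec 13 2015 18:09:25 750003 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired
5 Dec 14 2015 11:17:52 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CM.OUTSIDE. Map Sequence Number = 10.
4 Dec 14 2015 11:17:52 752011 IKEv1 Doesn't have a transform set specified
5 Dec 14 2015 11:17:52 750001 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: Protocol: 0 Port Range: 0-65535
"""

# <severity> <Mon DD YYYY HH:MM:SS> <6-digit message id> <free text>
LINE_RE = re.compile(r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
                     r"(?P<msgid>\d{6})\s+(?P<text>.*)$")
PEER_RE = re.compile(r"Local:(?P<local>\S+):(?P<lport>\d+)\s+Remote:(?P<remote>\S+):(?P<rport>\d+)")

# Hints (this example's own wording) for the message IDs seen in the thread.
HINTS = {
    "750003": "IKE_AUTH never completed: confirm UDP/500 and UDP/4500 pass both ways and compare the peer's IKEv2 debug",
    "752011": "crypto map entry has no IKEv1 transform set; harmless when the peer is IKEv2-only",
    "752003": "interesting traffic matched the crypto map and IKEv2 was asked to build the tunnel",
    "750001": "tunnel request seen; check that the traffic selectors match the peer's crypto ACL",
}

@dataclass
class IkeEvent:
    severity: int
    timestamp: str
    msgid: str
    text: str
    local_peer: Optional[str]   # None for lines without a Local:/Remote: pair
    remote_peer: Optional[str]
    is_failure: bool            # negotiation aborted / ERROR in the message text
    hint: str

def parse_line(line: str) -> Optional[IkeEvent]:
    """Parse one ASA syslog line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peers = PEER_RE.search(m["text"])
    text = m["text"]
    failure = "aborted" in text or "ERROR" in text
    return IkeEvent(int(m["sev"]), m["ts"], m["msgid"], text,
                    peers["local"] if peers else None, peers["remote"] if peers else None,
                    failure, HINTS.get(m["msgid"], "unlisted message id; consult the ASA syslog reference"))

def triage(log: str) -> List[IkeEvent]:
    """Parse every non-empty line of a pasted ASA log excerpt."""
    return [ev for ev in (parse_line(l) for l in log.splitlines() if l.strip()) if ev]

def failures(log: str) -> List[str]:
    """Message IDs of the events that record a failed negotiation, in order."""
    return [ev.msgid for ev in triage(log) if ev.is_failure]
```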

Run "debug crypto ikev2 127" and corresponding debug command on the router.

You can initiate the tunnel on the ASA by running "packet-tracer input VOICE-LAN tcp 345 123".

Added the output from the packet-tracer command to the file debug.txt