Site2Site VPN Help (IOS-ASA)

Chris Gabel
Level 1

Hi, I'm looking for some help getting a site-to-site VPN tunnel up between an ASA 5508 and an IOS 2911 router.

Attached are my configs for both devices.

#show crypto session (On 2911)

Interface: GigabitEthernet0/1
Session status: DOWN
Peer: x.x.x.18 port 500
IPSEC FLOW: permit ip 192.168.201.0/255.255.255.0 192.168.200.0/255.255.255.0
Active SAs: 0, origin: crypto map

Let me know what other info you need.

Thanks!!

5 Replies

Hi

The crypto ACL is correct on the router but incorrect on the ASA?

Are you using NAT?

Hi, Thanks for the reply.

I corrected the ACL on the ASA to:

access-list SITE2SITE_ACL extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0

However, the VPN is still not coming up. When I ping from the router source interface 192.168.201.1 to 192.168.200.1 I see this in the debug on the ASA:

4 Dec 13 2015 18:09:25 750003 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Yes, I'm using NAT on both devices on the outside interface. Should I be exempting the VPN tunnel traffic?

Thanks.
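A mirror-image check for the crypto ACLs discussed in this thread, as an added example that is not part of the original posts. The ASA line is the corrected one posted above; the router ACE is constructed from the IPSEC FLOW in the question (the actual router config is in an attachment, not on the page); the "swapped" ASA line is a constructed example of a non-mirrored entry. Only the plain network/mask form of an ACE is handled here.

```python
import ipaddress
import re

# ASA crypto ACE: access-list NAME extended permit ip SRC NETMASK DST NETMASK
ASA_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)
# IOS crypto ACE (numbered or named): [access-list N] permit ip SRC WILDCARD DST WILDCARD
IOS_RE = re.compile(
    r"(?:access-list\s+\d+\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
)

# Corrected ASA line from the thread, plus a constructed router ACE and a
# constructed "wrong" ASA line (source/destination reversed).
ASA_CORRECTED = ("access-list SITE2SITE_ACL extended permit ip "
                 "192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0")
ROUTER_ACE = "access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255"
ASA_SWAPPED = ("access-list SITE2SITE_ACL extended permit ip "
               "192.168.201.0 255.255.255.0 192.168.200.0 255.255.255.0")


def _net(addr, mask, wildcard=False):
    """Build a network from a base address and a netmask (ASA) or wildcard (IOS)."""
    if wildcard:
        # IOS crypto ACLs use wildcard masks: invert to a netmask first
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_ace(line):
    """Return (source_net, dest_net) for an ASA extended 'permit ip' ACE."""
    m = ASA_RE.search(line)
    if not m:
        raise ValueError(f"not an ASA crypto ACE: {line!r}")
    src, src_mask, dst, dst_mask = m.groups()
    return _net(src, src_mask), _net(dst, dst_mask)


def parse_ios_ace(line):
    """Return (source_net, dest_net) for an IOS 'permit ip' ACE with wildcards."""
    m = IOS_RE.search(line)
    if not m:
        raise ValueError(f"not an IOS crypto ACE: {line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    return _net(src, src_wc, wildcard=True), _net(dst, dst_wc, wildcard=True)


def is_mirror(asa_line, ios_line):
    """True only when the router ACE is the exact mirror image of the ASA ACE."""
    asa_src, asa_dst = parse_asa_ace(asa_line)
    ios_src, ios_dst = parse_ios_ace(ios_line)
    return asa_src == ios_dst and asa_dst == ios_src
```

Running `is_mirror(ASA_CORRECTED, ROUTER_ACE)` returns True, while the swapped ASA line returns False, which is the mismatch the first reply points at.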

I applied a Nat exemption on both sides for the tunnel traffic.

I'm seeing this in the log now when I ping from 192.168.200.199 to 192.168.201.2:

5 Dec 14 2015 11:17:52 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CM.OUTSIDE. Map Sequence Number = 10.
4 Dec 14 2015 11:17:52 752011 IKEv1 Doesn't have a transform set specified
5 Dec 14 2015 11:17:52 750001 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.200.199-192.168.200.199 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.201.2-192.168.201.2 Protocol: 0 Port Range: 0-65535

Run "debug crypto ikev2 127" and the corresponding debug command on the router.

You can initiate the tunnel on the ASA by running "packet-tracer input VOICE-LAN tcp 192.168.200.5 345 192.168.201.5 123".

Added the output from the packet-tracer command to the file debug.txt.

Thanks!