Hi, I'm looking for some help getting a site to site vpn tunnel up between a ASA 5508 and a IOS 2911 Router.
Attached are my configs for both devices.
#show crypto session (On 2911)
Session status: DOWN
Peer: x.x.x.18 port 500
IPSEC FLOW: permit ip 192.168.201.0/255.255.255.0 192.168.200.0/255.255.255.0
Active SAs: 0, origin: crypto map
Let me know what other info you need.
Hi, Thanks for the reply.
I corrected the ACL on the ASA to:
access-list SITE2SITE_ACL extended permit ip 192.168.200.0 255.255.255.0 192.168.201.0 255.255.255.0
However the vpn is still not coming up. When I ping from the router source interface 192.168.201.1 to 192.168.200.1 I see this in the debug on the ASA:
|4||Dec 13 2015||18:09:25||750003||Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired|
Yes i'm using NAT on both devices on the outside interface, should I be exempting the vpn tunnel traffic?
I applied a Nat exemption on both sides for the tunnel traffic.
I'm seeing this in the log now when i ping from 192.168.200.199 to 192.168.201.2
|5||Dec 14 2015||11:17:52||752003||Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CM.OUTSIDE. Map Sequence Number = 10.|
|4||Dec 14 2015||11:17:52||752011||IKEv1 Doesn't have a transform set specified|
|5||Dec 14 2015||11:17:52||750001||Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.200.199-192.168.200.199 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.201.2-192.168.201.2 Protocol: 0 Port Range: 0-65535|
Run "debug crypto ikev2 127" and corresponding debug command on the router.
You can initiate the tunnel on the ASA by running "packet-tracer input VOICE-LAN tcp 192.168.200.5 345 192.168.201.5 123".