Showing results for 
Search instead for 
Did you mean: 

Site2Site VPN Help (IOS-ASA)

Chris Gabel

Hi, I'm looking for some help getting a site to site vpn tunnel up between a ASA 5508 and a IOS 2911 Router. 

Attached are my configs for both devices.

#show crypto session (On 2911)

Interface: GigabitEthernet0/1
Session status: DOWN
Peer: x.x.x.18 port 500
IPSEC FLOW: permit ip
Active SAs: 0, origin: crypto map

Let me know what other info you need.


5 Replies 5

Henrik Grankvist


The crypto ACL is correct on the router but incorrect on the ASA?

Are you using NAT?

Hi, Thanks for the reply.

I corrected the ACL on the ASA to:

access-list SITE2SITE_ACL extended permit ip

However the vpn is still not coming up. When I ping from the router source interface to I see this in the debug on the ASA:

4 Dec 13 2015 18:09:25 750003 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

Yes i'm using NAT on both devices on the outside interface, should I be exempting the vpn tunnel traffic?


I applied a Nat exemption on both sides for the tunnel traffic.

I'm seeing this in the log now when i ping from to

5 Dec 14 2015 11:17:52 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = CM.OUTSIDE. Map Sequence Number = 10.
4 Dec 14 2015 11:17:52 752011 IKEv1 Doesn't have a transform set specified
5 Dec 14 2015 11:17:52 750001 Local:x.x.x.18:500 Remote:x.x.x.202:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: Protocol: 0 Port Range: 0-65535

Run "debug crypto ikev2 127" and corresponding debug command on the router.

You can initiate the tunnel on the ASA by running "packet-tracer input VOICE-LAN tcp 345 123".

Added the output from the packet-tracer command to the file debug.txt


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: