Solved: Re: VPN configuration assistance

grggyoung · ‎12-26-2018

We are upgrading our 5505 to a 5506 at our hub location Friday and doing some off-site configuration in preparation. I'm very 'green' and trying to save a call to tech support. We have simple VPN setup where the remote location connects to the hub, they have dynamic IPs so they have to initiate the traffic. It has been awhile since I did this but I thought all I had to was setup a PreShare key on the default tunnel group on the hub ASA. I tried to compare the screens between the 5505 and 5506 but they are slightly different.

Am I correct that if I use the same PreShare key I will not have to touch the remote ASAs?

Richard Burts · ‎01-01-2019

We do not have much information to work with here but my guess is that the one key is for IKEv1 and the two key are for IKEv2.

HTH

Rick

HTH

Rick

View solution in original post

Kasun Bandara · ‎12-26-2018

Hi,

yes. you can use same preshared keys to maintain connections.

regards,
*** Pls rate all useful responses ***
Good Luck

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Francesco Molino · ‎12-26-2018

Hi

You can view the full config of your actual asa 5505 running the command: more system:running-config

You'll then see all preshared keys and if you use the same config on your asa5506, you don't need to worry about far end devices.

At least, you can also just copy paste the vpn config from one asa to the other.
Hope you're not changing anything on your config like lan subnets, wan ip... Otherwise you'll need to adapt the config on the other end device.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sheraz.Salim · ‎12-27-2018

just to add what Francesco said.

you can run command

more system:running-config | gep preshared

please do not forget to rate.

grggyoung · ‎12-27-2018

I only know the ASDM interface and can't say I really know what the VPN lines are in the running config. When I tried through the ASDM the 5506 mentioned something about IKE1 and IKE2 but it doesn't look the same on the 5506. The 5506 has me entering a PreShare key for IKE1 and two PreShare keys.

Thank you for the responses

Kasun Bandara · ‎12-27-2018

Can you try same preshared key for both.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Francesco Molino · ‎12-28-2018

If you connect on 5505 over SSH and run the command, you’ll see the VPN configuration (crypto map, group-policy and tunnel sections), then you can paste it on your 5506.

I don’t get the issue you have using ASDM and preshared key, Can you maybe re-explain with some screenshots?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Richard Burts · ‎01-01-2019

We do not have much information to work with here but my guess is that the one key is for IKEv1 and the two key are for IKEv2.

HTH

Rick

HTH

Rick

grggyoung · ‎01-01-2019

Sorry for the poor post, I should have taken the time and put together some screen shots. I ended up calling TAC and they helped with the issue. I believe the issue was the old unit was setup for IKE1 and the new was using both IKE1 and IKE2. I just didn't know enough to spot the difference.

Thank you for everyone who took the time to assist.

Richard Burts · ‎01-02-2019

You are quite welcome. This community is an excellent place to ask questions and to learn about networking and is sometimes useful as a supplement to TAC. I hope to see you continue to be active in the community. Thank you for marking this question as solved. This will help other participants in the community to recognize discussions which have helpful information.

HTH

Rick

HTH

Rick