04-18-2019 02:41 AM
Good day everyone. I faced a strange issue. My IPSEC tunnel won't initialise.
My initial data are the following:
1. HQ ASA 5515 - 9.8(2)38 Security Plus license
2. BO ASA 5510 - 9.1(7)32 Base license
On both sides I configured L2L IPSEC VPN. Both sides have connectivity and are able to ping each other.
Both sides have strong encryption.
I try to initiate the VPN from the HQ side by pinging a host in BO, but I do not get a response (although I expect one).
I created a capture on the ASA, and I see my ping requests on the internal side (inside interface). On the outside interface I do not see packets to the BO ASA. I checked this by creating a capture.
The VPN was configured in a text file first (to check all parameters) and then moved to the device. After all that I rebooted both devices. Still no VPN connectivity and no logs in debug:
deb crypto ikev2 protocol 7
deb crypto ipsec 7
Nothing is logged on the console. term mon is enabled, logging monitor debug.
It seems I did not configure something, but I do not see any errors.
Any suggestions?
04-18-2019 03:13 AM
I have the following in config:
crypto ikev2 enable outside
group-policy HQ-TUNNEL internal
group-policy HQ-TUNNEL attributes
vpn-idle-timeout 3600
vpn-tunnel-protocol ikev2
pfs enable
tunnel-group HQ_PUBLIC_IP general-attributes
default-group-policy HQ-TUNNEL
God bless packet-tracer. My issue was in the access list on the inside interface. All hosts with access to the internet were routed through the secondary internet link (and did not initiate the VPN); hosts without internet access and with access to the secondary LAN were dropped.
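A worked troubleshooting sequence for the kind of inside-interface ACL drop described in the solution above, added here as an example and not taken from the original thread. The interface names, the ACL name INSIDE_IN, the 10.1.1.0/24 and 10.2.2.0/24 networks and BO_PUBLIC_IP are constructed placeholders.

```cisco
! Constructed example (not from the thread): HQ inside host 10.1.1.10 pings BO host 10.2.2.10.
! 1. Simulate the flow exactly as the ping arrives on the inside interface.
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10 detailed

! A drop in the ACCESS-LIST phase looks like this (abridged output):
!   Phase: 3
!   Type: ACCESS-LIST
!   Subtype: log
!   Result: DROP
!   ...
!   Action: drop
!   Drop-reason: (acl-drop) Flow is denied by configured rule
! A packet dropped here never reaches the VPN phase, so no IKE/ESP packet leaves the
! outside interface; that is why the outside capture and the IKEv2 debugs stay empty.

! 2. Check which ACL is bound to the inside interface and whether it permits the VPN subnets.
show running-config access-group
show access-list INSIDE_IN

! 3. Permit the protected traffic ahead of the existing entries (insert at line 1).
access-list INSIDE_IN line 1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! 4. Re-run packet-tracer: the ACCESS-LIST phase should now report Result: ALLOW and a
!    VPN phase (Subtype: encrypt) should appear. A real ping then brings the tunnel up.
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10
show crypto ikev2 sa
show crypto ipsec sa peer BO_PUBLIC_IP
```

Hosts that are policy-routed to the secondary internet link bypass the tunnel for a different reason, so for those test with a source address that actually takes the default route via the ASA.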
04-18-2019 03:02 AM
Hi,
The mentioned configuration looks like Crypto IKEv2 is not enabled on the outside interface? Is it?