Site-to-site VPN tunnel between two ASAs

I used the Site-to-Site VPN wizard in ASDM on an ASA 5520 and an ASA 5505. Both are running 8.4(5). When the wizard creates the configuration, do you have to follow it up with manual ACLs to allow the traffic of every connected subnet to talk to the other side, or are they generated automatically in the configuration file? I have not been to school yet to understand how to create the VPN tunnels from the CLI and what to look for.

Thank you

Carlos

Hello

First, I would like to say that I don't personally use ASDM for configuration.

But you should be able to configure all the necessary elements for an L2L VPN connection through the wizard.

I guess that typical problems could relate to a missing NAT exemption configuration, or to not selecting the "Bypass Interface Access List" setting, which would mean you would have to allow the traffic from the remote site in the 'outside' interface ACL of the local ASA, like all other traffic coming from behind the 'outside' interface.

If you share the configurations in CLI format and say which networks must be able to connect via the L2L VPN, I could give the required configurations in CLI format.

-Jouni
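As an added example (not part of Jouni's reply and not taken from any configuration in this thread), this is the CLI equivalent of what the ASDM site-to-site wizard writes on ASA 8.4: the crypto ACL, the NAT exemption (when the "exempt from address translation" box is ticked), the IKEv1 policy, the transform set, the crypto map and the tunnel-group. The two items Jouni mentions correspond to the `nat ... source static ... destination static ...` line and to `sysopt connection permit-vpn`, which is what the ASDM checkbox "Enable inbound IPsec sessions to bypass interface access lists" sets. The local LAN 192.168.10.0/24, the remote LAN 192.168.20.0/24, the peer address 203.0.113.2, all object, ACL and map names and the pre-shared key are assumptions for the example.

```cisco
! Local ASA (8.4). LAN 192.168.10.0/24; peer ASA at 203.0.113.2 with LAN 192.168.20.0/24.
! All addresses, names and the key below are example values, not from the thread.
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0

! Crypto ACL: defines the "interesting" traffic. The peer's crypto ACL must be the
! exact mirror (source REMOTE-LAN, destination LOCAL-LAN) or phase 2 fails.
access-list OUTSIDE_cryptomap extended permit ip object LOCAL-LAN object REMOTE-LAN

! NAT exemption (identity twice NAT). It has to be matched before any dynamic PAT,
! otherwise the source is translated and the packet no longer matches the crypto ACL.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Phase 1 (IKEv1)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside

! Phase 2
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 10 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 10 set peer 203.0.113.2
crypto map OUTSIDE_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_map 10 set pfs group2
crypto map OUTSIDE_map interface outside

! Peer authentication. On 8.4 the key is entered as "ikev1 pre-shared-key".
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ExamplePSK-change-me

! "Bypass interface access lists": decrypted VPN traffic skips the outside ACL.
! Without this line the outside ACL must explicitly permit 192.168.20.0/24 -> 192.168.10.0/24.
sysopt connection permit-vpn
```

To check the result, send traffic from the local LAN to the remote LAN and look at `show crypto ikev1 sa` (phase 1, expect MM_ACTIVE) and `show crypto ipsec sa` (the local/remote ident lines must match the crypto ACL and both #pkts encaps and #pkts decaps must increase). If only encaps counts go up, the mirror ACL, NAT exemption or routing on the other side is the usual suspect.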

Tags: Cisco Security

Similar Questions

  • VPN tunnel between 2 ASA 5505s with the same default gateway

    Hello

    Is it possible to create an IPsec site-to-site VPN (lab environment) between two 5505s (ASA 8.2(5) & asdm-645-206) with the same default gateway? That is, can the VPN tunnel run back-to-back, or do I have to deploy a router and hang each 5505 off a different interface? We have a lot of public IPs but only one gateway to our ISP (Internet). Any suggestions or recommendations are very appreciated!

    d

    Yes - you can even do it with a crossover cable and a /30 on both outside interfaces.

  • SBS 2008 in Office 1, Server 2008 in Office 2: need to share assets between them via a site-to-site VPN tunnel

    Hi all.

    I really need help on this one.

    Office 1 is running SBS 2008, Office 2 is running Server 2008.

    Each office has its own FQDN: Office 1 CompanyABC and Office 2 A_B_C.

    Each office has its own internal IP address pool: Office 1 192.168.69.xxx and Office 2 192.168.20.xxx.

    A site-to-site VPN tunnel between the two office routers (Office 1 Netgear SRX5308 and Office 2 Netgear FVS318G) is established and working.

    Each office has its own DNS server, which also acts as a domain controller.

    How do I configure the two networks to see each other and be able to use the assets on each network (files, printers)?

    Is it as simple as adding the other office's internal IP pool to each DNS server?

    Thanks in advance for your help.

    Hello

    Your question is beyond the scope of this community.

    I suggest that you repost your question in the SBS forums.

    https://social.technet.Microsoft.com/forums/en-us/home?Forum=smallbusinessserver

    "Windows Small Business Server 2011 Essentials online help"

    https://msdn.Microsoft.com/en-us/library/home-client.aspx

    TechNet Server forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    See you soon.

  • Permanent IPsec tunnel between two ASAs

    Hello

    I configured an IPsec VPN tunnel between two ASA 5505 firewalls. I want to make sure that the IPsec tunnel (that is, the security association) is permanent and does not drop because of idleness.

    What should I do?

    Thanks for any help

    Yves

    Disable IKE keepalive processing, which is enabled by default:

    hostname(config)# tunnel-group 10.165.205.222 ipsec-attributes
    hostname(config-tunnel-ipsec)# isakmp keepalive disable

    Set a maximum time for VPN connections with the vpn-session-timeout command in group-policy configuration mode or username configuration mode:

    hostname(config)# group-policy DfltGrpPolicy attributes
    hostname(config-group-policy)# vpn-idle-timeout none

    hostname(config)# group-policy DfltGrpPolicy attributes
    hostname(config-group-policy)# vpn-session-timeout none

    Thank you

    Ajay

  • VPN tunnel between 3 sites

    Dear experts,

    Recently we have configured a VPN tunnel between two locations. We want to create a VPN tunnel to a third location. What configuration will be valid on a Cisco PIX 501 firewall running version 6.3.4?

    Please see the existing PIX config at the two locations.

    Please post the latest config?

  • Traffic fails on a plain IPsec tunnel between two 892s

    I have a weird case and am looking for some suggestions/thoughts on where to dig, because I have exhausted my options.

    Note: I replaced the real network IDs with the ones mentioned below.

    Topology: a classic IPsec VPN tunnel between two Cisco 892s, with pre-shared key and no GRE. One 892 (Branch_892) has Internet access via PPPoE and has three networks/VLANs behind it. One VLAN is NATed to the PPPoE Internet access. Access to the other two VLANs - VL92 (100.100.200.0/24) and VL93 (100.100.100.0/24) - is via the VPN tunnel.

    The second 892 (892_DC) has just one interface - the WAN on Gigabit, enabled/connected - and a static route to the default GW. It doesn't have any internal network defined. The router is strictly used to send traffic for VL92/VL93 to the home 892 via the IPsec tunnel.

    Here's the problem: access to VL93 (100.100.100.0/24) works, however for VL92 (100.100.100.0/24) it does not work.

    From devices in VL92 I can ping the IP address of 892_DC through the VPN tunnel. From the 892_DC router I can ping devices in VL92. However, from VL92 I can't ping any device beyond the 892_DC, and at the same time the packets arriving on 892_DC for VL92 are not sent through the VPN tunnel.

    I took a packet trace on 892_DC using a capture point/buffer to capture packets destined for VL92 and saw the traffic arriving at the 892_DC. I ran the same capture on Branch_892, and there was not a single packet.

    So... what's the problem? More interesting, I modified the VL92 entry in the access list and still no packets are sent through the tunnel.

    Any ideas? Both routers' configs are below

    -------

    892_DC# show run
    !
    crypto isakmp policy 10
     encr aes 256
     hash sha256
     authentication pre-share
     group 2
    crypto isakmp key * address 1.2.3.4
    crypto isakmp keepalive 10 periodic
    !
    crypto isakmp peer address 1.2.3.4
     description of-COIL-892
    !
    crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
    crypto ipsec df-bit clear
    !
    crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
     set peer 1.2.3.4
     set security-association lifetime kilobytes disable
     set security-association lifetime seconds 86400
     set transform-set IT-IPSec-Transform-Set
     match address 101
     reverse-route
     qos pre-classify
    !
    interface GigabitEthernet0
     ip address 10.20.30.40 255.255.255.240
     ip mtu 1400
     ip tcp adjust-mss 1360
     duplex auto
     speed auto
     crypto map IT-IPSec-Crypto-map
    !
    ip route 0.0.0.0 0.0.0.0 10.20.30.41
    !
    access-list 101 permit ip any 100.100.100.0 0.0.0.255 log
    access-list 101 permit ip any 100.100.200.0 0.0.0.255 log

    -------------------------------------------------------------------------------------

    Branch_892# sh run
    !
    crypto isakmp policy 10
     encr aes 256
     hash sha256
     authentication pre-share
     group 2
    crypto isakmp key * address 10.20.30.40
    crypto isakmp keepalive 10 periodic
    !
    crypto isakmp peer address 10.20.30.40
    !
    crypto ipsec transform-set IT-IPSec-Transform-Set esp-aes 256 esp-sha256-hmac
    crypto ipsec df-bit clear
    !
    crypto map IT-IPSec-Crypto-map 10 ipsec-isakmp
     set peer 10.20.30.40
     set security-association lifetime kilobytes disable
     set security-association lifetime seconds 86400
     set transform-set IT-IPSec-Transform-Set
     match address 101
     reverse-route
     qos pre-classify
    !
    interface FastEthernet6
     description VL92
     switchport access vlan 92
    !
    interface FastEthernet7
     description VL93
     switchport access vlan 93
    !
    interface GigabitEthernet0
     description # to WAN #
     no ip address
     duplex auto
     speed auto
     pppoe-client dial-pool-number 1
    !
    interface Vlan1
     description # local #
     ip address 192.168.1.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Vlan92
     description fa6-nexus e100/0/40
     ip address 100.100.200.1 255.255.255.0
    !
    interface Vlan93
     description fa7-nexus e100/0/38
     ip address 100.100.100.1 255.255.255.0
    !
    interface Dialer0
     no ip address
     no cdp enable
    !
    interface Dialer1
     ip address 1.2.3.4 255.255.255.248
     ip mtu 1454
     ip nat outside
     ip virtual-reassembly in max-fragments 256
     encapsulation ppp
     ip tcp adjust-mss 1414
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname ~~~
     ppp chap password =.
     no cdp enable
     crypto map IT-IPSec-Crypto-map
    !
    dialer-list 1 protocol ip permit
    !
    access-list 101 permit ip 100.100.100.0 0.0.0.255 any
    access-list 101 permit ip 100.100.200.0 0.0.0.255 any
    !
    ip route 0.0.0.0 0.0.0.0 Dialer1

    Sounds correct - so another possible problem is the routing: is the routing 100% correct on both sides? Can you post both sides' configs for review?

  • Unable to pass traffic between ASAs over a site-to-site VPN tunnel

    Hello

    I have problems passing traffic between two ASA firewalls. The VPN tunnel is up, with a dynamic IP on one side and a static IP address on the other. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access lists that are needed.

    I've also attached the ASA 5505 config and the ASA 5510 config.

    This is the first time I've set up a VPN connection, so any guidance would be greatly appreciated.

    Thank you

    Adam

    Hello

    Looking at your Remote Site ASA configuration, you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.

    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*

    Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA what traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should be using the L2L VPN connection.

    So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.

    I would also like to point out that you should make sure that the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.

    The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed, as the configuration is lacking at LEAST on the Remote Site ASA. It can also be lacking on the Central Site.

    -Jouni
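    To make the mirroring requirement concrete, here is an added example in pre-8.3 ASA syntax (it is not Jouni's configuration and not the poster's). The ACL names `exempt` and `outside_1_cryptomap` and the remote LAN 10.1.1.0/25 are taken from the post above; the three central subnets, their /24 masks, the object-group and map names, the peer address 203.0.113.1 and the key are assumptions. Each expanded ACE of the crypto ACL negotiates its own IPsec SA, which is why `show crypto ipsec sa` in the thread listed only the one pair that existed on both ends.

    ```cisco
    ! ---- Remote Site ASA (dynamic outside address). Peer = Central Site at 203.0.113.1.
    object-group network CENTRAL-NETS
     network-object 10.182.226.0 255.255.255.0
     network-object 10.182.0.0 255.255.255.0
     network-object 192.168.170.0 255.255.255.0

    ! Crypto ACL and NAT0 ACL carry exactly the same source/destination pairs.
    access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 object-group CENTRAL-NETS
    access-list exempt extended permit ip 10.1.1.0 255.255.255.128 object-group CENTRAL-NETS
    nat (inside) 0 access-list exempt

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 203.0.113.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    tunnel-group 203.0.113.1 type ipsec-l2l
    tunnel-group 203.0.113.1 ipsec-attributes
     pre-shared-key ExamplePSK-change-me

    ! ---- Central Site ASA. Same pairs with source and destination swapped.
    object-group network CENTRAL-NETS
     network-object 10.182.226.0 255.255.255.0
     network-object 10.182.0.0 255.255.255.0
     network-object 192.168.170.0 255.255.255.0

    access-list outside_1_cryptomap extended permit ip object-group CENTRAL-NETS 10.1.1.0 255.255.255.128
    access-list exempt extended permit ip object-group CENTRAL-NETS 10.1.1.0 255.255.255.128
    nat (inside) 0 access-list exempt

    ! The remote peer has no fixed address, so a dynamic crypto map accepts it and the
    ! key is bound to DefaultL2LGroup instead of a per-peer tunnel-group.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map DYN-MAP 10 match address outside_1_cryptomap
    crypto dynamic-map DYN-MAP 10 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MAP
    crypto map outside_map interface outside
    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key ExamplePSK-change-me
    ```

    After adding a subnet on one side, `show crypto ipsec sa` on both ASAs should show one entry per local/remote ident pair; a pair that appears on only one side is the line that is still missing from the other side's crypto ACL or NAT0 ACL.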

  • Problem with an L2L VPN tunnel between 2 ASAs

    Hi guys,

    I have some problems with my site-to-site VPN tunnel between 2 ASAs (5520/5505).

    I watched a lot of videos on YouTube, but I can't find out why the tunnel does not come up...

    Both devices can ping each other's WAN IP address (outside interfaces), but I don't see any traffic between the 2 sites. It seems that the tunnel is not coming up at all. When I ping from the local LAN to the remote LAN (which should be interesting traffic for the tunnel...), the IKEv1 SA remains empty...

    Am I missing something? I can't understand why even phase 1 is not initiated.

    Your NAT is wrong. In your config the traffic is NATed first and then no longer matches the crypto ACL. You must move the dynamic NAT/PAT rule to the end of the NAT table on both ASAs:

    no nat (INSIDE,OUTSIDE) source dynamic any interface
    nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
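    An added example (not part of the reply above and not the poster's configuration) showing why the order matters on an 8.3+ NAT table and how to verify the fix. The inside LAN 192.168.10.0/24, remote LAN 192.168.20.0/24, peer 203.0.113.2 and the object/ACL names are assumptions. Section 1 (manual NAT) is evaluated top down and the first match wins, so a catch-all dynamic PAT placed in section 1 above the exemption swallows the VPN traffic before the crypto ACL is consulted; `after-auto` moves it into section 3, behind the object (auto) NAT rules.

    ```cisco
    object network INSIDE-LAN
     subnet 192.168.10.0 255.255.255.0
    object network REMOTE-LAN
     subnet 192.168.20.0 255.255.255.0
    access-list OUTSIDE_cryptomap extended permit ip object INSIDE-LAN object REMOTE-LAN

    ! BROKEN ORDER: both rules sit in section 1 and the PAT is listed first, so a packet
    ! 192.168.10.x -> 192.168.20.x is PATed to the outside address, never matches
    ! OUTSIDE_cryptomap, and phase 1 is never triggered.
    nat (INSIDE,OUTSIDE) source dynamic any interface
    nat (INSIDE,OUTSIDE) source static INSIDE-LAN INSIDE-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

    ! FIX: keep the exemption in section 1, push the PAT into section 3.
    no nat (INSIDE,OUTSIDE) source dynamic any interface
    nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

    ! Verification. "show nat" prints the sections in evaluation order: the identity rule
    ! must be listed under "Manual NAT Policies (Section 1)" and the PAT under
    ! "Manual NAT Policies (Section 3)". packet-tracer then shows the NAT phase matching
    ! the static identity rule and a VPN ENCRYPT phase, rather than a translated source.
    show nat
    packet-tracer input INSIDE icmp 192.168.10.10 8 0 192.168.20.10 detailed
    show crypto ikev1 sa
    show crypto ipsec sa peer 203.0.113.2
    ```

    Run the packet-tracer before and after the change; on the broken order the output ends with the translated source address and no VPN phase, which matches the "IKEv1 SA remains empty" symptom in the question.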

  • SA520W routing through site-to-site VPN tunnels

    I have several offices that are connected using site-to-site VPN tunnels, and all use the SA520W (firmware 2.1.18). I currently have 3 routers in place; router A has tunnels created to router B and router C. I need assistance with the configuration to allow the hosts at router site B to get to router site C. I have attempted to add a static route, but get "destination host unreachable" when trying to ping. Also, if I connect to router site A via the Cisco VPN client, I'm not able to get to resources on any site, A, B, or C.

    Site A - 10.10.0.0/24

    Site B - 10.0.0.0/24

    Site C - 10.25.0.0/24

    Any help is greatly appreciated.

    So, is this what you have configured currently?

    RTR_A

    ||

    _____________ || ___________

    ||                                            ||

    RTR_B                                RTR_C

    Since there is no tunnel between B and C, there is no way to pass that traffic through RTR_A, for two reasons. The most important reason is that subnet 10.25.0.0/24 (rtr_c) is not allowed to pass through the IPsec tunnel (it is IPsec, right?) of rtr_a ==> rtr_b. You can't just add a route statement, because your addresses are not routable, which is the reason why it fails.

    Your only option is to create another tunnel between rtr_b and rtr_c. This may not be the ONLY option, but it should get you what you need.

    I hope this helps.

  • Using the same transform set on several site-to-site VPN tunnels

    Hi all. I have a rather strange situation with a site-to-site VPN tunnel.

    On one end I have a PIX 501 and on the other end an ASA 5505, with a tunnel set up between them.

    The problem is that from the PIX side I can't establish the tunnel, but when the traffic starts from the ASA side the tunnel is established as usual.

    I checked the configurations on both ends, and the keys, passwords and mirrored ACLs seem OK. The only thing that catches my attention is that I have the same transform set used for 2 different tunnels on the PIX side.

    Can I use the same transform set on several tunnels, or should I define a different transform set for each tunnel? Could this be the source of the problem?

    Use this on the PIX:

    crypto map <map-name> <seq> set pfs group2

    Or on the ASA, use:

    crypto map <map-name> <seq> set pfs group1

  • Site-to-site VPN tunnel - cannot ping the second inside interface (inside2) of the peer firewall

    I have two ASA 5505 firewalls, each with a base license: FWa and FWb. Currently there is a working VPN tunnel between them. I added a second (inside2) interface to firewall FWb, but I can't ping it from firewall FWa, whereas I can ping the inside interface of FWb from FWa.

    I can ping the FWb inside interface 192.168.20.1 from the FWa inside interface 172.16.1.1, but I cannot ping the FWb inside2 interface 10.52.100.10 from FWa. I cannot ping the gateway host 10.52.100.1 from FWa either.

    I show the essential configuration of the two firewalls as well as the debug icmp output on both firewalls while I ping the inside and inside2 interfaces of FWb from FWa.
    =========================================================

    Here is a skeleton of the FWa configuration:

    name 172.16.1.0 inside-network
    name 192.168.20.0 HprCncThesys
    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name S.S.S.S outside-interface

    interface Vlan1
     nameif inside
     security-level 100
     ip address 172.16.1.1 255.255.255.0
    !
    interface Vlan2
     description Connection to VLAN 777 to work around the Comcast external modem and static IP address
     nameif outside
     security-level 0
     ip address outside-interface 255.255.255.240

    object-group network DM_INLINE_NETWORK_5
     network-object HprCncThesys 255.255.255.0
     network-object ring52-network 255.255.255.0
     network-object ring53-network 255.255.255.0

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network 255.255.255.0
     network-object HprCncThesys 255.255.255.0
     network-object ring53-network 255.255.255.0

    access-list Outside_5_cryptomap extended permit ip host outside-interface object-group DM_INLINE_NETWORK_3
    access-list inside_nat_outbound extended permit ip inside-network 255.255.255.0 object-group DM_INLINE_NETWORK_5
    access-list Outside_nat0_outbound extended permit ip host 173.162.149.72 aus_asx_uat 255.255.255.0

    nat (inside) 0 access-list sheep
    nat (inside) 101 access-list inside_nat_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list Outside_nat0_outbound

    crypto map VPN 5 match address Outside_5_cryptomap
    crypto map VPN 5 set pfs group1
    crypto map VPN 5 set peer D.D.D.D
    crypto map VPN 5 set transform-set VPN
    tunnel-group D.D.D.D type ipsec-l2l
    tunnel-group D.D.D.D ipsec-attributes
     pre-shared-key *

    =========================================================

    FWb:

    name 10.52.100.0 ring52-network
    name 10.53.100.0 ring53-network
    name 10.51.100.0 ring51-network
    name 10.54.100.0 ring54-network

    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.20.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address D.D.D.D 255.255.255.240
    !
    interface Vlan52
     no forward interface Vlan1
     nameif inside2
     security-level 100
     ip address 10.52.100.10 255.255.255.0

    object-group network DM_INLINE_NETWORK_3
     network-object ring52-network 255.255.255.0
     network-object ring53-network 255.255.255.0

    object-group network DM_INLINE_NETWORK_2
     network-object ring52-network 255.255.255.0
     network-object 192.168.20.0 255.255.255.0
     network-object ring53-network 255.255.255.0

    access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 host S.S.S.S
    access-list inside2_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 host S.S.S.S

    access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 host S.S.S.S

    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (inside2) 0 access-list inside2_nat0_outbound
    nat (inside2) 1 0.0.0.0 0.0.0.0

    route inside2 ring51-network 255.255.255.0 10.52.100.1 1
    route inside2 ring53-network 255.255.255.0 10.52.100.1 1
    route inside2 ring54-network 255.255.255.0 10.52.100.1 1

    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs group1
    crypto map outside_map 1 set peer S.S.S.S
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside

    tunnel-group S.S.S.S type ipsec-l2l
    tunnel-group S.S.S.S ipsec-attributes
     pre-shared-key *

    =========================================================================
    I turned on icmp trace debugging on both firewalls and could see the traffic arriving at the inside2 interface, but never returning to FWa.

    Successful ping from FWa to the inside interface of FWb

    FWa# ping 192.168.20.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
    ICMP echo request from outside-interface to 192.168.20.1 ID=32068 seq=23510 len=72
    !ICMP echo reply from 192.168.20.1 to outside-interface ID=32068 seq=23510 len=72
    ....

    FWb#
    ICMP echo request from S.S.S.S to 192.168.20.1 ID=32068 seq=23510 len=72
    ICMP echo reply from 192.168.20.1 to S.S.S.S ID=32068 seq=23510 len=72
    ==============================================================================
    Successful ping from FWa to a host connected to the inside interface of FWb

    FWa# ping 192.168.20.15
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.20.15, timeout is 2 seconds:
    ICMP echo request from outside-interface to 192.168.20.15 ID=50862 seq=18608 len=72
    !ICMP echo reply from 192.168.20.15 to outside-interface ID=50862 seq=18608 len=72
    ...

    FWb#
    ICMP echo request from outside:S.S.S.S to inside:192.168.20.15 ID=50862 seq=18608 len=72
    ICMP echo reply from inside:192.168.20.15 to outside:S.S.S.S ID=50862 seq=18608 len=72

    ===========================
    Unsuccessful ping from FWa to the inside2 interface of FWb

    FWa# ping 10.52.100.10
    Sending 5, 100-byte ICMP Echos to 10.52.100.10, timeout is 2 seconds:
    ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
    ?ICMP echo request from outside-interface to 10.52.100.10 ID=19752 seq=63173 len=72
    ...

    FWb#
    ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
    ICMP echo request from S.S.S.S to 10.52.100.10 ID=19752 seq=63173 len=72
    ....

    ==================================================================================

    Unsuccessful ping from FWa to a host connected to the inside2 interface of FWb

    FWa# ping 10.52.100.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.52.100.1, timeout is 2 seconds:
    ICMP echo request from outside-interface to 10.52.100.1 ID=11842 seq=15799 len=72

    FWb#
    ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72
    ICMP echo request from outside:S.S.S.S to inside2:10.52.100.1 ID=11842 seq=15799 len=72

    =======================

    Thank you

    Hi odelaporte2,

    Most probably the "management-access" command is not applied to the second inside interface, only to the primary inside; "show run management-access" will confirm this.

    This command can only be applied to one interface at a time. For example, if it is currently applied to inside, it cannot be applied to inside2 at the same time.

    Hope it helps

    -Randy-

  • Keep a site-to-site VPN tunnel active for monitoring

    Hi all

    I have a configured site-to-site VPN tunnel that only comes up when traffic is generated from the remote peer. Is it possible to keep the tunnel active once it has been established?

    My requirement is to monitor the VPN for availability, so I need to ping one of the NATed IPs on the remote end, but the tunnel only comes up when traffic is generated from the peer end. Currently the default SA timers are configured.

    Help, please...

    Thank you

    Mikael

    group-policy TARGET_GP attributes
     vpn-idle-timeout none

  • VPN tunnel between a 3005 concentrator and a Cisco 827 router

    I am trying to establish a VPN tunnel between the Central Office, which has a VPN 3005 concentrator, and a branch office with a Cisco 827 router.

    There is a perimeter router with an access list set up in front of the 3005.

    I added the following ACL statement on the Central perimeter router to allow traffic to the 3005: access-list 101 permit ip any 193.188.X.X (address of the concentrator)

    I get the following output when I try to ping a local host at the Central site.

    Can anyone give me the correct steps for the 827 and the 3005?

    Thank you

    Ansar, CCNP.

    ------------------------------------------------------------------------------------------------------

    debug crypto isakmp

    debug crypto engine

    debug crypto sa

    debug output

    ------------------

    1d20h: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 172.22.113.41, remote= 193.188.108.165,
        local_proxy= 202.71.244.160/255.255.255.240/0/0 (type=4),
        remote_proxy= 128.128.1.78/255.255.255.255/0/0 (type=1),
        protocol= ESP, transform= esp- esp-md5-hmac ,
        lifedur= 3600s and 4608000kb,
        spi= 0x83B8AC1B(2209917979), conn_id= 0, keysize= 0, flags= 0x400D
    1d20h: ISAKMP: received ke message (1/1)
    1d20h: ISAKMP: local port 500, remote port 500
    1d20h: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Old State = IKE_READY  New State = IKE_I_MM1
    1d20h: ISAKMP (0:1): beginning Main Mode exchange
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    1d20h: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    1d20h: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    1d20h: ISAKMP (0:1): sending packet to 193.188.108.165 (I) MM_NO_STATE
    1d20h: IPSEC(key_engine): request timer fired: count = 1,

    You must also allow the ESP protocol in your ACL.

    access-list 101 permit esp any host x.x.x.x (address of the concentrator)

    Hope this helps,

    -Nairi

  • Static IPsec tunnel over public addresses between two Cisco routers [VRF aware]

    Hi all

    I am trying to configure a static IPsec tunnel between two routers. Router R1 has only the global routing table [no VRF].

    Router R2 has two routing tables:

    * vrf INET - used for Internet connectivity

    * global routing table - used for VPN connections

    Here are the basic configs:

    R1

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key 7V7u841k2D3Q7v98d6Y4z0zF address 203.0.0.3
    crypto isakmp invalid-spi-recovery
    !
    crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TUNNEL-IPSEC-PROTECTION
     set transform-set TRSET_AES-256_SHA
    !
    interface Loopback0
     ip address 10.0.1.1 255.255.255.255
     ip ospf 1 area 0
    !
    interface Tunnel0
     ip address 192.168.255.34 255.255.255.252
     ip ospf 1 area 0
     tunnel source FastEthernet0/0
     tunnel destination 203.0.0.3
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
    !
    interface FastEthernet0/0
     ip address 102.0.0.1 255.255.255.0
    !
    ip route 203.0.0.3 255.255.255.255 FastEthernet0/0 102.0.0.2

    #######################################################

    R2

    ip vrf INET
     rd 1:1
    !
    crypto keyring test vrf INET
     pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp profile test
     keyring test
     match identity address 102.0.0.1 255.255.255.255
    !
    crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TUNNEL-IPSEC-PROTECTION
     set transform-set TRSET_AES-256_SHA
     set isakmp-profile test
    !
    interface Loopback0
     ip address 10.0.2.2 255.255.255.255
     ip ospf 1 area 0
    !
    interface Tunnel0
     ip address 192.168.255.33 255.255.255.252
     ip ospf 1 area 0
     tunnel source FastEthernet0/0
     tunnel destination 102.0.0.1
     tunnel mode ipsec ipv4
     tunnel vrf INET
     tunnel protection ipsec profile TUNNEL-IPSEC-PROTEC
    !
    interface FastEthernet0/0
     ip vrf forwarding INET
     ip address 203.0.0.3 255.255.255.0
    !
    ip route 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    #######################################################

    There is a router between R1 and R2; it is used only for connectivity:

    interface FastEthernet0/0
     ip address 102.0.0.2 255.255.255.0
    !
    interface FastEthernet0/1
     ip address 203.0.0.2 255.255.255.0

    The problem is that the tunnel is not coming up; I can't get past phase I.

    IPsec VPNs are not my strength, so if someone could show me what mistake I am making, I'd really appreciate it.

    I attached the output of #debug crypto isakmp from R2.

    The source and destination of Tunnel0 belong to VRF INET, so the static route needs to be updated:

    ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2

    crypto isakmp profile test
     vrf INET
     keyring test
     match identity address 102.0.0.1 255.255.255.255
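    As an added example (it is neither the poster's nor the reply's configuration), the R2 side rewritten to make explicit which VRF each keyword selects, since mixing the two is the usual cause of a phase 1 that never starts in a VRF-aware design. On IOS the `vrf` on the keyring and `tunnel vrf` on the interface both name the front-door VRF (FVRF), the table in which IKE and ESP packets are sent and received; the `vrf` keyword under `crypto isakmp profile` names the inside VRF (IVRF), the table into which decrypted traffic is placed. Here the inside side (Tunnel0, Loopback0, OSPF) lives in the global table, so the profile carries no `vrf` line. Addresses, names and the key are the poster's; the profile name is spelled out in full in both places, the 3DES/MD5 policy is kept as posted although it is weak by today's standards, and the `show` lines are verification commands, not configuration.

    ```cisco
    ! R2 (example rewrite). FVRF = INET (Internet-facing), IVRF = global.
    ip vrf INET
     rd 1:1
    !
    ! Keyring bound to the front-door VRF: the peer 102.0.0.1 is reached through INET.
    crypto keyring test vrf INET
     pre-shared-key address 102.0.0.1 key 7V7u841k2D3Q7v98d6Y4z0zF
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp invalid-spi-recovery
    !
    crypto isakmp profile test
     keyring test
     match identity address 102.0.0.1 255.255.255.255
     ! no "vrf <name>" here: that keyword selects the IVRF, which is global for this tunnel
    !
    crypto ipsec transform-set TRSET_AES-256_SHA esp-aes 256 esp-sha-hmac
     mode transport
    !
    crypto ipsec profile TUNNEL-IPSEC-PROTECTION
     set transform-set TRSET_AES-256_SHA
     set isakmp-profile test
    !
    interface Tunnel0
     ip address 192.168.255.33 255.255.255.252
     ip ospf 1 area 0
     tunnel source FastEthernet0/0
     tunnel destination 102.0.0.1
     tunnel mode ipsec ipv4
     tunnel vrf INET
     tunnel protection ipsec profile TUNNEL-IPSEC-PROTECTION
    !
    interface FastEthernet0/0
     ip vrf forwarding INET
     ip address 203.0.0.3 255.255.255.0
    !
    ! The route to the peer must live in the FVRF; a global route is never consulted
    ! for the tunnel's outer packets once "tunnel vrf INET" is set.
    ip route vrf INET 102.0.0.1 255.255.255.255 FastEthernet0/0 203.0.0.2
    !
    ! Verification:
    ! show ip route vrf INET 102.0.0.1      -> the /32 via 203.0.0.2 must be present
    ! show crypto session detail            -> Peer 102.0.0.1, fvrf: INET, ivrf: (none), UP-ACTIVE
    ! show crypto isakmp sa                 -> QM_IDLE for dst 102.0.0.1
    ```

    If `show crypto session detail` reports the session with a different fvrf than the table that actually holds the route to the peer, phase 1 packets are being sourced from the wrong table and the MM_NO_STATE retransmits will continue regardless of the keys.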

  • VPN failover between ASAs

    I am doing research to find the best solution for failover between two ASAs and hoped that someone could point me in the right direction.

    The situation is this; we have:

    - 2 head offices:

    Each is equipped with an ASA 5505

    - 10 branches

    Each is equipped with an 887 integrated services router.

    Each branch office must have a redundant VPN connection to the two head offices, and they all need to use the first head office as primary and the other as secondary. In case of failure, all branches need to use the second VPN connection going to the second head office.

    In my research I'm looking for the best possible solution, with the fastest failover, but have no idea where to start.

    I hope someone has a good answer for this one.

    Thank you very much in advance,

    Kind regards

    Dwayne

    I do not understand why people continue to use ASA devices as VPN endpoints. The ASA is NOT designed for complex VPN scenarios. It is designed for simple scenarios. In terms of VPN, by comparison, the ASA is a person with a basic education while Cisco IOS is like a person with a college degree.

    For your scenario, you will be much better off using Cisco IOS routers everywhere, where you can implement GRE/IPsec or DMVPN. Either will satisfy your needs.
