Cisco ASA 5505 Site-to-Site VPN won't come up

I am working on setting up a site-to-site VPN on two Cisco ASA 5505s that currently have remote access VPNs set up. I am not used to setting up remote access L2TP connections that integrate with Microsoft's built-in VPN client; I usually just set it up to work with the Cisco VPN Client, so forgive some additional or unneeded lines of the config. The remote access portion works fine, users are able to connect, split-tunnels work normally. The issue I am having is with the site-to-site VPN. I am not yet proficient in setting up VPNs through the command line, so unfortunately I have to use the wizard.

The internet setup is the same at both locations; Comcast cable internet with static IP connected to Cisco ASA 5505 connected to internal network.
Here is some additional detail:

Site 1 - Parkcenter

WAN: XX.XX.XX.229      LAN: 192.168.250.0/24

Site 2 - Boalsburg

WAN: XX.XX.XX.181      LAN: 192.168.251.0/24

While trying to set up the site-to-site VPN on one side of the connection through the ASDM's VPN Wizard, these are the commands that were sent and the errors I received:

Boalsburg(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-$
Boalsburg(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
Boalsburg(config)# crypto ipsec transform-set msvpn esp-des esp-md5-hmac
Boalsburg(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hm$
Boalsburg(config)# crypto dynamic-map outside_dyn_map 20 set transform-set msv$
Boalsburg(config)# crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_$
WARNING: Existing map is being linked to dynamic-map: outside_dyn_map.
         All static attributes in existing map will be inactive!
Boalsburg(config)# crypto map outside_map interface outside
WARNING: crypto map has incomplete entries
Boalsburg(config)# crypto isakmp enable outside
Boalsburg(config)# crypto isakmp policy 10
Boalsburg(config-isakmp-policy)#  authentication pre-share
Boalsburg(config-isakmp-policy)#  encryption 3des

When I attempt to send packets across the site-to-site VPN from the 192.168.250.X network to establish the connection, these are the debug errors logged:

IKE Initiator unable to find policy: Intf inside, Src: 192.168.250.5, Dst: 192.168.251.1
Pitcher: received a key acquire message, spi 0x0

Wiping the VPN configuration and starting from scratch is not an option as there is ALWAYS someone connected to the RA VPN. I will post the sanitized configs for both ASAs below. Any help would be greatly appreciated. Thanks.
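
Added example (not part of the original post or of the experts' answers): a small Python check over `crypto map` lines for the two conditions the ASA warned about above, static attributes made inactive by a dynamic-map link on the same sequence number, and entries missing one of match address, set peer or set transform-set. The sample config is constructed; the ACL names and the 203.0.113.10 peer are placeholders, and treating those three attributes as the minimum for a complete static entry is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, not the poster's config. Map names follow the post;
# ACL names and the 203.0.113.10 peer are placeholders.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 20 set transform-set msvpn
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

# Matches per-sequence entries only; "crypto map X interface Y" has no number.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
# Assumed minimum for a usable static site-to-site entry.
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_crypto_maps(config):
    """Return {(map, seq): (kind, attributes, dynamic_map_or_None)}."""
    attrs, dynamic = defaultdict(set), {}
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        key, rest = (m.group(1), int(m.group(2))), m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            dynamic[key] = rest.split()[-1]   # linked dynamic-map name
        else:
            attrs[key].update(r for r in REQUIRED if rest.startswith(r))
    findings = {}
    for key, present in attrs.items():
        if key in dynamic:
            # Same sequence number carries static settings and a dynamic link:
            # the static settings are the ones the ASA reports as inactive.
            findings[key] = ("inactive-static", sorted(present), dynamic[key])
        elif present != set(REQUIRED):
            missing = sorted(set(REQUIRED) - present)
            findings[key] = ("incomplete", missing, None)
    return findings

if __name__ == "__main__":
    for (name, seq), finding in sorted(audit_crypto_maps(SAMPLE_CONFIG).items()):
        print(name, seq, finding)
```

Run it against the `crypto map` and `crypto dynamic-map` lines from `show running-config` on each ASA; a sequence number reported as inactive-static is one whose static peer and ACL no longer take part in policy lookup.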