We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

Setting up a l2l vpn between 2 ASA

Rick5225
Rick5225 asked
on
Medium Priority
532 Views
Last Modified: 2012-05-06
Hello All,

I'm setting up an ipsec l2l vpn between two 5510 asa's. Phase 1 completes and then i get an error "crypto map policy not found" I've verified that the crypto map is in both configs and that they match, but it doesn't seem to want to negotiate the sa's. This tunnel was up and running a couple of weeks ago, then a requirment came in for me to add remote access vpn capablitiy to one of the asa's. Also, orginally was getting an NO SPI to identify Phase 2 SA, think i may have resolved that one, but wanted to give as much info as i can.

I've attached both asa configs.

Any help is greatly appreciated!

Rick






asa1.txt
asa2.txt
Comment
Watch Question

Commented:
try:

sysopt connection permit-vpn
( at both end of asa)

then try
clear ipsec sa
clear isakmp sa

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Commented:
In asa #1 your peer address is pointing at itself:

crypto map uk_map 1 set peer 63.228.185.66

this is your ip address of your outside interface:

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 63.228.185.66 255.255.255.224

the above cryptomap statement ip should be pointing at pix#2
217.20.20.51

Commented:
forgot to add you will want to run the commands also that ricks v stated (this clears out incorrect security associations

Commented:
they have correct peer addresses:
ASA1 config:
crypto map outside_map 10 set peer 217.20.20.51

ASA2 config:
crypto map uk_map 1 set peer 63.228.185.66

no changes needs to be made for peer/ interface address..

btw, hope is not the real address.
note: always hide the internet address when posting config..

Commented:
you are right, I was copying the cryptomap configs in notepad file to compare them on each peer to check for mismatches


what about for starters resetting shared keys on both asa's  - this will cause phase I failure

Author

Commented:
Thanks guys for the responses!

No luck, ran the commands that you suggested ricks v, didn't establish the tunnel.

Attached is the debug logging




vpn-issues.doc
Take this out from asa2 "access-list l2l_VPN_UK extended permit icmp any any", which has no match on other end. see what will happen.

Author

Commented:
Actually, It worked!

Thanks ricks v, i had a routing issue turns out, but need the commands anyway.

thanks guys for all your help!

Author

Commented:
Again, thx for you help!

Rick
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.