• Status: Solved

Setting up a l2l vpn between 2 ASA

Hello All,

I'm setting up an IPsec L2L VPN between two 5510 ASAs. Phase 1 completes and then I get an error "crypto map policy not found". I've verified that the crypto map is in both configs and that they match, but it doesn't seem to want to negotiate the SAs. This tunnel was up and running a couple of weeks ago, then a requirement came in for me to add remote access VPN capability to one of the ASAs. Also, originally I was getting a "No SPI to identify Phase 2 SA" error; I think I may have resolved that one, but wanted to give as much info as I can.

I've attached both asa configs.

Any help is greatly appreciated!

Rick






asa1.txt
asa2.txt
Asked by: Rick5225
1 Solution
 
ricks_v commented:
Try:

sysopt connection permit-vpn
(on both ASAs)

Then try:
clear ipsec sa
clear isakmp sa
 
bignewf commented:
In ASA #1 your peer address is pointing at itself:

crypto map uk_map 1 set peer 63.228.185.66

This is the IP address of your outside interface:

interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 63.228.185.66 255.255.255.224

The above crypto map statement's IP should be pointing at PIX #2:
217.20.20.51
 
bignewf commented:
Forgot to add: you will also want to run the commands that ricks_v stated (this clears out incorrect security associations).
ricks_v commented:
They have the correct peer addresses:
ASA1 config:
crypto map outside_map 10 set peer 217.20.20.51

ASA2 config:
crypto map uk_map 1 set peer 63.228.185.66

No changes need to be made to the peer/interface addresses.

BTW, I hope that is not the real address.
Note: always hide the Internet address when posting a config.
 
bignewf commented:
You are right; I was copying the crypto map configs into a Notepad file to compare them on each peer to check for mismatches.


What about, for starters, resetting the shared keys on both ASAs? - this will cause Phase I failure.
 
Rick5225 (author) commented:
Thanks guys for the responses!

No luck; I ran the commands that you suggested, ricks_v, but it didn't establish the tunnel.

Attached is the debug logging.




vpn-issues.doc
 
leibinusa commented:
Take this out of ASA2: "access-list l2l_VPN_UK extended permit icmp any any", which has no match on the other end. See what will happen.
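The two configuration checks raised in this thread (bignewf's point that a crypto map peer must be the far side's outside address rather than the ASA's own, and leibinusa's point that a crypto ACL entry with no mirror on the other end, such as the "permit icmp any any" line, breaks Phase 2 proxy-ID matching) can be scripted against the two saved configs before touching the boxes. The following is an added example, not code from the thread: it parses two ASA config snippets and reports both kinds of mismatch. The sample configs are constructed; only the two peer IPs, the map names outside_map/uk_map and the l2l_VPN_UK ACL name come from the thread, and the inside subnets, the second ASA's mask and the ASA1 ACL name l2l_VPN_US are assumptions.

```python
"""Static checks for an ASA-to-ASA IPsec L2L tunnel (added example, not from the thread)."""
from dataclasses import dataclass, field


@dataclass
class AsaConfig:
    outside_ip: str = ""
    peers: dict = field(default_factory=dict)      # (map, seq) -> peer IP
    match_acl: dict = field(default_factory=dict)  # (map, seq) -> crypto ACL name
    acls: dict = field(default_factory=dict)       # ACL name -> [(proto, src, dst)]


def _addr(t, i):
    """Parse one ASA address spec at t[i]: 'any' | 'host X' | 'NET MASK'."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1] + "/32", i + 2
    return t[i] + "/" + t[i + 1], i + 2


def parse_asa(text):
    """Pull the outside IP, crypto map peers/ACL references and ACL entries out of a config."""
    cfg, interfaces, cur = AsaConfig(), [], None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if not raw.startswith(" "):  # an unindented line ends any interface block
            cur = None
        if t[0] == "interface":
            cur = {"nameif": None, "ip": None}
            interfaces.append(cur)
        elif cur is not None and t[0] == "nameif":
            cur["nameif"] = t[1]
        elif cur is not None and t[:2] == ["ip", "address"]:
            cur["ip"] = t[2]
        elif t[0] == "access-list" and "permit" in t:
            p = t.index("permit")
            src, j = _addr(t, p + 2)
            dst, _ = _addr(t, j)
            cfg.acls.setdefault(t[1], []).append((t[p + 1], src, dst))
        elif t[:2] == ["crypto", "map"] and len(t) >= 7:
            key = (t[2], t[3])
            if t[4:6] == ["set", "peer"]:
                cfg.peers[key] = t[6]
            elif t[4:6] == ["match", "address"]:
                cfg.match_acl[key] = t[6]
    for i in interfaces:
        if i["nameif"] == "outside":
            cfg.outside_ip = i["ip"] or ""
    return cfg


def _crypto_entries(cfg):
    """All (proto, src, dst) entries of ACLs that a crypto map references."""
    return {e for acl in cfg.match_acl.values() for e in cfg.acls.get(acl, [])}


def check_tunnel(a, b):
    """Return a list of problems; an empty list means both static checks pass."""
    problems = []
    for name, side, other in (("A", a, b), ("B", b, a)):
        for (m, seq), peer in side.peers.items():
            if peer == side.outside_ip:
                problems.append(f"{name}: crypto map {m} {seq} peer {peer} is its own outside address")
            elif peer != other.outside_ip:
                problems.append(f"{name}: crypto map {m} {seq} peer {peer} != other side's outside {other.outside_ip}")
    ea, eb = _crypto_entries(a), _crypto_entries(b)
    # A crypto ACL entry on one side must appear with src/dst swapped on the other side.
    for e in sorted(ea - {(p, d, s) for p, s, d in eb}):
        problems.append(f"A: crypto ACL entry {e} has no mirror on B")
    for e in sorted(eb - {(p, d, s) for p, s, d in ea}):
        problems.append(f"B: crypto ACL entry {e} has no mirror on A")
    return problems


# Constructed sample configs (inside subnets, masks and l2l_VPN_US are assumed).
ASA1_CFG = """\
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 63.228.185.66 255.255.255.224
access-list l2l_VPN_US extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map outside_map 10 match address l2l_VPN_US
crypto map outside_map 10 set peer 217.20.20.51
"""
ASA2_CFG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 217.20.20.51 255.255.255.248
access-list l2l_VPN_UK extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list l2l_VPN_UK extended permit icmp any any
crypto map uk_map 1 match address l2l_VPN_UK
crypto map uk_map 1 set peer 63.228.185.66
"""
# Variant reproducing the self-peer mistake bignewf described.
ASA1_SELF_PEER = ASA1_CFG.replace("set peer 217.20.20.51", "set peer 63.228.185.66")

if __name__ == "__main__":
    for label, cfg1 in (("as posted", ASA1_CFG), ("self-peer", ASA1_SELF_PEER)):
        print(label, check_tunnel(parse_asa(cfg1), parse_asa(ASA2_CFG)))
```

Run against the constructed pair it reports only the unmatched icmp entry on ASA2; the self-peer variant additionally flags the crypto map on ASA1. It is a static check of the saved configs only, so a routing problem like the one the author eventually found would still need `show route` and the debug output on the box.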
 
Rick5225 (author) commented:
Actually, it worked!

Thanks ricks_v; it turns out I had a routing issue, but I needed the commands anyway.

Thanks guys for all your help!
 
Rick5225 (author) commented:
Again, thanks for your help!

Rick