Rick5225
asked on
Setting up a l2l vpn between 2 ASA
Hello All,
I'm setting up an ipsec l2l vpn between two 5510 asa's. Phase 1 completes and then i get an error "crypto map policy not found" I've verified that the crypto map is in both configs and that they match, but it doesn't seem to want to negotiate the sa's. This tunnel was up and running a couple of weeks ago, then a requirment came in for me to add remote access vpn capablitiy to one of the asa's. Also, orginally was getting an NO SPI to identify Phase 2 SA, think i may have resolved that one, but wanted to give as much info as i can.
I've attached both asa configs.
Any help is greatly appreciated!
Rick
asa1.txt
asa2.txt
I'm setting up an ipsec l2l vpn between two 5510 asa's. Phase 1 completes and then i get an error "crypto map policy not found" I've verified that the crypto map is in both configs and that they match, but it doesn't seem to want to negotiate the sa's. This tunnel was up and running a couple of weeks ago, then a requirment came in for me to add remote access vpn capablitiy to one of the asa's. Also, orginally was getting an NO SPI to identify Phase 2 SA, think i may have resolved that one, but wanted to give as much info as i can.
I've attached both asa configs.
Any help is greatly appreciated!
Rick
asa1.txt
asa2.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
forgot to add you will want to run the commands also that ricks v stated (this clears out incorrect security associations
they have correct peer addresses:
ASA1 config:
crypto map outside_map 10 set peer 217.20.20.51
ASA2 config:
crypto map uk_map 1 set peer 63.228.185.66
no changes needs to be made for peer/ interface address..
btw, hope is not the real address.
note: always hide the internet address when posting config..
ASA1 config:
crypto map outside_map 10 set peer 217.20.20.51
ASA2 config:
crypto map uk_map 1 set peer 63.228.185.66
no changes needs to be made for peer/ interface address..
btw, hope is not the real address.
note: always hide the internet address when posting config..
you are right, I was copying the cryptomap configs in notepad file to compare them on each peer to check for mismatches
what about for starters resetting shared keys on both asa's - this will cause phase I failure
what about for starters resetting shared keys on both asa's - this will cause phase I failure
ASKER
Thanks guys for the responses!
No luck, ran the commands that you suggested ricks v, didn't establish the tunnel.
Attached is the debug logging
vpn-issues.doc
No luck, ran the commands that you suggested ricks v, didn't establish the tunnel.
Attached is the debug logging
vpn-issues.doc
Take this out from asa2 "access-list l2l_VPN_UK extended permit icmp any any", which has no match on other end. see what will happen.
ASKER
Actually, It worked!
Thanks ricks v, i had a routing issue turns out, but need the commands anyway.
thanks guys for all your help!
Thanks ricks v, i had a routing issue turns out, but need the commands anyway.
thanks guys for all your help!
ASKER
Again, thx for you help!
Rick
Rick
crypto map uk_map 1 set peer 63.228.185.66
this is your ip address of your outside interface:
interface Ethernet0/1
nameif outside
security-level 0
ip address 63.228.185.66 255.255.255.224
the above cryptomap statement ip should be pointing at pix#2
217.20.20.51