
Cisco L2L VPN - Two tunnels, one peer

Asked by ccfcfc
I am trying to set up an L2L VPN, with local IP address details as follows.

Side A: 192.168.50.0/24, 192.168.53.0/24
Side B: 192.168.69.17, 192.168.69.21

The operators of Side B have requested that this be set up as two separate tunnels, between the same peers.

My config (Side A, ASA 5520) is as follows.
access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.17
access-list inside-in-acl extended permit ip 192.168.50.0 255.255.255.0 host 192.168.69.21
access-list inside-in-acl extended permit icmp 192.168.50.0 255.255.255.0 host 192.168.69.21

access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.17
access-list stg-dmz-in-acl extended permit ip 192.168.53.0 255.255.255.0 host 192.168.69.21
access-list stg-dmz-in-acl extended permit icmp 192.168.53.0 255.255.255.0 host 192.168.69.21

access-list no-nat-inside extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list no-nat-inside extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list no-nat-stg-dmz extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list no-nat-stg-dmz extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0

access-list 187 remark SF VPN Link
access-list 187 extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 187 extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 remark SF VPN Link 2
access-list 186 extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 extended permit icmp 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0

crypto map intamap 86 match address 186
crypto map intamap 86 set peer 88.88.88.88
crypto map intamap 86 set transform-set intatrans-sf
crypto map intamap 86 set nat-t-disable

crypto map intamap 87 match address 187
crypto map intamap 87 set peer 88.88.88.88
crypto map intamap 87 set transform-set intatrans-sf
crypto map intamap 87 set nat-t-disable

tunnel-group 88.88.88.88 type ipsec-l2l
tunnel-group 88.88.88.88 ipsec-attributes
 pre-shared-key xxxxxxxx
Phase 1 seems to be up OK and is showing a state of MM_ACTIVE, but if I try to connect to either of the 192.168.69.xx hosts I see encrypted traffic increasing on the IPsec SA, while the decrypt count remains at zero.

Any ideas, anyone?
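As an added example (not from the post above and not Cisco's own tooling), here is a small Python checker for this kind of two-tunnel setup: it parses ASA crypto-ACL lines, lists local ACEs that have no exact mirror on the far side, and flags ACEs in two crypto-map entries bound to the same peer whose selectors overlap. Side B's ACL is a constructed assumption, since the post does not show it.

```python
import ipaddress
import re

# Matches an ASA extended ACE; group(3) holds the src/dst address tokens.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.+)$")

def _addr(tokens):
    """Consume one ASA address spec ('host X', 'any', or 'X MASK') from tokens."""
    tok = tokens.pop(0)
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)

def parse_acl(config, name):
    """Return [(proto, src_net, dst_net)] for ACL `name`; remark lines are skipped."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == name:
            tokens = m.group(3).split()
            src, dst = _addr(tokens), _addr(tokens)
            entries.append((m.group(2), src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Local ACEs with no exact (proto, dst, src) counterpart in the remote ACL."""
    mirrored = {(p, d, s) for p, s, d in remote}
    return [ace for ace in local if ace not in mirrored]

def overlapping(acl_a, acl_b):
    """ACE pairs from two crypto ACLs on the same peer whose src and dst both overlap."""
    return [(x, y) for x in acl_a for y in acl_b
            if x[0] == y[0] and x[1].overlaps(y[1]) and x[2].overlaps(y[2])]

# Side A crypto ACLs, copied from the post above.
SIDE_A = """
access-list 187 remark SF VPN Link
access-list 187 extended permit ip 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 187 extended permit icmp 192.168.50.0 255.255.255.0 192.168.69.0 255.255.255.0
access-list 186 extended permit ip 192.168.53.0 255.255.255.0 192.168.69.0 255.255.255.0
"""
# Constructed assumption: Side B defines its tunnel per host, as the post implies.
SIDE_B = """
access-list to-side-a extended permit ip host 192.168.69.17 192.168.50.0 255.255.255.0
"""
```

Calling `mirror_mismatches(parse_acl(SIDE_A, "187"), parse_acl(SIDE_B, "to-side-a"))` returns both ACEs of ACL 187, because a /24 destination on one side and a host entry on the other are not mirrors; `overlapping(parse_acl(SIDE_A, "186"), parse_acl(SIDE_A, "187"))` is empty because the two source networks are disjoint.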