ASA L2L vpn can not connect

Expert
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.

ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5    
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
================================================
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
=================================
client# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
client#

ASA3#  sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASA3#
EESkyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

svijay_kCommented:
Nat 0 is missing in the configuration
0
Pete LongTechnical ConsultantCommented:
Hi

>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!

You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)


Pete
0
svijay_kCommented:
Agreed, Nat 0 is not reqiured post 8.3.

Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends

Also the Shared secret should match at both the ends.

Rest all seems to be good.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Pete LongTechnical ConsultantCommented:
Yes Well spotted - your Transform set on the bottom ASA des not match your phase 1 policy

crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600

for phase 1 you need

1. Matching policy
2. Matching Shared Secret
3. Connectivity
4. Symetrical ACLs for 'Interesting Traffic'

Though if the problm was policy mismatch you should at least see a WAIT_MSG_(number) on the 'show cryptp isakmp' results.
0
EESkyAuthor Commented:
Thank you so much for your fast reply

@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.

@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.  

However the VPN is still not working. any suggestion ? Thank you.
0
Pete LongTechnical ConsultantCommented:
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
EESkyAuthor Commented:
Thank you. I got it after i reconfigured it.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.