Faust Romero (United States)
Site to Site VPN Configuration Help - ASA5525x

Help,
I need to create a site-to-site VPN the easy and correct way. On my end I have an ASA5525X, ios 9.5(1), ASDM 7.5(1).
What is the easy way to configure it? Any tips and help are appreciated. Attached is the config after running the VPN wizard in ASDM, which has not been applied to the config yet. I need to revise it and confirm it is OK. Requirements below:

Phase 1:
Authentication: Pre-shared key
Remote Gateway Type: Static IP
DH Group: DH2
Encryption Algorithm: 3DES-CBC
Hash Auth: MD5
Key lifetime: 28800 sec
Tunnel Negotiation: Main (ID Protection)

Phase 2:
Perfect Forward Secrecy: NO-PFS
Encapsulation: Encryption: 3DES-CBC
               Authentication: MD5
Key lifetime: 3600 sec

Configuration below:
VPN Policy: Bidirectional
Pre-shared key: passwordtest
Remote Public IP: 10.10.10.10
Local Public IP: 20.20.20.20
IPs permitted remote: 167.28.0.0/16 and 172.28.0.0/16
IPs permitted local: 192.168.1.0/24
Permitted Ports and Protocol: icmp, tcp 3389
Attachment: S2S_VPN.txt
Pete Long (United Kingdom)

I don't see any phase 1 proposals; it may be that they are already in the config.

I prefer to do this by hand; it looks neater and I think it makes it easier to troubleshoot. See my notes here:

Cisco ASA 5500 Site to Site VPN (From CLI)

You don't mention the other end, so I'm assuming you don't have control of that? This will be the biggest hurdle: if there's a problem, the other end don't like to admit the fault is on their side!

So learn what the tunnel is doing:
Cisco ASA Site to Site VPN's
Site to Site ISAKMP VPN (Main Mode)
Then how to troubleshoot the tunnel to identify any problems:
Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels
Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

Regards,

Pete
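The phase 1 / phase 2 troubleshooting Pete points to comes down to reading two commands on the ASA: `show crypto ikev1 sa` (is the IKE SA up, and in which main-mode state is it stuck?) and `show crypto ipsec sa` (do the encaps/decaps counters move in both directions?). The script below is an added example, not part of the thread or of Pete's articles: it parses both outputs and names the failing phase. The two sample outputs are constructed to look like ASA 9.x output and are not real captures; the state-to-hint mapping covers only the two stuck states I am confident about.

```python
"""Check which phase of an ASA L2L tunnel is failing from 'show' output.

Added example, not from the thread or Pete's articles. The two samples below
are constructed to look like ASA 9.x 'show crypto ikev1 sa' and
'show crypto ipsec sa' output; they are not real captures.
"""
import re

SAMPLE_IKEV1 = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

SAMPLE_IPSEC = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 20.20.20.20

      access-list SITEA_TO_SITEB extended permit ip 192.168.1.0 255.255.255.0 172.28.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
      current_peer: 10.10.10.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Main-mode states an initiator gets stuck in, and the first thing to check.
STUCK_HINTS = {
    "MM_WAIT_MSG2": "no reply from peer: check UDP/500 reachability, that IKEv1 is enabled there, and that a phase 1 policy matches",
    "MM_WAIT_MSG6": "peer stopped after the key exchange: usually a pre-shared key mismatch",
}


def parse_ikev1_sa(text):
    """Map each IKE peer address to its phase 1 state."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            sas[peer] = m.group(1)
            peer = None
    return sas


def parse_ipsec_sa(text):
    """Return one dict per phase 2 SA: local/remote proxy IDs, peer, encaps, decaps."""
    sas, cur = [], {}
    for line in text.splitlines():
        if m := re.search(r"local ident.*?\(([\d.]+)/([\d.]+)/", line):
            cur = {"local": f"{m.group(1)}/{m.group(2)}"}
        elif m := re.search(r"remote ident.*?\(([\d.]+)/([\d.]+)/", line):
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        elif m := re.search(r"current_peer:\s*(\S+)", line):
            cur["peer"] = m.group(1)
        elif m := re.search(r"#pkts encaps:\s*(\d+)", line):
            cur["encaps"] = int(m.group(1))
        elif m := re.search(r"#pkts decaps:\s*(\d+)", line):
            cur["decaps"] = int(m.group(1))
            sas.append(cur)  # decaps is the last counter we need; close this SA
            cur = {}
    return sas


def diagnose(ikev1_text, ipsec_text, peer):
    """Return (code, hint): which phase is broken, or which direction is one-way."""
    state = parse_ikev1_sa(ikev1_text).get(peer)
    if state is None:
        return ("phase1-missing", "no IKE SA with this peer: check 'set peer', the tunnel-group name, and that interesting traffic is actually hitting the crypto ACL")
    if state != "MM_ACTIVE":
        return ("phase1-stuck", STUCK_HINTS.get(state, f"stuck in {state}; run 'debug crypto ikev1 127'"))
    child = [s for s in parse_ipsec_sa(ipsec_text) if s.get("peer") == peer]
    if not child:
        return ("phase2-missing", "phase 1 is up but no IPsec SA: transform-set, PFS or proxy-ID mismatch")
    for s in child:
        if s["encaps"] and not s["decaps"]:
            return ("phase2-one-way-out", f"{s['local']} -> {s['remote']}: we encrypt but get nothing back; check the remote crypto ACL, NAT and routing")
        if s["decaps"] and not s["encaps"]:
            return ("phase2-one-way-in", f"{s['local']} -> {s['remote']}: we decrypt but never send; check the local NAT exemption and routing")
    if any(s["encaps"] for s in child):
        return ("ok", "both phases up and traffic flows both ways")
    return ("phase2-idle", "SA is up but no traffic has used it yet")


if __name__ == "__main__":
    print(diagnose(SAMPLE_IKEV1, SAMPLE_IPSEC, "10.10.10.10"))
```

On the constructed sample the verdict is `phase2-one-way-out`: phase 1 is `MM_ACTIVE`, packets are being encapsulated, but nothing is decapsulated, which is the classic "our side is fine, the other end is not sending back" symptom Pete warns about. Paste real output from `show crypto ikev1 sa` and `show crypto ipsec sa peer <ip>` in place of the samples.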
ASKER CERTIFIED SOLUTION
Michael Ortega (United States)
Site A:
object network NET_SITEA
 subnet 192.168.1.0 255.255.255.0
!
object network NET_SITEB_SUBNET1
 subnet 167.28.0.0 255.255.0.0
! (Note: you realize this is a publicly routable subnet, right?)
!
object network NET_SITEB_SUBNET2
 subnet 172.28.0.0 255.255.0.0
!
object-group network GROUP_SITEB_SUBNETS
 network-object object NET_SITEB_SUBNET1
 network-object object NET_SITEB_SUBNET2
!
nat (inside_interface_name,outside_interface_name) source static GROUP_SITEB_SUBNETS GROUP_SITEB_SUBNETS destination static NET_SITEA NET_SITEA no-proxy-arp route-lookup
!
access-list SITEB_TO_SITEA extended permit tcp object-group GROUP_SITEB_SUBNETS object NET_SITEA eq 3389
access-list SITEB_TO_SITEA extended permit icmp object-group GROUP_SITEB_SUBNETS object NET_SITEA
!
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 set peer 20.20.20.20
! (Note: you realize this is not a publicly routable IP, right?)
crypto map outside_map 1 match address SITEB_TO_SITEA
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 1 set security-association lifetime seconds 3600
!
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
!
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
 ikev1 pre-shared-key whateveryouwantyourpsktobe
!
crypto map outside_map interface outside_interface_name
crypto ikev1 enable outside

I'll throw the disclaimer out there again: I may have made a small mistake on the syntax as I was doing it all from memory, so feel free to use your "?" as you go through the config.


MO
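MO's answer lays out the pieces of an IKEv1 L2L tunnel on ASA 9.x: network objects, a NAT exemption, a crypto ACL, the transform-set and crypto map, the `crypto ikev1 policy`, and the `tunnel-group` holding the PSK. The script below is an added example, not the config posted in the thread or on the asker's box: it generates the local (Site A) side from the question's requirements and lints the result before anything is pasted. The object, ACL and group-policy names (`NET_SITEA`, `GROUP_SITEB_SUBNETS`, `TS_SITEB`, `GP_SITEB`, `SITEA_TO_SITEB`) and the interface names `inside`/`outside` are my assumptions. The port restriction (tcp/3389 and icmp) is applied with a `vpn-filter` on the group policy rather than in the crypto ACL, which is my swap-in: a crypto ACL only defines the proxy IDs and must mirror the peer's exactly, so keeping ports out of it avoids a phase 2 mismatch with an end you do not control.

```python
"""Generate and sanity-check the local (Site A) side of the IKEv1 L2L VPN.

Added example, not the config posted in the thread. Object, ACL and
group-policy names (NET_SITEA, GROUP_SITEB_SUBNETS, GP_SITEB, ...) are
assumptions; parameter values are the ones in the question.
"""
import ipaddress

# The question's requirements, restated as data (constructed for this example).
REQ = {
    "inside_if": "inside",
    "outside_if": "outside",
    "local_public": "20.20.20.20",
    "remote_public": "10.10.10.10",
    "local_net": "192.168.1.0/24",
    "remote_nets": ["167.28.0.0/16", "172.28.0.0/16"],
    "psk": "passwordtest",
    "p1": {"encryption": "3des", "hash": "md5", "group": 2, "lifetime": 28800},
    "p2": {"encryption": "esp-3des", "hash": "esp-md5-hmac", "lifetime": 3600, "pfs": False},
    # What the remote side may reach on the local LAN; enforced with a vpn-filter.
    "allowed": [("tcp", 3389), ("icmp", None)],
}

WEAK = {
    "3des": "3DES has a 64-bit block (Sweet32) and is deprecated",
    "esp-3des": "3DES has a 64-bit block (Sweet32) and is deprecated",
    "md5": "MD5 is deprecated; use SHA-256 or better",
    "esp-md5-hmac": "MD5 is deprecated; use SHA-256 or better",
}


def _subnet(cidr):
    """'192.168.1.0/24' -> '192.168.1.0 255.255.255.0' (ASA object syntax)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def build_config(req):
    """Return the ASA CLI for the local side as one string."""
    peer, outside = req["remote_public"], req["outside_if"]
    p1, p2 = req["p1"], req["p2"]
    c = ["object network NET_SITEA", f" subnet {_subnet(req['local_net'])}"]
    for i, cidr in enumerate(req["remote_nets"], 1):
        c += [f"object network NET_SITEB_{i}", f" subnet {_subnet(cidr)}"]
    c.append("object-group network GROUP_SITEB_SUBNETS")
    c += [f" network-object object NET_SITEB_{i}" for i in range(1, len(req["remote_nets"]) + 1)]
    # NAT exemption: source is the LOCAL subnet, destination the remote group.
    c.append(f"nat ({req['inside_if']},{outside}) source static NET_SITEA NET_SITEA "
             "destination static GROUP_SITEB_SUBNETS GROUP_SITEB_SUBNETS no-proxy-arp route-lookup")
    # Crypto ACL (proxy IDs): local -> remote; it must mirror the peer's ACL.
    c.append("access-list SITEA_TO_SITEB extended permit ip object NET_SITEA object-group GROUP_SITEB_SUBNETS")
    # Port restriction via vpn-filter, written from the remote side's point of view.
    for proto, port in req["allowed"]:
        rule = f"access-list VPN_FILTER_SITEB extended permit {proto} object-group GROUP_SITEB_SUBNETS object NET_SITEA"
        c.append(rule + (f" eq {port}" if port else ""))
    c += ["group-policy GP_SITEB internal", "group-policy GP_SITEB attributes",
          " vpn-filter value VPN_FILTER_SITEB", " vpn-tunnel-protocol ikev1"]
    # Phase 1 proposal.
    c += ["crypto ikev1 policy 10", " authentication pre-share", f" encryption {p1['encryption']}",
          f" hash {p1['hash']}", f" group {p1['group']}", f" lifetime {p1['lifetime']}"]
    # Phase 2 proposal and crypto map; the peer is the REMOTE gateway.
    c += [f"crypto ipsec ikev1 transform-set TS_SITEB {p2['encryption']} {p2['hash']}",
          "crypto map outside_map 1 match address SITEA_TO_SITEB",
          f"crypto map outside_map 1 set peer {peer}",
          "crypto map outside_map 1 set ikev1 transform-set TS_SITEB",
          f"crypto map outside_map 1 set security-association lifetime seconds {p2['lifetime']}"]
    if p2["pfs"]:
        c.append(f"crypto map outside_map 1 set pfs group{p1['group']}")
    c += [f"crypto map outside_map interface {outside}", f"crypto ikev1 enable {outside}"]
    # The tunnel-group is named after the remote peer and carries the PSK.
    c += [f"tunnel-group {peer} type ipsec-l2l",
          f"tunnel-group {peer} general-attributes", " default-group-policy GP_SITEB",
          f"tunnel-group {peer} ipsec-attributes", f" ikev1 pre-shared-key {req['psk']}"]
    return "\n".join(c)


def lint(req):
    """Return (severity, message) findings a reviewer would raise before pasting."""
    f = []
    local = ipaddress.ip_network(req["local_net"])
    for r in (ipaddress.ip_network(n) for n in req["remote_nets"]):
        if local.overlaps(r):
            f.append(("error", f"local {local} overlaps remote {r}; needs twice NAT to work"))
        if r.is_global:
            f.append(("warn", f"remote subnet {r} is publicly routable; confirm it is really the remote LAN"))
    if ipaddress.ip_address(req["remote_public"]).is_private:
        f.append(("error", f"peer {req['remote_public']} is not publicly routable"))
    for alg in (req["p1"]["encryption"], req["p1"]["hash"], req["p2"]["encryption"], req["p2"]["hash"]):
        if alg in WEAK:
            f.append(("warn", f"{alg}: {WEAK[alg]}"))
    if req["p1"]["group"] <= 2:
        f.append(("warn", f"DH group {req['p1']['group']} is 1024-bit or smaller; use group 14 or higher"))
    if not req["p2"]["pfs"]:
        f.append(("warn", "PFS disabled: compromise of the IKE SA exposes every child SA key"))
    if len(req["psk"]) < 20:
        f.append(("warn", "pre-shared key is short; use a long random string"))
    return f


if __name__ == "__main__":
    for sev, msg in lint(REQ):
        print(f"[{sev}] {msg}")
    print(build_config(REQ))
```

Run against the values in the question, the lint flags the 10.10.10.10 peer as non-routable (the asker later confirms the posted addresses are placeholders), 167.28.0.0/16 as a public range, and every algorithm in the requirement list as deprecated. If the other end will only negotiate 3DES/MD5/DH2, you have to match them to get the tunnel up, but the findings are worth putting in writing to whoever owns the remote side.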
Faust Romero (asker)

MO, I have no control over the other end of the configuration; I have only been provided with the information shared. The IP addresses I posted are not used in the real scenario. Thanks for the support, MO. I am planning to do this configuration this week. I want to make this smooth and make it work in one shot; this is why I am taking precautions. I will make a backup of the config in case I need to go back.
Pete Long, thanks for the information shared. It is good to understand more and troubleshoot site-to-site VPN.
I will keep you all posted during this week. Hopefully this will work the way we want it.
Faustino12
No problem. Keep us posted. We're here to help.

MO
MO,
#1
I was analyzing your configuration for the NAT. It should be source first; see the config below. Or is that the reason for bidirectional?
nat (inside_interface_name,outside_interface_name) source static NET_SITEA NET_SITEA  destination static  GROUP_SITEB_SUBNETS GROUP_SITEB_SUBNETS no-proxy-arp route-lookup
#2
See the attached config and let me know if it is OK, so I can start the config. Thanks a lot.
HO_VPN_Configuration-v1.txt
Also, I did not see ikev2 in the config. Can I add it like this (below) per my last config? Thanks

crypto ikev2 policy 2
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 28800
! (IKEv2 policies have no authentication line; the PSK goes under the tunnel-group's ikev2 local/remote-authentication)
Didn't realize you were doing IKEV2. Yes, you can do it that way. Make sure to enable IKEV2:

crypto ikev2 enable outside

and that your tunnel-group is using IKEV2 as well, e.g. local and remote authentication.

MO
What about the NAT configuration you posted previously? My source address is NET_SITEA. Check the syntax.

nat (inside_interface_name,outside_interface_name) source static GROUP_SITEB_SUBNETS GROUP_SITEB_SUBNETS destination static NET_SITEA NET_SITEA no-proxy-arp route-lookup
I posted 2 entries for Syntax. One was for the SITEA config and one was for the remote site. The NAT you are referring to is for the remote site, which you subsequently told me is not controlled by you so you can then discard it.

See the first config entry I sent. It has the appropriate information.

MO
Ha! I just realized I called them both "SITEA". My bad. Look at the first config. That's the correct one.

MO
Hi MO, the only command that I was not able to put into the configuration was:

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5

Remember I am running ASA 9.4(1), ASDM 7.4(1). Let me know of any suggestions. All commands were entered into the ASA configuration without any issues.
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

MO
Perhaps it already exists? It would give you an error also if it already existed.

MO
Correct, it already existed in the configuration. I have configured my end. I am waiting on the other end to test.
MO, thanks very much. I will actually take more time to know whether it is working 100%. I will mark it as closed. I will open another question if I run into troubleshooting; hopefully the IPsec VPN will be fine.