Verifying Site-to-site VPN

Unanswered Question
Jul 15th, 2008

Hi,

How do I verify that the site-to-site VPN connection I just configured is ok?

When I log into the ASDM the number of VPN connections is zero. Is a site-to-site VPN connection only active when traffic is sent between two hosts, or does it "stay on" all the time?


I used the following configuration:



ASA 5505 #1

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.1 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.1 ipsec-attributes
hostname(config-ipsec)# pre-shared-key blabla
hostname(config-ipsec)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.1
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory



ASA 5505 #2

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
hostname(config)# tunnel-group 10.10.10.2 type ipsec-l2l
hostname(config)# tunnel-group 10.10.10.2 ipsec-attributes
hostname(config-ipsec)# pre-shared-key blabla
hostname(config-ipsec)# exit
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.10.2
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside
hostname(config)# write memory


Thanks!


Overall Rating: 5 (2 ratings)
dhananjoy chowdhury Tue, 07/15/2008 - 03:53
User Badges:
  • Silver, 250 points or more

Suppose this is the setup :


---===vpn tunnel===---


Then initiate a continuous ping from PC1 (192.168.100.0/24) to PC2 (192.168.1.0/24), and you will see the IPsec tunnel being established, provided your config is correct.


Then, if you issue the command "show crypto isakmp sa" on the ASA box, you should see the active SAs in the output:


Active SA: 1


Then give the command "show crypto ipsec sa".


You will see something like this in the output, which shows the number of packets getting encrypted, encapsulated, etc.:


#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20

#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
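The check described in this answer (phase 1 SA present, then encaps/decaps counters moving in both directions) as a small parser, added here as an example and not code from the thread or from Cisco. The "show" output it reads is constructed to match the lines quoted above; the "one-way" verdict is an assumption about what encaps-without-decaps usually means (return traffic not reaching the tunnel, e.g. a missing route or ACL on the far side, as the poster found).

```python
import re

# Constructed sample output, modelled on the lines quoted in the answer.
# Not a capture from the poster's ASAs.
ISAKMP_OUTPUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
"""

IPSEC_OUTPUT = """\
      #pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

# A second, later sample taken while the continuous ping is still running.
IPSEC_LATER = """\
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""


def active_isakmp_sas(text):
    """Return the 'Active SA' count from 'show crypto isakmp sa' (0 if absent)."""
    m = re.search(r"Active SA:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def ipsec_counters(text):
    """Return {'encaps': n, 'decaps': n, ...} parsed from 'show crypto ipsec sa'."""
    return {k: int(v) for k, v in re.findall(r"#pkts (\w+):\s*(\d+)", text)}


def tunnel_status(isakmp_text, ipsec_text):
    """Classify the tunnel as 'up', 'one-way' or 'down' from one sample of each command."""
    if active_isakmp_sas(isakmp_text) == 0:
        return "down"      # no phase 1 SA: nothing triggered the tunnel, or IKE failed
    c = ipsec_counters(ipsec_text)
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc > 0 and dec > 0:
        return "up"
    if enc > 0 and dec == 0:
        return "one-way"   # we encrypt but nothing comes back: check far-side routing/ACL
    return "down"


def counters_advanced(before_text, after_text):
    """True when both encaps and decaps grew between two samples (traffic really flowing)."""
    b, a = ipsec_counters(before_text), ipsec_counters(after_text)
    return all(a.get(k, 0) > b.get(k, 0) for k in ("encaps", "decaps"))
```

Feed it two snapshots of the real command output a few seconds apart while the ping runs; a tunnel that is "up" but whose counters do not advance is the same symptom the original poster hit before fixing routing.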

dhananjoy chowdhury Tue, 07/15/2008 - 03:55
User Badges:
  • Silver, 250 points or more

If using ASDM, go to

VPN Statistics > Global IKE/IPSec Statistics


You will see the Active tunnels.

robbhanMid Tue, 07/15/2008 - 04:09

Do I need to specify another ACL to allow ICMP traffic, or will my VPN automatically allow all kinds of traffic between the two networks?

robbhanMid Tue, 07/15/2008 - 05:12

It's working now. Some much-needed routing was missing from both the ASAs. Phew, thanks a lot for helping me.
