Verifying Site-to-site VPN

robbhanMid
Level 1

Hi,

How do I verify that the site-to-site VPN connection I just configured is ok?

When I log into the ASDM the number of VPN connections is zero. Is a site-to-site VPN connection only active when traffic is sent between two hosts, or does it "stay on" all the time?

I used the following configuration:

Asa 5505# 1

hostname(config)# isakmp policy 1 authentication pre-share

hostname(config)# isakmp policy 1 encryption 3des

hostname(config)# isakmp policy 1 hash sha

hostname(config)# isakmp policy 1 group 2

hostname(config)# isakmp policy 1 lifetime 43200

hostname(config)# isakmp enable outside

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

hostname(config)# access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

hostname(config)# tunnel-group 10.10.10.1 type ipsec-l2l

hostname(config)# tunnel-group 10.10.10.1 ipsec-attributes

hostname(config-ipsec)# pre-shared-key blabla

hostname(config)# exit

hostname(config)# crypto map abcmap 1 match address l2l_list

hostname(config)# crypto map abcmap 1 set peer 10.10.10.1

hostname(config)# crypto map abcmap 1 set transform-set FirstSet

hostname(config)# crypto map abcmap interface outside

hostname(config)# write memory

Asa 5505# 2

hostname(config)# isakmp policy 1 authentication pre-share

hostname(config)# isakmp policy 1 encryption 3des

hostname(config)# isakmp policy 1 hash sha

hostname(config)# isakmp policy 1 group 2

hostname(config)# isakmp policy 1 lifetime 43200

hostname(config)# isakmp enable outside

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

hostname(config)# access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

hostname(config)# tunnel-group 10.10.10.2 type ipsec-l2l

hostname(config)# tunnel-group 10.10.10.2 ipsec-attributes

hostname(config-ipsec)# pre-shared-key blabla

hostname(config)# exit

hostname(config)# crypto map abcmap 1 match address l2l_list

hostname(config)# crypto map abcmap 1 set peer 10.10.10.2

hostname(config)# crypto map abcmap 1 set transform-set FirstSet

hostname(config)# crypto map abcmap interface outside

hostname(config)# write memory

Thanx!

4 Replies

Suppose this is the setup :

---===vpn tunnel===---

Then initiate a continuous ping from PC1 (192.168.100.0/24) to PC2 (192.168.1.0/24), and you will see the IPsec tunnel being established, provided your config is correct.

And then if you issue the command "show crypto isakmp sa" on the ASA box you should see the active SAs in the output:

Active SA: 1

- And then give the command "show crypto ipsec sa"

You will see something like this in the output, which says the no. of packets getting encrypted, encapsulated, etc.

#pkts encaps: 20, #pkts encrypt: 20, #pkts digest: 20

#pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20

If using ASDM, go to

VPN Statistics > Global IKE/IPSec Statistics

You will see the Active tunnels.
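To make the counter check from this reply repeatable, here is an added example (not from the thread or from Cisco) that parses two snapshots of "show crypto ipsec sa" taken before and after the continuous ping and reports whether the tunnel is carrying traffic in both directions. The sample output is constructed from the counter lines quoted above; the interface/peer lines are placeholders.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (not real device output),
# built around the "#pkts encaps/decaps" counter lines quoted in the reply.
SAMPLE_BEFORE = """\
interface: outside
    Crypto map tag: abcmap, seq num: 1, local addr: 10.10.10.2
      local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Second snapshot: we encrypted 20 pings but nothing came back yet.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "encaps: 0, #pkts encrypt: 0, #pkts digest: 0",
    "encaps: 20, #pkts encrypt: 20, #pkts digest: 20")

# Only the encaps/decaps totals matter for direction; encrypt/digest follow them.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_counters(output):
    """Sum encaps/decaps over every SA in the output; None if no SA is listed."""
    matches = COUNTER_RE.findall(output)
    if not matches:
        return None
    totals = {"encaps": 0, "decaps": 0}
    for name, value in matches:
        totals[name] += int(value)
    return totals

def diagnose(before, after):
    """Compare two snapshots taken around a continuous ping and classify the tunnel."""
    a = parse_counters(after)
    if a is None:
        return "no-sa"          # IKE/IPsec never completed: check policy, PSK, interesting traffic
    b = parse_counters(before) or {"encaps": 0, "decaps": 0}
    tx = a["encaps"] - b["encaps"]
    rx = a["decaps"] - b["decaps"]
    if tx > 0 and rx > 0:
        return "bidirectional"  # tunnel up and passing traffic both ways
    if tx > 0:
        return "one-way-tx"     # we encrypt but receive nothing: remote routing/ACL/return path
    if rx > 0:
        return "one-way-rx"     # we decrypt but send nothing: local routing or crypto ACL
    return "idle"               # SA exists but the ping is not hitting the crypto map
```

A "one-way-tx" result is the symptom the missing routes in this thread would produce: the ping leaves encrypted, but the reply never comes back through the tunnel.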

Do I need to specify another ACL to allow ICMP traffic, or will my VPN automatically allow all kinds of traffic between the two networks?

It's working now. Some much needed routing was missing from both the ASAs. Phew, thanx a lot for helping me.
