Cisco 1841 VPN

patricia20
Level 1

Hi,

I have an 1841 router in site-A that is connected to site-B (Fortinet FW) via L2L VPN over the internet. If a remote-access user would connect to site-A, via RA VPN over the internet, would he be able to connect to site-B as well? Is this also possible if I have an ASA FW instead of an 1841 router?

Thanks! :)


Neat! Thanks for this. And would really appreciate if you could send a link for a sample config of Cisco1841 for this setup.

Thanks very much! :)

For IOS this is the only link I know of, you will have to modify it based on the ASA Link:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Regards

Farrukh

Hi,

Thanks for this. I'll just have to test it first. Btw, there won't be any issues if the other FW is Fortinet, right?

Thanks again,

Patricia

If you can form a regular L2L VPN with the Fortinet (which can be sometimes tricky) then the spoke 2 spoke should be OK as well. The real intelligence lies in the HUB device in such a setup.

Regards

Farrukh

Hi,

I have tried to test this setup, unfortunately, to no success. :(

The connection of L2L and remote access are ok. But if the VPN client tries to connect to the spoke network, it doesn't work. When I check crypto ipsec sa, there's no SPI for this connection. Would you know the possible reasons for this?

Thanks!

I would have to look at your configuration to comment on that. Make sure that the spoke to client traffic is included in your crypto ACL, NAT exemption etc.

Regards

Farrukh

Hi Farrukh,

See attached config of the hub (Cisco1841) and spoke (ASA5505).

I did some config changes and now my L2L is not up too. :(

Thanks,

Pat

Hi Farrukh,

I'm also attaching the debug on my L2L VPN connection. From the ASA, it has an error of "Removing peer from correlator table failed, no match!". I've checked all the attributes and ACLs, still I can't find any differences in the config.

Thanks!

Ooppsss, here is the attachment.

Thanks!

Why have you enabled PFS on one side and not the other?

Regards

Farrukh

How would I enable pfs in 1841?

Thanks!

If it's supported then it would be the same like the ASA (Under the crypto map configuration).

Regards

Farrukh
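The two checks raised in this thread (PFS set on one peer only, and the client-to-spoke traffic missing from the crypto ACL) can be run offline against saved configs. The following is an added example, not part of the original posts or of any Cisco tooling; the configs, addresses, map and ACL names and the client pool are constructed placeholders, and it assumes each snippet contains only the crypto ACL in plain `permit ip net mask net mask` form.

```python
import ipaddress
import re

# Constructed configs: addresses, map names and ACL names are placeholders.
HUB_IOS = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 110
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SPOKE_ASA = """\
crypto map outside_map 10 match address L2L
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set pfs group2
access-list L2L extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
RA_POOL = ipaddress.ip_network("10.10.10.0/24")  # assumed VPN client pool

ACL_RE = re.compile(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def pfs_group(cfg):
    """Return the PFS group in the config, 'default' if bare, None if absent."""
    m = re.search(r"set pfs(?: (\S+))?", cfg)
    return None if m is None else (m.group(1) or "default")

def crypto_pairs(cfg):
    """Parse 'permit ip net mask net mask' entries; ipaddress accepts both
    IOS wildcard masks and ASA netmasks. 'host'/'any' forms are not handled."""
    net = ipaddress.ip_network
    return {(net(f"{s}/{sm}"), net(f"{d}/{dm}")) for s, sm, d, dm in ACL_RE.findall(cfg)}

def audit(hub_cfg, spoke_cfg, pool):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    hub_pfs, spoke_pfs = pfs_group(hub_cfg), pfs_group(spoke_cfg)
    if hub_pfs != spoke_pfs:
        findings.append(f"PFS mismatch: hub={hub_pfs} spoke={spoke_pfs}")
    hub, spoke = crypto_pairs(hub_cfg), crypto_pairs(spoke_cfg)
    for src, dst in sorted(spoke - {(d, s) for s, d in hub}):
        findings.append(f"spoke protects {src}->{dst}; hub has no mirror entry")
    for src, dst in sorted(hub - {(d, s) for s, d in spoke}):
        findings.append(f"hub protects {src}->{dst}; spoke has no mirror entry")
    if not any(pool.subnet_of(src) for src, _ in hub):
        findings.append(f"client pool {pool} is not a source in the hub crypto ACL")
    return findings

if __name__ == "__main__":
    for line in audit(HUB_IOS, SPOKE_ASA, RA_POOL):
        print(line)
```

On the sample pair it reports the PFS mismatch, the spoke entry for the client pool that has no mirror on the hub, and the pool missing as a source in the hub ACL.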

Ok, have configured it now and will test the connection later as I can't plug the test router into the network yet. Hmm, just wondering if this will solve the issue of VPN client getting into the spoke network? :)

Thanks!
