I configured on 2 ASA 5510s a VPN between them. I used the IPsec wizard and ensured that each rule was mirrored on the other device. I did select to have the traffic NATed because this is eventually going to be a point to multipoint environment, with the same IP addresses within each enclave. What will separate them will be the public addresses assigned to them. Looking at my log files on both devices, I see the same errors. Any help would be greatly appreciated.
4|Sep 25 2010|12:01:18|113019|||||Group = 220.127.116.11, Username = 18.104.22.168, IP = 22.214.171.124, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Sep 25 2010|12:01:18|713259|||||Group = 126.96.36.199, IP = 188.8.131.52, Session is being torn down. Reason: User Requested
3|Sep 25 2010|12:01:18|713902|||||Group = 184.108.40.206, IP = 220.127.116.11, Removing peer from correlator table failed, no match!
5|Sep 25 2010|12:01:18|713050|||||Group = 18.104.22.168, IP = 22.214.171.124, Connection terminated for peer 126.96.36.199. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
5|Sep 25 2010|12:01:18|713068|||||Group = 188.8.131.52, IP = 184.108.40.206, Received non-routine Notify message: Invalid ID info (18)
5|Sep 25 2010|12:01:18|713119|||||Group = 220.127.116.11, IP = 18.104.22.168, PHASE 1 COMPLETED
6|Sep 25 2010|12:01:18|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 22.214.171.124
6|Sep 25 2010|12:01:18|713172|||||Group = 126.96.36.199, IP = 188.8.131.52, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
5|Sep 25 2010|12:01:18|713041|||||IP = 184.108.40.206, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 220.127.116.11 local Proxy Address 18.104.22.168, remote Proxy Address 22.214.171.124, Crypto map (Outside_map)
5|Sep 25 2010|12:01:18|713904|||||IP = 126.96.36.199, Received encrypted packet with no matching SA, dropping
It does not look like it's a mirror-image ACL.
Can you please advise what subnet is in Enterprise_A/29 and Enterprise_B/29?
On the first ASA you have:
Local Network: 188.8.131.52
Remote Network: Enterprise_A/29
On the other ASA, it should be the mirror image as follows:
Local Network: Enterprise_A/29
Remote Network: 184.108.40.206
However, you have the following on the other ASA:
Local network: 220.127.116.11 --> is this the same as Enterprise_A/29 ip address?
Remote Network: Enterprise_B/29 --> is this the same as 18.104.22.168?
Also, how are they being NATed? Static NAT or PAT? If you are performing PAT, traffic can only be initiated from the PAT end, hence you can't configure PAT for both ends of the ASA. Plus the crypto ACL needs to match the NATed address.
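The mirror-image check the reply describes can be done mechanically. This is an added example, not code from the thread: it parses the `access-list NAME extended permit ip` lines of a crypto ACL on each ASA and reports any ACE whose (remote, local) mirror is missing on the other side. The ACL name `Outside_cryptomap` and the 192.0.2.8/29 and 198.51.100.8/29 post-NAT subnets are constructed for the example.

```python
import ipaddress

def _operand(tokens, i):
    """Consume one ASA ACE address operand at tokens[i]: 'any', 'host X' or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_crypto_acl(config_text, acl_name):
    """Return the set of (local_net, remote_net) pairs from 'access-list NAME extended permit ip' lines."""
    pairs = set()
    for line in config_text.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue
        local, i = _operand(t, 5)
        remote, _ = _operand(t, i)
        pairs.add((local, remote))
    return pairs

def mirror_mismatches(config_a, config_b, acl_name):
    """ACEs on each side whose mirror (remote, local) is absent on the other side.
    Any entry here means the phase 2 proxy IDs the two peers offer will not agree,
    which is the condition behind the 'Invalid ID info (18)' notify in the log above."""
    acl_a = parse_crypto_acl(config_a, acl_name)
    acl_b = parse_crypto_acl(config_b, acl_name)
    only_a = sorted((str(l), str(r)) for l, r in acl_a if (r, l) not in acl_b)
    only_b = sorted((str(l), str(r)) for l, r in acl_b if (r, l) not in acl_a)
    return only_a, only_b

# Constructed sample (hypothetical addresses): each enclave uses 10.0.0.0/29 internally, so
# site A is static-NATed to 192.0.2.8/29 and site B to 198.51.100.8/29 before encryption.
# The crypto ACL on both sides must reference the post-NAT subnets.
ASA_A = "access-list Outside_cryptomap extended permit ip 192.0.2.8 255.255.255.248 198.51.100.8 255.255.255.248\n"
ASA_B_MIRROR = "access-list Outside_cryptomap extended permit ip 198.51.100.8 255.255.255.248 192.0.2.8 255.255.255.248\n"
# Wrong: site B names site A's pre-NAT subnet, so its ACE is not the mirror of site A's.
ASA_B_PRE_NAT = "access-list Outside_cryptomap extended permit ip 198.51.100.8 255.255.255.248 10.0.0.0 255.255.255.248\n"

if __name__ == "__main__":
    print(mirror_mismatches(ASA_A, ASA_B_MIRROR, "Outside_cryptomap"))   # ([], [])
    print(mirror_mismatches(ASA_A, ASA_B_PRE_NAT, "Outside_cryptomap"))
```

Feed it the real `access-list` lines from `show running-config` on each ASA; an empty pair of lists means the crypto ACLs mirror, and anything else is the ACE to fix (with the NATed address, as the reply notes).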