2nd IPsec site2site VPN on ASA5520

D.Zeb
Level 1

Hi Everyone,

We have a client's IPsec VPN running on an ASA5520, and now the client wishes to add another VPN. I have tried to add the 2nd VPN but it's not establishing the connection. The client is using a Sonicwall on their end for the 2nd connection. I have used the same transform-set and crypto ikev1 policy for both tunnels. Please suggest a solution.

Here is the config for the VPN:

object-group network Local_LAN
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network Site1_LAN
 network-object 10.10.1.0 255.255.255.0
 network-object 10.10.2.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
object-group network Site2_LAN
 network-object 10.10.5.0 255.255.255.0

access-list cryp_site1 extended permit ip object-group Local_LAN object-group Site1_LAN
access-list cryp_site2 extended permit ip object-group Local_LAN object-group Site2_LAN

nat (inside,outside) source static Local_LAN Local_LAN destination static Site1_LAN Site1_LAN no-proxy-arp route-lookup
nat (dmz,outside) source static Local_LAN Local_LAN destination static Site1_LAN Site1_LAN no-proxy-arp route-lookup
nat (inside,outside) source static Local_LAN Local_LAN destination static Site2_LAN Site2_LAN no-proxy-arp route-lookup
nat (dmz,outside) source static Local_LAN Local_LAN destination static Site2_LAN Site2_LAN no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set my_set esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map my_map 20 match address cryp_site1
crypto map my_map 20 set pfs group5
crypto map my_map 20 set peer xxx.xxx.xxx.210
crypto map my_map 20 set ikev1 transform-set my_set
crypto map my_map 30 match address cryp_site2
crypto map my_map 30 set pfs group5
crypto map my_map 30 set peer xxx.xxx.xxx.220
crypto map my_map 30 set ikev1 transform-set my_set
crypto map my_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

tunnel-group xxx.xxx.xxx.210 type ipsec-l2l
tunnel-group xxx.xxx.xxx.210 ipsec-attributes
 ikev1 pre-shared-key mysite1key
tunnel-group xxx.xxx.xxx.220 type ipsec-l2l
tunnel-group xxx.xxx.xxx.220 ipsec-attributes
 ikev1 pre-shared-key mysite2key

Can someone give me some quick advice please? I would really appreciate it. Thanks in advance.
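Before running debugs, it is worth checking that the ASA side of the config posted above is internally consistent. The Python script below is an added example and not part of the original thread: it parses the crypto map entries from a constructed excerpt of that config and reports any entry whose crypto ACL, identity NAT rule or tunnel-group pre-shared key is missing. It only sees the local side, so a phase 1 mismatch with the peer (such as aggressive versus main mode) will still only show up in the IKE debugs.

```python
import re

# Constructed excerpt of the config posted in the question (peer IPs masked as in the post).
ASA_CONFIG = """\
access-list cryp_site1 extended permit ip object-group Local_LAN object-group Site1_LAN
access-list cryp_site2 extended permit ip object-group Local_LAN object-group Site2_LAN
nat (inside,outside) source static Local_LAN Local_LAN destination static Site1_LAN Site1_LAN no-proxy-arp route-lookup
nat (inside,outside) source static Local_LAN Local_LAN destination static Site2_LAN Site2_LAN no-proxy-arp route-lookup
crypto map my_map 20 match address cryp_site1
crypto map my_map 20 set peer xxx.xxx.xxx.210
crypto map my_map 30 match address cryp_site2
crypto map my_map 30 set peer xxx.xxx.xxx.220
tunnel-group xxx.xxx.xxx.210 ipsec-attributes
 ikev1 pre-shared-key mysite1key
tunnel-group xxx.xxx.xxx.220 ipsec-attributes
 ikev1 pre-shared-key mysite2key
"""


def check_crypto_map(config: str) -> list:
    """Cross-check each crypto map entry against its crypto ACL, identity NAT and tunnel-group PSK."""
    acl_pairs, nat_pairs, tg_keys, entries, tg = {}, set(), set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            tg = None  # any top-level command leaves tunnel-group sub-mode
        if m := re.match(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)", line):
            acl_pairs[m[1]] = (m[2], m[3])
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            nat_pairs.add((m[1], m[2]))  # identity (no-NAT) rule for a local/remote pair
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line):
            entries.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            tg = m[1]
        elif tg and re.match(r" +ikev1 pre-shared-key \S+", line):
            tg_keys.add(tg)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        acl, peer = e.get("match address"), e.get("set peer")
        if acl not in acl_pairs:
            findings.append(f"{tag}: crypto ACL {acl} is missing or has no permit line")
        elif acl_pairs[acl] not in nat_pairs:
            findings.append(f"{tag}: no identity NAT for {acl_pairs[acl]}")
        if peer not in tg_keys:
            findings.append(f"{tag}: no tunnel-group with an ikev1 pre-shared-key for peer {peer}")
    return findings
```

For the config as posted the check returns an empty list; deleting the second tunnel-group's pre-shared key or the Site2 NAT rule produces a finding naming crypto map entry 30.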

2 Accepted Solutions

Dinesh Moudgil
Cisco Employee

Hi Daud,

If the phase 1 and phase 2 proposals match on both sides, can you please run the following debugs and share the output:

debug crypto condition peer x.x.x.x
debug crypto isakmp 200
debug crypto ipsec 200

where x.x.x.x is the new remote peer IP.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/


Most likely there is a mismatch on the Sonicwall side, but you can find this out from the debug commands that Dinesh has suggested, though I would use the following:

debug crypto condition x.x.x.x
debug crypto ikev1 127
debug crypto ipsec 127

--

Please remember to select a correct answer and rate helpful posts


4 Replies


D.Zeb
Level 1

Thanks Dinesh and Marius.

It was a mismatch on the Sonicwall side. The client was adamant that he had configured everything right on his side. When I remoted into them, it was set to aggressive mode. Changed it to main mode and got the connection straight away.

Thanks

Thank you for sharing the resolution for this issue.

Regards
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/