06-20-2017 01:44 AM - edited 02-21-2020 09:19 PM
Hi Everyone,
We have a client's IPsec VPN running on an ASA5520, and now the client wishes to add another VPN. I have tried to add the 2nd VPN but it's not establishing the connection. The client is using a Sonicwall on their end for the 2nd connection. I have used the same transform-set and crypto ikev1 policy for both tunnels. Please suggest a solution.
Here is the config for the VPN
object-group network Local_LAN
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
object-group network Site1_LAN
network-object 10.10.1.0 255.255.255.0
network-object 10.10.2.0 255.255.255.0
network-object 10.10.3.0 255.255.255.0
object-group network Site2_LAN
network-object 10.10.5.0 255.255.255.0
access-list cryp_site1 extended permit ip object-group Local_LAN object-group Site1_LAN
access-list cryp_site2 extended permit ip object-group Local_LAN object-group Site2_LAN
nat (inside,outside) source static Local_LAN Local_LAN destination static Site1_LAN Site1_LAN no-proxy-arp route-lookup
nat (dmz,outside) source static Local_LAN Local_LAN destination static Site1_LAN Site1_LAN no-proxy-arp route-lookup
nat (inside,outside) source static Local_LAN Local_LAN destination static Site2_LAN Site2_LAN no-proxy-arp route-lookup
nat (dmz,outside) source static Local_LAN Local_LAN destination static Site2_LAN Site2_LAN no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set my_set esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map my_map 20 match address cryp_site1
crypto map my_map 20 set pfs group5
crypto map my_map 20 set peer xxx.xxx.xxx.210
crypto map my_map 20 set ikev1 transform-set my_set
crypto map my_map 30 match address cryp_site2
crypto map my_map 30 set pfs group5
crypto map my_map 30 set peer xxx.xxx.xxx.220
crypto map my_map 30 set ikev1 transform-set my_set
crypto map my_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
tunnel-group xxx.xxx.xxx.210 type ipsec-l2l
tunnel-group xxx.xxx.xxx.210 ipsec-attributes
 ikev1 pre-shared-key mysite1key
tunnel-group xxx.xxx.xxx.220 type ipsec-l2l
tunnel-group xxx.xxx.xxx.220 ipsec-attributes
 ikev1 pre-shared-key mysite2key
Can someone give me some quick advice please? I will really appreciate it. Thanks in advance.
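As an added example (not from the thread, the poster, or Cisco), here is a small Python checker that parses the access-list, transform-set, crypto map and tunnel-group lines of an ASA config like the one above and reports crypto map entries whose pieces do not line up, such as a peer with no ipsec-l2l tunnel-group or no pre-shared key. The sample config is constructed from the thread's config; its 203.0.113.x peer addresses are documentation placeholders, and the second tunnel-group's key is left out on purpose.

```python
import re

# Constructed sample modelled on the thread's config (peers use documentation addresses);
# the second tunnel-group's pre-shared key is deliberately left out so the checker reports it.
ASA_CONFIG = """\
access-list cryp_site1 extended permit ip object-group Local_LAN object-group Site1_LAN
access-list cryp_site2 extended permit ip object-group Local_LAN object-group Site2_LAN
crypto ipsec ikev1 transform-set my_set esp-aes-256 esp-sha-hmac
crypto map my_map 20 match address cryp_site1
crypto map my_map 20 set peer 203.0.113.210
crypto map my_map 20 set ikev1 transform-set my_set
crypto map my_map 30 match address cryp_site2
crypto map my_map 30 set peer 203.0.113.220
crypto map my_map 30 set ikev1 transform-set my_set
tunnel-group 203.0.113.210 type ipsec-l2l
tunnel-group 203.0.113.210 ipsec-attributes
 ikev1 pre-shared-key mysite1key
tunnel-group 203.0.113.220 type ipsec-l2l
"""


def check_crypto_map(config):
    """Return {sequence: [problems]} for each crypto map entry in an ASA config."""
    acls, tsets, tg_type, tg_psk, entries, current_tg = set(), set(), {}, set(), {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            tg_type[m[1]], current_tg = m[2], None  # a new tunnel-group block starts
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current_tg = m[1]
        elif line.startswith("ikev1 pre-shared-key") and current_tg:
            tg_psk.add(current_tg)  # only records that a key exists; value not inspected
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer|set ikev1 transform-set) (\S+)", line):
            entries.setdefault(int(m[1]), {})[m[2]] = m[3]
    report = {}
    for seq, e in sorted(entries.items()):
        report[seq] = problems = []
        if e.get("match address") not in acls:
            problems.append("crypto ACL missing or undefined")
        if e.get("set ikev1 transform-set") not in tsets:
            problems.append("transform-set missing or undefined")
        peer = e.get("set peer")
        if peer is None:
            problems.append("no peer set")
        elif tg_type.get(peer) != "ipsec-l2l":
            problems.append(f"no ipsec-l2l tunnel-group for peer {peer}")
        elif peer not in tg_psk:
            problems.append(f"tunnel-group {peer} has no ikev1 pre-shared-key")
    return report
```

Running `check_crypto_map(ASA_CONFIG)` flags entry 30 for the missing key and reports entry 20 as clean; it does not check the remote side, so a clean report still leaves the phase 1 mode and proposal mismatches the debugs are for.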
06-21-2017 09:28 PM
Hi Daud,
If the phase 1 and phase 2 proposals are matching on both the sides, can you please run the following debugs and share the output
debug crypto condition peer x.x.x.x
debug crypto
debug crypto
where x.x.x.x is new remote peer IP
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
06-22-2017 02:35 AM
Most likely there is a mismatch on the Sonicwall side, but this you can find out from the debug commands that Dinesh has suggested, though I would use the following:
debug crypto condition x.x.x.x
debug crypto ikev1 127
debug crypto ipsec 127
--
Please remember to select a correct answer and rate helpful posts
07-05-2017 12:39 AM
Thanks Dinesh and Marius.
It was a mismatch on the Sonicwall side. The client was adamant that he had configured everything right on his side. When I remoted into them, it was set to aggressive mode. Changed it to main mode and got the connection straight away.
Thanks
07-05-2017 01:49 AM
Thank you for sharing the resolution for this issue.
Regards
Dinesh Moudgil