I need some help getting some VPN connections up and running on an ASA 5510. I will post the old config for the Cisco 1711. I have tried copying all the settings over to the ASA, but I must not be copying them right. Let me know what I am doing wrong. I will also post the errors I am getting in debug mode as well.
All but one of the remote VPNs is a 1711. The remaining VPN is a 1811. I can get the config from the remote sites if needed.
From the config, I can see that you have set up 5 peers for the VPN. Could you please tell whether the VPN tunnel is not coming up with all the peers or only a few? In the latter case, please mention the peer IP addresses with which the IPsec tunnel is not coming up and attach the config for those peers.
I see a few mismatches in the router's and ASA's configs. The router is configured with tunnel interfaces and hence is using a GRE over IPsec tunnel with the remote peers. On the router, the crypto ACLs allow only GRE traffic through the VPN tunnel, whereas on the ASA we are allowing all the traffic from one network to the remote network to go through the VPN tunnel.
From the debugs, I can see the following:
1> Oct 01 19:21:14 [IKEv1]: Group = 184.108.40.206, IP = 220.127.116.11, Session is being torn down. Reason: Phase 2 Mismatch
This suggests that there is a mismatch in the phase 2 configuration, so it could be either the transform set or the crypto ACL. If we check the config, we can see that the router is allowing only the GRE traffic to go through the VPN tunnel, but the ASA is allowing all traffic from 192.168.8.0/24 to 192.168.7.0/24.
Could you please check if we have the corresponding ACL in the crypto map at the peer site also?
2> We see the above debugs for peer 18.104.22.168:
Oct 01 19:22:59 [IKEv1]: Group = 22.214.171.124, IP = 126.96.36.199, Session is being torn down. Reason: Phase 2 Mismatch
So, it seems to be the same issue with this peer as well.
I also see the following debugs:
Oct 01 19:23:17 [IKEv1]: Group = 188.8.131.52, IP = 184.108.40.206, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Could you also please check if the pre-shared keys for the peers are correct.
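To sort a longer ASA IKEv1 debug capture by peer the way the reply above does by hand, here is an added triage script (not from the original thread or from Cisco). It assumes the "Group = ..., IP = ..., <message>" line shape quoted above; the sample lines and 198.51.100.x peer addresses are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Matches the ASA IKEv1 debug line shape quoted in the thread.
IKE_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1\]: "
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<msg>.*)$"
)

# Debug substring -> failure category (the two signatures discussed in the reply).
SIGNATURES = {
    "Phase 2 Mismatch": "phase2_mismatch",
    "mismatched pre-shared key": "psk_mismatch",
}
# What to compare on both peers for each category.
HINTS = {
    "phase2_mismatch": "compare transform set and crypto ACL (GRE-only on the router vs. net-to-net on the ASA)",
    "psk_mismatch": "compare the pre-shared key configured for this peer on both sides",
    "other": "no known signature; inspect the raw line",
}

# Constructed sample capture: two peers failing phase 2, one with a PSK problem,
# one healthy peer, and one non-IKE line that must be ignored.
SAMPLE_DEBUG = """\
Oct 01 19:21:14 [IKEv1]: Group = 198.51.100.10, IP = 198.51.100.10, Session is being torn down. Reason: Phase 2 Mismatch
Oct 01 19:22:59 [IKEv1]: Group = 198.51.100.20, IP = 198.51.100.20, Session is being torn down. Reason: Phase 2 Mismatch
Oct 01 19:23:17 [IKEv1]: Group = 198.51.100.30, IP = 198.51.100.30, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
%ASA-6-302013: Built inbound TCP connection (unrelated syslog line, constructed)
Oct 01 19:24:02 [IKEv1]: Group = 198.51.100.10, IP = 198.51.100.10, Session is being torn down. Reason: Phase 2 Mismatch
Oct 01 19:25:00 [IKEv1]: Group = 198.51.100.40, IP = 198.51.100.40, PHASE 2 COMPLETED (constructed success line)
"""

def classify(msg):
    """Map one IKEv1 debug message to a failure category."""
    for needle, category in SIGNATURES.items():
        if needle in msg:
            return category
    return "other"

def triage(debug_text):
    """Return {peer_ip: Counter(category -> occurrences)} for all IKEv1 lines."""
    per_peer = defaultdict(Counter)
    for line in debug_text.splitlines():
        m = IKE_LINE.match(line)
        if not m:
            continue  # not a Group/IP debug line; skip it
        per_peer[m.group("ip")][classify(m.group("msg"))] += 1
    return dict(per_peer)

def report(debug_text):
    """One summary line per peer: dominant category, its count, and what to check."""
    lines = []
    for ip, counts in sorted(triage(debug_text).items()):
        category, n = counts.most_common(1)[0]
        lines.append(f"{ip}: {category} x{n} -> {HINTS[category]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```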