I have configured, well, I attempted to configure, my side of the tunnel for a site-to-site VPN. The other side is waiting on configuration. Someone else is doing the other side, but is there a way I can see if my side is even trying to connect?
If you are generating constant traffic that is supposed to match the L2L VPN configurations, then the output of the command you mention should show some output.
If you are not seeing anything, I would imagine that you might either be missing some essential configuration related to the VPN connection, or there might be some NAT/ACL-related configuration that is stopping the connection attempt before reaching the VPN Phase or changing the packet (NAT) so that it doesn't match the VPN configurations.
I usually tend to use "packet-tracer" command to test if the traffic matches the VPN configurations and naturally also because the use of "packet-tracer" command actually initiates the VPN negotiation without having to use any internal host for that purpose.
In a normal working L2L VPN setup, your first "packet-tracer" test would end up with the VPN Phase DROP, and the second time entering the command would result in an ALLOW.
Naturally, if there is no VPN Phase in the output, then the packet wouldn't match any VPN configuration on the device. If the "packet-tracer" keeps resulting in VPN Phase DROP, it means that the VPN negotiations simply don't complete.
On the newer software levels you are also able to use TCP Ping for example to generate traffic to the actual L2L VPN connection. The command format for that would be
You won't need the line with "ipsec-isakmp" with this L2L VPN configuration. It's related to the VPN Client configurations, which are dynamic VPN connections, while L2L VPNs use static crypto map configurations.
Have you used the above parameters for the L2L VPN Connection? Are you really sure these are the correct parameters? You are using DES which should not be used.
From my perspective, it would be easier to see your current configurations and the L2L VPN parameters that were given to you for building this L2L VPN connection. I could then go through the configurations to determine what might be causing the problem on your side (if anything).
I seem to have forgotten to ask you to take the output of
show crypto ikev1 sa
on your ASA while you are frequently issuing the "packet-tracer" matching the L2L VPN configurations.
If the "packet-tracer" matches the VPN by hitting the VPN Phase (whether it's PERMIT/DROP), it tells us that your configurations leading to the VPN negotiation seem to be fine.
But I highly doubt that DES/MD5 would be used for any new connection. 3DES/MD5 would be more likely. The negotiation might stop because of mismatched Phase 1 parameters/policies on the VPN gateways. Is the above IKEv1 policy the only policy on your device?