site to site VPN

Hi, I am trying to get a site-to-site VPN tunnel up with IKEv2, and I am stuck at the stage below:


 sh cry isa sa de

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1725, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
1781440877     DELETE    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/28 sec
      Session-id: 1712
      Status Description: Deleting IKE SA
      Local spi: 29748E8ACCE8FB23       Remote spi: 3B87A189EB138FF1
      Local id:
      Remote id:
      Local req mess id: 1              Remote req mess id: 3
      Local next mess id: 2             Remote next mess id: 3
      Local req queued: 1               Remote req queued: 3
      Local window: 1                   Remote window: 1
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected



Configuration on the ASA 5520, version 8.4:

crypto ipsec ikev2 ipsec-proposal IPSEC.PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 policy 30
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside


crypto map punmap 30 match address DallasVPN-New
crypto map punmap 30 set peer
crypto map punmap 30 set ikev2 ipsec-proposal IPSEC.PROP
crypto map punmap 30 set security-association lifetime seconds 86400

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
nat (inside,outside) source static SLK-IT-VPNDALLAS SLK-IT-VPNDALLAS destination static DALLAS-Subnet DALLAS-Subnet description NAT for new dallas vpn

 sh run object id SLK-IT-VPNDALLAS
object network SLK-IT-VPNDALLAS

sh run object id DALLAS-Subnet
object network DALLAS-Subnet

access-list DallasVPN-New line 1 extended permit ip object SLK-IT-VPNDALLAS object DALLAS-Subnet (hitcnt=2250) 0x8fc37759
  access-list DallasVPN-New line 1 extended permit ip (hitcnt=2251) 0x8fc37759


On the other end, I have a SonicWall configured.