
site to site VPN

Hi, I am trying to get a site-to-site VPN tunnel with IKEv2, and I am locked at the below stage:

 

 sh cry isa sa de

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1725, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id                 Local                Remote     Status         Role
1781440877    121.242.42.165/500     66.180.101.75/500     DELETE    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/28 sec
      Session-id: 1712
      Status Description: Deleting IKE SA
      Local spi: 29748E8ACCE8FB23       Remote spi: 3B87A189EB138FF1
      Local id: 121.242.42.165
      Remote id: 66.180.101.75
      Local req mess id: 1              Remote req mess id: 3
      Local next mess id: 2             Remote next mess id: 3
      Local req queued: 1               Remote req queued: 3
      Local window: 1                   Remote window: 1
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected

 

 

Configuration on ASA 5520, version 8.4:

crypto ipsec ikev2 ipsec-proposal IPSEC.PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ikev2 policy 30
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

 

crypto map punmap 30 match address DallasVPN-New
crypto map punmap 30 set peer 66.180.236.23
crypto map punmap 30 set ikev2 ipsec-proposal IPSEC.PROP
crypto map punmap 30 set security-association lifetime seconds 86400

tunnel-group 66.180.236.23 type ipsec-l2l
tunnel-group 66.180.236.23 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
nat (inside,outside) source static SLK-IT-VPNDALLAS SLK-IT-VPNDALLAS destination static DALLAS-Subnet DALLAS-Subnet description NAT for new dallas vpn
     

 sh run object id SLK-IT-VPNDALLAS
object network SLK-IT-VPNDALLAS
 subnet 192.168.1.0 255.255.255.0

sh run object id DALLAS-Subnet
object network DALLAS-Subnet
 subnet 192.168.236.0 255.255.255.0

access-list DallasVPN-New line 1 extended permit ip object SLK-IT-VPNDALLAS object DALLAS-Subnet (hitcnt=2250) 0x8fc37759
  access-list DallasVPN-New line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.236.0 255.255.255.0 (hitcnt=2251) 0x8fc37759

 

On the other hand, I have a SonicWall configured.
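
A consistency check over the output and configuration posted above, as an added example that is not part of the original post: it compares the remote address of each IKEv2 SA row with the peers named in the `crypto map ... set peer` and `tunnel-group ... type ipsec-l2l` lines. The function names are hypothetical, and the embedded sample lines are copied from the post.

```python
import re

# Lines copied from the post above: the SA table row and the peer-related config.
SA_OUTPUT = """\
Tunnel-id                 Local                Remote     Status         Role
1781440877    121.242.42.165/500     66.180.101.75/500     DELETE    RESPONDER
"""
CONFIG = """\
crypto map punmap 30 set peer 66.180.236.23
tunnel-group 66.180.236.23 type ipsec-l2l
tunnel-group 66.180.236.23 ipsec-attributes
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def sa_remotes(text):
    """Return (tunnel_id, remote_ip, status) for each IKEv2 SA table row."""
    row = re.compile(rf"^\s*(\d+)\s+{IP}/\d+\s+({IP})/\d+\s+(\S+)\s+\S+\s*$", re.M)
    return [m.groups() for m in row.finditer(text)]

def configured_peers(config):
    """Collect peer addresses from crypto map entries and L2L tunnel-groups."""
    map_peers = set()
    for rest in re.findall(r"^crypto map \S+ \d+ set peer (.+)$", config, re.M):
        map_peers.update(re.findall(IP, rest))  # a map entry may list several peers
    tg_peers = set(re.findall(rf"^tunnel-group ({IP}) type ipsec-l2l", config, re.M))
    return map_peers, tg_peers

def unmatched_sas(sa_text, config):
    """List SAs whose remote address is absent from the peer configuration."""
    map_peers, tg_peers = configured_peers(config)
    findings = []
    for tunnel_id, remote, status in sa_remotes(sa_text):
        missing = [name for name, peers in (("crypto map peer", map_peers),
                                            ("tunnel-group", tg_peers))
                   if remote not in peers]
        if missing:
            findings.append((tunnel_id, remote, status, missing))
    return findings

if __name__ == "__main__":
    for tunnel_id, remote, status, missing in unmatched_sas(SA_OUTPUT, CONFIG):
        print(f"SA {tunnel_id} ({status}): remote {remote} has no {', '.join(missing)}")
```
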


 
