08-31-2010 08:20 AM
Hi
I have 2 Cisco ASAs connected in 2 offices which have a fully functional l2l ipsec tunnel. A new layer 2 link has been installed on each site and I am terminating it on a firewall FE int on each site with a private address. Connectivity is established. So I want to swap the vpn from using the outside interfaces to the newly installed interfaces.
On both firewalls I have enabled isakmp on the new interface
I have created a new tunnel group for each side using the same pre-shared key (thanks to the more system:running-config command :-))
enabled the crypto map "my_map" on new interfaces
That's all I should need?
I have tested it by removing the existing peers and using the new peers and it's not coming up, saying there is no match.
Anything else I am missing?
thanks
08-31-2010 08:26 AM
Hi,
Besides enabling the crypto commands on the new interfaces, you should have the route pointing out the new interface to reach the VPN peer.
Check that you have connectivity with the VPN peer via the new interfaces.
Federico.
08-31-2010 08:39 AM
I didn't think I would need a route for the peer as it's a directly connected network, but I will add routes for the destination network via the new interface and test. Thanks
08-31-2010 08:49 AM
Both VPN devices share the same subnet for the new interfaces (directly connected at Layer 2)?
Then you're right, there's no need for a route.
Do you see the tunnel trying to establish?
sh cry isa sa
Federico.
08-31-2010 09:00 AM
Correct.
Firewall 1 - E 0/0 is 10.10.10.1
Firewall 2 - E 0/0 is 10.10.10.2
sh crypto isakmp sa just shows it trying to establish. One weird thing I noticed while it's trying to negotiate: the type says user; however, its tunnel group is ipsec l2l. Could be just an initial thing.
I think I recall working on a similar issue before and the firewall needed the routes to the private networks. I think the ASA routes first and then encrypts after.
So I think adding routes to the private networks on each side via the 10.10.10 network should fix it.
08-31-2010 09:24 AM
Attach the debug crypto isakmp output and the config of both ASAs.
08-31-2010 01:15 PM
Federico,
Thought you might be interested in my findings. As suspected, the ASA needed static routes for the encryption domains on each side. The tunnel came up straight away after doing that.
Thanks for your input
08-31-2010 01:17 PM
Great!
You mean a static route to the other peer's internal LAN correct?
LAN A -- VPN A -- VPN B -- LAN B
So,
VPN A needs a static route to LAN B
VPN B needs a static route to LAN A
That's what you did?
Federico.
08-31-2010 02:21 PM
Exactly. I did not change the default gateway on the firewall, so these routes were required to make it work.
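The full set of changes the thread arrives at, written out as an ASA 8.2-style configuration fragment for Firewall 1 (Firewall 2 mirrors it with the addresses swapped). This is an added example, not config from the original posts: the interface name "link", the /30 mask, the crypto map sequence number 10 and the LAN subnets 192.168.1.0/24 (behind Firewall 1) and 192.168.2.0/24 (behind Firewall 2) are assumptions, and the pre-shared key is a placeholder.

```cisco
! Firewall 1 side. Firewall 2 is 10.10.10.2 on the same directly connected link.
! Assumed values: nameif "link", /30 mask, map sequence 10, LAN A 192.168.1.0/24, LAN B 192.168.2.0/24.
interface Ethernet0/0
 nameif link
 security-level 50
 ip address 10.10.10.1 255.255.255.252
!
! 1. Allow IKE (ISAKMP) to terminate on the new interface
crypto isakmp enable link
!
! 2. Tunnel group keyed on the new peer address, reusing the existing pre-shared key
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 pre-shared-key <same-psk-as-existing-tunnel-group>
!
! 3. Point the existing crypto map entry at the new peer and bind the map to the new interface
crypto map my_map 10 set peer 10.10.10.2
crypto map my_map interface link
!
! 4. The piece that was missing: the ASA makes its routing decision before it
!    encrypts, so traffic for the remote encryption domain must leave via "link"
!    to hit the crypto map bound there. Without this route it follows the default
!    route out "outside", where no matching peer exists, and IKE never completes.
route link 192.168.2.0 255.255.255.0 10.10.10.2
!
! Verify: the ISAKMP SA should reach MM_ACTIVE / QM_IDLE and IPsec SAs should show the new peer
show crypto isakmp sa
show crypto ipsec sa peer 10.10.10.2
```

Once the new tunnel is stable, the old peer entries and the crypto map binding on the outside interface can be removed so only the intended path accepts IKE.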