Terminate VPN on new Interfaces

agent2007 (Level 1)

Hi

I have 2 Cisco ASA connected in 2 offices which have a fully functional l2l ipsec tunnel.  A new layer 2 link has been installed on each site and I am terminating it on a firewall FE int on each site with private address.  Connectivity is established.  So I want to swap the vpn from using the outside interfaces to the new installed interfaces.

On both firewalls I have enabled isakmp on the new interface

I have created a new tunnel group for each side using the same pre share key (thanks to the more system:running config command :-))

enabled the crypto map "my_map" on new interfaces

That's all I should need?

I have tested it by removing the existing peers and using new peers, and it's not coming up, saying there is no match.

Anything else I am missing?

thanks

Accepted Solution

Hi,

Besides enabling the crypto commands on the new interfaces, you should have the route pointing out the new interface to reach the VPN peer.

Check that you have connectivity with the VPN peer via the new interfaces.

Federico.


8 Replies

I didn't think I would need a route for the peer as its a directly connected network but I will add routes for the destination network via the new interface and test.  Thanks

Both VPN devices share the same subnet for the new interfaces? (directly connected at Layer 2)?

Then you're right there's no need for a route.

Do you see the tunnel trying to establish?

sh cry isa sa

Federico.

Correct. 

Firewall 1 - E 0/0 is 10.10.10.1

Firewall 2 - E 0/0 is 10.10.10.2

sh crypto isakmp sa just shows it trying to establish.  One weird thing I noticed while it's trying to negotiate: the type says user, however the tunnel group is ipsec l2l; could be just an initial thing.

I think I recall working on a similar issue before and the firewall needed the routes to the private networks.  I think the ASA routes first and then encrypts after.

So I think adding routes to the private networks on each side via the 10.10.10 network should fix it.

Attach the debug crypto isakmp and the config of both asa.

Federico

Thought you might be interested in my findings.  As suspected, the ASA needed static routes for the encryption domains on each side.  The tunnel came up straight away after doing that.

thanks for your input

Great!

You mean a static route to the other peer's internal LAN correct?

LAN A -- VPN A -- VPN B -- LAN B

So,

VPN A needs a static route to LAN B

VPN B needs a static route to LAN A

That's what you did?

Federico.

exactly.  I did not change the default gateway on the firewall so these routes were required to make it work.
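The full set of changes the thread converges on, as an added example that is not part of the original thread or of any poster's configuration. It shows the Firewall 1 side only (Firewall 2 mirrors it with the addresses swapped) and uses the peer addresses and crypto map name "my_map" from the thread. Everything else is assumed for illustration: the nameif "newlink" for E0/0, crypto map sequence number 10, LAN A = 192.168.1.0/24 behind Firewall 1 and LAN B = 192.168.2.0/24 behind Firewall 2, and the placeholder pre-shared key. The existing "match address" ACL and transform set on the crypto map entry are left as they were.

```cisco
! Added example, not from the thread. Firewall 1 side; Firewall 2 mirrors it.
! Assumed: nameif "newlink", crypto map sequence 10, LAN A 192.168.1.0/24,
! LAN B 192.168.2.0/24, placeholder PSK. Peer addresses and "my_map" come from the thread.
!
! --- New interface carrying the Layer 2 link (10.10.10.0/24 is directly connected,
!     so no route is needed to reach the peer itself) ---
interface Ethernet0/0
 nameif newlink
 security-level 0
 ip address 10.10.10.1 255.255.255.0
!
! --- Step 1: allow IKE (ISAKMP) negotiation on the new interface ---
crypto isakmp enable newlink
! On ASA 8.4 and later the equivalent is: crypto ikev1 enable newlink
!
! --- Step 2: tunnel group keyed on the new peer address, reusing the existing PSK ---
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 pre-shared-key <SAME-PSK-AS-OLD-TUNNEL-GROUP>
! On ASA 8.4 and later the keyword is: ikev1 pre-shared-key <...>
!
! --- Step 3: point the crypto map entry at the new peer and bind the map to the interface ---
crypto map my_map 10 set peer 10.10.10.2
crypto map my_map interface newlink
!
! --- Step 4 (the part that was missing): route the remote encryption domain out newlink ---
! The ASA selects the egress interface from the routing table first and only then
! consults the crypto map bound to that interface. With the default route still
! pointing out "outside", traffic for LAN B leaves via outside, never matches
! my_map on newlink, and no IKE negotiation is ever triggered for it.
route newlink 192.168.2.0 255.255.255.0 10.10.10.2 1
!
! --- Verification (run after the change) ---
! show route                 -> 192.168.2.0/24 via 10.10.10.2 on newlink
! ping newlink 10.10.10.2    -> confirms Layer 2 reachability to the peer
! show crypto isakmp sa      -> phase 1 should reach MM_ACTIVE (IKEv1 main mode)
! show crypto ipsec sa       -> encaps/decaps counters increment for LAN A <-> LAN B
```

The route in step 4 is the whole point of the thread: without it the tunnel never negotiates because interesting traffic is never sent out the interface that carries the crypto map. Leaving the default route on "outside" is fine as long as every remote encryption domain has a more specific route via the new link.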
