Community Member

Terminate VPN on new Interfaces

Hi

I have 2 Cisco ASAs connected in 2 offices which have a fully functional l2l ipsec tunnel.  A new layer 2 link has been installed on each site and I am terminating it on a firewall FE int on each site with a private address.  Connectivity is established.  So I want to swap the vpn from using the outside interfaces to the newly installed interfaces.

On both firewalls I have enabled isakmp on the new interface

I have created a new tunnel group for each side using the same pre-shared key (thanks to the more system:running-config command :-))

Enabled the crypto map "my_map" on the new interfaces.

That's all I should need?

I have tested it by removing the existing peers and using the new peers, and it's not coming up, saying there is no match.

Anything else I am missing?

Thanks

1 ACCEPTED SOLUTION

Re: Terminate VPN on new Interfaces

Hi,

Besides enabling the crypto commands on the new interfaces, you should have the route pointing out the new interface to reach the VPN peer.

Check that you have connectivity with the VPN peer via the new interfaces.

Federico.

8 REPLIES

Community Member

Re: Terminate VPN on new Interfaces

I didn't think I would need a route for the peer as it's a directly connected network, but I will add routes for the destination network via the new interface and test.  Thanks

Re: Terminate VPN on new Interfaces

Do both VPN devices share the same subnet for the new interfaces (directly connected at Layer 2)?

Then you're right, there's no need for a route.

Do you see the tunnel trying to establish?

sh cry isa sa

Federico.

Community Member

Re: Terminate VPN on new Interfaces

Correct. 

Firewall 1 - E 0/0 is 10.10.10.1

Firewall 2 - E 0/0 is 10.10.10.2

sh crypto isakmp sa just shows it trying to establish.  One weird thing I noticed: while it's trying to negotiate, the type says user; however, its tunnel group is ipsec l2l. Could be just an initial thing.

I think I recall working on a similar issue before and the firewall needed the routes to the private networks.  I think the ASA routes first and then encrypts after.

So I think adding routes to the private networks on each side via the 10.10.10 network should fix it.

Re: Terminate VPN on new Interfaces

Attach the debug crypto isakmp output and the config of both ASAs.

Community Member

Re: Terminate VPN on new Interfaces

Federico,

Thought you might be interested in my findings.  As suspected, the ASA needed static routes for the encryption domains on each side.  The tunnel came up straight away after doing that.

Thanks for your input.

Re: Terminate VPN on new Interfaces

Great!

You mean a static route to the other peer's internal LAN correct?

LAN A -- VPN A -- VPN B -- LAN B

So,

VPN A needs a static route to LAN B

VPN B needs a static route to LAN A

That's what you did?

Federico.

Community Member

Re: Terminate VPN on new Interfaces

Exactly.  I did not change the default gateway on the firewall, so these routes were required to make it work.
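The steps the thread converges on, written out as an ASA configuration fragment for Firewall 1. This is an added example, not the poster's or Cisco's own config; the interface name "vpnlink", the crypto map sequence number 10, the LAN subnets 192.168.1.0/24 (LAN A) and 192.168.2.0/24 (LAN B) and the PSK placeholder are assumptions, and Firewall 2 gets the mirror image with 10.10.10.2 and LAN A swapped in.

```cisco
! Firewall 1 (10.10.10.1) -- constructed example, not the thread's real config
! Assumed: nameif "vpnlink" on the new link, LAN A 192.168.1.0/24, LAN B 192.168.2.0/24
interface Ethernet0/0
 nameif vpnlink
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! 1. Enable ISAKMP on the new interface
!    (pre-8.4 syntax shown; ASA 8.4+ uses "crypto ikev1 enable vpnlink")
crypto isakmp enable vpnlink
!
! 2. Tunnel group keyed by the peer's new address, reusing the existing PSK
!    (on 8.4+ the attribute is "ikev1 pre-shared-key")
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 pre-shared-key <SAME-PSK-AS-OLD-TUNNEL>
!
! 3. Repoint the existing crypto map entry at the new peer, move the map off
!    the outside interface and bind it to the new one
!    (the "match address" ACL for the encryption domains is unchanged)
crypto map my_map 10 set peer 10.10.10.2
no crypto map my_map interface outside
crypto map my_map interface vpnlink
!
! 4. The piece that was missing: the ASA routes before it encrypts, so traffic
!    for the remote encryption domain must exit via vpnlink, not the default
!    gateway on outside, or the crypto map bound to vpnlink never sees it
route vpnlink 192.168.2.0 255.255.255.0 10.10.10.2
```

After applying the mirror config on Firewall 2, `show crypto isakmp sa` should move from the negotiating state to MM_ACTIVE, and `show route` confirms 192.168.2.0/24 is reached via vpnlink rather than the default route.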
