Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hello Amit

Before you see any SAs, you must first send a ping from R1 to R2. You need to create traffic that will match the LAN1_LAN2 access list to trigger encryption and create the tunnel. Did you ping beforehand? If you did, was your ping successful? By answering those questions we’ll be able to help you further in your troubleshooting process.

I hope this has been helpful!

Laz

Hi Lazaros,

I did ping but it’s not pinging.

Note: I am using GNS3 in VMware.

Best Regards,

Amit Dhakane
8828489598

Hello Amit

OK, so if the ping failed, then there will be no established SAs, so the output that you are seeing is to be expected. You must troubleshoot the connectivity problem first. Go through the phase 1 and phase 2 configurations and ensure that your configurations are correct. Once you get the ping working, then you can check to see if SAs have formed for encrypting that traffic.

If you need further help, let us know!

I hope this has been helpful!

Laz

Cisco ASA Site-to-Site IKEv1 IPsec VPN: same configuration (nearly a copy-paste, except the interface and password of course), and it does not work in CML231 (02.08.2022).
It does not work in Cisco Packet Tracer either, but it should work in CML.

Any idea please?
Dan

Hello Dan

This lab should be doable on Cisco CML. Just to confirm, I went into the lab and checked and was able to reproduce the results in the lesson. I suggest you approach the problem as you would when troubleshooting such an issue regardless of what emulator you are using. As for Packet Tracer, I can’t say since I haven’t tried it there. If you need any help along the way, give us some more details so that we can help out.

I hope this has been helpful!

Laz

Hi Rene,
Can you explain what the tunnel-group command does, please? Do we really need it?

Hello Nguyen

When configuring IPSec, the tunnel-group command is used to configure what is called “the database of connection-specific records”. This database contains tunnel-specific information that is necessary to establish and maintain the tunnel. As shown in the lesson, this information includes the type of tunnel being created. In the lesson, this is a LAN to LAN tunnel, but you can also have remote access type.

Once the tunnel group is created, you can then change various attributes using one or more of the following commands:

  • tunnel-group general-attributes
  • tunnel-group ipsec-attributes
  • tunnel-group webvpn-attributes
  • tunnel-group ppp-attributes

In the lesson, the ipsec-attributes keyword is used. This configuration mode allows us to configure the IKE attributes such as the preshared key for the tunnel.

More information about the tunnel-group command for the ASA can be found at the following Cisco command reference:

I hope this has been helpful!

Laz
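As an added example (not part of Laz’s reply or of the lesson’s own configuration), here is a minimal ASA IKEv1 site-to-site configuration that shows how the tunnel-group fits together with the rest: for an ipsec-l2l tunnel the group name must be the peer’s IP address, which is the same address the crypto map points at, and the pre-shared key lives under ipsec-attributes. The peer address 203.0.113.2, the LAN subnets, the interface name OUTSIDE and the key are constructed placeholders; the LAN1_LAN2 access list name is the one discussed in this thread.

```cisco
! Phase 1 (IKEv1) policy: how the peers authenticate and protect the
! ISAKMP negotiation. IKEv1 must also be enabled on the peer-facing interface.
! Assumption: group 14 (2048-bit DH) is accepted by your ASA release; older
! releases only offer groups 1, 2 and 5, which are weaker.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable OUTSIDE
!
! tunnel-group: the "connection-specific record" for this peer.
! For type ipsec-l2l the group name MUST equal the peer IP address
! (constructed placeholder 203.0.113.2). The pre-shared key is set under
! ipsec-attributes; a missing or mismatched key is a Phase 1 failure,
! so no IKEv1 SA will ever appear.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_KEY
!
! "Interesting traffic": only packets matching LAN1_LAN2 trigger the
! tunnel, which is why no SAs exist until LAN1 actually sends to LAN2.
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! Phase 2 (IPsec) protection and the crypto map that binds ACL, peer and
! transform set. The "set peer" address is what the ASA looks up in the
! tunnel-group table, so it must match the tunnel-group name above.
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 203.0.113.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
! Verification, after generating matching traffic: check Phase 1 first.
! show crypto ikev1 sa   -> State should be MM_ACTIVE
! show crypto ipsec sa   -> pkts encaps/decaps should increment
```

If Phase 1 never reaches MM_ACTIVE, the problem is in the ikev1 policy, the tunnel-group name or the pre-shared key; only once it does is a missing IPsec SA a Phase 2 (transform set or ACL) problem.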

So without tunnel-group, an IPsec tunnel cannot be created, right?

Hello Nguyen

The tunnel group is typically used when you want to define different rules for different connections. Most often you will use it for VPN clients to connect with different rules, such as when you’re implementing EZVPN. However, it is possible to not use it.

The alternative is to use a crypto map with an IPSec profile. This is what is done for example when you configure an IPSec tunnel as in this lesson:

or when you create an IPSec VTI like so:

Take a look at this Cisco Community thread for more information.

I hope this has been helpful!

Laz