Hello Networking!
I'm struggling with what I feel should be a simple VPN setup on a Cisco ASA and I feel I'm missing something simple. I'm trying to set up two tunnels to a site, securing traffic from two of my local subnets to the same remote subnet.
For example purposes, let's say my local subnets are 10.1.0.0/16 and 10.5.1.0/24. The remote subnet is 10.3.0.0/16. I've configured the following:
ikev2 enable outside
ikev2 policy 2
encryption aes-gcm-256
group 24
prf sha384
lifetime seconds 86400
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
ikev2 remote-authentication pre-shared-key password
ikev2 local-authentication pre-shared-key password
crypto ipsec ikev2 ipsec-proposal cry_ike2
protocol esp encryption aes-gmac-256
access-list map_1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list map_1 extended permit ip 10.5.1.0 255.255.255.0 10.3.0.0 255.255.0.0
crypto map cry1 1 match address map_1
crypto map cry1 1 set peer PEER_IP
crypto map cry1 1 set ikev2 ipsec-proposal cry_ike2
crypto map cry1 interface outside
crypto map cry1 set pfs Group24
object network Network1
subnet 10.1.0.0 255.255.0.0
object network Network2
subnet 10.5.1.0 255.255.255.0
object network Remote_Net
subnet 10.3.0.0 255.255.0.0
nat (inside,outside) source static Network1 Network1 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
nat (inside,outside) source static Network2 Network2 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
I have configured the same (but reverse, as needed) on the ASA at the other end.
I have SAs for 10.1.0.0 > 10.3.0.0 forming, but no SA forming for 10.5.1.0 > 10.3.0.0.
What am I doing wrong here?
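As an added example (not part of the post above), a small Python checker that parses crypto ACL, network-object and twice-NAT lines in the style shown and flags any crypto ACL entry that has no identity NAT exemption locally or no mirrored entry in the peer's crypto ACL. The local config is taken from the post; the remote ACL is a constructed sample with the second subnet deliberately left out to show what the check reports.

```python
import ipaddress
import re

# Sample local-side config, constructed from the lines in the post.
LOCAL_CFG = """
access-list map_1 extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list map_1 extended permit ip 10.5.1.0 255.255.255.0 10.3.0.0 255.255.0.0
object network Network1
 subnet 10.1.0.0 255.255.0.0
object network Network2
 subnet 10.5.1.0 255.255.255.0
object network Remote_Net
 subnet 10.3.0.0 255.255.0.0
nat (inside,outside) source static Network1 Network1 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
nat (inside,outside) source static Network2 Network2 destination static Remote_Net Remote_Net no-proxy-arp route-lookup
"""
# Constructed remote-side crypto ACL that mirrors only the first local entry.
REMOTE_CFG = """
access-list map_1 extended permit ip 10.3.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""

def net(addr, mask):
    # ipaddress accepts dotted netmask notation, e.g. 10.1.0.0/255.255.0.0
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse_objects(cfg):
    """Map each 'object network NAME' to the subnet declared under it."""
    objs, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
            continue
        m = re.match(r"subnet (\S+) (\S+)", line)
        if m and cur:
            objs[cur] = net(*m.groups())
    return objs

def parse_acl(cfg, name):
    """Return (src, dst) network pairs of 'permit ip' entries in the named ACL."""
    pat = rf"access-list {name} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(a, b), net(c, d)) for a, b, c, d in re.findall(pat, cfg)]

def parse_identity_nat(cfg, objs):
    """Return (src, dst) pairs from twice-NAT lines that map each object to itself."""
    pat = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return [(objs[s], objs[d]) for s, s2, d, d2 in re.findall(pat, cfg) if s == s2 and d == d2]

def check(local_cfg, remote_cfg, acl_name):
    """List local crypto ACL entries lacking a NAT exemption, and entries the peer does not mirror."""
    local = parse_acl(local_cfg, acl_name)
    nat = parse_identity_nat(local_cfg, parse_objects(local_cfg))
    remote = parse_acl(remote_cfg, acl_name)
    return {
        "no_nat_exempt": [f"{s} -> {d}" for s, d in local if (s, d) not in nat],
        "not_mirrored": [f"{s} -> {d}" for s, d in local if (d, s) not in remote],
    }
```

Running `check(LOCAL_CFG, REMOTE_CFG, "map_1")` on these samples reports no missing NAT exemptions and one unmirrored entry, 10.5.1.0/24 -> 10.3.0.0/16.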