Anyone successfully got a site to site VPN set up between a Route10 and Cisco ASA? On my ASA end it seems to think the IKEv2 SA is up but an ipsec sa never forms. However, from the Route10 perspective it thinks an ipsec association is connected. No traffic is flowing between the clients on each side.
If I’m not misremembering my commands, then you might be able to run swanctl --log from the Route10 terminal and get some more information about what’s going on from the Route10 side at least
Any chance you can run some debugs on the ASA? I deal with ASAs using S2S tunnels at work. They’re not my favorite to say the least, but it’s what we use. If you can run a debug crypto ipsec sa and if it doesn’t produce any logs because the SA isn’t even attempting to be created (which I doubt because the Route 10 sees it) a debug crypto ipsec.
I don’t have an IKEv2 VPN setup to test right now unfortunately but I wonder if either of these might be helpful to reference? Since the Route10 is using strongSwan internally.
Think there’s a chance you could post a snippet of the config on each device? Nothing identifying of course. Might help someone in the future if they stumble on this thread with a similar problem
The name is just a description of the VPN.
For Hostname I used the public IP address of my ASA
PSK is self explanatory. Same one on ASA.
Remote subnet. I only need to reach one subnet so I define it here in the format xx.xx.xx.0/24
For local TS I used the local Route 10 subnet I wanted to encrypt in the format xx.xx.xx.0/24
So, on the ASA end in my crypto ACL I need to define the remote subnet and local TS as an entry with the source being the Remote ID on the Route 10 and the destination being the local TS on the route 10.
Also, on the ASA you have to make sure traffic between the encrypted subnets is NOT NAT'd. I believe that needs to be explicitly defined; I believe turning off masquerade on the Route 10 ensures the traffic is not NAT'd at that end.
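The symptom described at the top of the thread (IKEv2 SA up on the ASA, no IPsec/CHILD SA, Route10 reporting connected) is the classic result of the two ends disagreeing on traffic selectors or of the ASA NATing the traffic before it reaches the crypto map. The fragment below is an added worked example, not the config of anyone in this thread or anything the Route10 GUI generates: it shows the strongSwan swanctl.conf equivalent of the Route10 fields listed above next to the ASA configuration that must mirror them. All addresses, names and the PSK placeholder are constructed; the Route10 GUI writes its own strongSwan config, so the swanctl.conf is only an illustration of what the five fields map to.

```conf
# ---- Route10 side (strongSwan swanctl.conf), constructed example ----
# Name      -> connection name (asa-s2s)
# Hostname  -> remote_addrs (ASA public IP)
# PSK       -> secrets { ike-asa { secret } }
# Remote subnet -> remote_ts ; Local TS -> local_ts
connections {
    asa-s2s {
        version = 2                      # IKEv2 only; ASA tunnel-group is IKEv2
        local_addrs  = 203.0.113.20      # Route10 public IP (constructed)
        remote_addrs = 198.51.100.10     # ASA public IP (constructed)
        proposals = aes256-sha256-modp2048   # must match ASA crypto ikev2 policy
        local  { auth = psk  id = 203.0.113.20 }
        remote { auth = psk  id = 198.51.100.10 }
        children {
            lan {
                local_ts  = 10.2.2.0/24  # Route10 LAN (Local TS)
                remote_ts = 10.1.1.0/24  # ASA LAN (Remote subnet)
                esp_proposals = aes256-sha256-modp2048  # must match ipsec-proposal + PFS
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-asa {
        id = 198.51.100.10
        secret = "REPLACE-WITH-PSK"      # placeholder, same value as on the ASA
    }
}

! ---- ASA side (IKEv2 L2L), constructed example ----
! Phase 1: must line up with "proposals" above
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2: must line up with "esp_proposals" above
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

object network ASA-LAN
 subnet 10.1.1.0 255.255.255.0
object network ROUTE10-LAN
 subnet 10.2.2.0 255.255.255.0

! Crypto ACL = exact mirror of the Route10 selectors:
! source = Route10 remote_ts (ASA LAN), destination = Route10 local_ts.
! Any extra or narrower entry here and the CHILD SA negotiation fails
! while the IKE SA stays up, which is the symptom in this thread.
access-list VPN-TO-ROUTE10 extended permit ip object ASA-LAN object ROUTE10-LAN

! NAT exemption (identity twice-NAT) so LAN-to-LAN traffic keeps its real
! addresses and therefore matches the crypto ACL. Place it before any
! dynamic PAT rule for the inside network.
nat (inside,outside) source static ASA-LAN ASA-LAN destination static ROUTE10-LAN ROUTE10-LAN no-proxy-arp route-lookup

tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK

crypto map OUTSIDE-MAP 10 match address VPN-TO-ROUTE10
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
```

To confirm the two ends agree, compare the selectors each side reports rather than just the "connected" state: on the strongSwan side `swanctl --list-sas` prints the negotiated `local_ts`/`remote_ts` for each CHILD SA, and on the ASA `show crypto ikev2 sa` followed by `show crypto ipsec sa` shows whether a child SA exists and which ACL entry it was built from. If `show crypto ipsec sa` is empty while the IKEv2 SA is up, check the crypto ACL against the Route10 selectors first, then `show nat` to verify the exemption rule sits above the general PAT rule.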