Cisco ASA v8.3- LAN-to-LAN IPsec VPN. [TESTED]

We’re going to use a symmetric cipher: the same cipher key will be configured on both ends (pre-shared).

A symmetric key cipher (also called a secret-key cipher, or a one-key cipher, or a private-key cipher, or a shared-key cipher) is one that uses the same (necessarily secret) key to encrypt messages as it does to decrypt messages.

Until the invention of asymmetric key cryptography (commonly termed “public key / private key” crypto) in the 1970s, all ciphers were symmetric. Each party to the communication needed a key to encrypt a message, and the recipient needed a copy of the same key to decrypt it.

The ASA can print the required steps itself:

conf t
 vpnsetup site-to-site steps

Step by Step

• We need to create a tunnel-group and associate it with a group-policy that allows IKEv1. So, the 1st step is to create the group-policy so that it can be referenced under the tunnel-group configuration section. We can also disable vpn-idle-timeout, which is 30 min by default. GROUP_POLICY_NAME below is a placeholder for the policy name you choose.

group-policy GROUP_POLICY_NAME internal
group-policy GROUP_POLICY_NAME attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout none

Then create the tunnel-group (for an L2L tunnel it is named after the remote peer’s IP address), reference the group-policy and set the pre-shared KEY. PEER_IP below is a placeholder for the remote peer’s address.

tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP general-attributes
 default-group-policy GROUP_POLICY_NAME
tunnel-group PEER_IP ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_KEY

• ASA 9.1(5) has the following default IKEv1 policy parameters: pre-shared authentication, 3DES, SHA, DH group 2 (1024-bit), lifetime 86400 (24 hours). Technically, you can create a policy with these defaults by issuing only ONE command, “crypto ikev1 policy 1”.
• To check the result:

ASA# show run crypto ikev1
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

• Enable IKEv1 on outside interface.

crypto ikev1 enable outside

• After that you will see that on some ASA models (the 5510, for instance) policy sequence 65535 is created automatically with the default parameters. So, technically, on some models (not all), you can issue just the one command “crypto ikev1 enable outside” and you will get the following:

crypto ikev1 enable outside
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Known issues

• “vpn-idle-timeout” is 30 min by default and can differ between the two sides of an L2L VPN (it is locally significant). The reason for the disconnection is shown in the log:

%ASA-5-713259: Group =, IP =, Session is being torn down. Reason: Idle Timeout

un-encrypted INVALID_COOKIE

• If you have NO tunnel-group configured for the remote IP address, you will get the following:

%ASA-5-713904: Group =, IP =, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: Group =, IP =, Information Exchange processing failed

• Reason: no matching tunnel-group and group-policy are configured on the far end; check the current configuration on both sides.

QM FSM error

%ASA-5-713119: Group =, IP =, PHASE 1 COMPLETED
%ASA-5-713904: Group =, IP =, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group =, IP =, QM FSM error (P2 struct &0xae432b50, mess id 0xee9d1cbd)!
%ASA-3-713902: Group =, IP =, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group =, IP =, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group =, Username =, IP =, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713904: IP =, Received encrypted packet with no matching SA, dropping

• Reason: PFS isn’t configured on the far end (the Phase 2 proposals do not match).
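As an added example (not part of the original page), a small Python triage script that maps ASA syslog lines like those quoted above to the causes this page lists for them; the log lines and peer addresses are constructed samples, not real events.

```python
import re

# Constructed sample log lines modelled on the messages quoted in the
# "Known issues" section (peer addresses are placeholders, not real events).
SAMPLE_LOG = """\
%ASA-5-713259: Group = 203.0.113.2, IP = 203.0.113.2, Session is being torn down. Reason: Idle Timeout
%ASA-5-713904: Group = 203.0.113.9, IP = 203.0.113.9, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: Group = 203.0.113.9, IP = 203.0.113.9, Information Exchange processing failed
%ASA-5-713119: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 1 COMPLETED
%ASA-5-713904: Group = 203.0.113.5, IP = 203.0.113.5, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = 203.0.113.5, IP = 203.0.113.5, QM FSM error (P2 struct &0xae432b50, mess id 0xee9d1cbd)!
%ASA-5-713259: Group = 203.0.113.5, IP = 203.0.113.5, Session is being torn down. Reason: Phase 2 Mismatch
"""

# %ASA-<severity>-<message id>: <body>
LINE_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# "Group = x, IP = y, Username = z," style fields at the start of the body
FIELD_RE = re.compile(r"(Group|IP|Username) = ([^,]*),")

# Text fragments from the page's known issues, mapped to the likely cause
# the page gives for each of them.
CAUSES = [
    ("Reason: Idle Timeout", "vpn-idle-timeout expired (check both sides, 30 min default)"),
    ("INVALID_COOKIE", "no tunnel-group/group-policy for this peer on the far end"),
    ("Phase 2 Mismatch", "IPsec proposal mismatch, e.g. PFS not configured on the far end"),
    ("All IPSec SA proposals found unacceptable", "IPsec proposal mismatch, e.g. PFS not configured on the far end"),
]

def parse_line(line):
    """Return severity, message id, peer IP and body, or None if not an ASA message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("body")))
    return {"sev": int(m.group("sev")), "msgid": m.group("msgid"),
            "ip": fields.get("IP", "").strip(), "body": m.group("body")}

def diagnose(log_text):
    """Map each peer IP to the set of likely causes seen in its log lines."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for needle, cause in CAUSES:
            if needle in rec["body"]:
                findings.setdefault(rec["ip"], set()).add(cause)
    return findings
```

Feed it the output of `show logging` (or a syslog export) instead of SAMPLE_LOG to get a per-peer list of the mismatches to check on the far end.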

Useful links to learn

Webcast on the topic: “Some aspects of building fault-tolerant Site-to-Site VPNs on ASA” (presentation) - MUST READ!
Understanding ASA IPSec and IKE debugs - IKEv1 Main Mode.
Cisco ASA 5500 Site to Site VPN (From CLI).
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example.
ASA 8.3 Upgrade - What You Need to Know.