Hi all,
Thank you in advance for your help. I need to configure my EdgeRouter Pro 8 for a site-to-site VPN connection with a 3rd party vendor using their Cisco ASA. I entered all the settings provided by the third-party vendor, but the tunnel is still down. Below are the details of my equipment and configuration. I share it with you in hopes that you can provide guidance on getting my VPN tunnel up.
I have an EdgeRouter Pro 8 running v1.8.5. I have 4 active Ethernet ports:
Eth0 is configured with a public IP of my primary ISP
Eth1 is configured with a public IP of my secondary ISP
Eth2 is configured with a private IP of my LAN (192.168.1.1/24)
Eth3 is configured with a private IP of my LAN (192.168.2.1/24)
Here's how I configured it from the EdgeRouter GUI:
- I went into the VPN tab then IPsec Site-to-Site sub-tab
- I added Eth0 as an IPsec Interface (the logic being that I want to establish the VPN handshake to my primary gateway with the 3rd party vendor's router).
- Next, under Site-to-site peers section, I added the 3rd party vendor's gateway in the Peer field
- I entered a text value in the Description field
- For the Local IP field, I entered my Eth0 public IP
- I entered the Pre-shared secret provided to me by the 3rd party vendor
Everything so far seems straightforward to me; now here's where I get a little unsure:
- For Local subnet, I entered a specific IP that belongs to the first segment of my private network, which belongs to my Eth2 port. The IP is 192.168.1.10/32
- For Remote subnet, I entered the information provided to me by the 3rd party vendor, which happens to be a public IP (not a private IP like I entered in my local subnet)
I applied my settings and they were saved successfully.
After clicking "Show advanced options", I configured 3 more fields to match those given to me by the 3rd party vendor:
Encryption is AES-256
Hash is SHA1
DH Group is 2
Finally, I adjusted some values from the Config Tree tab to match the 3rd party:
vpn > ipsec > esp-group > FOO0 > pfs changed to disable from enable
vpn > ipsec > ike-group > FOO0 > lifetime changed to 86400
vpn > ipsec > ike-group > FOO0 > proposal > 1 > dh-group to "no value" from 2
The result is that the tunnel is down. I'm going back and forth with the 3rd party vendor, but we aren't making any progress.
Some questions that I have:
- Should I be adding any other IPsec interface (i.e. Eth2 where my private IP of 192.168.1.1/24 is configured)?
- Do I need to make any Firewall/NAT changes to allow successful VPN handshake and get tunnel up?
- Is the logic with Local subnet and Remote subnet okay? (i.e. I have a private IP for local and private for remote)
Thank you for any help that I can get.
~manny
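For readers comparing their own setup against the steps above, here is the same configuration expressed as EdgeOS configure-mode commands. This is an added example, not the poster's exported config and not Ubiquiti's documentation. All vendor-side values are placeholders: 203.0.113.10 stands for the vendor's ASA gateway, 198.51.100.0/28 for the remote prefix they supplied (a public range, mirroring the post), 192.0.2.1 for the eth0 public IP, and the pre-shared secret is a marker to replace. The IKE proposal keeps dh-group 2 because IKEv1 phase 1 always negotiates a Diffie-Hellman group; PFS under the ESP group is the separate phase 2 setting that the Config Tree change disables. The local and remote prefixes must match the ASA's crypto (interesting-traffic) ACL exactly, or phase 2 never comes up even when phase 1 succeeds.

```vyos
# Added example (not from the original post): the GUI steps above as
# EdgeOS configure-mode commands. Placeholder values:
#   203.0.113.10   = vendor's ASA gateway (the "Peer" field)
#   198.51.100.0/28 = remote prefix supplied by the vendor
#   192.0.2.1      = your eth0 public IP (the "Local IP" field)
configure

# Phase 1 (IKE): AES-256 / SHA1 / DH group 2, 86400 s lifetime.
set vpn ipsec ike-group FOO0 lifetime 86400
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

# Phase 2 (ESP): same ciphers, PFS disabled as in the Config Tree change.
set vpn ipsec esp-group FOO0 pfs disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

# Terminate IPsec on the primary WAN interface only (the "IPsec Interface").
set vpn ipsec ipsec-interfaces interface eth0

# Peer definition. Prefixes here must mirror the ASA's crypto ACL.
set vpn ipsec site-to-site peer 203.0.113.10 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.10 authentication pre-shared-secret 'REPLACE_WITH_VENDOR_PSK'
set vpn ipsec site-to-site peer 203.0.113.10 description 'vendor ASA'
set vpn ipsec site-to-site peer 203.0.113.10 ike-group FOO0
set vpn ipsec site-to-site peer 203.0.113.10 local-address 192.0.2.1
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 local prefix 192.168.1.10/32
set vpn ipsec site-to-site peer 203.0.113.10 tunnel 1 remote prefix 198.51.100.0/28

# Let EdgeOS add the WAN_LOCAL exceptions for IKE (UDP 500), NAT-T
# (UDP 4500) and ESP, plus the masquerade exclusion for tunnel traffic.
# This covers the "Firewall/NAT changes" question without hand-written rules.
set vpn ipsec auto-firewall-nat-exclude enable

commit
save
exit

# Operational-mode checks: phase 1 state, phase 2 state, then the IKE log.
# A peer listed under "show vpn ike sa" but absent from "show vpn ipsec sa"
# points at a phase 2 mismatch (prefixes, PFS, or ESP proposal).
show vpn ike sa
show vpn ipsec sa
show vpn log
```

If the router is behind an upstream NAT rather than holding the public address directly on eth0, the local-address line still names the address configured on eth0, and NAT-T (UDP 4500) must be reachable from the vendor side; the auto-firewall-nat-exclude setting opens that port as well.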