crypto map entry is incomplete

JAYESH RAMAIYA · ‎03-05-2013

Hi

This is my config below. The error i am recieving is crypto map entry is incomplete. Can someone please take a look and let me know. Thank you

ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap

WARNING: The crypto map entry is incomplete!

ASA(config)# show run

: Saved

:

ASA Version 8.4(4)1

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.10.10.2 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network net-local

subnet 10.10.10.20 255.255.255.0

object network net-remote

subnet 10.10.3.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.

10.3.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (any,any) source static net-local net-local destination static net-remote ne

t-remote

!

object network obj_any

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 96.145.68.82

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.10.10.22-10.10.10.231 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

tunnel-group 81.141.29.69 type ipsec-l2l

tunnel-group 81.141.29.69 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc

: end

ASA(config)#

Jouni Forss · ‎03-05-2013

Hi,

You lack a "transform-set" configuration from the "crypto map" line.

For example

Create the IKEv1 Transform set

crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac

and

Use it in the VPN configuration

crypto map outside_map 1 set ikev1 transform-set AES

The values ofcourse depend on the your own preference

Hope this helps

- Jouni