04-30-2008 11:24 AM - edited 02-21-2020 02:00 AM
I have set up 2 VPN connections; one to a vendor's 3000 concentrator and the second to a branch office.
The branch office connects with a L2L type, however my vendor's connection is a "user" type. I have rebuilt the connection and the same thing happens.
Screen scrape of the sh crypto isa:
1 IKE Peer: 68.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.xxx.xxx.xxx
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
The only difference in the config is the vendor is using a transform set of
crypto ipsec transform-set vendor esp-aes esp-md5-hmac
and the branch is using
crypto ipsec transform-set branch esp-3des esp-sha-hmac
Any help?
05-07-2008 06:19 AM
Acceptable transform set combinations are listed below:
1) ah-md5-hmac
2) esp-des
3) esp-3des and esp-md5-hmac
4) ah-sha-hmac and esp-des and esp-sha-hmac
5) comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)
6) esp-seal and esp-md5-hmac
Try using "esp-3des esp-sha-hmac" or "esp-aes and esp-md5-hmac" at both vendor and branch ends.
Refer to the following URL for more info:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199028
05-07-2008 06:26 AM
Thanks for the response. You are correct. The vendor side was not set correctly. We reconfigured both sides to esp-aes and esp-md5-hmac and the problem was resolved.
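Added example (not part of the original thread, and not Cisco's code): a small Python check that parses `crypto ipsec transform-set` lines from both peers' configurations and reports each category (ESP cipher, ESP authentication, AH, compression) where they disagree. The local line is the one quoted in the question; the "before" remote line is constructed for illustration and assumes the remote proposal is written in the same syntax.

```python
import re

# Matches lines in the form shown in the thread:
#   crypto ipsec transform-set <name> <transform> [<transform> ...]
LINE = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s+(.+?)\s*$", re.M)

def category(transform):
    """Classify a transform keyword; a set may hold one transform per category."""
    if transform.startswith("ah-"):
        return "ah"
    if transform.startswith("comp-"):
        return "compression"
    if transform.startswith("esp-"):
        return "esp-auth" if transform.endswith("-hmac") else "esp-cipher"
    return "unknown"

def parse_transform_sets(config):
    """Return {set_name: {category: transform}} for each transform-set line."""
    sets = {}
    for name, body in LINE.findall(config):
        transforms = {}
        for token in body.split():
            if token.isdigit() and "esp-cipher" in transforms:
                transforms["esp-cipher"] += " " + token  # key size, e.g. "esp-aes 256"
                continue
            cat = category(token)
            if cat in transforms:
                raise ValueError(f"{name}: more than one {cat} transform")
            transforms[cat] = token
        sets[name] = transforms
    return sets

def diff_sets(local, remote):
    """List every category where the two peers' transform sets disagree."""
    return [
        f"{cat}: local={local.get(cat, 'none')} remote={remote.get(cat, 'none')}"
        for cat in sorted(set(local) | set(remote))
        if local.get(cat) != remote.get(cat)
    ]

LOCAL = "crypto ipsec transform-set vendor esp-aes esp-md5-hmac"            # from the thread
REMOTE_BEFORE = "crypto ipsec transform-set vendor esp-3des esp-sha-hmac"   # constructed sample
REMOTE_AFTER = "crypto ipsec transform-set vendor esp-aes esp-md5-hmac"     # the agreed setting

if __name__ == "__main__":
    local = parse_transform_sets(LOCAL)["vendor"]
    for label, cfg in (("before", REMOTE_BEFORE), ("after", REMOTE_AFTER)):
        print(label, diff_sets(local, parse_transform_sets(cfg)["vendor"]) or "match")
```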