site to site vpn phase 2 issues

sridhar ch
Level 1

Hi,

I have a problem with one of my S2S VPN tunnels. I am getting the below error message: "group = x.x.x.x, ip = y.y.y.y, duplicate phase 2 packet detected. retransmitting last packet". The tunnel went down without any changes being made at either end. Changing the interesting traffic at the remote end, i.e. changing the subnet mask to match my end, resolved the phase 1 issue, but phase 2 is still an issue. I can see packets getting decrypted but no encryption. This was working fine until today afternoon.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

what could be the issue?

Thanks,

Sridhar


Julio Carvajal
VIP Alumni

Hello,

Is it possible that you could provide the running-config so we can help you with this?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am really sorry, I can't post the config. If you could tell me the possible reasons, then I will try.

Hello,

Sure, this will let us analyze what is really happening here and why the VPN tunnel is not successfully getting established. Of course you will need to hide some things such as the IP addresses (security reasons).

- I would like to have the VPN configuration of both sites, to see if there is a mismatch in the IPsec configuration. Again, just to help!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Is it possible to enable DH group 2 without PFS in phase 2 on an ASA?

Hello,

This link will answer all of your configuration questions regarding an L2L VPN on the ASA:

https://learningnetwork.cisco.com/docs/DOC-8696

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes. Also, refer to the link below on some common troubleshooting processes.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml?referring_site=bodynav

Thx

MS

Thanks for this. Could you guys tell me why the packets are not encrypting, but are decrypting?

Hello,

There might be a mismatch between the IPsec configuration and the IKE configuration; remember that the transform set is based on what you have configured for phase 1. So check that!

Do rate if this helps.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It looks like my remote end has DH group 2 and PFS disabled in phase 2, whereas at my end both are disabled. I think that if I need to enable the DH group alone at my end without PFS, it is not possible. I have a Cisco ASA 5520 and the remote end has a Checkpoint UTM. Correct me if I am wrong.

Hello,

That's it. You need to have the same phase 2 configuration on both VPN ends.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

We have changed the phase 1 and phase 2 parameters at both ends, as well as the interesting traffic, after which the tunnel came up. But interestingly, the remote end is not able to ping my server LAN, and my server LAN is not able to reach the remote LAN. When I do a debug crypto ipsec I am getting the below messages. I verified all ACLs and rules, and they look to be fine.

IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 3 does not hole match for ACL OUTSIDE_ISP_cryptomap_3.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 4 does not hole match for ACL OUTSIDE_ISP_cryptomap_4.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 5 does not hole match for ACL OUTSIDE_ISP_cryptomap_5.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 6 does not hole match for ACL outside_ssl_6_cryptomap.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 7 does not hole match for ACL OUTSIDE_ISP_cryptomap_7.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 8 does not hole match for ACL outside_ssl_cryptomap_1.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 9 does not hole match for ACL outside_ssl_cryptomap_2.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 1 does not hole match for ACL outside_ssl_cryptomap.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 2 does not hole match for ACL OUTSIDE_ISP_cryptomap_1.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 3 does not hole match for ACL OUTSIDE_ISP_cryptomap_3.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 4 does not hole match for ACL OUTSIDE_ISP_cryptomap_4.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 5 does not hole match for ACL OUTSIDE_ISP_cryptomap_5.
IPSEC(crypto_map_check): crypto map OUTSIDE_ISP_map0 6 does not hole match for ACL outside_ssl_6_cryptomap.

Hello Sridar,

Are you sure you have the same ACL configuration (interesting traffic)? I mean, without seeing the VPN config it will be hard to help you with this.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I can provide assistance. I have spent the past month trying to get the Checkpoint and the Cisco ASA to play nicely. Checkpoint UTM and Edge products send the peer or public IP address as part of the encryption domain. You need to go into the console and include that as part of your statements. Look at the example below.

access-list outside_1_cryptomap extended permit ip host a.b.c.d host e.f.g.h
