Core issue
A transform set must be configured on the PIX.
Resolution
- On the PIX, issue the show crypto map command.
- Locate the crypto map name that is associated with the interface where you are trying to connect.
- Using the crypto map name, issue the show crypto dynamic-map tag {crypto map name} command.
The output will be similar to the following.
    Crypto Map: "partner-map" interfaces: { outside }
    client configuration address initiate
    Crypto Map "partner-map" 20 ipsec-isakmp
    Dynamic map template tag: cisco
- Identify the dynamic map template tag (in this example, it is cisco), and then issue the show crypto dynamic-map tag cisco command.
The output will be similar to the following.
    Crypto Map Template"cisco" 4
    No matching address list set.
    Current peer: 0.0.0.0
    Security association lifetime:
    4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ strong-des, }
- Use the transform name (strong-des) and issue a show crypto ipsec transform strong-des command.
The output will be similar to the following.
    Transform set strong-des: { esp-3des esp-sha-hmac }
    will negotiate = { Tunnel, },
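The lookup chain in the steps above (interface, crypto map, dynamic map template tag, transform set, transforms) can be followed over saved command output. This is an added example, not part of the original document or a Cisco tool; the function names are hypothetical and the parsing assumes the output format shown on this page.

```python
import re
# Captures taken from the steps above (dynamic map abridged); paste your own.
SHOW_CRYPTO_MAP = '''Crypto Map: "partner-map" interfaces: { outside }
client configuration address initiate
Crypto Map "partner-map" 20 ipsec-isakmp
Dynamic map template tag: cisco
'''
SHOW_DYNAMIC_MAP = '''Crypto Map Template"cisco" 4
PFS (Y/N): N
Transform sets={ strong-des, }
'''
SHOW_TRANSFORM = '''Transform set strong-des: { esp-3des esp-sha-hmac }
will negotiate = { Tunnel, },
'''

def names(group):
    """Split the inside of a '{ a, b, }' or '{ a b }' group into tokens."""
    return [t for t in re.split(r"[,\s]+", group) if t]

def template_tags(show_map, interface):
    """Dynamic map template tags of crypto maps bound to the interface."""
    bound = {n for n, ifs in re.findall(
        r'Crypto Map: "([^"]+)" interfaces: \{([^}]*)\}', show_map)
        if interface in names(ifs)}
    tags, current = [], None
    for line in show_map.splitlines():
        m = re.match(r'\s*Crypto Map:? "([^"]+)"', line)
        if m:
            current = m.group(1)  # entries below belong to this map
        m = re.match(r"\s*Dynamic map template tag: (\S+)", line)
        if m and current in bound:
            tags.append(m.group(1))
    return tags

def referenced_sets(show_dynamic):
    """Transform set names listed in a dynamic map template."""
    return [n for g in re.findall(r"Transform sets=\{([^}]*)\}", show_dynamic)
            for n in names(g)]

def defined_sets(show_transform):
    """Map each defined transform set to its list of transforms."""
    return {n: names(g) for n, g in
            re.findall(r"Transform set (\S+): \{([^}]*)\}", show_transform)}

def audit(show_dynamic, show_transform):
    """Return (resolved sets, names referenced but not defined)."""
    defined, refs = defined_sets(show_transform), referenced_sets(show_dynamic)
    return ({n: defined[n] for n in refs if n in defined},
            [n for n in refs if n not in defined])
```

A non-empty second value from `audit` means the dynamic map names a transform set that the captured transform output does not define.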
The transform must be one of the following combinations. If it is not, modify the transform to match one of the following and try again.