1157 Views, 0 Helpful, 7 Replies

ASA 5505 8.3 vpn with nat

Helmeczi Zoltan
Level 1

Hi,

Please advise me on how to NAT VPN traffic.

The goal is that the internal IP address 192.168.0.101 will appear as 10.104.4.101 at the other end.

What NAT command do I have to use?

Thanks

7 Replies

Jennifer Halim
Cisco Employee

Assuming that you would like to NAT the internal IP 192.168.0.101 to 10.104.4.101 when accessing the remote subnet 172.16.0.0/16, here is the command:

object network obj-192.168.0.101
     host 192.168.0.101
object network obj-10.104.4.101
     host 10.104.4.101
object network obj-172.16.0.0-16
     subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static obj-192.168.0.101 obj-10.104.4.101 destination static obj-172.16.0.0-16 obj-172.16.0.0-16

Hope this helps.

Hello!

Sorry for my late reply!

I tried what you advised, and it seems better.

But something is still wrong.

I have attached the config and a debug txt.

Please give me some instructions on what is wrong!

Thanks!

(In the NAT debug I find this:

nat: translation - inside:192.168.0.101/1729 to outside:10.104.4.101/1729

but no untranslation line.)

Hi,

Can you please check the crypto access-list on both sides? It should be exactly mirrored, because we can see the following error in the debugs:

Aug 21 23:48:37 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0

Thanks.

Hi,

This is the remote end crypto access-list:

access-list outside_cryptomap_8; 2 elements; name hash: 0x1a88a6c3
access-list outside_cryptomap_8 line 1 extended permit ip object-group DM_INLINE_NETWORK_19 10.104.4.0 255.255.255.0 0x6105a778
access-list outside_cryptomap_8 line 1 extended permit ip SAP_Netz 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=25) 0x2567e08a
access-list outside_cryptomap_8 line 1 extended permit ip 10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0 (hitcnt=4) 0x1d2940ed

and the remote device VPN log:

And this is my config and my crypto ikev1 debug:

From the debugs you attached:

Aug 24 01:52:05 [IKEv1]Group = x.x.x.x, IP = x.x.x.x, PHASE 2 COMPLETED (msgid=28405279)

this means that phase 2 is up.

Can you share the following after initiating the traffic:

show cry ikev1 sa
show crypto ipsec sa

Regards.

This is it:

sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Poli-ASA# sh cry ipsec sa

interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: x.x.x.x

      access-list jwo_tunnel extended permit ip 10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.104.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.48.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1492, ipsec overhead 74, media mtu 1500
      current outbound spi: E05EB4F9
      current inbound spi : FB220429

    inbound esp sas:
      spi: 0xFB220429 (4213310505)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 880640, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xE05EB4F9 (3764303097)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 880640, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28776)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Does that mean the tunnel is up?

But if I try to ping 10.1.48.95, which is the target host (or telnet to some specific ports), no replies come back.

?
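As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python checker that models the three things the thread turns on: the twice-NAT rule from Jennifer Halim's reply, whether the translated address is selected by the crypto ACL (the ASA matches the crypto map against the post-NAT packet, so 192.168.0.101 itself is never "interesting traffic" for an ACL that lists 10.104.4.0/24), whether the two sides' crypto ACLs mirror each other, and the encaps/decaps counters from the poster's `show crypto ipsec sa`, where "encaps 3, decaps 0" means packets are being encrypted and sent but nothing is coming back. The NAT rule's destination object is assumed to be 10.1.48.0/24 (the remote network in the poster's crypto ACL) rather than the 172.16.0.0/16 used as an illustration earlier; the remote ACL samples are constructed, not taken from the attachments; and ACL entries that use object-groups or named objects are skipped because they cannot be resolved from the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Twice-NAT rule from the reply above, with the destination object assumed to be
# the poster's remote network 10.1.48.0/24 (hypothetical; the reply used 172.16.0.0/16):
#   nat (inside,outside) source static obj-192.168.0.101 obj-10.104.4.101
#       destination static obj-10.1.48.0-24 obj-10.1.48.0-24
@dataclass(frozen=True)
class TwiceNatRule:
    real_src: ipaddress.IPv4Network    # obj-192.168.0.101 (host)
    mapped_src: ipaddress.IPv4Network  # obj-10.104.4.101 (host)
    dst: ipaddress.IPv4Network         # destination object (identity NAT)

RULE = TwiceNatRule(ipaddress.ip_network("192.168.0.101/32"),
                    ipaddress.ip_network("10.104.4.101/32"),
                    ipaddress.ip_network("10.1.48.0/24"))

def translate_source(rule, src, dst):
    """Source address of a src->dst packet after the rule; unchanged if it does not match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in rule.real_src and d in rule.dst:
        # static one-to-one: keep the host offset inside the mapped network
        offset = int(s) - int(rule.real_src.network_address)
        return str(ipaddress.ip_address(int(rule.mapped_src.network_address) + offset))
    return str(s)

# Matches 'extended permit ip SRC MASK DST MASK' entries written with plain addresses,
# with or without the 'line N' token that 'show access-list' output carries.
ACL_RE = re.compile(
    r"access-list\s+\S+(?:\s+line\s+\d+)?\s+extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)")

def parse_crypto_acl(text):
    """Return [(src_net, dst_net)]; object-group / named-object entries are skipped."""
    entries = []
    for s_ip, s_mask, d_ip, d_mask in ACL_RE.findall(text):
        entries.append((ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False),
                        ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)))
    return entries

def is_interesting(entries, src, dst):
    """True if src->dst is selected for the tunnel by any crypto ACL entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def unmirrored(local_entries, remote_entries):
    """Local entries whose exact (dst, src) mirror is absent from the remote ACL."""
    remote = set(remote_entries)
    return [e for e in local_entries if (e[1], e[0]) not in remote]

def sa_direction(show_ipsec_sa):
    """Classify traffic from the '#pkts encaps' / '#pkts decaps' counters."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", show_ipsec_sa).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", show_ipsec_sa).group(1))
    if enc == 0 and dec == 0:
        return "no traffic matched the crypto ACL"
    if dec == 0:
        return "one-way: encrypting and sending, nothing returned"
    if enc == 0:
        return "one-way: receiving only"
    return "two-way"

# Local crypto ACL entry as shown in the poster's output
LOCAL_ACL = ("access-list jwo_tunnel extended permit ip "
             "10.104.4.0 255.255.255.0 10.1.48.0 255.255.255.0")
# Constructed remote ACLs: one that mirrors the local entry, one that does not
REMOTE_ACL_MIRRORED = ("access-list outside_cryptomap_8 line 1 extended permit ip "
                       "10.1.48.0 255.255.255.0 10.104.4.0 255.255.255.0")
REMOTE_ACL_WRONG = ("access-list outside_cryptomap_8 line 1 extended permit ip "
                    "10.1.64.0 255.255.255.0 10.104.4.0 255.255.255.0")
# Counter lines copied from the poster's 'show crypto ipsec sa'
SA_OUTPUT = ("#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3\n"
             "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0\n")

def diagnose(rule, local_acl, remote_acl, sa_output, src, dst):
    """Run all checks for one flow and return the findings as a dict."""
    local, remote = parse_crypto_acl(local_acl), parse_crypto_acl(remote_acl)
    mapped = translate_source(rule, src, dst)
    return {
        "mapped_src": mapped,
        "interesting_before_nat": is_interesting(local, src, dst),
        "interesting_after_nat": is_interesting(local, mapped, dst),
        "unmirrored": [f"{s} -> {d}" for s, d in unmirrored(local, remote)],
        "direction": sa_direction(sa_output),
    }

if __name__ == "__main__":
    for name, acl in (("mirrored", REMOTE_ACL_MIRRORED), ("wrong", REMOTE_ACL_WRONG)):
        print(name, diagnose(RULE, LOCAL_ACL, acl, SA_OUTPUT, "192.168.0.101", "10.1.48.95"))
```

Run as-is it reports the poster's flow 192.168.0.101 -> 10.1.48.95 as mapped to 10.104.4.101, matching the crypto ACL only after NAT, and one-way on the counters; with the constructed "wrong" remote ACL it also lists the local entry that has no mirror. A real remote ACL containing object-groups needs those objects expanded first, because the parser deliberately skips them.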
