Site to site VPN - Need help configuring multiple tunnels

Michael Murray
Level 2

I currently have site-to-site VPN tunnels from two remote sites with 1720s connecting to an ASA5510 at my TOWN_HALL site. (see attached diagram)

This is working fine but I want to add connectivity between the 1720-A LAN (172.20.3.0/24) and the 1720-B LAN (172.22.3.0/24). What's the best way to do this? Can the 1720s be configured with direct L2L VPN tunnels or will that affect the current tunnels to the ASA5510? If so, I'm guessing each 1720 will have to go through the ASA first.

Thanks.

Configs below:

ASA5510
ASA Version 7.2(2)
!
names
name 172.18.3.19 Postal description Mail Server
name 172.18.3.33 helpdesk description Helpdesk Server
dns-guard
!
interface Ethernet0/0
description Comcast Link
nameif ComCast_Out
security-level 0
ip address 29.92.14.73 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.252
!
interface Ethernet0/2
security-level 0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.10.1 255.255.255.0
management-only
!
boot system disk0:/asa722-k8.bin
boot system disk0:/asa706-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list inbound extended permit ip any host 29.92.14.74
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit tcp any host 29.92.14.73 eq 3000
access-list inbound extended permit tcp any host 29.92.14.73 eq smtp log
access-list inbound extended permit tcp any host 29.92.14.73 eq www
access-list inbound extended permit tcp any host 29.92.14.73 eq 3389
access-list inbound extended permit tcp any host 29.92.14.73 eq pptp
access-list inbound extended permit tcp any host 116.204.226.42 eq 3000
access-list inbound extended permit tcp any host 116.204.226.42 eq smtp
access-list inbound extended permit tcp any host 116.204.226.42 eq www
access-list inbound extended permit tcp any host 116.204.226.42 eq 3389
access-list inbound extended permit tcp any host 116.204.226.42 eq pptp
access-list inbound remark FTP Server
access-list inbound extended permit tcp any host 29.92.14.73 eq ftp
access-list acl_out extended permit tcp host 29.92.14.73 any eq smtp
access-list acl_out extended permit tcp host 192.168.1.4 any eq smtp
access-list acl_out extended deny tcp any any eq smtp
access-list acl_out extended permit ip any any
access-list 121 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list nonat extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list nonat extended permit ip 172.30.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.252 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.17.1.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.18.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 172.31.3.0 255.255.255.0 172.31.255.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.0.0 172.31.255.0 255.255.255.0
access-list backup_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_out remark Barracuda
access-list outside_access_out extended permit tcp host 172.18.3.8 any eq smtp inactive
access-list outside_access_out remark SMTP Block
access-list outside_access_out extended deny tcp any any eq smtp inactive
access-list inside_access_in remark Schools SMTP
access-list inside_access_in extended permit tcp host Postal eq smtp any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.8 any eq smtp
access-list inside_access_in extended permit tcp host 172.18.3.30 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip any any
access-list ComCast_Out_20_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.18.3.0 255.255.255.0 172.20.3.0 255.255.255.0
access-list vpn_access standard permit 192.168.10.0 255.255.255.252
access-list vpn_access standard permit 172.17.1.0 255.255.255.0
access-list vpn_access standard permit 172.18.0.0 255.255.0.0
access-list vpn_access standard permit 172.31.3.0 255.255.255.0
access-list vpn_access standard permit 172.30.1.0 255.255.255.0
access-list vpn_access standard permit 192.168.0.0 255.255.0.0
pager lines 24
logging enable
logging monitor emergencies
logging buffered warnings
logging asdm informational
mtu ComCast_Out 1500
mtu inside 1500
mtu NOT_IN_USE 1500
mtu management 1500
ip local pool vpnpool 192.168.20.2-192.168.20.254
ip local pool VPN-POOL 172.31.255.1-172.31.255.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (ComCast_Out) 1 interface
global (NOT_IN_USE) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.0.0.0 255.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,ComCast_Out) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3389 172.18.3.22 3389 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3000 172.18.3.22 3000 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface smtp 172.18.3.8 smtp netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface www 172.18.3.30 www netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface 3389 172.18.3.23 3389 netmask 255.255.255.255
static (inside,NOT_IN_USE) tcp interface pptp 172.18.3.22 pptp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface 3101 172.18.3.8 3101 netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp helpdesk ftp netmask 255.255.255.255
static (inside,ComCast_Out) tcp interface ftp-data helpdesk ftp-data netmask 255.255.255.255
static (inside,ComCast_Out) 29.92.14.74 172.18.3.16 netmask 255.255.255.255
access-group inbound in interface ComCast_Out
access-group outside_access_out out interface ComCast_Out
access-group inside_access_in in interface inside
access-group inbound in interface NOT_IN_USE
access-group backup_access_out out interface NOT_IN_USE
route ComCast_Out 0.0.0.0 0.0.0.0 29.92.14.78 1 track 1
route inside 192.168.0.0 255.255.0.0 192.168.10.1 1
route inside 172.17.1.0 255.255.255.0 192.168.10.1 1
route inside 172.18.0.0 255.255.0.0 192.168.10.1 1
route inside 172.31.3.0 255.255.255.0 192.168.10.1 1
route inside 172.30.1.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnclient internal
group-policy vpnclient attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_access
group-policy remote internal
group-policy remote attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 121
http server enable
http 172.0.0.0 255.0.0.0 inside
http 192.0.0.0 255.0.0.0 inside
http 10.10.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 168.87.71.226 interface ComCast_Out
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec transform-set SHA3DES esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set 3des
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map vpnremote 20 match address ComCast_Out_20_cryptomap
crypto map vpnremote 20 set peer 202.13.116.209
crypto map vpnremote 20 set transform-set ESP-DES-MD5
crypto map vpnremote 25 match address ComCast_Out_25_cryptomap
crypto map vpnremote 25 set peer 207.147.31.97
crypto map vpnremote 25 set transform-set ESP-DES-MD5
crypto map vpnremote 30 ipsec-isakmp dynamic dynmap
crypto map vpnremote 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnremote interface ComCast_Out
crypto map VN1530600A 663 match address ACL663
crypto map VN1530600A 663 set pfs
crypto map VN1530600A 663 set peer 29.92.14.73
crypto map VN1530600A 663 set transform-set SHA3DES
crypto map VN1530600A 663 set security-association lifetime seconds 1800
crypto isakmp identity address
crypto isakmp enable ComCast_Out
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal  20
!
track 1 rtr 123 reachability
tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool vpnpool
default-group-policy remote
tunnel-group remote ipsec-attributes
pre-shared-key *
tunnel-group 29.92.14.73 type ipsec-l2l
tunnel-group 29.92.14.73 ipsec-attributes
pre-shared-key *
tunnel-group 202.13.116.209 type ipsec-l2l
tunnel-group 202.13.116.209 ipsec-attributes
pre-shared-key *
tunnel-group 207.147.31.97 type ipsec-l2l
tunnel-group 207.147.31.97 ipsec-attributes
pre-shared-key *
telnet 192.168.0.0 255.255.0.0 inside
telnet 172.0.0.0 255.0.0.0 inside
telnet timeout 120
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.10.11-10.10.10.20 management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:82155434d3cfa69cd7217f20aaacabb7
: end

1720-A
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-A
!
logging buffered 4096 debugging
!
memory-size iomem 20
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
!
!
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.20.3.1 172.20.3.20
!
ip dhcp pool dhcppool
   network 172.20.3.0 255.255.255.0
   default-router 172.20.3.1
   dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key Cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
crypto ipsec transform-set DES-MD5 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map VPNmap 10 ipsec-isakmp
set peer 29.92.14.73
set transform-set TOWN_HALL
match address TOWN_HALL
!
!
!
!
interface Ethernet0
ip address 207.147.31.97 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.20.3.1 255.255.255.0
ip nat inside
speed auto
!
interface Serial0
no ip address
shutdown
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.147.31.98
no ip http server
ip pim bidir-enable
!
!
ip access-list extended NAT_ADDRESSES
deny   ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
permit esp host 29.92.14.73 host 207.147.31.97
permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 207.147.31.97 eq telnet
permit tcp any host 192.168.20.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit udp host 173.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 173.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
deny   ip any any
ip access-list extended TOWN_HALL
permit ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
!
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 60 0
logging synchronous
login local
transport input telnet
!
no scheduler allocate
ntp clock-period 17180009
end

1720-B
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname 1720-B
!
logging buffered 4096 debugging
no logging buffered
logging rate-limit console 10 except errors
!
memory-size iomem 25
clock timezone ET -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
ip subnet-zero
no ip finger
no ip domain-lookup
ip name-server 172.18.3.24
ip dhcp excluded-address 172.22.3.1 172.22.3.20
!
ip dhcp pool dhcppool
   network 172.22.3.0 255.255.255.0
   default-router 172.22.3.1
   dns-server 172.18.3.24 172.18.3.26
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key Cisco address 29.92.14.73
!
!
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
!
crypto map VPNmap 10 ipsec-isakmp  
set peer 29.92.14.73
set transform-set TOWN_HALL
match address TOWN_HALL
!
!
!
!
interface Ethernet0
ip address 202.13.116.209 255.255.255.252
ip access-group PERIMETER in
ip nat outside
half-duplex
crypto map VPNmap
!
interface FastEthernet0
description LAN
ip address 172.22.3.1 255.255.255.0
ip nat inside
speed auto
!
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 202.13.116.210
no ip http server
!
!
ip access-list extended NAT_ADDRESSES
deny   ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny   ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
permit esp host 29.92.14.73 host 202.13.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any eq www any
permit tcp any eq 443 any
permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
deny   ip any any
ip access-list extended TOWN_HALL
permit ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
alias exec sr show run
alias exec s sh ip int br
alias exec srt show ip route
alias exec sri show run | i
alias exec srb show run | b
!
line con 0
logging synchronous
transport input none
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
!
no scheduler allocate
ntp clock-period 17180266
end


8 Replies

Hi,

You can do it either way.

1. Both 1720s can communicate to each other via the Site-to-Site tunnel each one has to the ASA (just need to add the interesting traffic correctly and some minor configuration adjustments).

2. Both 1720s can have a direct Site-to-Site tunnel between them (without going through the ASA).

I would recommend option #2, unless you have some specific requirement to control communication between the remote sites on the central site.

Federico.

Jennifer Halim
Cisco Employee

Hi Michael,

You have 2 options:

1) Direct VPN tunnel between the 2 remote sites: as you have a publicly assigned IP on the outside interface, you can do a direct VPN tunnel.

OR, alternatively:

2) Configure the VPN tunnel between the 2 remote sites to go through your ASA, config as follows:

ASA:

no nat-control
same-security-traffic permit intra-interface
access-list ComCast_Out_20_cryptomap extended permit ip 172.20.3.0 255.255.255.0 172.22.3.0 255.255.255.0
access-list ComCast_Out_25_cryptomap extended permit ip 172.22.3.0 255.255.255.0 172.20.3.0 255.255.255.0


1720-A:
ip access-list extended TOWN_HALL
   permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255

ip access-list extended NAT_ADDRESSES
   1 deny ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255

1720-B:
ip access-list extended TOWN_HALL
   permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255

ip access-list extended NAT_ADDRESSES
   1 deny ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255

Remember to clear the SA and reestablish the VPN tunnel once the configuration has been done.

Hope that helps.

OK. I am going with the direct VPN tunnel between 1720-A and 1720-B but I'm having some problems. When I try to bring up the tunnel by doing an extended ping between the two subnets 172.20.3.0/24 and 172.22.3.0/24 I get the following error:

Apr  2 15:12:59: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 202.13.116.209

1720-A changes in blue

crypto isakmp key D1sC0 address 202.13.116.209
crypto map VPNmap 20 ipsec-isakmp
set peer 202.13.116.209
set transform-set TOWN_HALL
match address RTRB
ip access-list extended NAT_ADDRESSES
deny   ip 172.20.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny   ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit ip 172.20.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 207.147.31.97 eq isakmp
permit esp host 29.92.14.73 host 207.147.31.97
permit ip 172.18.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 207.147.31.97 eq telnet
permit tcp any host 192.168.20.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit udp host 202.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 202.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit udp host 202.13.116.209 host 207.147.31.97 eq isakmp
permit esp host 202.13.116.209 host 207.147.31.97
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
deny   ip any any
ip access-list extended RTRB
permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255

1720-B changes in red

crypto isakmp key D1sC0 address 207.147.31.97
crypto map VPNmap 20 ipsec-isakmp
set peer 207.147.31.97
set transform-set TOWN_HALL
match address RTRA
ip access-list extended NAT_ADDRESSES
deny   ip 172.22.3.0 0.0.0.255 172.18.3.0 0.0.0.255
deny   ip 172.22.3.0 0.0.0.255 192.168.1.0 0.0.0.255
deny   ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255
permit ip 172.22.3.0 0.0.0.255 any
ip access-list extended PERIMETER
permit udp host 29.92.14.73 host 202.13.116.209 eq isakmp
permit esp host 29.92.14.73 host 202.13.116.209
permit ip 172.18.3.0 0.0.0.255 172.22.3.0 0.0.0.255
permit icmp any any unreachable
permit icmp any any echo-reply
permit tcp any host 202.13.116.209 eq telnet
permit tcp any host 192.168.22.1 eq telnet
permit tcp any eq www any
permit tcp any eq 443 any
permit ip 192.168.1.0 0.0.0.255 172.22.3.0 0.0.0.255
permit udp host 207.147.31.97 host 202.13.116.209 eq isakmp
permit esp host 207.147.31.97 host 202.13.116.209
permit ip 172.20.3.0 0.0.0.255 172.22.3.0 0.0.0.255
deny   ip any any
ip access-list extended RTRA
permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255

Any ideas? Thanks

-mike

More info from debug crypto ipsec on RTRA

Apr  2 15:33:28: IPSEC(validate_proposal): peer address 202.13.116.209 not found

Michael,

The logs indicate that there's a mismatch in Quick Mode (this is phase 2).

So, most likely the transform set is not matching on both sides.

Check the settings of the transform set for both crypto maps.

Federico.

Double-check that you have the following transform sets in use by this tunnel:
crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac

The tunnel seems to be failing on phase 2 negotiations due to a mismatch, but according to the configuration it seems fine.


Are you sure that those debugs aren't just part of the negotiations and finally the tunnel established?

Check the status of the tunnel again with the commands:
sh cry isa sa
sh cry ips sa
while trying to establish the tunnel again, and let's see the results.

Federico.

Configuration seems to be correct.

I assume phase 1 is up? QM_IDLE for the remote to remote L2L tunnel?

Can you run debug on both sides and post the output please. Thanks.

You are correct. This config does work. I made a change to the ACL that matches my interesting traffic after my debug but before I posted the config here. Thanks for all your help.
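As an added example that is not part of this thread (and not Cisco's tooling), the Python script below applies the checks the replies describe to the direct 1720-A/1720-B tunnel: it parses the IOS `crypto map ... ipsec-isakmp` entries, the extended ACLs they `match address`, the `crypto ipsec transform-set` lines and the NAT overload list from both routers, then reports Quick Mode proxy identities that are not mirror images of each other (the kind of mismatch behind a "Processing of Quick mode failed" message), transform sets that differ, and tunnel traffic the `ip nat inside source list ... overload` rule would translate before the crypto ACL sees it (the reason the hub-and-spoke answer adds `deny` lines to NAT_ADDRESSES). The sample configs are constructed from the addresses used in the thread rather than copied from either router; `spoke_cfg`, `check_pair`, `RTR_A`, `RTR_B_OK` and `RTR_B_BAD` are names invented for this example.

```python
"""Added example (not code from the thread): check both ends of an IOS IPsec L2L tunnel for non-mirrored
proxy identities, differing transform sets, and tunnel traffic the NAT overload rule would translate first."""
import ipaddress

def _addr(t, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(t[i + 1])) & 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2

def parse_acls(config):
    """Return {name: [(action, src_net, dst_net), ...]} for the `ip` entries of each extended ACL."""
    acls, cur = {}, None
    for t in (line.split() for line in config.splitlines()):
        if t[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(t[3], [])
            continue
        if len(t) > 1 and t[0].isdigit():        # optional sequence number, e.g. "1 deny ip ..."
            t = t[1:]
        if not t or cur is None or t[0] not in ("permit", "deny", "remark"):
            cur = None                           # any other line ends the ACL block
        elif t[0] != "remark" and t[1] == "ip":  # only protocol-ip entries matter for crypto and NAT
            src, i = _addr(t, 2)
            cur.append((t[0], src, _addr(t, i)[0]))
    return acls

def crypto_map_for(config, peer):
    """Return (acl_name, transform_set_name) of the ipsec-isakmp crypto map entry for `peer`."""
    entries = []                                 # assumes set/match lines follow their crypto map line
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            entries.append({})
        elif entries and t[:2] in (["set", "peer"], ["set", "transform-set"], ["match", "address"]):
            entries[-1][t[1]] = t[2]
    return next(((e.get("address"), e.get("transform-set")) for e in entries if e.get("peer") == peer),
                (None, None))

def nat_exempts(acl, s, d):
    """True if s->d is denied (exempted) before any overlapping permit in the NAT ACL; first match wins."""
    for action, ns, nd in acl:
        if action == "permit" and s.overlaps(ns) and d.overlaps(nd):
            return False                         # part of the tunnel traffic would be PATed instead
        if action == "deny" and s.subnet_of(ns) and d.subnet_of(nd):
            return True
    return True                                  # implicit deny at the end: nothing is translated

def _side(cfg, peer):
    """Gather (crypto ACL, proxy-ID pairs, transform set, NAT ACL name, NAT ACL entries) for one router."""
    acl_name, ts_name = crypto_map_for(cfg, peer)
    lines = [line.split() for line in cfg.splitlines()]
    ts = next((tuple(sorted(t[4:])) for t in lines
               if t[:4] == ["crypto", "ipsec", "transform-set", ts_name]), None)
    nat = next((t[5] for t in lines if t[:5] == ["ip", "nat", "inside", "source", "list"]), None)
    acls = parse_acls(cfg)
    pairs = {(s, d) for a, s, d in acls.get(acl_name, []) if a == "permit"}
    return acl_name, pairs, ts, nat, acls.get(nat, [])

def check_pair(local_cfg, local_wan, remote_cfg, remote_wan):
    """Return a list of problems for the tunnel between two routers; [] means the pair is consistent."""
    local, remote = _side(local_cfg, remote_wan), _side(remote_cfg, local_wan)
    if local[0] is None or remote[0] is None:
        return ["one side has no ipsec-isakmp crypto map entry whose peer is the other's WAN address"]
    problems = []
    if local[2] != remote[2]:
        problems.append(f"transform sets differ: local {local[2]} vs remote {remote[2]}")
    # Quick Mode proxy identities must be mirror images: local (S,D) <-> remote (D,S)
    for name, me, other in (("local", local, remote), ("remote", remote, local)):
        acl, pairs, _, nat_name, nat = me
        for s, d in pairs - {(d2, s2) for s2, d2 in other[1]}:
            problems.append(f"{name} {acl}: {s}->{d} has no mirror entry in {other[0]}")
        for s, d in pairs:
            if not nat_exempts(nat, s, d):
                problems.append(f"{name}: NAT list {nat_name} translates {s}->{d} before the tunnel sees it")
    return problems

def spoke_cfg(lan, peer_lan, peer_wan, acl):
    """Constructed spoke config in the thread's style (sample data, not either poster's real config)."""
    return f"""crypto ipsec transform-set TOWN_HALL esp-des esp-md5-hmac
crypto map VPNmap 20 ipsec-isakmp
 set peer {peer_wan}
 set transform-set TOWN_HALL
 match address {acl}
ip nat inside source list NAT_ADDRESSES interface Ethernet0 overload
ip access-list extended NAT_ADDRESSES
 deny   ip {lan} 0.0.0.255 172.18.3.0 0.0.0.255
 deny   ip {lan} 0.0.0.255 {peer_lan} 0.0.0.255
 permit ip {lan} 0.0.0.255 any
ip access-list extended {acl}
 permit ip {lan} 0.0.0.255 {peer_lan} 0.0.0.255
"""

RTR_A = spoke_cfg("172.20.3.0", "172.22.3.0", "202.13.116.209", "RTRB")
RTR_B_OK = spoke_cfg("172.22.3.0", "172.20.3.0", "207.147.31.97", "RTRA")
# Broken variant: the crypto ACL proposes a /16 that the other side never mirrors and the NAT deny does not cover
RTR_B_BAD = RTR_B_OK.replace("permit ip 172.22.3.0 0.0.0.255 172.20.3.0 0.0.0.255",
                             "permit ip 172.22.3.0 0.0.0.255 172.20.0.0 0.0.255.255")
```

Import the file and call `check_pair(RTR_A, "207.147.31.97", RTR_B_OK, "202.13.116.209")`: the consistent pair returns an empty list, while the same call with `RTR_B_BAD` returns three findings (a missing mirror entry on each side and a NAT list that would translate the /16 pair). The NAT check is deliberately conservative, reporting any permit that overlaps a proxy-ID pair ahead of a deny that fully covers it, and the wildcard parser assumes contiguous masks, which is all the ACLs in this thread use.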
