07-10-2009 02:13 PM
Hi All
I have an ASA 5510 and I have configured 2 VPNs. The router 850-ASA VPN is OK, but I can't establish the other VPN, ASA-Astaro. The error is:
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!
My configuration for VPN is:
ACL:
access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
VPN:
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Internet_map 20 match address Internet_cryptomap_20_1
crypto map Internet_map 20 set peer 186.1.10.74
crypto map Internet_map 20 set transform-set ESP-3DES-MD5
crypto map Internet_map 20 set security-association lifetime seconds 86400
crypto map Internet_map 20 set security-association lifetime kilobytes 4608000
crypto map Internet_map 20 set nat-t-disable
crypto map Internet_map 40 match address Internet_cryptomap_40
crypto map Internet_map 40 set peer 165.98.233.180
crypto map Internet_map 40 set transform-set ESP-3DES-MD5
crypto map Internet_map 40 set security-association lifetime seconds 86400
crypto map Internet_map 40 set security-association lifetime kilobytes 4608000
crypto map Internet_map 60 match address Internet_cryptomap_60
crypto map Internet_map 60 set peer 200.50.2.114
crypto map Internet_map 60 set transform-set ESP-3DES-MD5
crypto map Internet_map 60 set security-association lifetime seconds 28800
crypto map Internet_map 60 set security-association lifetime kilobytes 4608000
crypto map Internet_map interface Internet
isakmp identity address
isakmp enable Internet
isakmp enable management
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 186.1.10.74 type ipsec-l2l
tunnel-group 186.1.10.74 ipsec-attributes
pre-shared-key *
tunnel-group 165.98.233.180 type ipsec-l2l
tunnel-group 165.98.233.180 ipsec-attributes
pre-shared-key *
tunnel-group 200.50.2.114 type ipsec-l2l
tunnel-group 200.50.2.114 ipsec-attributes
pre-shared-key *
Thanks in advance
Regards
07-16-2009 06:24 AM
Take a look at this:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K74152394