08-06-2011 09:31 AM - edited 02-21-2020 05:30 PM
Can someone please tell me why I can't establish Phase 2 IPsec negotiations. I am trying to connect a 2651XM to a PIX 501.
Below is the debug isakmp and ipsec output and the configs. I have verified the keys are the same, and the transform sets look OK. Any ideas why it's not working?
What is the below telling me?
===========================================================
01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
01:32:37: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
01:32:37: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
01:32:37: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
===============================================================================
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1154286426:bb32fca6
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
spi 2224366689, message ID = 1503891776
ISAKMP (0): deleting spi 1629787524 message ID = 3140680870
return status is IKMP_NO_ERR_NO_TRANS
pixfirewall#
pixfirewall# sh crypto is
ISAKMP (0): beginning Quick Mode exchange, M-ID of 400184159:17da535f
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
spi 2649583861, message ID = 1778335964a
ISAKMP (0): deleting spi 4117818781 message ID = 400184159
return status is IKMP_NO_ERR_NO_TRANSkmp sa
Total : 1
Embryonic : 0
dst src state pending created
1.1.1.2 1.1.1.3 QM_IDLE 0 0
pixfirewall#
ISAKMP (0): beginning Quick Mode exchange, M-ID of 923039456:370476e0
crypto_isakmp_process_block: src 1.1.1.2, dest 1.1.1.3
ISAKMP (0): processing NOTIFY payload 14 protocol 2
spi 2163779852, message ID = 2746774364
ISAKMP (0): deleting spi 212465792 message ID = 923039456
return status is IKMP_NO_ERR_NO_TRANSexi
Logoff
CCC#sh cryp
CCC#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 1.1.1.3 QM_IDLE 1 0 ACTIVE
CCC#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#debug crypto isakmp
Crypto ISAKMP debugging is on
CCC#debug crypto ipsec
Crypto IPSEC debugging is on
CCC#debug crypto verbose
verbose debug output debugging is on
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
CCC#
00:51:24: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:51:24: ISAKMP: set new node 1268073006 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1268073006
00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:24: ISAKMP: transform 1, AH_SHA
00:51:24: ISAKMP: attributes in transform:
00:51:24: ISAKMP: encaps is 1 (Tunnel)
00:51:24: ISAKMP: SA life type in seconds
00:51:24: ISAKMP: SA life duration (basic) of 28800
00:51:24: ISAKMP: SA life type in kilobytes
00:51:24: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:24: ISAKMP: authenticator is HMAC-SHA
00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:24: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:24: ISAKMP: transform 1, ESP_3DES
00:51:24: ISAKMP: attributes in transform:
00:51:24: ISAKMP: encaps is 1 (Tunnel)
00:51:24: ISAKMP: SA life type in seconds
00:51:24: ISAKMP: SA life duration (basic) of 28800
00:51:24: ISAKMP: SA life type in kilobytes
00:51:24: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:24: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:24: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:24: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:24: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:51:24: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:24: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:51:24: ISAKMP: set new node -429221146 to QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 2237255312, message ID = -429221146
00:51:24: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:51:24: ISAKMP:(0:1:SW:1):purging node -429221146
00:51:24: ISAKMP:(0:1:SW:1):deleting node 1268073006 error TRUE reason "QM rejected"
00:51:24: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node 1268073006: state = IKE_QM_READY
00:51:24: ISAKMP:(0:1:SW:1):Node 1268073006, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:51:24: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
00:51:24: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3
00:51:54: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:51:54: ISAKMP: set new node -500877443 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -500877443
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, AH_SHA
00:51:54: ISAKMP: attributes in transform:
00:51:54: ISAKMP: encaps is 1 (Tunnel)
00:51:54: ISAKMP: SA life type in seconds
00:51:54: ISAKMP: SA life duration (basic) of 28800
00:51:54: ISAKMP: SA life type in kilobytes
00:51:54: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:54: ISAKMP: authenticator is HMAC-SHA
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:51:54: ISAKMP: transform 1, ESP_3DES
00:51:54: ISAKMP: attributes in transform:
00:51:54: ISAKMP: encaps is 1 (Tunnel)
00:51:54: ISAKMP: SA life type in seconds
00:51:54: ISAKMP: SA life duration (basic) of 28800
00:51:54: ISAKMP: SA life type in kilobytes
00:51:54: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:51:54: ISAKMP:(0:1:SW:1):atts are acceptable.
00:51:54: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:51:54: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:51:54: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:51:54: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:51:54: ISAKMP: set new node -701693099 to QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 2237255312, message ID = -701693099
00:51:54: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:51:54: ISAKMP:(0:1:SW:1):purging node -701693099
00:51:54: ISAKMP:(0:1:SW:1):deleting node -500877443 error TRUE reason "QM rejected"
00:51:54: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node -500877443: state = IKE_QM_READY
00:51:54: ISAKMP:(0:1:SW:1):Node -500877443, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:51:54: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
00:52:14: ISAKMP:(0:1:SW:1):purging node 1268073006
CCC#sh crypto isakmp sa
dst src state conn-id slot status
1.1.1.2 1.1.1.3 QM_IDLE 1 0 ACTIVE
CCC#ping 192.168.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.5, timeout is 2 seconds:
00:52:44: ISAKMP:(0:1:SW:1):purging node -500877443...
00:52:50: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:52:50: ISAKMP: set new node 1186613650 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 1186613650
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, AH_SHA
00:52:50: ISAKMP: attributes in transform:
00:52:50: ISAKMP: encaps is 1 (Tunnel)
00:52:50: ISAKMP: SA life type in seconds
00:52:50: ISAKMP: SA life duration (basic) of 28800
00:52:50: ISAKMP: SA life type in kilobytes
00:52:50: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:52:50: ISAKMP: authenticator is HMAC-SHA
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:52:50: ISAKMP: transform 1, ESP_3DES
00:52:50: ISAKMP: attributes in transform:
00:52:50: ISAKMP: encaps is 1 (Tunnel)
00:52:50: ISAKMP: SA life type in seconds
00:52:50: ISAKMP: SA life duration (basic) of 28800
00:52:50: ISAKMP: SA life type in kilobytes
00:52:50: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:52:50: ISAKMP:(0:1:SW:1):atts are acceptable.
00:52:50: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:52:50: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:52:50: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:52:50: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:52:50: ISAKMP: set new node -1113601414 to QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 2237255312, message ID = -1113601414
00:52:50: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:52:50: ISAKMP:(0:1:SW:1):purging node -1113601414
00:52:50: ISAKMP:(0:1:SW:1):deleting node 1186613650 error TRUE reason "QM rejected"
00:52:50: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node 1186613650: state = IKE_QM_READY
00:52:50: ISAKMP:(0:1:SW:1):Node 1186613650, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:52:50: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
00:52:50: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.3 .
Success rate is 0 percent (0/5)
CCC#
00:53:20: ISAKMP (0:134217729): received packet from 1.1.1.3 dport 500 sport 500 Global (R) QM_IDLE
00:53:20: ISAKMP: set new node 459446741 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 459446741
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, AH_SHA
00:53:20: ISAKMP: attributes in transform:
00:53:20: ISAKMP: encaps is 1 (Tunnel)
00:53:20: ISAKMP: SA life type in seconds
00:53:20: ISAKMP: SA life duration (basic) of 28800
00:53:20: ISAKMP: SA life type in kilobytes
00:53:20: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:53:20: ISAKMP: authenticator is HMAC-SHA
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
00:53:20: ISAKMP: transform 1, ESP_3DES
00:53:20: ISAKMP: attributes in transform:
00:53:20: ISAKMP: encaps is 1 (Tunnel)
00:53:20: ISAKMP: SA life type in seconds
00:53:20: ISAKMP: SA life duration (basic) of 28800
00:53:20: ISAKMP: SA life type in kilobytes
00:53:20: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
00:53:20: ISAKMP:(0:1:SW:1):atts are acceptable.
00:53:20: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
local_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
00:53:20: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
00:53:20: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
00:53:20: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 1.1.1.2 remote 1.1.1.3)
00:53:20: ISAKMP: set new node -1692074376 to QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 2237255312, message ID = -1692074376
00:53:20: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.3 my_port 500 peer_port 500 (R) QM_IDLE
00:53:20: ISAKMP:(0:1:SW:1):purging node -1692074376
00:53:20: ISAKMP:(0:1:SW:1):deleting node 459446741 error TRUE reason "QM rejected"
00:53:20: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:
for node 459446741: state = IKE_QM_READY
00:53:20: ISAKMP:(0:1:SW:1):Node 459446741, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:53:20: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY New State = IKE_QM_READY
00:53:40: ISAKMP:(0:1:SW:1):purging node 1186613650
00:53:42: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
00:54:10: ISAKMP:(0:1:SW:1):purging node 459446741
===============================================================================
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.3 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.10.10.0 255.255.255.0 inside
pdm location 10.10.10.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 1.1.1.2
crypto map outside_map 20 set transform-set Petaluma_VPN
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh timeout 5
dhcpd address 192.168.1.5-192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:8c0d4948407071d3515f1546cf8bc147
: end
pixfirewall#
=========================================================================
CCC#sh run
Building configuration...
Current configuration : 1328 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CCC
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco123 address 1.1.1.3
!
!
crypto ipsec transform-set Petaluma_VPN ah-sha-hmac esp-3des
!
crypto map Petaluma_1 1 ipsec-isakmp
set peer 1.1.1.3
set transform-set Petaluma_VPN
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
speed auto
half-duplex
!
interface Serial0/0
no ip address
shutdown
clock rate 56000
!
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
crypto map Petaluma_1
!
ip forward-protocol nd
ip route 192.168.1.0 255.255.255.0 1.1.1.3
!
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end
CCC#
08-06-2011 12:05 PM
Hi David,
Looking over the router configuration it seems as though you applied the crypto map to the wrong interface.
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
speed auto
half-duplex
!
interface FastEthernet0/1
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
crypto map Petaluma_1
Since the PIX will attempt to build a VPN tunnel to 1.1.1.2, the crypto map Petaluma_1 should be applied to FastEthernet0/0, not FastEthernet0/1.
Let me know if this helps.
Thanks,
Loren
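The check Loren did by eye, as an added example (not code from the thread or from Cisco): parse the router's interface blocks, find which interface carries the crypto map, and compare it with the local address that IOS rejected in the `IPSEC(validate_transform_proposal)` debug line. The sample config and log lines are constructed from the values in the thread; `parse_interfaces`, `invalid_local_addresses` and `diagnose` are this example's own names.

```python
import re

# Constructed sample: the interface section of the router config as posted,
# with the crypto map on the inside interface (FastEthernet0/1) instead of
# the interface that owns the IKE peer address 1.1.1.2.
ROUTER_CONFIG = """\
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 ip address 10.10.10.2 255.255.255.0
 crypto map Petaluma_1
!
"""

# Constructed sample: the debug lines that carry the diagnosis.
DEBUG_LOG = """\
00:51:24: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 1.1.1.2, remote= 1.1.1.3,
00:51:24: IPSEC(validate_transform_proposal): invalid local address 1.1.1.2
"""


def parse_interfaces(config):
    """Map each interface to its IPv4 address and the crypto map bound to it."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"ip": None, "crypto_map": None}
        elif line.startswith("!"):
            current = None  # "!" closes the interface block
        elif current:
            m = re.match(r"\s*ip address (\S+) \S+", line)
            if m:
                interfaces[current]["ip"] = m.group(1)
            m = re.match(r"\s*crypto map (\S+)", line)
            if m:
                interfaces[current]["crypto_map"] = m.group(1)
    return interfaces


def invalid_local_addresses(log):
    """Local addresses IOS rejected in IPSEC(validate_transform_proposal)."""
    return sorted(set(re.findall(r"invalid local address (\S+)", log)))


def diagnose(config, log):
    """One finding per rejected local address whose interface has no crypto
    map; an empty list means the map already sits on the right interface."""
    ifaces = parse_interfaces(config)
    findings = []
    for addr in invalid_local_addresses(log):
        owner = next((n for n, i in ifaces.items() if i["ip"] == addr), None)
        if owner is None:
            findings.append(f"{addr} is not configured on any interface")
        elif ifaces[owner]["crypto_map"] is None:
            for name, i in ifaces.items():
                if i["crypto_map"]:
                    findings.append(f"crypto map {i['crypto_map']} is applied to "
                                    f"{name}, but the peer reaches {addr} on "
                                    f"{owner}; apply the map to {owner}")
    return findings
```

Running `diagnose(ROUTER_CONFIG, DEBUG_LOG)` on the posted config reports the Petaluma_1 map on FastEthernet0/1 while 1.1.1.2 lives on FastEthernet0/0; once the map is moved, the same check returns nothing.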
08-06-2011 05:10 PM
Hi Loren,
Good catch! That was the fix. Can't believe I missed that! Thanks!!!!!!!!