IPsec VPN

kamrannaseem1
Level 1

Hello,

I am having an issue establishing an IPsec VPN with my customer and am unable to establish the VPN.

Please see the attached logs from the ASA.

Any help would be much appreciated.

Many thanks.

Rahul Govindan
VIP Alumni

Looks like a proxy mismatch. Other side seems to be sending a different proxy from what you have configured, which kills the negotiation.

What is a proxy mismatch?

Basically, what traffic has to be encrypted. It usually consists of a source and destination network and is applied as an ACL in your crypto map. For example, in the config example below, the following line defines the ACL to match what traffic has to be encrypted.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html#anc19

crypto map outside-map 1 match address cryacl

This ACL has to be an exact mirror on the other peer device, i.e., source and destination addresses and ports swapped.
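
The mirror requirement described in the reply above can be checked offline before a change window. The following is an added example, not part of the original thread or the linked Cisco document: it assumes both peers use ASA-style `access-list ... extended permit` entries with netmasks, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample crypto ACLs (addresses are illustrative, not from the thread).
LOCAL = [
    "access-list cryacl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0",
    "access-list cryacl extended permit ip 10.1.1.0 255.255.255.0 10.3.0.0 255.255.0.0",
]
REMOTE = [
    "access-list cryacl extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0",
    "access-list cryacl extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0",
]

def _addr(tok):
    """Consume one address spec (any | host A | NET MASK) from the token list."""
    t = tok.pop(0)
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tok.pop(0)}")

def _port(tok):
    """Consume an optional 'eq PORT' qualifier; None means all ports."""
    if tok[:1] == ["eq"]:
        del tok[0]
        return tok.pop(0)
    return None

def parse_ace(line):
    """Parse one permit entry into (proto, src, sport, dst, dport); ACL name is ignored."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["extended", "permit"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    proto, rest = tok[4], tok[5:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return proto, src, sport, dst, dport

def mirror(ace):
    """Swap source and destination addresses and ports."""
    proto, src, sport, dst, dport = ace
    return proto, dst, dport, src, sport

def proxy_mismatches(local_acl, remote_acl):
    """Return (local entries with no mirror on the peer, mirrored peer entries missing locally)."""
    local = {parse_ace(l) for l in local_acl}
    expected = {mirror(parse_ace(l)) for l in remote_acl}
    return local - expected, expected - local

if __name__ == "__main__":
    only_local, only_remote = proxy_mismatches(LOCAL, REMOTE)
    print("no mirror on peer:", only_local, "\npeer expects locally:", only_remote)
```

With the constructed input, the overlapping but non-identical pair (10.3.0.0/16 locally, 10.3.3.0/24 on the peer) is reported on both sides, which is the kind of difference that shows up as a proxy mismatch.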