01-27-2011 07:35 AM
Hi
I am trying to establish a site-to-site tunnel between a UMTS router and an ASA 5505. The ASA has a static outside IP, the UMTS router a dynamic one. I have set up a connection profile on the ASA without IP, transform set, ........
If I now try to set up a site-to-site tunnel, the following appears in the ASDM log:
IP = <umts public ip>, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'id@domain.com'
On the UMTS router I can set up a remote ID and a local ID, but on the ASA I have not found this option. Any suggestions?
Which outputs do you need?
regards
Jason
01-27-2011 08:23 AM
Hello Jason,
Can you please attach the "sh run crypto" and "sh run tunnel-group" output from the asa?
Also check on the UMTS router if the VPN mode is aggressive instead of main-mode.
Sent from Cisco Technical Support iPhone App
01-27-2011 11:49 AM
OK, here it is:
sh run crypto:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set umts1_set esp-aes esp-sha-hmac
crypto ipsec transform-set umts2_set esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map cisco 1 match address outside_cryptomap_10.1
crypto dynamic-map cisco 1 set transform-set umts1_set
crypto dynamic-map cisco 1 set reverse-route
crypto dynamic-map cisco 2 match address outside_cryptomap_10.2
crypto dynamic-map cisco 2 set transform-set umts2_set
crypto dynamic-map cisco 2 set reverse-route
crypto dynamic-map a@domain.com 1 match address outside_cryptomap
crypto dynamic-map a@domain.com 1 set pfs
crypto dynamic-map a@domain.com 1 set transform-set umts1_set
crypto dynamic-map a@domain.com 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map 1 ipsec-isakmp dynamic a@domain.com
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map dyn-map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
On the other side there is an entry called b@domain.com, and this entry appears in the ASDM log.
sh run tunnel-group:
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group client_vpn type remote-access
tunnel-group client_vpn general-attributes
address-pool VPNPOOL
default-group-policy client_vpn
tunnel-group client_vpn ipsec-attributes
pre-shared-key *****
tunnel-group a@domain.com type ipsec-l2l
tunnel-group a@domain.com ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
One question: normally it should work without a connection profile, shouldn't it?
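As an added check (not from the thread and not Cisco's own tooling), a small Python script that reads the two outputs posted above and reports which aggressive-mode IKE IDs the ASA rejected and whether any `ipsec-l2l` tunnel-group matches them. The config and log excerpts are constructed samples modelled on this thread; the peer IP is a documentation address.

```python
import re

# Constructed sample: the relevant part of "sh run tunnel-group" from the thread.
TUNNEL_GROUP_CONFIG = """\
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
tunnel-group client_vpn type remote-access
tunnel-group a@domain.com type ipsec-l2l
tunnel-group a@domain.com ipsec-attributes
 pre-shared-key *****
"""

# Constructed sample ASDM log lines (documentation peer address, not a real site).
ASDM_LOG = """\
IP = 198.51.100.7, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'b@domain.com'
IP = 198.51.100.7, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'A@domain.com'
"""

L2L_RE = re.compile(r"^\s*tunnel-group\s+(\S+)\s+type\s+ipsec-l2l\s*$", re.M)
UNKNOWN_TG_RE = re.compile(
    r"IP = (?P<peer>[\d.]+), Received ISAKMP Aggressive Mode message 1 "
    r"with unknown tunnel group name '(?P<name>[^']+)'")


def l2l_tunnel_groups(config):
    """Names the ASA can look up when an aggressive-mode peer presents its IKE ID."""
    return set(L2L_RE.findall(config))


def unknown_tunnel_group_events(log):
    """(peer_ip, presented_id) for every aggressive-mode lookup failure in the log."""
    return [(m["peer"], m["name"]) for m in UNKNOWN_TG_RE.finditer(log)]


def diagnose(config, log):
    """Compare each rejected IKE ID with the configured L2L groups.

    verdict: "missing" (no group of that name, add one named after the peer ID),
    "case-mismatch" (a group differs only in letter case; check the exact spelling),
    or "configured" (log and running config disagree, re-check the running config).
    """
    groups = l2l_tunnel_groups(config)
    lowered = {g.lower(): g for g in groups}
    findings = []
    for peer, name in unknown_tunnel_group_events(log):
        if name in groups:
            verdict, closest = "configured", name
        elif name.lower() in lowered:
            verdict, closest = "case-mismatch", lowered[name.lower()]
        else:
            verdict, closest = "missing", None
        findings.append({"peer": peer, "presented_id": name,
                         "verdict": verdict, "closest_group": closest})
    return findings
```

Run `diagnose(TUNNEL_GROUP_CONFIG, ASDM_LOG)` against your own outputs to see exactly which ID the peer sends and which group name it would have to match.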
01-28-2011 03:18 AM
Any suggestions?
01-30-2011 10:33 AM
1. By UMTS router do you mean a router of different brand or is it a cisco router which supports UMTS?
2. What was the reference to "on the other side there is an entry with b@domain.com" ? Is there a dynamic crypto map on the other side?
3. Is there a hostname based peer set on the router? Like using a hostname in the peer ip field instead of ip.
Sent from Cisco Technical Support iPhone App