07-14-2009 11:26 AM
Hello Experts,
I have an issue setting up a site-to-site VPN between a Cisco 2651XM and an ASA 5505.
Here's the config from both devices.
On Cisco 2651XM
===============
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco12345 address 205.200.8.XXX
!
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to205.200.8.251
set peer 205.200.8.XXX
set transform-set ESP-DES-SHA
match address 102
qos pre-classify
interface Dialer1
ip nbar protocol-discovery
crypto map SDM_CMAP_2
On ASA 5505
===========
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list outside_6_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 205.200.9.xxx
crypto map outside_map 6 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 205.200.9.203 type ipsec-l2l
tunnel-group 205.200.9.203 ipsec-attributes
pre-shared-key *
Here's the output log from the ASA 5505:
IP = 205.200.9.XXX Received encrypted packet with no matching SA, dropping
Group = 205.200.9.XXX Username = 205.200.9.XXX IP = 205.200.9.XXX Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Group = 205.200.9.XXX IP = 205.200.9.XXX Removing peer from correlator table failed, no match!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, QM FSM error (P2 struct &0xd7b42260, mess id 0x84b2979c)!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, All IPSec SA proposals found unacceptable!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, PHASE 1 COMPLETED
Please help me out.
OJ
07-14-2009 01:12 PM
Here's an excellent VPN troubleshooting guide-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
07-14-2009 07:56 PM
Went through the link. Tried doing what relates to my issue but no luck. Any other idea?
07-15-2009 08:30 PM
I found the issue. It was a PFS group issue. The sh crypto map command helped me. It was showing DH1; I changed it to DH2 and the issue was resolved. Thanks for your help though.
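Added example, not part of the thread or any poster's code: a short Python check that compares the Phase 2 parameters (PFS group and transform set) on both peers, the kind of mismatch behind the "All IPSec SA proposals found unacceptable" log line above. The configs are constructed samples, the function names are hypothetical, and the groups applied to a bare "set pfs" are assumptions to verify for your software release.

```python
import re

# Assumption: group used when "set pfs" names none (verify for your release).
DEFAULT_PFS = {"ios": "group1", "asa": "group2"}

def phase2_params(config, platform):
    """Return the PFS group and transform list a crypto map will propose."""
    ts_defs, ts_name, pfs = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            ts_defs[m.group(1)] = sorted(m.group(2).split())
            continue
        m = re.search(r"\bset pfs(?: (group\d+))?$", line)
        if m:
            pfs = m.group(1) or DEFAULT_PFS[platform]
            continue
        m = re.search(r"\bset transform-set (\S+)$", line)
        if m:
            ts_name = m.group(1)
    return {"pfs": pfs, "transforms": ts_defs.get(ts_name)}

def mismatches(cfg_a, plat_a, cfg_b, plat_b):
    """List the Phase 2 parameters on which the two peers disagree."""
    a, b = phase2_params(cfg_a, plat_a), phase2_params(cfg_b, plat_b)
    return [k for k in ("pfs", "transforms") if a[k] != b[k]]

# Constructed sample configs (documentation addresses, not the posters' devices).
ROUTER = """
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-DES-SHA
 set pfs group1
 match address 102
"""
ASA = """
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 192.0.2.2
crypto map outside_map 6 set transform-set ESP-DES-SHA
"""
ROUTER_FIXED = ROUTER.replace("set pfs group1", "set pfs group2")

if __name__ == "__main__":
    print("before:", mismatches(ROUTER, "ios", ASA, "asa"))
    print("after: ", mismatches(ROUTER_FIXED, "ios", ASA, "asa"))
```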