
L2L VPN not establishing.

Hi,

I am trying to set up a site-to-site VPN. My end is a PIX & the other end is a VPN concentrator.

But it seems that 2nd phase Quick mode is not coming up.

I have uploaded the debug; can someone please analyze it & let me know the cause of the problem?

Thanks in advance!

5 Replies

Hi,

From the log, I suspect that the IPsec transform-set is not matching between the VPN end-points.

Can you please confirm it?

--Jaffer

Hi Jaffer,

Below is the relevant config. I believe everything is alright in the configuration; can you confirm?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list Test permit icmp any any

access-list ICMP permit icmp any any

access-list 101 permit ip 192.168.0.0 255.255.255.0 host 10.212.213.145

ip address outside a.b.c.d 255.255.255.248

ip address inside 192.168.0.4 255.255.255.0

nat (inside) 0 access-list 101

access-group Test in interface outside

sysopt connection permit-ipsec

crypto ipsec transform-set ing esp-3des esp-md5-hmac

crypto map ingmex 10 ipsec-isakmp

crypto map ingmex 10 match address 101

crypto map ingmex 10 set peer w.x.y.z

crypto map ingmex 10 set transform-set ing

crypto map ingmex interface outside

isakmp enable outside

isakmp key XXXXXX address w.x.y.z netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Thanks!

ggilbert
Cisco Employee

Can you go send the logs from the concentrator?

Set the severities to 1-13 for IKE, IKEDBG, IPSEC and IPSECDBG. Try to establish the tunnel and send me the logs from the concentrator.

Cheers

gilbert

From the logs, we are trying to bring up phase 2 but we received a delete from the concentrator side.

OK, thanks!

After a few hours, I have a concall with the client.

Right now I cannot get the logs & config of their concentrator, but surely I will put forward these questions.

Thanks for all your help!
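The transform-set question raised in the first reply can only be settled by comparing both ends field by field. The following is an added example, not code from the thread or from Cisco: it resolves the Phase 2 values from the PIX lines posted above and compares them with peer values. `phase2_params`, `mismatches` and `PEER` are hypothetical names, and the peer values are constructed for illustration because the concentrator configuration was never posted.

```python
# PIX 6.3 lines copied from the thread; w.x.y.z is the thread's own masking.
PIX_CONFIG = """\
access-list 101 permit ip 192.168.0.0 255.255.255.0 host 10.212.213.145
crypto ipsec transform-set ing esp-3des esp-md5-hmac
crypto map ingmex 10 match address 101
crypto map ingmex 10 set peer w.x.y.z
crypto map ingmex 10 set transform-set ing
"""

def _addr(tok):
    """Consume one PIX address spec; return ((network, mask), remaining tokens)."""
    if tok[0] == "host":
        return (tok[1], "255.255.255.255"), tok[2:]
    if tok[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tok[1:]
    return (tok[0], tok[1]), tok[2:]

def phase2_params(config):
    """Resolve each crypto map entry to the Phase 2 values the peer must mirror."""
    acls, tsets, maps = {}, {}, {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:1] == ["access-list"] and tok[2:4] == ["permit", "ip"]:
            src, rest = _addr(tok[4:])
            acls.setdefault(tok[1], []).append((src, _addr(rest)[0]))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[tok[3]] = set(tok[4:])
        elif tok[:2] == ["crypto", "map"] and len(tok) == 7 and tok[4] in ("set", "match"):
            key = "acl" if tok[4:6] == ["match", "address"] else tok[5]
            maps.setdefault((tok[2], tok[3]), {})[key] = tok[6]
    return {name: {"peer": m.get("peer"), "pfs": m.get("pfs"),
                   "transforms": tsets.get(m.get("transform-set"), set()),
                   "proxy": acls.get(m.get("acl"), [])}
            for name, m in maps.items()}

def mismatches(local, peer):
    """List Phase 2 fields where the ends disagree (peer proxy IDs are mirrored)."""
    mirrored = [(dst, src) for src, dst in peer["proxy"]]
    checks = {"transforms": local["transforms"] == set(peer["transforms"]),
              "pfs": local["pfs"] == peer["pfs"],
              "proxy": sorted(local["proxy"]) == sorted(mirrored)}
    return [field for field, same in checks.items() if not same]

# Constructed peer-side values (the concentrator config is not in the thread).
PEER = {"transforms": {"esp-3des", "esp-sha-hmac"}, "pfs": "group2",
        "proxy": [(("10.212.213.145", "255.255.255.255"),
                   ("192.168.0.0", "255.255.255.0"))]}

if __name__ == "__main__":
    print(mismatches(phase2_params(PIX_CONFIG)[("ingmex", "10")], PEER))
```

With the real values from the concentrator side in place of `PEER`, an empty list means the transforms, PFS setting and proxy identities agree.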
