l2l vpn between cisco pix and vpn concentrator 3030

pklein222 · ‎06-21-2007

l2l completes phase 1 but cannot seem to complete phase 2. A portion of the debug from the Pix is attached. Anyone got any ideas?

srue · ‎06-21-2007

possible transform set mismatch on phase 2.

in the pix, this will be the command's related to something like:

crypto map VPN 20 set transform-set 3desSHA

in the concentrator, it will be found on the main config page for a L2L setup under:

Encryption and Authentication (not the IKE Proposal setting)

or, in the concentrator

configuration--> policy mgmt -->traffic mgmt - SA's--> find the IPSEC SA for this connection and modify

pklein222 · ‎06-22-2007

I am thinking that as well. I have verified a couple of times the config on the concentrator, however, I only have part of what the other Pix has and something is bugging me. He setup his transform-set as IPSEC-3DES-MD5, instead of what I am used to seeing ESP-3DES-MD5. Personally never heard of IPSEC-3DES-MD5, however, I am no expert, just someone with some experience. What's your take on this?

pklein222 · ‎06-22-2007

Never mind my last post, it's just the name he gave his transform set. I took a look at his parameters again and he has used esp-3des esp-md5-hmac. Still trying to find the Phase 2 mismatch.