06-21-2007 11:20 AM - edited 02-21-2020 03:07 PM
The L2L tunnel completes phase 1 but cannot seem to complete phase 2. A portion of the debug from the PIX is attached. Anyone got any ideas?
06-21-2007 12:14 PM
Possible transform set mismatch on phase 2.
In the PIX, this will be the commands related to something like:
crypto map VPN 20 set transform-set 3desSHA
In the concentrator, it will be found on the main config page for an L2L setup under:
Encryption and Authentication (not the IKE Proposal setting)
or, in the concentrator:
Configuration --> Policy Mgmt --> Traffic Mgmt - SAs --> find the IPSEC SA for this connection and modify it
06-22-2007 07:03 AM
I am thinking that as well. I have verified the config on the concentrator a couple of times; however, I only have part of what the other PIX has, and something is bugging me. He set up his transform-set as IPSEC-3DES-MD5, instead of what I am used to seeing, ESP-3DES-MD5. Personally never heard of IPSEC-3DES-MD5; however, I am no expert, just someone with some experience. What's your take on this?
06-22-2007 08:23 AM
Never mind my last post, it's just the name he gave his transform set. I took a look at his parameters again and he has used esp-3des esp-md5-hmac. Still trying to find the Phase 2 mismatch.
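Added example, not part of any post in this thread: a small Python check that resolves the transform-set name on a PIX crypto map entry to the transforms it actually defines and compares those with the peer's, since the name itself is arbitrary. The sample configuration is constructed, the function names are hypothetical, and the peer's settings are assumed to be written in the same PIX keywords (esp-3des, esp-md5-hmac).

```python
import re

# Constructed sample PIX configuration (not the config from this thread).
PIX_CONFIG = """\
crypto ipsec transform-set IPSEC-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desSHA esp-3des esp-sha-hmac
crypto map VPN 20 set transform-set 3desSHA
crypto map VPN 30 set transform-set IPSEC-3DES-MD5
"""

def parse_transform_sets(config):
    """Map each transform-set name to the set of transforms it defines."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = frozenset(m.group(2).split())
    return sets

def map_entry_transforms(config, map_name, seq):
    """Resolve the transform-set names on one crypto map entry to transforms."""
    sets = parse_transform_sets(config)
    pat = rf"^crypto map {re.escape(map_name)} {seq} set transform-set (.+)$"
    m = re.search(pat, config, re.M)
    if not m:
        raise LookupError(f"no transform-set on crypto map {map_name} {seq}")
    resolved = {}
    for name in m.group(1).split():
        if name not in sets:
            raise LookupError(f"transform-set {name} is referenced but not defined")
        resolved[name] = sets[name]
    return resolved

def phase2_mismatch(config, map_name, seq, peer_transforms):
    """Return differences per local set; empty list if any set matches the peer."""
    peer = frozenset(peer_transforms)
    resolved = map_entry_transforms(config, map_name, seq)
    if peer in resolved.values():
        return []  # names differ freely; only the transforms must agree
    return [f"{name}: local-only {sorted(t - peer)}, peer-only {sorted(peer - t)}"
            for name, t in resolved.items()]

if __name__ == "__main__":
    peer = ["esp-3des", "esp-md5-hmac"]  # constructed peer proposal
    for seq in (20, 30):
        print(seq, phase2_mismatch(PIX_CONFIG, "VPN", seq, peer) or "match")
```

An empty result means the transforms agree, so a remaining Phase 2 failure has to come from something other than the transform set.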