ASA 5540 to WatchGuard VPN

Unanswered Question
Jan 11th, 2008

I am trying to configure a VPN to a partner company with a WatchGuard firewall.

I am running a 5540 ASA version 7.2.

It's a pre-shared key config, and passes phase 1. I don't get any debug entries after that and no errors.

A show crypto isakmp sa gives the following:

19  IKE Peer: 64.xxx.xxx.xxx
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

But a show crypto ipsec doesn't have it listed anywhere.

My crypto config is as follows:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_xxxxx_cryptomap
crypto map outside_map 100 set peer 64.xxx.xxx.xxx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 20

My tunnel config is as follows:

tunnel-group 64.xxx.xxx.xxx type ipsec-l2l
tunnel-group 64.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable

ajagadee Thu, 01/17/2008 - 11:46

Can you post the "deb cry is" and "deb cry ipsec" when you try and bring up the tunnel?

Regards,

Arul
