Site to Site Tunnel (Urgent)

Answered Question
Jul 7th, 2008
Hi, I'm making a site-to-site VPN tunnel with the ISP, so can you guys please check the attached configuration. Tell me if I'm missing anything in the configuration. Thanks

nomair_83 Mon, 07/07/2008 - 08:50

Hi,

Please configure your split tunnel ACL just like the crypto ACL.

Regards

ray_stone Mon, 07/07/2008 - 08:56

Hi, I'm getting this error in the inspection logs:

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please advise what to do about it.

I requested the configuration from the ISP. The config is below:

name 196.44.242.50 VOXIVADC_VPN_Peer

object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer

access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer

access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0

nat (outside) 0 access-list MTNVPNVOXIVA

crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac

crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 set peer VOXIVADC_VPN_Peer
crypto map ASPECT_MTNR 170 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 170 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

tunnel-group 196.44.242.50 type ipsec-l2l
tunnel-group 196.44.242.50 ipsec-attributes
 pre-shared-key *

Please advise where we are making a mistake.

nomair_83 Mon, 07/07/2008 - 09:29

Why did you put "nat (outside) 0 access-list MTNVPNVOXIVA"?

It should be nat (inside) 0 access-list MTNVPNVOXIVA.


ray_stone Mon, 07/07/2008 - 09:35

OK, but what does the following error mean?

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

nomair_83 Mon, 07/07/2008 - 09:42

Probably the PFS or ACL is not matching on both sides.

Please check this as well.

Correct Answer
nomair_83 Mon, 07/07/2008 - 10:04

OK, just remove crypto map outside_map interface outside and enable it again.

Can you remove PFS on both sites and then try (remove the crypto map and enable it again)? Because this error normally indicates a PFS mismatch issue.

Correct Answer
srue Mon, 07/07/2008 - 10:04

Disable PFS. Your ISP is clearly not using it.


And make sure your crypto ACL matches theirs. At first glance, it doesn't. One of their ACL entries is using object groups; make sure you've realized that.
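
The object-group point above is easy to check mechanically. As an added example (not code from anyone in this thread), this Python script expands both sides' crypto ACLs, including `name` aliases and network object-groups, into concrete (source, destination) network pairs and reports any pair with no mirrored entry on the peer; the ISP side is taken from the posted config (abbreviated to one subnet entry), while the local ACL `outside_cryptomap` is a constructed stand-in for the attachment that is not on the page.

```python
from ipaddress import ip_network
# Object groups and crypto ACL as the ISP posted them in the thread (abbreviated).
ISP_CONFIG = """
name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
"""
# Constructed local-side crypto ACL (the poster's attachment is not on the page): it
# mirrors the subnet entry but misses host 196.44.242.13 hidden in object-group MTNRwanda.
LOCAL_CONFIG = """
access-list outside_cryptomap extended permit ip host 196.44.242.50 host 172.17.80.247
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247
"""

def parse_config(text):
    """Return ('name' aliases, network object-groups, per-ACE tokens after 'permit <proto>')."""
    names, groups, aces, current = {}, {}, [], None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "name":
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":
            current.append(tok[1:])
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            aces.append(tok[5:])
    return names, groups, aces
def take_addr(tok, names, groups):
    """Consume one address spec (host X | object-group G | NET MASK); return (nets, rest)."""
    if tok[0] == "host":
        return {ip_network(names.get(tok[1], tok[1]))}, tok[2:]
    if tok[0] == "object-group":  # members are themselves 'host X' or 'NET MASK' specs
        return set().union(*(take_addr(m, names, groups)[0] for m in groups[tok[1]])), tok[2:]
    return {ip_network(f"{tok[0]}/{tok[1]}")}, tok[2:]
def flows(text):
    # Every (src, dst) network pair the config's permit ACEs select for the tunnel.
    names, groups, aces = parse_config(text)
    def expand(rest):
        src, rest = take_addr(rest, names, groups)
        return {(s, d) for s in src for d in take_addr(rest, names, groups)[0]}
    return set().union(*map(expand, aces))
def mirror_mismatch(local_text, remote_text):
    """Flows with no mirrored entry on the other side, as 'src -> dst' seen from our side."""
    local, remote = flows(local_text), {(d, s) for s, d in flows(remote_text)}
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(local - remote), fmt(remote - local)
```

`mirror_mismatch(LOCAL_CONFIG, ISP_CONFIG)` returns an empty list for the local side and `['196.44.242.50/32 -> 196.44.242.13/32']` for the ISP side, the entry that only becomes visible once the object group is expanded.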

ray_stone Mon, 07/07/2008 - 10:15

All, thank you very much, the issue has now been solved. Thanks once again.
