Site to Site Tunnel (Urgent)

Answered Question
Jul 7th, 2008

Hi, I'm making a site-to-site VPN tunnel with the ISP, so can you guys please check the attached configuration. Tell me if I'm missing anything in the configuration. Thanks

Attachment: 
nomair_83 Mon, 07/07/2008 - 08:50

Hi,

Please configure your split-tunnel ACL just like the crypto ACL.

reg

ray_stone Mon, 07/07/2008 - 08:56

Hi, I'm getting this error in the inspection logs:

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please advise what to do with it.

I asked the ISP to show me their configuration. The config is below:

name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
nat (outside) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 set peer VOXIVADC_VPN_Peer
crypto map ASPECT_MTNR 170 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 170 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 196.44.242.50 type ipsec-l2l
tunnel-group 196.44.242.50 ipsec-attributes
 pre-shared-key *

Please advise where we are making a mistake.

nomair_83 Mon, 07/07/2008 - 09:29

Why did you put "nat (outside) 0 access-list MTNVPNVOXIVA"?

It should be nat (inside) 0 access-list MTNVPNVOXIVA

ray_stone Mon, 07/07/2008 - 09:35

OK, but what does the following error mean?

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

nomair_83 Mon, 07/07/2008 - 09:42

Probably the PFS or the ACL is not matching on both sides.

Please check this as well

Correct Answer
nomair_83 Mon, 07/07/2008 - 10:04

OK, just remove crypto map outside_map interface outside and enable it again.

Can you remove PFS on both sides and then try (remove the crypto map and enable it again)? Because this error normally shows a PFS mismatch issue.

Correct Answer
srue Mon, 07/07/2008 - 10:04

Disable PFS. Your ISP is clearly not using it.

And make sure your crypto ACL matches theirs. At first glance, it doesn't. One of their ACL entries is using object groups - make sure you've realized that.
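A mechanical version of the two checks srue describes (the crypto ACL on each side must mirror the other's, with object groups expanded, and PFS must be set on both peers or neither), written as an added example rather than anything posted in this thread. The ISP lines are the ones quoted above; the local config, its ACL name outside_cryptomap and its `crypto map outside_map 10 set pfs group2` line are constructed assumptions chosen so that both problems show up.

```python
import ipaddress

def _addr(tok, i, names, groups):
    """Consume one ACL address operand at tok[i]; return (set of CIDRs, next index)."""
    def net(a, m=None):  # resolve 'name <ip> <alias>' aliases, normalise to CIDR
        a = names.get(a, a)
        return str(ipaddress.ip_network(a if m is None else f"{a}/{m}"))
    if tok[i] == "host":
        return {net(tok[i + 1])}, i + 2
    if tok[i] == "object-group":
        return {net(*m) for m in groups[tok[i + 1]]}, i + 2
    return {net(tok[i], tok[i + 1])}, i + 2          # plain '<net> <mask>'
def parse_asa(cfg):
    """Return (acls, pfs): acls maps ACL name -> set of (src, dst) CIDR pairs."""
    names, groups, acls, pfs, cur = {}, {}, {}, False, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "name":                               # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            cur = groups.setdefault(t[2], [])
        elif t[0] == "network-object":                   # host <ip> | <net> <mask>
            cur.append(t[2:3] if t[1] == "host" else t[1:3])
        elif t[0] == "access-list" and t[3:5] == ["permit", "ip"]:
            src, i = _addr(t, 5, names, groups)
            dst, _ = _addr(t, i, names, groups)
            acls.setdefault(t[1], set()).update((s, d) for s in src for d in dst)
        elif t[:2] == ["crypto", "map"] and "pfs" in t:  # '... set pfs [group]'
            pfs = True
    return acls, pfs
def compare_crypto_acls(local_cfg, local_acl, remote_cfg, remote_acl):
    """Each remote (src, dst) must exist locally as (dst, src); PFS must agree."""
    (la, lpfs), (ra, rpfs) = parse_asa(local_cfg), parse_asa(remote_cfg)
    mirror = {(d, s) for s, d in ra.get(remote_acl, set())}
    local = la.get(local_acl, set())
    return {"missing_locally": sorted(mirror - local),
            "extra_locally": sorted(local - mirror),
            "pfs_mismatch": lpfs != rpfs}
# ISP side: the crypto-ACL-relevant lines from the config quoted in the thread.
ISP_CFG = """name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
network-object host 196.44.242.13
network-object host 172.17.80.247
object-group network VOXIVADC
network-object host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0"""
# Our side (constructed): only one mirrored entry, and PFS on, so the check flags both.
OUR_CFG = """access-list outside_cryptomap extended permit ip host 196.44.242.50 host 196.44.242.13
crypto map outside_map 10 set pfs group2"""
```

Running compare_crypto_acls(OUR_CFG, "outside_cryptomap", ISP_CFG, "MTNVPNVOXIVA") lists the three mirrored entries the local ACL lacks (the object-group pair plus the two /24s) and reports pfs_mismatch as True.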

ray_stone Mon, 07/07/2008 - 10:15

All, thank you very much. The issue has now been solved. Thanks once again.
