07-07-2008 08:04 AM - edited 03-11-2019 06:10 AM
Hi, I'm setting up a site-to-site VPN tunnel with the ISP, so could you guys please check the attached configuration. Tell me if I'm missing anything in the configuration. Thanks
07-07-2008 08:50 AM
Hi,
Please configure your split tunnel ACL just like the crypto ACL.
Regards
07-07-2008 08:56 AM
Hi, I'm getting this error in the inspection logs:
construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Please advise what to do about it.
I requested the configuration from the ISP. The config is below:
! Name alias and object groups used by the crypto ACL
name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
! Permit IKE (UDP/500) and ESP from the remote peer on the outside interface
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer
! Crypto ACL: traffic that is to be protected by the tunnel
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
! NAT exemption for the tunnel traffic
nat (outside) 0 access-list MTNVPNVOXIVA
! Phase 2 (IPsec) parameters
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 set peer VOXIVADC_VPN_Peer
crypto map ASPECT_MTNR 170 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 170 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
! Phase 1 (ISAKMP) parameters
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
! LAN-to-LAN tunnel group for the remote peer (key redacted)
tunnel-group 196.44.242.50 type ipsec-l2l
tunnel-group 196.44.242.50 ipsec-attributes
 pre-shared-key *
Please advise where we are making a mistake.
07-07-2008 09:22 AM
Please respond urgently.
07-07-2008 09:29 AM
Why did you put "nat (outside) 0 access-list MTNVPNVOXIVA"?
It should be nat (inside) 0 access-list MTNVPNVOXIVA.
07-07-2008 09:35 AM
OK, but what does the following error mean?
construct_ipsec_delete(): No SPI to identify Phase 2 SA!
07-07-2008 09:42 AM
Probably the PFS or the ACL is not matching on both sides.
Please check this as well.
07-07-2008 09:56 AM
No. Any other solution?
07-07-2008 10:04 AM
OK, just remove crypto map outside_map interface outside and enable it again.
Can you remove PFS on both sides and then try (remove the crypto map and enable it again)? Because this error normally shows a PFS mismatch issue.
07-07-2008 10:04 AM
Disable PFS. Your ISP is clearly not using it.
And make sure your crypto ACL matches theirs. At first glance, it doesn't. One of their ACL entries is using object groups - make sure you've realized that.
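The two checks raised in this thread, that the crypto ACLs on both peers are mirror images of each other (with object groups and name aliases expanded) and that PFS is either set on both ends or on neither, can be done mechanically before bringing the tunnel up. The script below is an added example written for this thread, not code from any poster or from Cisco. The ISP-side fragment is taken from the configuration posted above; the local-side fragment is constructed for illustration (the poster's actual attachment is not on the page), and the ACL name outside_cryptomap and crypto map name outside_map in it are assumed.

```python
"""Check that two ASA-style crypto ACLs are mirror images and that PFS is set
consistently on both peers. Object groups and 'name' aliases are expanded first."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source network, destination network)


@dataclass
class ParsedConfig:
    names: Dict[str, str] = field(default_factory=dict)        # alias -> address
    groups: Dict[str, List[Net]] = field(default_factory=dict)  # object-group -> networks
    acl_lines: Dict[str, List[List[str]]] = field(default_factory=dict)  # acl -> token lists
    pfs: bool = False                                           # any 'set pfs' on a crypto map


def _net(cfg: ParsedConfig, addr: str, mask: str = "255.255.255.255") -> Net:
    """Resolve a 'name' alias and build a network from address + dotted mask."""
    return ipaddress.IPv4Network(f"{cfg.names.get(addr, addr)}/{mask}", strict=False)


def parse_config(text: str) -> ParsedConfig:
    """Pull names, network object-groups, 'permit' ACL lines and PFS usage from config text."""
    cfg = ParsedConfig()
    current_group = None
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "name" and len(tok) >= 3:
            cfg.names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            current_group = tok[2]
            cfg.groups[current_group] = []
        elif tok[0] == "network-object" and current_group:
            if tok[1] == "host":
                cfg.groups[current_group].append(_net(cfg, tok[2]))
            else:
                cfg.groups[current_group].append(_net(cfg, tok[1], tok[2]))
        elif tok[0] == "access-list" and "permit" in tok:
            cfg.acl_lines.setdefault(tok[1], []).append(tok)
            current_group = None
        elif tok[:2] == ["crypto", "map"] and "pfs" in tok:
            cfg.pfs = True
            current_group = None
        else:
            current_group = None  # any other top-level line ends an object-group block
    return cfg


def _addr_spec(cfg: ParsedConfig, tok: List[str], i: int) -> Tuple[List[Net], int]:
    """Consume one ACL address operand starting at tok[i]; return (networks, next index)."""
    if tok[i] == "host":
        return [_net(cfg, tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return list(cfg.groups[tok[i + 1]]), i + 2
    if tok[i] == "any":
        return [ipaddress.IPv4Network("0.0.0.0/0")], i + 1
    return [_net(cfg, tok[i], tok[i + 1])], i + 2


def expand_acl(cfg: ParsedConfig, acl: str) -> Set[Pair]:
    """Expand an extended 'permit ip' ACL into explicit (src, dst) network pairs."""
    pairs: Set[Pair] = set()
    for tok in cfg.acl_lines.get(acl, []):
        i = tok.index("permit") + 1
        if tok[i] != "ip":
            continue  # crypto ACLs for an L2L tunnel should match protocol 'ip'
        srcs, i = _addr_spec(cfg, tok, i + 1)
        dsts, _ = _addr_spec(cfg, tok, i)
        pairs.update((s, d) for s in srcs for d in dsts)
    return pairs


def mirror(pairs: Set[Pair]) -> Set[Pair]:
    """The remote peer's (src, dst) pairs, as the local side must see them."""
    return {(d, s) for s, d in pairs}


def compare_peers(local_text: str, local_acl: str, remote_text: str, remote_acl: str) -> dict:
    local, remote = parse_config(local_text), parse_config(remote_text)
    want, have = mirror(expand_acl(remote, remote_acl)), expand_acl(local, local_acl)
    return {"missing_local": sorted(want - have), "extra_local": sorted(have - want),
            "pfs_mismatch": local.pfs != remote.pfs}


# ISP side: lines from the configuration posted in this thread.
ISP_CFG = """
name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
"""
# Local side: constructed for this example; it misses the object-group host and sets PFS.
LOCAL_CFG = """
access-list outside_cryptomap extended permit ip host 196.44.242.50 host 172.17.80.247
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247
access-list outside_cryptomap extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set pfs group2
"""

if __name__ == "__main__":
    for key, val in compare_peers(LOCAL_CFG, "outside_cryptomap", ISP_CFG, "MTNVPNVOXIVA").items():
        print(key, val)
```

Run against the constructed local fragment, the report lists one missing local entry (196.44.242.50/32 to 196.44.242.13/32, the pair hidden inside the ISP's object groups) and flags the PFS mismatch, which are exactly the two conditions the replies above point at.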
07-07-2008 10:15 AM
All, thank you very much, the issue has now been solved. Thanks once again.
07-07-2008 10:19 AM
No worries :)