Site to Site Tunnel (Urgent)

ray_stone
Level 1

Hi, I'm setting up a site-to-site VPN tunnel with my ISP, so could you guys please check the attached configuration? Tell me if I'm missing anything in the configuration. Thanks.

2 Accepted Solutions

OK, just remove "crypto map outside_map interface outside" and enable it again.

Can you remove PFS on both sides and then try (remove the crypto map and enable it again)? Because this error normally indicates a PFS mismatch issue.

Disable PFS. Your ISP is clearly not using it.

And make sure your crypto ACL matches theirs. At first glance, it doesn't. One of their ACL entries is using object-groups; make sure you've realized that.
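To make the two accepted answers concrete, here is an added example (my own code, not from the thread or from Cisco): a small Python checker that parses the ISP's object-groups and crypto ACL as posted later in the thread, expands the object-group entry into its member pairs, mirrors the flows to get the ACL the local side must carry, and diffs that against a local crypto ACL. It also flags a PFS mismatch (the ISP's crypto-map entry has no "set pfs") and reports a "nat (interface) 0 access-list" exemption that is not bound to the inside interface, following the advice in the replies. The local configuration is constructed for the example: the ACL name outside_cryptomap is assumed, while outside_map is the crypto-map name mentioned in the thread.

```python
"""Added example: mirror a peer's ASA crypto ACL (expanding object-groups), diff it
against the local crypto ACL, and flag PFS and NAT-exemption differences."""
import ipaddress
from types import SimpleNamespace

def _operand(cfg, tok, i):
    """Parse one address operand starting at tok[i]; return ([IPv4Network], next i)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(cfg.names.get(tok[i + 1], tok[i + 1]))], i + 2
    if tok[i] == "object-group":
        return list(cfg.groups[tok[i + 1]]), i + 2
    addr = cfg.names.get(tok[i], tok[i])  # "<addr> <dotted mask>" form
    return [ipaddress.ip_network(f"{addr}/{tok[i + 1]}")], i + 2

def parse_asa(text):
    """Parse the subset of ASA syntax that matters for a site-to-site tunnel."""
    cfg = SimpleNamespace(names={}, groups={}, acls={}, crypto_maps={}, nat_exempt={})
    group = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "name":  # name <ip> <symbol>
            cfg.names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            group = cfg.groups.setdefault(tok[2], [])
        elif tok[0] == "network-object" and group is not None:
            group.extend(_operand(cfg, tok, 1)[0])
        elif tok[0] == "access-list" and tok[2:4] == ["extended", "permit"]:
            src, i = _operand(cfg, tok, 5)
            dst, _ = _operand(cfg, tok, i)  # trailing port qualifiers are ignored
            cfg.acls.setdefault(tok[1], []).append((tok[4], src, dst))
        elif tok[:2] == ["crypto", "map"] and len(tok) >= 6 and tok[3].isdigit():
            entry = cfg.crypto_maps.setdefault((tok[2], int(tok[3])), {"match": None, "pfs": False})
            if tok[4:6] == ["match", "address"]:
                entry["match"] = tok[6]
            elif tok[4:6] == ["set", "pfs"]:
                entry["pfs"] = True
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:  # pre-8.3 NAT exemption
            cfg.nat_exempt[tok[4]] = tok[1].strip("()")
    return cfg

def expand_acl(cfg, acl_name):
    """Concrete (proto, src, dst) flows, one per object-group member pair."""
    return {(proto, str(s), str(d))
            for proto, srcs, dsts in cfg.acls[acl_name] for s in srcs for d in dsts}

def mirror(flows):
    """The ACL the other end must carry: the same flows with src and dst swapped."""
    return {(proto, dst, src) for proto, src, dst in flows}

def pfs_enabled(cfg, acl_name):
    """True if the crypto-map entry matching acl_name carries 'set pfs'."""
    return any(e["pfs"] for e in cfg.crypto_maps.values() if e["match"] == acl_name)

def check_tunnel(local, local_acl, peer, peer_acl):
    """Return a list of findings; an empty list means the two sides line up."""
    expected = mirror(expand_acl(peer, peer_acl))
    actual = expand_acl(local, local_acl)
    findings = [f"missing local crypto ACE: {p} {s} -> {d}" for p, s, d in sorted(expected - actual)]
    findings += [f"extra local crypto ACE: {p} {s} -> {d}" for p, s, d in sorted(actual - expected)]
    if pfs_enabled(local, local_acl) != pfs_enabled(peer, peer_acl):
        findings.append(f"PFS mismatch: local={pfs_enabled(local, local_acl)} peer={pfs_enabled(peer, peer_acl)}")
    for acl, iface in list(local.nat_exempt.items()) + list(peer.nat_exempt.items()):
        if iface != "inside":  # per the thread: nat 0 goes on the interface facing the protected hosts
            findings.append(f"NAT exemption for {acl} is bound to '{iface}', expected 'inside'")
    return findings

# ISP side, as posted in the thread (only the lines the checker needs).
ISP_CONFIG = """\
name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
nat (outside) 0 access-list MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
"""

# Constructed local side (hypothetical; ACL name assumed): it mirrors the two /24 lines
# and the first object-group member but misses the second, and it sets PFS.
LOCAL_CONFIG = """\
access-list outside_cryptomap extended permit ip host 196.44.242.50 host 196.44.242.13
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 host 172.17.80.247
access-list outside_cryptomap extended permit ip 192.168.51.0 255.255.255.0 host 172.17.80.247
nat (inside) 0 access-list outside_cryptomap
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set pfs group2
"""

if __name__ == "__main__":
    for line in check_tunnel(parse_asa(LOCAL_CONFIG), "outside_cryptomap", parse_asa(ISP_CONFIG), "MTNVPNVOXIVA"):
        print(line)
```

Run as-is it reports three findings for the constructed local side: the ACE for 196.44.242.50 to 172.17.80.247 that the object-group expansion requires, the PFS mismatch, and the ISP's NAT exemption being bound to "outside". Adding the missing ACE and dropping "set pfs" clears everything except the note about the ISP's NAT exemption, which is the point nomair_83 raises in the thread.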

11 Replies

nomair_83
Level 3

Hi,

Please configure your split-tunnel ACL just like the crypto ACL.

Regards

Hi, I'm getting this error in the inspection logs:

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please advise what to do about it.

I asked the ISP to show me their configuration. The config is below:

name 196.44.242.50 VOXIVADC_VPN_Peer
!
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
!
! Interface ACL: permit ISAKMP (UDP/500) and ESP for the tunnel endpoints
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer
!
! Crypto (interesting-traffic) ACL; the first entry expands to every MTNRwanda/VOXIVADC host pair
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
! NAT exemption for the tunnelled traffic
nat (outside) 0 access-list MTNVPNVOXIVA
!
! Phase 2 (IPsec); note there is no 'set pfs' on this crypto-map entry
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 set peer VOXIVADC_VPN_Peer
crypto map ASPECT_MTNR 170 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 170 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
!
! Phase 1 (ISAKMP)
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 196.44.242.50 type ipsec-l2l
tunnel-group 196.44.242.50 ipsec-attributes
 pre-shared-key *

Please advise where we are making a mistake.

Please respond urgently.

Why did you put "nat (outside) 0 access-list MTNVPNVOXIVA"?

It should be nat (inside) 0 access-list MTNVPNVOXIVA

OK, but what does the following error mean?

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Probably the PFS or the ACL is not matching on both sides.

Please check this as well.

No, any other solution?


All, thank you very much, the issue has now been solved. Thanks once again.

No worries :)
