IPSec decap error

Unanswered Question
Jul 19th, 2008
Hello everyone.


I have a funny problem with an ASA5510 VPN.


I have created two VPN tunnels with two offices.


ASA to D-LINK VPN router

ASA to 1751 like Router.


Both the tunnels are established and I can ping from the D-LINK local net to the ASA local net, but I cannot ping from the 1751 local net to the ASA local net. The error I am getting is below:


2 12:04:45 IPSEC_PACKET(decaps):

rec'd IPSEC packet from 192.168.1.2 to 192.168.240.200 does not agree with policy.

(SPI)destaddr=x.x.x.x,prot=-1515870811,spi=a5a5a5a5(-1515870811)


where 192.168.240.200 is from the 1751 local LAN and 192.168.1.2 is the ASA LAN.


Below is my config:


ASA for the 1751

access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

crypto map VPNmap 30 match address SSDT
crypto map VPNmap 30 set pfs
crypto map VPNmap 30 set peer x.x.x.x
crypto map VPNmap 30 set transform-set ESP-3DES-MD5

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

tunnel-group 202.22.193.176 type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck

------

1751 config


crypto isakmp key cisco y.y.y.y 255.255.255.255
!
crypto isakmp policy 1
 encryption 3des
 group 2
 hash md5
!
crypto ipsec transform-set ts
 transform-type esp-3des esp-md5-hmac
!
crypto map vpn 1 ipsec-isakmp
 set peer y.y.y.y
 set pfs group2
 set security-association lifetime seconds 86400
 set transform-set ts
 match address vpn

ip access-list extended vpn
 permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log


--



nat (inside) 0 access-list NONAT is implemented on the ASA side to exempt the local net from going via NAT for the remote office LAN.


Can anyone tell me why I am having this error?


I have an access-list implemented on the 1751 to block some specific traffic to the internet.


a.alekseev Sat, 07/19/2008 - 20:51

crypto map VPNmap 30 set pfs group 2
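
A consistency check over the two configurations posted in this thread, as an added example that is not part of the original posts: it compares the traffic selectors and PFS settings that both peers must agree on. It assumes the lines were entered exactly as posted, that ASA access-lists take subnet masks while IOS extended ACLs take wildcard masks, and it handles only the address/mask form used here; all function names are hypothetical.

```python
import ipaddress
import re

def asa_net(addr, mask):
    # ASA access-lists take a subnet mask (255.255.255.0 = /24).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def ios_net(addr, wildcard):
    # IOS extended ACLs take a wildcard (inverse) mask (0.0.0.255 = /24).
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):          # not of the form 0..01..1: no single prefix
        return None
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def selectors(acl_line, to_net):
    # The four tokens after "ip" are: source, mask, destination, mask.
    t = acl_line.split()
    src, smask, dst, dmask = t[t.index("ip") + 1:][:4]
    return to_net(src, smask), to_net(dst, dmask)

def pfs_group(config):
    # None = PFS not set, "default" = "set pfs" with no group, else the number.
    m = re.search(r"set pfs(?:[ ]+group ?(\d+))?", config)
    return None if m is None else (m.group(1) or "default")

def check(asa_acl, ios_acl, asa_map, ios_map):
    findings = []
    a_src, a_dst = selectors(asa_acl, asa_net)
    i_src, i_dst = selectors(ios_acl, ios_net)
    if i_src is None or i_dst is None:
        findings.append("IOS crypto ACL: mask is not a contiguous wildcard")
    elif (a_src, a_dst) != (i_dst, i_src):
        findings.append(f"crypto ACLs not mirrored: ASA {a_src}->{a_dst}, IOS {i_src}->{i_dst}")
    a_pfs, i_pfs = pfs_group(asa_map), pfs_group(ios_map)
    if a_pfs != i_pfs:
        findings.append(f"PFS group not stated identically: ASA={a_pfs}, IOS={i_pfs}")
    return findings

# Lines copied from the two configurations posted in this thread.
ASA_ACL = "access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0"
IOS_ACL = "permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log"
ASA_MAP = "crypto map VPNmap 30 set pfs\ncrypto map VPNmap 30 set transform-set ESP-3DES-MD5"
IOS_MAP = "set peer y.y.y.y\nset pfs group2\nset transform-set ts"

if __name__ == "__main__":
    for finding in check(ASA_ACL, IOS_ACL, ASA_MAP, IOS_MAP):
        print(finding)
```

A "default" result only means the group is not written out in that configuration, so the value in effect has to be read from the device.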
