L2L VPN Tunnel Failure

Unanswered Question

Hello there,


I am trying to establish a site-to-site IPsec VPN using two ASA firewalls, but the VPN holds in IKE phase 1 with the below error from my side: "Nov 26 04:00:27 [IKEv1]: Group = 168.187.68.242, IP = 168.187.68.242, Removing peer from correlator table failed, no match!"


I checked both IKE proposals/policies and the pre-shared key from both ends.


See attached files.


Thank you.



ariesc_33 Wed, 11/26/2008 - 19:13

=========================================================================================================

access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0

=========================================================================================================


nat (inside) 0 access-list outside_cryptomap_20



#############################################

It looks like everything is configured correctly except the access list for your NAT 0, for which you used the same crypto map ACL that was applied on the outside interface.

Try changing your nat 0 ACL to "inside_nat0_outbound"


nat (inside) 0 access-list inside_nat0_outbound


#############################################


Please rate if it helps.





ajagadee Fri, 11/28/2008 - 22:33
User Badges: Cisco Employee

Hi,


Quick question: in your crypto map, for the peer "84.203.226.226", where is the match address statement? If there is none, can you configure one and then retest the tunnel to the other peer 212.93.223.211?


crypto map mymap 3 set peer 84.203.226.226

crypto map mymap 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map mymap 3 set nat-t-disable

crypto map mymap 3 set phase1-mode aggressive


Regards,

Arul


*Please rate if it helps*

rkalia1 Thu, 12/11/2008 - 19:53

Change the following:

crypto map mymap 1 ipsec-isakmp dynamic dyn1


To the following:

crypto map mymap 65000 ipsec-isakmp dynamic dyn1


on IT-S2

rkalia1 Fri, 12/12/2008 - 12:50

Did you get a chance to try the change I suggested?


Thanks
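
The three conditions the replies above point at (the nat 0 statement reusing the crypto map ACL, a peer entry with no match address, and the dynamic map numbered below the static entries), written as an added Python lint over an ASA configuration; it is not code from any poster in this thread. The sample configuration is constructed from lines quoted in the replies, and sequence number 20 for the second peer is an assumption because the attachments are not on the page.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's attachments are not on the page. Names are
# quoted from the replies; sequence number 20 is an assumption.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0
access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0
nat (inside) 0 access-list outside_cryptomap_20
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 3 set peer 84.203.226.226
crypto map mymap 3 set nat-t-disable
crypto map mymap 20 match address outside_cryptomap_20
crypto map mymap 20 set peer 212.93.223.211
"""

def lint_asa_config(text):
    """Return findings for the three conditions raised in the replies."""
    nat0_acls = set()
    entries = defaultdict(lambda: {"peer": False, "acl": None, "dynamic": False})
    for line in text.splitlines():
        nat = re.match(r"nat \(\S+\) 0 access-list (\S+)$", line.strip())
        cm = re.match(r"crypto map (\S+) (\d+) (.+)$", line.strip())
        if nat:
            nat0_acls.add(nat.group(1))
        if not cm:
            continue
        entry = entries[(cm.group(1), int(cm.group(2)))]
        rest = cm.group(3)
        if rest.startswith("set peer "):
            entry["peer"] = True
        elif rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
        elif rest.startswith("ipsec-isakmp dynamic "):
            entry["dynamic"] = True
    crypto_acls = {e["acl"] for e in entries.values() if e["acl"]}
    findings = [f"nat 0 reuses crypto map ACL {a}" for a in sorted(nat0_acls & crypto_acls)]
    for (name, seq), e in sorted(entries.items()):
        if e["peer"] and not e["acl"]:
            findings.append(f"crypto map {name} {seq} has a peer but no match address")
        later = sorted(s for (n, s), o in entries.items()
                       if n == name and s > seq and not o["dynamic"])
        if e["dynamic"] and later:
            findings.append(f"dynamic entry {name} {seq} precedes static entries {later}")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print(finding)
```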

