11-26-2008 03:51 AM
Hello there,
I am trying to establish a site to site IPSEC VPN using two ASA firewalls but the VPN holds in IKE phase1 with the below error from my side : "Nov 26 04:00:27 [IKEv1]: Group = 168.187.68.242, IP = 168.187.68.242, Removing peer from correlator table failed, no match!"
I checked both IKE proposals/policies and the pre-shared key from both ends.
See attached files.
Thank you.
11-26-2008 07:13 PM
=========================================================================================================
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0
access-list outside_cryptomap_20 extended permit ip 192.168.30.0 255.255.255.0 172.30.0.0 255.255.248.0
=========================================================================================================
nat (inside) 0 access-list outside_cryptomap_20
#############################################
It looks like everything is configured correctly except the access-list for your NAT 0, for which you used the same crypto map ACL that was applied on the outside interface.
Try changing your nat 0 ACL to "inside_nat0_outbound":
nat (inside) 0 access-list inside_nat0_outbound
#############################################
Please rate if it helps.
11-28-2008 09:47 PM
Thank you,
The access list references the interesting traffic only and it's valid for both NAT and crypto map.
11-28-2008 10:33 PM
Hi,
Quick question: in your crypto map, for the peer "84.203.226.226", where is the match address statement? If there is none, can you configure one and then retest the tunnel to the other peer 212.93.223.211?
crypto map mymap 3 set peer 84.203.226.226
crypto map mymap 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 3 set nat-t-disable
crypto map mymap 3 set phase1-mode aggressive
Regards,
Arul
*Pls rate if it helps*
11-29-2008 12:09 AM
Hi,
The peer 212.93.223.211 should have a tunnel with 168.187.68.242.
Peer 84.203.226.226 is also to have a tunnel with 168.187.68.242.
Thank you, but this is not the case.
12-11-2008 07:53 PM
Change the following:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
To the following:
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
on IT-S2
12-12-2008 12:50 PM
Did you get a chance to try the change I suggested?
Thanks
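The two crypto map suggestions made in the replies above (a match address on every static entry, and the dynamic entry moved to the highest sequence number, since the ASA evaluates entries in ascending sequence order) can be checked offline against a saved configuration. This is an added example, not part of the original thread or of any Cisco tool; the sample configuration is constructed from the lines quoted in the thread, and sequence 2 with its ACL binding is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the crypto map lines quoted in the thread.
# Sequence 2 and its match address are assumptions made for illustration.
SAMPLE_CONFIG = """\
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 2 match address outside_cryptomap_20
crypto map mymap 2 set peer 212.93.223.211
crypto map mymap 3 set peer 84.203.226.226
crypto map mymap 3 set nat-t-disable
crypto map mymap 3 set phase1-mode aggressive
crypto map mymap interface outside
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: {"peers": [...], "acl": str|None, "dynamic": bool}}}."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # lines without a sequence number, e.g. the interface binding
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps[name].setdefault(seq, {"peers": [], "acl": None, "dynamic": False})
        if rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
        elif rest[:2] == ["match", "address"] and len(rest) > 2:
            entry["acl"] = rest[2]
        elif rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = True
    return maps

def audit(config):
    """Return (map_name, seq, message) tuples for the two conditions raised in the thread."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        static = [s for s, e in entries.items() if not e["dynamic"]]
        for seq, e in sorted(entries.items()):
            if e["dynamic"] and static and seq < max(static):
                findings.append((name, seq, "dynamic entry is evaluated before a static entry"))
            if not e["dynamic"] and e["peers"] and e["acl"] is None:
                findings.append((name, seq, "static entry has a peer but no match address"))
    return findings

if __name__ == "__main__":
    for name, seq, msg in audit(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {msg}")
```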