Need help with VPN (Cisco831+ASA5510)

Hello,

We are trying to establish a site-site VPN between a Cisco831 and an ASA5510.

I've attached the config files of both units and the error file from the ASA.

On the 831, we get:

KED1CSPSVPNr01#

*Mar 19 22:17:48.743: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 8.10.15.130

I can't seem to find out where the problem is. Could anyone help out please?

Thanks.

Correct Answer
acomiskey Mon, 12/01/2008 - 12:55

Try adding this to the ASA:

crypto map outside_map 1 set pfs

Correct Answer
ajagadee Mon, 12/01/2008 - 13:07

Ken,

The crypto IPsec ACLs are not matching on the ASA and the 831 router.

ASA

access-list outside_1_cryptomap extended permit ip 172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0

831

access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255

access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255

Make sure that you configure the IPSEC ACLs to be mirror images of each other and then bring up the tunnel. After you make the changes, do update your NAT 0 command accordingly.

Regards,

Arul

*Pls rate if it helps*
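
The mirror-image check described in the answer above, as an added example that is not part of the original thread: it normalises the ASA netmask form and the IOS wildcard form to networks and reports entries with no swapped source/destination twin on the peer. The function names and the `IOS_ACL_MIRRORED` sample are assumptions made for illustration.

```python
import ipaddress
import re

# Matches only the "permit ip <addr> <mask> <addr> <mask>" form quoted in the thread;
# "host", "any" and object-group entries are out of scope (assumption of this example).
ACE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def to_network(addr, mask, wildcard):
    """ASA ACLs use netmasks, IOS ACLs use wildcard masks; normalise both to a network."""
    if wildcard:
        inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_aces(config, wildcard):
    """Return the set of (source, destination) networks permitted by the crypto ACL."""
    return {(to_network(s, sm, wildcard), to_network(d, dm, wildcard))
            for s, sm, d, dm in ACE.findall(config)}

def mirror_mismatches(asa_config, ios_config):
    """List entries on each side that have no swapped src/dst twin on the peer."""
    asa = parse_aces(asa_config, wildcard=False)
    ios = parse_aces(ios_config, wildcard=True)
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return {"asa_unmatched": fmt(asa - {(d, s) for s, d in ios}),
            "ios_unmatched": fmt(ios - {(d, s) for s, d in asa})}

# ACL lines as quoted in the answer above.
ASA_ACL = ("access-list outside_1_cryptomap extended permit ip "
           "172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0")
IOS_ACL = """access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255
access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255"""

# Constructed sample: an 831 ACL that mirrors the ASA entry exactly.
IOS_ACL_MIRRORED = "access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.1.0 0.0.0.255"

if __name__ == "__main__":
    print(mirror_mismatches(ASA_ACL, IOS_ACL))
    print(mirror_mismatches(ASA_ACL, IOS_ACL_MIRRORED))
```

Empty lists on both sides mean the proxy identities agree; any entry listed is a candidate cause of the Quick mode failure shown in the question.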
