Configure CPN Between Asa-Astaro

Unanswered Question
Jul 10th, 2009

Hi All

I have a ASA 5510, I have configure 2 VPN, router 850-ASA is OK, but I can't establish the other VPN ASA-Astaro, the error is:

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, QM FSM error (P2 struct &0x3bcd8c0, mess id 0x4f4f1e75)!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:35:57 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jul 09 15:36:03 [IKEv1]: Group = 200.50.2.114, IP = 200.50.2.114, Removing peer from correlator table failed, no match!

My configuration for VPN is:

ACL:

access-list Internet_cryptomap_40 extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list Internet_cryptomap_60 extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

VPN:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 86400

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Internet_map 20 match address Internet_cryptomap_20_1

crypto map Internet_map 20 set peer 186.1.10.74

crypto map Internet_map 20 set transform-set ESP-3DES-MD5

crypto map Internet_map 20 set security-association lifetime seconds 86400

crypto map Internet_map 20 set security-association lifetime kilobytes 4608000

crypto map Internet_map 20 set nat-t-disable

crypto map Internet_map 40 match address Internet_cryptomap_40

crypto map Internet_map 40 set peer 165.98.233.180

crypto map Internet_map 40 set transform-set ESP-3DES-MD5

crypto map Internet_map 40 set security-association lifetime seconds 86400

crypto map Internet_map 40 set security-association lifetime kilobytes 4608000

crypto map Internet_map 60 match address Internet_cryptomap_60

crypto map Internet_map 60 set peer 200.50.2.114

crypto map Internet_map 60 set transform-set ESP-3DES-MD5

crypto map Internet_map 60 set security-association lifetime seconds 28800

crypto map Internet_map 60 set security-association lifetime kilobytes 4608000

crypto map Internet_map interface Internet

isakmp identity address

isakmp enable Internet

isakmp enable management

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group 186.1.10.74 type ipsec-l2l

tunnel-group 186.1.10.74 ipsec-attributes

pre-shared-key *

tunnel-group 165.98.233.180 type ipsec-l2l

tunnel-group 165.98.233.180 ipsec-attributes

pre-shared-key *

tunnel-group 200.50.2.114 type ipsec-l2l

tunnel-group 200.50.2.114 ipsec-attributes

pre-shared-key *

Thanks in Advanced

Regards

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

Actions

This Discussion