Site to Site VPN using Cisco 2651XM and ASA5505

Answered Question
Jul 14th, 2009

Hello Experts,

I have an issue setting up site to site VPN between Cisco 2651XM and ASA5505.

Here's the config from both the devices.

On Cisco 2651XM
===============

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco12345 address 205.200.8.XXX
!
!
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel to 205.200.8.251
 set peer 205.200.8.XXX
 set transform-set ESP-DES-SHA
 match address 102
 qos pre-classify
interface Dialer1
 ip nbar protocol-discovery
 crypto map SDM_CMAP_2

On ASA 5505
===========

access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list outside_6_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 205.200.9.xxx
crypto map outside_map 6 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 205.200.9.203 type ipsec-l2l
tunnel-group 205.200.9.203 ipsec-attributes
 pre-shared-key *

Here's the output log from ASA5505:

IP = 205.200.9.XXX Received encrypted packet with no matching SA, dropping
Group = 205.200.9.XXX Username = 205.200.9.XXX IP = 205.200.9.XXX Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Group = 205.200.9.XXX IP = 205.200.9.XXX Removing peer from correlator table failed, no match!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, QM FSM error (P2 struct &0xd7b42260, mess id 0x84b2979c)!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, All IPSec SA proposals found unacceptable!
Group = 205.200.9.XXX, IP = 205.200.9.XXX, PHASE 1 COMPLETED

Please help me out.

OJ
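The log above shows phase 1 completing and the failure landing in quick mode ("All IPSec SA proposals found unacceptable", "Phase 2 Mismatch"), which means the two crypto map entries disagree on some IPsec SA parameter. As an added example (not code from the original thread), here is a small Python checker that parses the router and ASA crypto map entries and reports the three things that commonly produce that error: a different transform set, a PFS group that one side requires and the other does not offer, and interesting-traffic ACLs that are not mirror images. The sample configs are constructed to mirror the post, with documentation-range peer addresses in place of the poster's; the PFS group it assumes when `set pfs` is given without a group (group1 on IOS, group2 on the ASA) should be confirmed with `show crypto map` on the real devices, which is also how the poster found the mismatch.

```python
"""Phase-2 (IPsec SA) consistency check for an IOS <-> ASA site-to-site tunnel.

Added example, not code from the original thread. It parses the crypto map
entry on each side and reports the mismatches that make a peer answer
"All IPSec SA proposals found unacceptable" in quick mode: transform set,
PFS group, and non-mirrored interesting-traffic ACLs.
"""
import ipaddress
import re

# Constructed sample configs modelled on the post; peer addresses are from
# documentation ranges, not the poster's.
IOS_CFG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map SDM_CMAP_2 1 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set ESP-DES-SHA
 match address 102
access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Same router config with PFS added so that it matches the ASA side.
IOS_CFG_FIXED = IOS_CFG.replace(" match address 102\n",
                                " set pfs group2\n match address 102\n")

ASA_CFG = """\
access-list outside_6_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 6 match address outside_6_cryptomap_1
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 198.51.100.7
crypto map outside_map 6 set transform-set ESP-DES-SHA
"""

# Group used when 'set pfs' is given without an explicit group. group1 for IOS
# and group2 for the ASA are assumptions taken from the platform docs; confirm
# both with 'show crypto map' on the real devices.
IOS_PFS_DEFAULT = "group1"
ASA_PFS_DEFAULT = "group2"


def _transform_sets(cfg):
    """Map transform-set name -> set of ESP/AH algorithm tokens (same syntax on IOS and ASA)."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}


def _net(addr, mask, wildcard):
    """Build a network from an ACL address/mask pair; IOS ACLs use inverse (wildcard) masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_flows(cfg, name, wildcard):
    """Return {(src_net, dst_net)} for each 'permit ip A MASK B MASK' line of ACL *name*."""
    pat = re.compile(rf"^access-list {re.escape(name)} (?:extended )?permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)\s*$", re.M)
    return {(_net(s, sm, wildcard), _net(d, dm, wildcard)) for s, sm, d, dm in pat.findall(cfg)}


def parse_ios(cfg):
    """Phase-2 parameters of the first 'crypto map ... ipsec-isakmp' entry (sub-commands indented)."""
    body = re.search(r"^crypto map (\S+) (\d+) ipsec-isakmp\n((?: .*\n)+)", cfg, re.M).group(3)

    def sub(key):
        return re.search(rf"^ {key}(?: (\S+))?$", body, re.M)

    pfs = sub("set pfs")
    return {
        "peer": sub("set peer").group(1),
        "transform": _transform_sets(cfg)[sub("set transform-set").group(1)],
        "pfs": (pfs.group(1) or IOS_PFS_DEFAULT) if pfs else None,
        "flows": _acl_flows(cfg, sub("match address").group(1), wildcard=True),
    }


def parse_asa(cfg):
    """Phase-2 parameters of the first ASA crypto map sequence that has a 'set peer'
    (a single transform set per sequence is assumed)."""
    name, seq, peer = re.search(r"^crypto map (\S+) (\d+) set peer (\S+)$", cfg, re.M).groups()

    def sub(key):
        return re.search(rf"^crypto map {re.escape(name)} {seq} {key}(?: (\S+))?\s*$", cfg, re.M)

    pfs = sub("set pfs")
    return {
        "peer": peer,
        "transform": _transform_sets(cfg)[sub("set transform-set").group(1)],
        "pfs": (pfs.group(1) or ASA_PFS_DEFAULT) if pfs else None,
        "flows": _acl_flows(cfg, sub("match address").group(1), wildcard=False),
    }


def phase2_mismatches(ios_cfg, asa_cfg):
    """List the quick-mode parameters on which the two sides disagree (empty list = consistent)."""
    r, a = parse_ios(ios_cfg), parse_asa(asa_cfg)
    problems = []
    if r["transform"] != a["transform"]:
        problems.append(f"transform set: router {sorted(r['transform'])} vs ASA {sorted(a['transform'])}")
    if r["pfs"] != a["pfs"]:
        problems.append(f"PFS: router {r['pfs'] or 'none'} vs ASA {a['pfs'] or 'none'}")
    # Each side's source/destination pair must be the other side's pair reversed.
    if r["flows"] != {(dst, src) for src, dst in a["flows"]}:
        problems.append(f"interesting traffic not mirrored: router {r['flows']} vs ASA {a['flows']}")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as posted", IOS_CFG), ("with 'set pfs group2' on the router", IOS_CFG_FIXED)):
        print(f"{label}: {phase2_mismatches(cfg, ASA_CFG) or 'phase-2 parameters agree'}")
```

Run against the configs as posted it reports only the PFS disagreement (the router offers no PFS while the ASA entry has `set pfs`); with `set pfs group2` added to the router's crypto map entry it reports nothing. It deliberately checks only quick-mode parameters, since the log shows phase 1 already completing; ISAKMP policy and pre-shared-key problems would fail earlier with different messages.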

Correct Answer by Collin Clark about 7 years 5 months ago
bansal.ojasvi Tue, 07/14/2009 - 19:56

Went through the link. Tried doing what relates to my issue but no luck. Any other idea?

bansal.ojasvi Wed, 07/15/2009 - 20:30

I found out the issue. It was a PFS group issue. The sh crypto map command helped me. It was showing DH1; I changed it to DH2 and the issue was resolved. Thanks for your help though.
