VPN Tunnel

Unanswered Question
Aug 23rd, 2010

I'm trying to configure a site-to-site VPN tunnel. I have a PIX 501, running 6.2(2). I clear Phase I, but not Phase II. My question is about transform sets. The vendor I'm working with is looking for one of the following 'sets': ESP-3DES-SHA esp-sha-hmac esp-3DES. I'm assuming that each of these are SETS and I need to have an EXACT match (e.g. ESP-3DES-SHA). When I try to configure the crypto ipsec transform-set, I only have these sets to work with:

[ ah-md5-hmac|ah-sha-hmac ]   [ esp-des|esp-3des|esp-null ]     [ esp-md5-hmac|esp-sha-hmac ]

My question is stated above: do I need an EXACT match with one of the transform 'sets'?



Asim Malik Mon, 08/23/2010 - 09:27

Yes, it should match either esp-sha-hmac or esp-3des as given by your vendor.

christopher_hal... Mon, 08/23/2010 - 09:36

Hey Asimalik, thanks for the quick reply. Correct me if I'm wrong, but the process would go something like this: the vendor has the list of SETs as stated above and during the Phase II process, it would check each of the sets for a match--if the first doesn't match, it moves to the second set, then the third. The second set I have configured is ESP-3DES, which the vendor lists as their third option/set. I would think this should work, yet I'm still failing at Phase II. Any thoughts?
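
The matching rule discussed in the posts above, as an added example that is not part of the thread: a simplified Python model in which a Phase II proposal is accepted only when every transform in one offered set equals every transform in one of the peer's sets. The set labels, the reading of the vendor's ESP-3DES-SHA as esp-3des plus esp-sha-hmac, and the offer-order selection are assumptions; the transform keywords come from the PIX help line quoted in the question.

```python
# Transform keywords grouped as in the PIX help line quoted in the question.
GROUPS = {
    "ah_auth": {"ah-md5-hmac", "ah-sha-hmac"},
    "esp_cipher": {"esp-des", "esp-3des", "esp-null"},
    "esp_auth": {"esp-md5-hmac", "esp-sha-hmac"},
}


def parse_transform_set(tokens):
    """Map 'esp-3des esp-sha-hmac' to {'esp_cipher': ..., 'esp_auth': ...}."""
    result = {}
    for tok in tokens.lower().split():
        group = next((g for g, members in GROUPS.items() if tok in members), None)
        if group is None:
            raise ValueError(f"unknown transform: {tok}")
        if group in result:
            raise ValueError(f"more than one {group} transform: {tok}")
        result[group] = tok
    if not result:
        raise ValueError("empty transform set")
    return result


def negotiate(offered, accepted):
    """Return the label of the first offered set that equals an accepted set.

    Both arguments map a local label to a transform string. Labels are
    never compared; only the transforms are. Returns None when no set
    matches (simplified model: offers are tried in the order given).
    """
    accepted_parsed = [parse_transform_set(t) for t in accepted.values()]
    for label, tokens in offered.items():
        if parse_transform_set(tokens) in accepted_parsed:
            return label
    return None


# Constructed sample data (labels and combinations are hypothetical).
LOCAL = {"SET1": "esp-3des esp-md5-hmac", "SET2": "esp-3des"}
PEER_A = {"ESP-3DES-SHA": "esp-3des esp-sha-hmac"}
PEER_B = {"ESP-3DES-SHA": "esp-3des esp-sha-hmac", "ESP-3DES": "esp-3des"}

if __name__ == "__main__":
    print("against PEER_A:", negotiate(LOCAL, PEER_A))
    print("against PEER_B:", negotiate(LOCAL, PEER_B))
```

In this model a set containing only esp-3des does not match a peer set of esp-3des plus esp-sha-hmac, because the authentication transform is part of the comparison.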

Asim Malik Mon, 08/23/2010 - 09:53

Hi Christopher,

We have to check the debugs.

Can you send the following debugs while you try to bring the tunnel up?

debug crypto ipsec 128

debug crypto isakmp 128

