VPN between 6500 Sup720 with SPA accelerated card and NetScreen.

Unanswered Question
Aug 25th, 2010

I have at least 20 other VPNs to Cisco Router IOS and ASA, with similar configuration.

but this connection from my side gets:

When I initiate the connection, the debug crypto output is:

peer does not accept paranoid keepalive.

It deletes the connection after Phase 1.

When Netscreen initiates the connection it gets to:

Phase 2 and QM_IDLE.

I am working with the other end to try to get a debug when he tries to connect.

When I have seen this in the past, I just added crypto isakmp keepalive 30.

The NetScreen setup is:

External interface 3.3.3.14

VPN Peer 4.4.4.34

ESP-3DES-MD5

Encryption 3DES

Hash MD5

Group 2

2.2.2.145 Remote Server

3.3.3.184 Internal server

Preshared Key XXXX

Cisco configuration is 6500 Sup720 with SPA-IPSEC-2G, ver 12.2(18)SXF17a:

crypto isakmp key XXXX address 3.3.3.14

crypto ipsec transform-set 3des esp-3des esp-md5-hmac
  mode transport

crypto isakmp policy 10
  encryption 3des
  hash md5
  authentication pre-share

crypto map IPSecTunnel 80 ipsec-isakmp
  description VPN_NetScreen
  set peer 3.3.3.14
  set transform-set 3des
  match address CryptoMap_NetScreen

ip access-list extended CryptoMap_NetScreen
  permit ip host 2.2.2.145 host 3.3.3.184
  permit udp host 4.4.4.34 eq isakmp host 3.3.3.14

Yudong Wu Wed, 08/25/2010 - 13:34

You might need to remove "Permit udp host 4.4.4.34 eq isakmp 3.3.3.14" from CAT6500 side.

Please provide the debug output if you would like us to troubleshoot it.

geraldjacksontx Thu, 08/26/2010 - 11:16

I found the problem with my side anyway.

You need to set pfs group2 if you are using group 2 DH.
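The failure pattern in this thread (Phase 1 completes, Quick Mode then dies) is a Phase 2 proposal mismatch, here PFS configured on the NetScreen but absent from the Cisco crypto map. The toy checker below is an added example, not from the thread or from either vendor; the dataclass and constant names are mine, and the parameter values are taken from the posted configuration, with the Phase 1 DH group assumed to match on both sides since the poster reports Phase 1 succeeding.

```python
# Added example: model IKE Phase 1 / Phase 2 proposal matching for the
# NetScreen <-> Cat6500 tunnel in this thread. Constructed values, names are mine.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Phase1:
    encryption: str          # ISAKMP cipher, e.g. 3des
    hash: str                # ISAKMP hash, e.g. md5
    dh_group: int            # Diffie-Hellman group
    auth: str = "pre-share"


@dataclass(frozen=True)
class Phase2:
    encryption: str          # ESP cipher, e.g. esp-3des
    integrity: str           # ESP authentication, e.g. esp-md5-hmac
    pfs_group: Optional[int] # None when the crypto map has no "set pfs"


def mismatches(local1: Phase1, local2: Phase2,
               remote1: Phase1, remote2: Phase2) -> List[str]:
    """Compare both phases field by field; an empty list means the SA can form.

    Phase 2 is only checked when Phase 1 agrees, mirroring the real exchange:
    a Phase 1 mismatch never reaches Quick Mode at all."""
    problems = [f"phase1 {name}: {getattr(local1, name)} vs {getattr(remote1, name)}"
                for name in ("encryption", "hash", "dh_group", "auth")
                if getattr(local1, name) != getattr(remote1, name)]
    if problems:
        return problems
    return [f"phase2 {name}: {getattr(local2, name)} vs {getattr(remote2, name)}"
            for name in ("encryption", "integrity", "pfs_group")
            if getattr(local2, name) != getattr(remote2, name)]


# Parameters as posted in the thread (constructed objects, assumed Phase 1 group 2).
NETSCREEN_P1 = Phase1("3des", "md5", dh_group=2)
NETSCREEN_P2 = Phase2("esp-3des", "esp-md5-hmac", pfs_group=2)
CISCO_P1 = Phase1("3des", "md5", dh_group=2)
CISCO_P2_ORIGINAL = Phase2("esp-3des", "esp-md5-hmac", pfs_group=None)  # no "set pfs"
CISCO_P2_FIXED = Phase2("esp-3des", "esp-md5-hmac", pfs_group=2)        # "set pfs group2"

if __name__ == "__main__":
    print("before fix:", mismatches(CISCO_P1, CISCO_P2_ORIGINAL, NETSCREEN_P1, NETSCREEN_P2))
    print("after fix: ", mismatches(CISCO_P1, CISCO_P2_FIXED, NETSCREEN_P1, NETSCREEN_P2))
```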
