Replacing a Cisco 1711 with an ASA5510

Unanswered Question
Oct 1st, 2010

I need some help getting some VPN connections up and running on an ASA5510. I will post the old config for the Cisco 1711. I have tried copying all the settings over to the ASA, but I must not be copying them correctly. Let me know what I am doing wrong. I will also post the errors I am getting in debug mode.


All but one of the remote VPN peers is a 1711. The remaining one is an 1811. I can get the configs from the remote sites if needed.




Thank You

apsanghi (Cisco Employee) Fri, 10/01/2010 - 19:45

Hi Brandon,


From the config, I can see that you have set up 5 peers for the VPN. Could you please tell whether the VPN tunnel is not coming up with all the peers or only a few? In the latter case, please mention the peer IP addresses with which the IPsec tunnel is not coming up and attach the config for those peers.


I see a few mismatches between the router's and the ASA's configs. The router is configured with tunnel interfaces and hence is using a GRE over IPsec tunnel with the remote peers. On the router, the crypto ACLs allow only GRE traffic through the VPN tunnel, whereas on the ASA we are allowing all the traffic from one network to the remote network to go through the VPN tunnel.


From the debugs, I can see the following:

1> Oct 01 19:21:14 [IKEv1]: Group = 76.79.2.90, IP = 76.79.2.90, Session is being torn down. Reason: Phase 2 Mismatch

This suggests that there is a mismatch in the phase 2 configuration, so it could be either the transform set or the crypto ACL. If we check the config, we can see that the router is allowing only the GRE traffic to go through the VPN tunnel, but the ASA is allowing all traffic from 192.168.8.0/24 to 192.168.7.0/24.

Could you please check whether we have the corresponding ACL in the crypto map at the peer site as well.


2> We see the following debug for peer 64.68.188.69:

Oct 01 19:22:59 [IKEv1]: Group = 64.68.188.69, IP = 64.68.188.69, Session is being torn down. Reason: Phase 2 Mismatch

So it seems to be the same issue with this peer as well.


I also see the following debug:

Oct 01 19:23:17 [IKEv1]: Group = 24.111.19.58, IP = 24.111.19.58, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting

Could you also please check whether the pre-shared keys for the peers are correct.


Regards

Apaar
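The mismatch Apaar describes, written out as a constructed IOS/ASA config pair. This is an added illustration, not the poster's config or Apaar's: the public addresses 203.0.113.10 (router) and 198.51.100.5 (ASA), the 10.0.0.0/30 tunnel subnet, the WAN next hop and the pre-8.3 ASA syntax are all assumptions; only the 192.168.7.0/24 and 192.168.8.0/24 networks come from the thread. One caveat the thread does not spell out: an ASA cannot terminate a GRE tunnel, so keeping the 1711's Tunnel0 is not an option. The router has to move to plain IPsec with a crypto ACL that mirrors the ASA's, and the encapsulation mode and pre-shared key have to agree as well.

```cisco
! ===== Before: remote 1711 running GRE over IPsec (as described in the thread) =====
! Constructed example. 203.0.113.10 / 198.51.100.5 are placeholder public
! addresses; 10.0.0.0/30 is an assumed tunnel subnet.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key SAME-SECRET-ON-BOTH-ENDS address 198.51.100.5
!
! GRE/IPsec designs commonly protect the GRE packets in transport mode
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL matches only the GRE packets between the two public addresses,
! not the LAN-to-LAN traffic; that is the proxy identity the router offers.
access-list 101 permit gre host 203.0.113.10 host 198.51.100.5
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.5
!
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.0
 crypto map VPN
!
ip route 192.168.8.0 255.255.255.0 Tunnel0

! ===== ASA 5510 (assumed pre-8.3 syntax) with the network-to-network crypto ACL =====
! 192.168.8.0/24 is behind the ASA, 192.168.7.0/24 behind the router.
access-list VPN-TO-ROUTER extended permit ip 192.168.8.0 255.255.255.0 192.168.7.0 255.255.255.0
! NAT exemption so the VPN traffic is not translated (pre-8.3 form)
nat (inside) 0 access-list VPN-TO-ROUTER
! ASA transform sets default to tunnel mode
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-ROUTER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set TS
crypto map OUTSIDE-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
! Must equal the router's "crypto isakmp key"; if it does not, the ASA logs
! "had problems decrypting packet, probably due to mismatched pre-shared key"
 pre-shared-key SAME-SECRET-ON-BOTH-ENDS
!
! With the two halves above, phase 1 completes but phase 2 cannot: the router
! proposes "gre host 203.0.113.10 host 198.51.100.5" in transport mode, the ASA
! proposes "ip 192.168.8.0/24 192.168.7.0/24" in tunnel mode, and the ASA logs
! "Session is being torn down. Reason: Phase 2 Mismatch".

! ===== After: router converted to plain IPsec, crypto ACL mirrors the ASA's =====
no ip route 192.168.8.0 255.255.255.0 Tunnel0
no interface Tunnel0
no access-list 101
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
! Exact mirror of VPN-TO-ROUTER: local LAN first, remote LAN second
access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.8.0 0.0.0.255
! Assumed WAN next hop; the crypto map on FastEthernet0 now catches this traffic
ip route 192.168.8.0 255.255.255.0 203.0.113.1
```

To confirm the change took effect, use `show crypto isakmp sa` on the ASA (phase 1 should show MM_ACTIVE) and `show crypto ipsec sa` on both ends: the local and remote ident lines should read 192.168.7.0/24 and 192.168.8.0/24, mirrored, on each side. If the ASA still reports a phase 2 mismatch after the ACLs match, compare the transform sets and the encapsulation mode next, since either one failing to match produces the same tear-down reason. 3DES, SHA-1 and DH group 2 are used here only to stay within what a 2010-era 1711 and ASA 8.x both negotiate; they are legacy choices and a current deployment should prefer AES and a larger DH group.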
