Two VPN L2L tunnels between one Cisco 871 and two ASA 5500

Unanswered Question
Oct 4th, 2010

Hello, all

I'm trying without success to establish, from a Cisco 871 VPN router, two IPsec L2L tunnels:

- one going to an ASA

- another going to another ASA

To do that I found the following on the net, but I can't manage to establish phase 2!

First of all, is this configuration suitable to establish two L2L tunnels from one 871 to different ASAs?


Thanks, Patrick

crypto keyring site-1-keyring
  pre-shared-key address key abcd
  pre-shared-key address key abcd
crypto keyring site-2-keyring
  pre-shared-key address key abcd
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile site-1-a-prof
   keyring site-1-keyring
   match identity address
crypto isakmp profile site-1-b-prof
   keyring site-1-keyring
   match identity address
crypto isakmp profile site-2-prof
   keyring site-2-keyring
   match identity address
!
!
crypto ipsec transform-set strong ah-sha-hmac esp-3des
!
crypto map ipsec-maps 10 ipsec-isakmp
description ** Site 1 VPN A **
set peer
set transform-set strong
set isakmp-profile site-1-a-prof
match address site-1-a-acl
crypto map ipsec-maps 20 ipsec-isakmp
description ** Site 1 VPN B **
set peer
set transform-set strong
set isakmp-profile site-1-b-prof
match address site-1-b-acl
crypto map ipsec-maps 30 ipsec-isakmp
description ** Site 2 **
set peer
set transform-set strong
set isakmp-profile site-2-prof
match address site-2-acl
!
interface Dialer1
crypto map ipsec-maps
!
ip access-list extended site-1-a-acl
permit ip
ip access-list extended site-1-b-acl
permit ip
ip access-list extended site-2-acl
permit ip
Jitendriya Athavale Mon, 10/04/2010 - 06:21

Please paste the config of the other site or the ASA too.

Verify the phase 2 parameters, whether they are matching.

ah-sha-hmac esp-3des - looks like you have AH. Make sure you need AH and have it configured on the ASA; if not, change this AH to 3DES.

Also please enable debugs and paste them here:

debug crypto isakmp

debug crypto ipsec

roquette Tue, 10/05/2010 - 01:22


I've attached the files concerning the lab configuration: the 871 and one of the two ASAs.

Also a debug crypto ipsec and isakmp on the 871 and the logging on the ASA.

I can't manage to fix this issue, even though it seems easy to do given the following ASA error ...

Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group =, IP =, PHASE 1 COMPLETED
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group =, IP =, All IPSec SA proposals found unacceptable!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group =, IP =, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group =, IP =, Removing peer from correlator table failed, no match!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group =, IP =, Session is being torn down. Reason: Phase 2 Mismatch
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group =, Username =, IP =, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Many thanks for your help

Have a good day.
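The ASA log above already tells the story (phase 1 completes, then every phase 2 proposal is rejected and the session is torn down with "Phase 2 Mismatch"). The following is an added example, not code from the thread: a small Python triage that classifies those syslog lines by ASA message ID and, for a phase-2 rejection, returns the parameters the later replies say to compare (AH vs ESP, cipher/HMAC, PFS, mirrored crypto ACL). The sample lines are the ones posted above, with the peer addresses blank as in the original; the message IDs are taken from those lines.

```python
"""Triage ASA IKE syslog lines: did phase 1 complete, did phase 2 get rejected?

Added example for this thread; not part of the original posts.
"""
import re
from typing import Dict, List, Optional

# Message IDs as they appear in the ASA output posted in the thread.
PHASE1_COMPLETED = "713119"
P2_PROPOSALS_UNACCEPTABLE = "713904"
QM_FSM_ERROR = "713902"
SESSION_TORN_DOWN = "713259"
SESSION_DISCONNECTED = "113019"

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<body>.*)$")
REASON_RE = re.compile(r"Reason:\s*(?P<reason>[^,]+?)\s*$")

# Copied from the ASA logging posted above (peer/group fields were blank there too).
SAMPLE_LOG = [
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group =, IP =, PHASE 1 COMPLETED",
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group =, IP =, All IPSec SA proposals found unacceptable!",
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group =, IP =, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!",
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group =, IP =, Removing peer from correlator table failed, no match!",
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group =, IP =, Session is being torn down. Reason: Phase 2 Mismatch",
    "Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group =, Username =, IP =, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch",
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Extract severity, message ID and body from one ASA syslog line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group("sev")), "id": m.group("id"), "body": m.group("body").strip()}


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise a burst of IKE log lines for one peer."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    ids = [e["id"] for e in events]
    reasons = []
    for e in events:
        r = REASON_RE.search(e["body"])
        if r:
            reasons.append(r.group("reason"))
    reason = reasons[0] if reasons else None
    return {
        "phase1_completed": PHASE1_COMPLETED in ids,
        "phase2_mismatch": P2_PROPOSALS_UNACCEPTABLE in ids or reason == "Phase 2 Mismatch",
        "teardown_reason": reason,
        "ids": ids,
    }


def checklist(result: Dict[str, object]) -> List[str]:
    """Turn the verdict into the things to compare on the two peers."""
    if not result["phase1_completed"]:
        return ["Phase 1 never completed: compare the ISAKMP policy (encryption, hash, DH group, PSK) first."]
    if not result["phase2_mismatch"]:
        return ["No phase 2 rejection in these lines."]
    # These three are exactly what resolved the thread: AH in the transform set,
    # DES vs 3DES / PFS on one side only, and a crypto ACL that was not mirrored.
    return [
        "Transform set: AH vs ESP, cipher (DES/3DES) and HMAC must be identical on both peers.",
        "PFS: enabled on one peer and disabled on the other is a proposal mismatch.",
        "Crypto ACL: the ASA entry must be the exact mirror (source/destination swapped) of the router's.",
    ]


if __name__ == "__main__":
    verdict = triage(SAMPLE_LOG)
    print(verdict)
    for item in checklist(verdict):
        print("-", item)
```

Run it as-is and it reports phase 1 up, phase 2 rejected, reason "Phase 2 Mismatch", and prints the three-point comparison list; feeding it a capture where 713119 is absent flips the advice to the ISAKMP policy instead.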

roquette Fri, 10/08/2010 - 00:05

Hi "Jathaval" ...

Did you spend time on my issue?

Is the configuration I took as a sample suitable for opening, on a Cisco 871 VPN router, two IPsec L2L tunnels?

(The endpoints of the tunnels are Cisco ASA 5500s.)


Patrick Letendart

roquette Fri, 10/08/2010 - 08:24

Hello Stefano,

Thanks for your help.

It's getting better ... one of the two tunnels goes up!

I'm looking at the second one.

After that it'll "just remain" for me to deal with the routing ...

I'll keep all of you informed next Monday.

Managing to create a running configuration (with your great help) is becoming a contest for me ...

Bye and have a nice weekend

roquette Fri, 10/08/2010 - 09:14

Hi all,

Thanks to Stefano, I managed to establish the two tunnels (PFS disabled, DES instead of 3DES, one reversal in one ACL, an error in another one ...).

So now I have two tunnels up and it "remains for me" to implement the routing.

Is OSPF the solution? Or?

Following is the configuration of the Cisco 871

no ip source-route
ip cef
crypto keyring ST
  pre-shared-key address key 6 XAi[WbI_AB\V]Ub[RFDYLDSPI`LObaCL\
crypto keyring Lestrem
  pre-shared-key address key 6 JYR^BARI\LZcGAbec^IZeFWAffB]GZFHM
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile ST-prof
   keyring ST
   match identity address
crypto isakmp profile Lestrem-prof
   keyring Lestrem
   match identity address
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
crypto map dual-tunnel 10 ipsec-isakmp
description ST
set peer
set transform-set ESP-3DES-MD5
set isakmp-profile ST-prof
match address ST
crypto map dual-tunnel 20 ipsec-isakmp
description Lestrem
set peer
set transform-set ESP-3DES-MD5
set isakmp-profile Lestrem-prof
match address Lestrem
interface FastEthernet4
description $ETH-WAN$
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map dual-tunnel
interface Vlan1
description ADMIN
ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
standby 1 ip
standby 1 priority 20
standby 1 preempt
ip forward-protocol nd
ip route
ip route
no ip http server
no ip http secure-server
ip nat pool branch netmask
ip nat inside source route-map nonat pool branch overload
ip access-list extended Lestrem
permit ip
ip access-list extended ST
permit ip
access-list 130 deny   ip
access-list 130 permit ip any
route-map nonat permit 10
match ip address 130

Thanks gentlemen !
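The fixes that brought the two tunnels up (PFS off on both sides, the same cipher on both sides, one crypto ACL reversed) and the AH remark in the first reply are all phase-2 proposal mismatches that can be caught before looking at debugs. The following is an added example, not code from the thread or from Cisco: a Python comparison of a router crypto-map entry against the ASA peer's entry. The transform-set strings are the ones on this page ("ah-sha-hmac esp-3des" from the first post, "esp-des esp-md5-hmac" from the working config); the 10.1.0.0/24 and 10.2.0.0/24 networks in the crypto ACLs are constructed, since the posted ACLs have their addresses blanked out.

```python
"""Compare the phase-2 parameters of an IOS crypto map entry with its ASA peer.

Added example for this thread; not the thread's or Cisco's own code.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <dst>' line of a crypto ACL, given as CIDR strings."""
    src: str
    dst: str

    def mirrored(self) -> "AclEntry":
        # The peer's crypto ACL must be this entry with source and destination swapped.
        return AclEntry(self.dst, self.src)


@dataclass(frozen=True)
class Phase2Side:
    name: str
    transform: str               # transform-set keywords, e.g. "esp-des esp-md5-hmac"
    pfs_group: Optional[int]     # None means PFS disabled
    acl: FrozenSet[AclEntry]     # the crypto ACL matched by this map entry


ESP_CIPHERS = {"esp-null", "esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}


def parse_transform(spec: str) -> Dict[str, Optional[str]]:
    """Split a transform-set string into its AH, ESP cipher and ESP HMAC parts."""
    toks = spec.lower().split()
    return {
        "ah": next((t for t in toks if t.startswith("ah-")), None),
        "esp_cipher": next((t for t in toks if t in ESP_CIPHERS), None),
        "esp_hmac": next((t for t in toks if t.startswith("esp-") and t.endswith("-hmac")), None),
    }


def compare(router: Phase2Side, asa: Phase2Side) -> List[str]:
    """Return every phase-2 mismatch between the two sides; empty means they line up."""
    findings: List[str] = []
    rt, at = parse_transform(router.transform), parse_transform(asa.transform)
    for key, label in (("ah", "AH"), ("esp_cipher", "ESP cipher"), ("esp_hmac", "ESP HMAC")):
        if rt[key] != at[key]:
            findings.append(f"{label}: {router.name}={rt[key]} vs {asa.name}={at[key]}")
    if router.pfs_group != asa.pfs_group:
        findings.append(f"PFS: {router.name}={router.pfs_group} vs {asa.name}={asa.pfs_group}")
    # The ASA's crypto ACL has to be the exact mirror of the router's, not a copy of it.
    if router.acl != frozenset(e.mirrored() for e in asa.acl):
        findings.append(f"crypto ACL: {asa.name} is not the mirror of {router.name}")
    return findings


# Constructed sample data (addresses are placeholders, not from the thread).
ROUTER_ST = Phase2Side("871/ST", "esp-des esp-md5-hmac", None,
                       frozenset({AclEntry("10.1.0.0/24", "10.2.0.0/24")}))
# Matching ASA entry: same proposal, PFS off, ACL mirrored.
ASA_ST_OK = Phase2Side("ASA-ST", "esp-des esp-md5-hmac", None,
                       frozenset({AclEntry("10.2.0.0/24", "10.1.0.0/24")}))
# ASA entry with the three problems the thread ran into: 3DES, PFS on, ACL copied not mirrored.
ASA_ST_BAD = Phase2Side("ASA-ST", "esp-3des esp-md5-hmac", 2,
                        frozenset({AclEntry("10.1.0.0/24", "10.2.0.0/24")}))
# The first post's transform set against an ASA that offers ESP only (the AH point in the reply).
ROUTER_FIRST_POST = Phase2Side("871/strong", "ah-sha-hmac esp-3des", None, ROUTER_ST.acl)
ASA_ESP_ONLY = Phase2Side("ASA", "esp-3des esp-sha-hmac", None, ASA_ST_OK.acl)


if __name__ == "__main__":
    for rtr, asa in ((ROUTER_ST, ASA_ST_OK), (ROUTER_ST, ASA_ST_BAD), (ROUTER_FIRST_POST, ASA_ESP_ONLY)):
        print(rtr.name, "<->", asa.name, compare(rtr, asa) or "OK")
```

Note that the ACL check treats a copied (non-mirrored) ACL as a mismatch even when every address is right, which is the "one reversal in one ACL" case above; the AH check flags the first post's transform set even though both sides agree on 3DES, which is the point made in the first reply.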

Stefano De Crescenzo Fri, 10/08/2010 - 23:27


I am not sure what you intended with "now I need to configure the routing". If your goal is to have a routing protocol passed via the tunnel so that the internal hosts can become neighbors, this is not possible with normal L2L and you would need to use either GRE or VTI (which are not supported on the ASA).

So you do not have many options:

1- use static routing

2- use GRE or VTI, but then you need to put another router behind the ASA to terminate those tunnels (a much more complicated solution)

Hope it helps


roquette Mon, 10/11/2010 - 02:58

Thanks Marcin and Stefano,

I'll try to use OSPF following the sample Marcin helpfully gave me.

As soon as I manage to make it run, I'll come back to this discussion.


