10-04-2014 01:29 AM
I can't seem to establish a VPN between remote ASA 5505 and my local 5550 ASA. In my logs I am getting the following:
IP = 62.73.210.83, IKE Initiator: New Phase 1, Intf inside, IKE Peer 62.73.210.83 local Proxy Address 10.199.1.0, remote Proxy Address 10.200.1.240, Crypto map (myMAP)
IP = 62.73.210.83, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
IP = 62.73.210.83, Error: Unable to remove PeerTblEntry
IP = 62.73.210.83, Removing peer from peer table failed, no match!
Remote 5505 ASA:
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 62.73.210.83
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
 pre-shared-key *
Local 5550 ASA:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.83
crypto map myMAP 1 set transform-set mySET ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
 split-tunnel-policy tunnelspecified
 nem enable
group-policy Mearsk internal
group-policy Mearsk attributes
 vpn-tunnel-protocol IPSec
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
tunnel-group 62.73.210.83 type ipsec-l2l
tunnel-group 62.73.210.83 ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
10-04-2014 07:17 AM
Your remote ASA 5505 has:
crypto map mymap 10 set peer 62.73.210.83
From what I can see, it should be 65.181.59.210.
10-04-2014 04:10 PM
Thank you for responding. I tried that too in the beginning and I get the same errors as above.
10-05-2014 08:12 AM
Well, whether or not that fixes the root cause, it will need to be set to that.
You should also confirm that the access-lists called by your crypto map for the respective ends are mirror images of each other (VPNL2L and outside_cryptomap_1).
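The two checks suggested in the replies above (peer address versus tunnel-group, and mirrored crypto ACLs) can be scripted against saved configs. This is an added example, not part of the original thread: the crypto map and tunnel-group lines are taken from the posts, while the access-list lines and the function names are assumptions, because the thread never shows the ACL contents.

```python
import re
from ipaddress import ip_network

# Constructed sample configs. The access-list lines are assumed for illustration.
REMOTE_5505 = """\
access-list VPNL2L extended permit ip 10.200.1.0 255.255.255.0 10.199.1.0 255.255.255.0
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 62.73.210.83
tunnel-group 65.181.59.210 type ipsec-l2l
"""
LOCAL_5550 = """\
access-list outside_cryptomap_1 extended permit ip 10.199.1.0 255.255.255.0 10.200.1.240 255.255.255.240
crypto map myMAP 1 match address outside_cryptomap_1
crypto map myMAP 1 set peer 62.73.210.83
tunnel-group 62.73.210.83 type ipsec-l2l
"""

# Handles only the "permit ip <net> <mask> <net> <mask>" form; host, any and
# object-group entries are outside the scope of this example.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)

def crypto_acl_pairs(config):
    """(source, destination) networks of every ACL bound to a crypto map."""
    used = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M))
    return {(ip_network(f"{s}/{sm}"), ip_network(f"{d}/{dm}"))
            for name, s, sm, d, dm in ACL_RE.findall(config) if name in used}

def unmirrored(config_a, config_b):
    """Entries (in side A's orientation) lacking a reversed twin on the other side."""
    flipped_b = {(d, s) for s, d in crypto_acl_pairs(config_b)}
    return crypto_acl_pairs(config_a) ^ flipped_b

def peers_without_tunnel_group(config):
    """Crypto map peers that have no 'tunnel-group <ip> type ipsec-l2l' entry."""
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))
    return sorted(peers - groups)

if __name__ == "__main__":
    for label, cfg in (("remote 5505", REMOTE_5505), ("local 5550", LOCAL_5550)):
        print(label, "peers lacking a tunnel-group:", peers_without_tunnel_group(cfg))
    for src, dst in sorted(unmirrored(REMOTE_5505, LOCAL_5550)):
        print("no mirror for:", src, "->", dst)
```

A peer with no matching tunnel-group is not always an error, because the ASA falls back to DefaultL2LGroup, but then the pre-shared key on that default group is the one that has to match.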