config site-site vpn between cisco router and watchguard firebox700

lylyong · ‎02-24-2007

i need to config ipsec site-site vpn betweent cisco 3745 router and watchguard firebox700.after configuration, i check the phaseI between 3745 and firebox700 already setting up,C3745 gives log below:

Feb 25 2007 08:25:29: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 220.*.*.175

Feb 25 2007 08:26:19: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 172.16.1.12, remote= 220.200.1.175,

local_proxy= 172.16.251.1/255.255.255.255/0/0 (type=1),

remote_proxy= 172.16.251.98/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-sha-hmac (unknown),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Feb 25 2007 08:26:19: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-sha-hmac }

pls help me solve this problem,my ios version is c3745-advipservicesk9-mz.123-14.T7.bin Firebox running version 7.3

ROBERTO TACCON · ‎02-25-2007

Have you check the parameters os the phase II ?

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#tform_not

lylyong · ‎02-25-2007

yeah,i have checked ,both side in ipsec phaseII use esp-3des esp-sha-hmac .i think the key point is here "protocol= ESP, transform= esp-3des esp-sha-hmac (unknown)".i use "show crypto isakmp sa " command in C3745,it shows below

172.16.1.12 220.200.1.175 QM_IDLE 623 0 ACTIVE