01-10-2012 12:36 AM - edited 03-11-2019 03:12 PM
Hi,
I am having an issue establishing an L2L VPN with a remote site. My side is a Cisco ASA 5520 and the other side is a Check Point UTM; the tunnel is not up.
I just wanted to confirm that the configuration on my side is OK.
All the parameters being used are correct on both sides. Any issue with the config below? The default route is pointing to my next GW address. Is an additional default route required for the VPN to reach the remote LAN, something like pointing to the remote peer address?
To give a brief idea: the front-end device is a router acting as GW, where the internet and other WAN connections terminate. The ASA is behind the GW router; the outside interface of the ASA and the LAN interface of the GW router have public IPs. The LAN switch is connected to the ASA.
access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outsideinterface_map_1 20 match address outsideinterface_cryptomap_20_1
crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 20 set transform-set ESP-3DES-MD5
crypto map outsideinterface_map_1 40 match address outsideinterface_cryptomap_40
crypto map outsideinterface_map_1 40 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 40 set transform-set ESP-3DES-MD5
crypto map outsideinterface_map_1 interface outsideinterface
isakmp identity address
isakmp enable outsideinterface
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 61.95.xxx.xxx type ipsec-l2l
tunnel-group 61.95.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 61.95.xxx.xxx
Thanks
01-10-2012 01:27 AM
Comments:
1) You have 2 crypto maps; the only thing that differs between them is that they reference a different transform-set, and the only difference between the transform-sets is the hash. You can configure more than one encryption and/or hash in a transform set; I suggest you do that and remove crypto map 40.
2) You have not posted your NAT config and, more importantly, the no-nat.
3) You have not shown the "interesting traffic" ACL, so we cannot confirm that it is correct against your no-nat.
HTH
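The points in this reply (two crypto map entries for one peer, and the crypto ACL versus the nat 0 ACL) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it parses the relevant lines of the configuration posted in the question (peer address masked as in the post) and reports the inconsistencies a reviewer would look for, including the crypto ACL `outsideinterface_cryptomap_20_1` that crypto map entry 20 references but that is never defined.

```python
import re
from collections import defaultdict

# Constructed input: the configuration posted in the question, peer masked as in the post.
POSTED_CONFIG = """
access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound
crypto map outsideinterface_map_1 20 match address outsideinterface_cryptomap_20_1
crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 40 match address outsideinterface_cryptomap_40
crypto map outsideinterface_map_1 40 set peer 61.95.xxx.xxx
tunnel-group 61.95.xxx.xxx type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")

def check_config(text):
    acls = defaultdict(set)        # ACL name -> {(src, dst), ...}
    entries = defaultdict(dict)    # (map name, seq) -> {"match": acl, "peer": ip}
    l2l_peers, nat0_acls = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls[m[1]].add((m[2], m[3]))
        elif m := MAP_RE.match(line):
            entries[(m[1], int(m[2]))]["match" if m[3] == "match address" else "peer"] = m[4]
        elif m := TG_RE.match(line):
            l2l_peers.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[1])
    findings, by_peer = [], defaultdict(list)
    nat0 = set().union(*(acls[a] for a in nat0_acls if a in acls))
    for (name, seq), e in sorted(entries.items()):
        acl, peer = e.get("match"), e.get("peer")
        if acl not in acls:
            findings.append(f"{name} {seq}: crypto ACL {acl} is not defined")
        if peer not in l2l_peers:
            findings.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l' for its peer")
        by_peer[peer].append(seq)
        # every interesting-traffic pair must also be NAT-exempted by the nat 0 ACL
        for pair in acls.get(acl, ()):
            if pair not in nat0:
                findings.append(f"{name} {seq}: {pair} is in the crypto ACL but not in the nat 0 ACL")
    findings.extend(f"peer {p} is referenced by crypto map entries {s}; merge them into one"
                    for p, s in by_peer.items() if len(s) > 1)
    return findings
```

Run on the posted config it reports the undefined ACL for entry 20 and the duplicated peer across entries 20 and 40; once entry 40 is removed and entry 20 points at a defined ACL, it reports nothing.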
01-10-2012 03:06 AM
Hi,
Thanks for the reply.
Both are mentioned above, as given below.
access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound
01-10-2012 03:26 AM
That looks fine
01-10-2012 03:32 AM
Thanks. The tunnel is still down, not even phase one.
sh crypto isakmp sa
There are no isakmp sas
Is it because of any issue with the remote site? They are using a Check Point UTM; is the multivendor setup causing any issue?
Any thoughts?
01-10-2012 03:46 AM
What troubleshooting have you performed? What debugs have you captured?
01-10-2012 03:58 AM
Please see below the output of debug crypto isakmp.
Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x3805ac8, mess id 0xf0dcf0a4)!
Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:53 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x3805ac8, mess id 0x7f48a5ec)!
Jan 10 04:00:53 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:55 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4c942d0, mess id 0x869e9e2f)!
Jan 10 04:00:55 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:57 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4921848, mess id 0x8cc099c6)!
Jan 10 04:00:57 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:59 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4823700, mess id 0xae5b6bf3)!
Jan 10 04:00:59 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
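A small triage of the debug output above, added here as an example and not part of the thread. It groups the [IKEv1] lines per peer, counts the QM FSM errors (QM is Quick Mode, i.e. phase 2, so their presence means phase 1 did complete) and checks whether the peer address seen in the debug matches a configured peer; CONFIGURED_PEERS is an assumed value, masked as in the question, which is why the sample reports a mismatch.

```python
import re
from collections import defaultdict

# Constructed sample: two of the lines from the debug output posted above.
SAMPLE_DEBUG = """\
Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x3805ac8, mess id 0xf0dcf0a4)!
Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
"""
# Assumed: the peer addresses that have a crypto map 'set peer' and an ipsec-l2l
# tunnel-group; the value is masked here exactly as in the question.
CONFIGURED_PEERS = {"61.95.xxx.xxx"}

DEBUG_RE = re.compile(r"\[IKEv1\]: Group = (\S+), IP = (\S+), (.*)$")
MSG_ID_RE = re.compile(r"mess id (0x[0-9a-fA-F]+)")

def triage(debug_text, configured_peers):
    """Summarise IKEv1 debug lines per peer and say which phase is failing."""
    per_peer = defaultdict(lambda: {"qm_errors": 0, "message_ids": set(), "other": 0})
    for line in debug_text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        _group, ip, msg = m.groups()
        stats = per_peer[ip]
        if msg.startswith("QM FSM error"):
            # QM = Quick Mode (phase 2): phase 1 must already have completed
            stats["qm_errors"] += 1
            if mid := MSG_ID_RE.search(msg):
                stats["message_ids"].add(mid[1])
        else:
            stats["other"] += 1
    report = {}
    for ip, stats in per_peer.items():
        if stats["qm_errors"]:
            verdict = ("phase 1 completed, phase 2 (Quick Mode) failing: compare the crypto ACL "
                       "(proxy IDs) and IPsec transform-set with the peer's definition")
        else:
            verdict = "no Quick Mode errors seen for this peer"
        if ip not in configured_peers:
            verdict += f"; {ip} does not match any configured crypto map peer / tunnel-group"
        report[ip] = {"verdict": verdict, **stats}
    return report
```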
01-10-2012 04:02 AM
OK, make sure that:
1) You remove crypto map 40
2) That "crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx" actually is 61.95.143.140
3) That
tunnel-group 61.95.xxx.xxx type ipsec-l2l
tunnel-group 61.95.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 61.95.xxx.xxx
actually are "61.95.143.140"
And confirm your PSK is the same at both ends.
01-10-2012 07:35 PM
Thanks, all is well now...
01-10-2012 11:57 PM
Good