
New Member

Site to Site Tunnel (Urgent)

Hi, I am setting up a site-to-site VPN tunnel with our ISP, so could you guys please check the attached configuration? Tell me if I am missing anything in the configuration. Thanks.

2 ACCEPTED SOLUTIONS
New Member

Re: Site to Site Tunnel (Urgent)

OK, just remove "crypto map outside_map interface outside" and enable it again.

Can you remove PFS on both sides and then try (remove the crypto map and enable it again)? This error normally indicates a PFS mismatch.

Gold

Re: Site to Site Tunnel (Urgent)

Disable PFS. Your ISP is clearly not using it.

And make sure your crypto ACL matches theirs. At first glance, it doesn't. One of their ACL entries is using object groups; make sure you've realized that.

11 REPLIES
New Member

Re: Site to Site Tunnel (Urgent)

Hi,

Please configure your split-tunnel ACL just like the crypto ACL.

Regards

New Member

Re: Site to Site Tunnel (Urgent)

Hi, I am getting this error in the inspection logs:

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Please advise what to do about it.

I requested the configuration from the ISP. The configuration is below:

name 196.44.242.50 VOXIVADC_VPN_Peer
object-group network MTNRwanda
 network-object host 196.44.242.13
 network-object host 172.17.80.247
object-group network VOXIVADC
 network-object host VOXIVADC_VPN_Peer
access-list from-free-in extended permit udp host 196.44.248.66 host VOXIVADC_VPN_Peer eq isakmp
access-list from-free-in extended permit esp host 196.44.248.66 host VOXIVADC_VPN_Peer
access-list MTNVPNVOXIVA extended permit ip object-group MTNRwanda object-group VOXIVADC
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.50.0 255.255.255.0
access-list MTNVPNVOXIVA extended permit ip host 172.17.80.247 192.168.51.0 255.255.255.0
nat (outside) 0 access-list MTNVPNVOXIVA
crypto ipsec transform-set ASPECT_MTNR esp-des esp-md5-hmac
crypto map ASPECT_MTNR 170 match address MTNVPNVOXIVA
crypto map ASPECT_MTNR 170 set peer VOXIVADC_VPN_Peer
crypto map ASPECT_MTNR 170 set transform-set ASPECT_MTNR
crypto map ASPECT_MTNR 170 set security-association lifetime kilobytes 10000
crypto map ASPECT_MTNR interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group 196.44.242.50 type ipsec-l2l
tunnel-group 196.44.242.50 ipsec-attributes
 pre-shared-key *

Please advise where we are making a mistake.

New Member

Re: Site to Site Tunnel (Urgent)

Please respond urgently.

New Member

Re: Site to Site Tunnel (Urgent)

Why did you put "nat (outside) 0 access-list MTNVPNVOXIVA"?

It should be "nat (inside) 0 access-list MTNVPNVOXIVA".

New Member

Re: Site to Site Tunnel (Urgent)

OK, but what does the following error mean?

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

New Member

Re: Site to Site Tunnel (Urgent)

Probably the PFS or the ACL is not matching on both sides.

Please check this as well.

New Member

Re: Site to Site Tunnel (Urgent)

No. Any other solution?

New Member

Re: Site to Site Tunnel (Urgent)

All, thank you very much; the issue has now been solved. Thanks once again.

New Member

Re: Site to Site Tunnel (Urgent)

No worries:)
