03-18-2008 11:58 PM - edited 02-21-2020 01:56 AM
Hi all,
I have a problem with a LAN-to-LAN connection from my Active/Standby 5510s with the Sec Plus license.
The config on the firewall is this:
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-128-SHA ESP-AES-128-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set reverse-route
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 1.1.1.1
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto map Outside_map 1 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp disconnect-notify
and on the router it is this:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key key-here address 10.10.10.10
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set FrasersVersion esp-aes 256 esp-sha-hmac
crypto ipsec transform-set fraser2 esp-aes esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 10.10.10.10
set transform-set FrasersVersion strong-des fraser2
set pfs group2
match address 150
but I still get errors such as those in the log file below.
As soon as it builds the tunnel everything works fine, but a few seconds later it all falls down :-(
What am I missing?
Please help.
03-19-2008 05:18 AM
Hi
Since you have not given the full config, I think there is an issue with your peer IPs and also the crypto ACL (as per the logs).
From your ASA config, the set peer is 1.1.1.1, but the log shows 11.11.11.11; please check the crypto ACL as well.
rgds
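Added here as a worked example (not code from the thread, from Cisco, or from either poster): a Python script that reads the ASA and IOS excerpts from the first post, normalizes the two platforms' spellings of the same proposals (ASA `esp-aes-256` against IOS `esp-aes 256`, IOS `encr` against ASA `encryption`), and reports which ISAKMP policies and transform sets the two sides can agree on, which PFS group each crypto map entry proposes, and whether the peer address a log line names is the one the map entry was configured with, the check the reply above suggests. The only facts not on the page are the platform defaults it fills in: IOS leaves defaulted policy lines (hash sha, lifetime 86400) out of the running config, and `set pfs` without a group means group2 on ASA but group1 on IOS. The crypto ACLs are not in the post, so proxy identities are not compared.

```python
"""Cross-check the ASA and IOS crypto excerpts from the post for an IKEv1 LAN-to-LAN tunnel."""
import re

# IOS omits defaulted policy lines from "show run"; ASA prints every attribute, so the
# fill-ins only take effect for the IOS side. "set pfs" without a group is group2 on ASA, group1 on IOS.
ISAKMP_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                          "group": "1", "lifetime": "86400"}
PFS_DEFAULT = {"asa": "group2", "ios": "group1"}
# The two configs from the post, reduced to the lines the checks below read.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 1.1.1.1
crypto map Outside_map 1 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 5
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 2
"""
IOS_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto ipsec transform-set FrasersVersion esp-aes 256 esp-sha-hmac
crypto ipsec transform-set fraser2 esp-aes esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set FrasersVersion strong-des fraser2
 set pfs group2
 match address 150
"""

def normalize_transform(spec):
    """Map ASA 'esp-aes-256 esp-sha-hmac' and IOS 'esp-aes 256 esp-sha-hmac' to one spelling."""
    spec = re.sub(r"esp-aes[- ](\d+)", r"aes-\1", spec)  # esp-aes-256 / esp-aes 256 -> aes-256
    spec = re.sub(r"\besp-aes\b", "aes-128", spec)        # bare esp-aes is 128-bit on both platforms
    spec = re.sub(r"esp-(3des|des)\b", r"\1", spec)
    return tuple(re.sub(r"esp-(sha|md5)-hmac", r"\1", spec).split())

def parse(config):
    """Return (isakmp policies by seq, transform sets by name, the crypto map entry's 'set' attributes)."""
    policies, transforms, cmap, current = {}, {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(ISAKMP_POLICY_DEFAULTS))
        elif line.startswith("crypto "):
            current = None                                     # any other crypto command ends the block
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                transforms[m.group(1)] = normalize_transform(m.group(2))
            m = re.match(r"crypto map \S+ \d+ set (\S+) ?(.*)$", line)  # ASA: one line per attribute
            if m:
                cmap[m.group(1)] = m.group(2)
        elif line.startswith("set "):                          # IOS: attributes nested under the map
            key, _, value = line[4:].partition(" ")
            cmap[key] = value
        elif current is not None and line not in ("", "!"):
            key, _, value = line.partition(" ")
            key = "encryption" if key == "encr" else key       # IOS abbreviation
            current[key] = value.replace(" ", "-")             # IOS "aes 256" -> "aes-256"
    return policies, transforms, cmap

def matching_ike_policies(a, b):
    """(seq_a, seq_b) pairs agreeing on every attribute IKEv1 negotiates; lifetime is left out
    because the peers settle on the shorter value instead of failing."""
    keys = ("authentication", "encryption", "hash", "group")
    return [(x, y) for x, pa in a.items() for y, pb in b.items() if all(pa[k] == pb[k] for k in keys)]

def matching_transforms(cmap_a, ts_a, cmap_b, ts_b):
    """Phase 2 proposals that both map entries offer."""
    def offered(cmap, ts):
        return {ts[name] for name in cmap.get("transform-set", "").split()}
    return sorted(offered(cmap_a, ts_a) & offered(cmap_b, ts_b))

def pfs_group(cmap, platform):
    # PFS group the entry proposes, or 'off' when 'set pfs' is absent entirely.
    return "off" if "pfs" not in cmap else (cmap["pfs"] or PFS_DEFAULT[platform])

def peer_matches(cmap, observed_peer):
    # True when the address a log line attributes to the peer is one the map entry names.
    return observed_peer in cmap.get("peer", "").split()

if __name__ == "__main__":
    asa_pol, asa_ts, asa_map = parse(ASA_CONFIG)
    ios_pol, ios_ts, ios_map = parse(IOS_CONFIG)
    print("IKE policy pairs that agree:", matching_ike_policies(asa_pol, ios_pol))
    print("Transform sets both sides offer:", matching_transforms(asa_map, asa_ts, ios_map, ios_ts))
    print("PFS (ASA, IOS):", pfs_group(asa_map, "asa"), pfs_group(ios_map, "ios"))
    # 11.11.11.11 is the peer address the reply says the ASA log reports.
    print("Log peer is the configured peer:", peer_matches(asa_map, "11.11.11.11"))
```

Run as a script it prints the four findings; on the excerpts above both phase 1 (policies 20/1 and 100/10) and phase 2 (AES-256/SHA and 3DES/SHA) have common proposals and both sides propose PFS group2, which leaves the peer address and the crypto ACLs, not on the page, as the things to check.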
03-19-2008 07:50 AM