New Member

ASA 5540 to Watchguard VPN

I am trying to configure a VPN to a partner company with a WatchGuard firewall.

I am running a 5540 ASA version 7.2.

It's a pre-shared key config, and passes phase 1. I don't get any debug entries after that and no errors.

A show crypto isakmp sa gives the following:

19  IKE Peer: 64.xxx.xxx.xxx
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

But a show crypto ipsec doesn't have it listed anywhere.

My crypto config is as follows:

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_xxxxx_cryptomap
crypto map outside_map 100 set peer 64.xxx.xxx.xxx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp nat-traversal 20

My tunnel config is as follows:

tunnel-group 64.xxx.xxx.xxx type ipsec-l2l
tunnel-group 64.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive disable

2 REPLIES
Bronze

Re: ASA 5540 to Watchguard VPN

Clear the SA using the command "clear crypto isakmp sa" and re-enter the pre-shared keys. If this does not work, remove and re-apply the crypto maps. The following link may help you:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Cisco Employee

Re: ASA 5540 to Watchguard VPN

Can you post the "deb cry is" and "deb cry ipsec" when you try and bring up the tunnel?

Regards,

Arul
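A consistency check for the situation in the question, where phase 1 reaches MM_ACTIVE but no IPsec SA appears: it cross-references each static crypto map entry against the access-list, tunnel-group and transform-set definitions present in the pasted text. This is an added example, not part of the thread and not a Cisco tool; the function name `check_crypto_maps` is hypothetical, and the sample is the question's excerpt as posted, which does not include the access-list.

```python
import re

# Constructed sample: crypto map and tunnel-group lines as posted in the
# question, with the masked peer address and ACL name left as they appear.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_xxxxx_cryptomap
crypto map outside_map 100 set peer 64.xxx.xxx.xxx
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group 64.xxx.xxx.xxx type ipsec-l2l
"""

def check_crypto_maps(config):
    """Return (map, seq, problem) tuples for static crypto map entries."""
    defined = lambda pattern: set(re.findall(pattern, config, re.M))
    tsets = defined(r"^crypto ipsec transform-set (\S+)")
    acls = defined(r"^access-list (\S+)")
    groups = defined(r"^tunnel-group (\S+) type ipsec-l2l")
    entries = {}
    # "crypto map NAME interface IF" has no sequence number and is skipped.
    for name, seq, rest in re.findall(r"^crypto map (\S+) (\d+) (.+)$", config, re.M):
        e = entries.setdefault((name, int(seq)),
                               {"acl": [], "peer": [], "tset": [], "dynamic": False})
        w = rest.split()
        if w[:2] == ["match", "address"]:
            e["acl"] += w[2:]
        elif w[:2] == ["set", "peer"]:
            e["peer"] += w[2:]
        elif w[:2] == ["set", "transform-set"]:
            e["tset"] += w[2:]
        elif w[:2] == ["ipsec-isakmp", "dynamic"]:
            e["dynamic"] = True
    problems = []
    for (name, seq), e in sorted(entries.items()):
        if e["dynamic"]:
            continue  # settings live under "crypto dynamic-map"; not checked here
        for key, known, label in (("acl", acls, "access-list"),
                                  ("peer", groups, "L2L tunnel-group for peer"),
                                  ("tset", tsets, "transform-set")):
            if not e[key]:
                problems.append((name, seq, f"no {label} configured"))
            problems += [(name, seq, f"{label} {v} not defined in this text")
                         for v in e[key] if v not in known]
    return problems

if __name__ == "__main__":
    print(check_crypto_maps(SAMPLE_CONFIG))
```

A reported item means only that the definition is absent from the text that was checked, so run it over the full running configuration rather than an excerpt.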
