
L2L Connection Problem on ASA 5510

dmooregfb
Level 5

I have set up 2 VPN connections: one to a vendor's 3000 concentrator and the second to a branch office.

The branch office connects with a L2L type; however, my vendor's connection is a "user" type. I have rebuilt the connection and the same thing happens.

Screen scrape of the sh crypto isa:

    1   IKE Peer: 68.xxx.xxx.xxx
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 12.xxx.xxx.xxx
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2

The only difference in the config is that the vendor is using a transform set of

    crypto ipsec transform-set vendor esp-aes esp-md5-hmac

and the branch is using

    crypto ipsec transform-set branch esp-3des esp-sha-hmac

Any help?

Accepted Solutions

smahbub
Level 6

Acceptable transform set combinations are listed below:

1) ah-md5-hmac

2) esp-des

3) esp-3des and esp-md5-hmac

4) ah-sha-hmac and esp-des and esp-sha-hmac

5) comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)

6) esp-seal and esp-md5-hmac

Try using "esp-3des esp-sha-hmac" or "esp-aes and esp-md5-hmac" at both vendor and branch ends.

Refer to the following URL for more info:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199028

Thanks for the response. You are correct. The vendor side was not set correctly. We reconfigured both sides to esp-aes and esp-md5-hmac and the problem was resolved.
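
The check discussed in this thread, as an added example that is not part of the original posts: a Python sketch that parses the `sh crypto isa` output from the question, lists peers that have not reached an active state, and reports local transform sets that have no identical counterpart on the peer. `REMOTE_CFG` is a constructed sample that assumes the peer's settings have been written out in the same syntax; the function names are hypothetical.

```python
import re

# Copied from the post above (addresses masked as posted).
SA_OUTPUT = """\
1   IKE Peer: 68.xxx.xxx.xxx
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 12.xxx.xxx.xxx
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
LOCAL_CFG = "crypto ipsec transform-set vendor esp-aes esp-md5-hmac\n"
# Constructed sample: the peer's settings written in the same syntax (assumption).
REMOTE_CFG = "crypto ipsec transform-set peer-side esp-3des esp-sha-hmac\n"

def parse_ike_sas(text):
    """Return one dict per IKE peer with Peer, Type, Role, Rekey and State."""
    peers = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            peers.append({"Peer": m.group(1)})
        elif peers:
            # Each detail line holds two "Key : value" pairs.
            peers[-1].update(re.findall(r"(\w+)\s*:\s*(\S+)", line))
    return peers

def stuck_peers(peers):
    """Peers whose IKE negotiation has not reached an *_ACTIVE state."""
    return [p["Peer"] for p in peers if not p.get("State", "").endswith("_ACTIVE")]

def transform_sets(cfg):
    """Map transform-set name -> frozenset of its transforms."""
    sets = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set\s+(\S+)\s+(.+)", line)
        if m and not m.group(2).startswith("mode"):
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets

def unmatched(local_cfg, remote_cfg):
    """Local set names with no identical set of transforms on the peer.
    Names are locally significant, so only the transforms are compared."""
    remote = set(transform_sets(remote_cfg).values())
    return sorted(n for n, t in transform_sets(local_cfg).items() if t not in remote)

if __name__ == "__main__":
    print("not established:", stuck_peers(parse_ike_sas(SA_OUTPUT)))
    print("no matching peer set:", unmatched(LOCAL_CFG, REMOTE_CFG))
```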
