04-30-2008 11:24 AM - edited 02-21-2020 02:00 AM
I have set up 2 VPN connections; one to a vendor's 3000 concentrator and the second to a branch office.
The branch office connects with a L2L type, however my vendor's connection is a "user" type. I have rebuilt the connection and the same thing happens.
Screen scrape of the sh crypto isa:
1 IKE Peer: 68.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.xxx.xxx.xxx
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
The only difference in the config is the vendor is using a transform set of
crypto ipsec transform-set vendor esp-aes esp-md5-hmac
and the branch is using
crypto ipsec transform-set branch esp-3des esp-sha-hmac
Any help?
05-07-2008 06:19 AM
Acceptable transform set combinations are listed below:
1) ah-md5-hmac
2) esp-des
3) esp-3des and esp-md5-hmac
4) ah-sha-hmac and esp-des and esp-sha-hmac
5) comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)
6) esp-seal and esp-md5-hmac
Try using "esp-3des esp-sha-hmac" or "esp-aes and esp-md5-hmac" at both vendor and branch ends.
Refer to the following URL for more info:
http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199028
05-07-2008 06:26 AM
Thanks for the response. You are correct. The vendor side was not set correctly. We reconfigured both sides to esp-aes and esp-md5-hmac and the problem was resolved.
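Added example (not part of the original thread and not Cisco tooling): a small Python check that parses `crypto ipsec transform-set` lines from two peers' configurations and reports whether a given local set has an identical counterpart on the other end, which is the condition the fix above restored. The peer configurations and the set name `TO_CUSTOMER` are constructed for illustration; the local lines are the ones posted in the question.

```python
import re

# Local side: the two lines posted in the question.
LOCAL_CFG = """
crypto ipsec transform-set vendor esp-aes esp-md5-hmac
crypto ipsec transform-set branch esp-3des esp-sha-hmac
"""
# Constructed peer configs (hypothetical, not from the thread's devices).
PEER_BEFORE = "crypto ipsec transform-set TO_CUSTOMER esp-3des esp-md5-hmac\n"
PEER_AFTER = "crypto ipsec transform-set TO_CUSTOMER esp-aes esp-md5-hmac\n"

# Also accepts the "ikev1" keyword used in newer ASA syntax.
LINE_RE = re.compile(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)")


def parse_transform_sets(config):
    """Return {set_name: frozenset(transforms)} for each transform-set line."""
    sets = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def compare(local_cfg, local_name, peer_cfg):
    """Compare one local transform set against every set on the peer.

    Returns (matches, diffs): names of identical peer sets, and for each
    non-identical peer set the transforms only local / only peer has.
    """
    local = parse_transform_sets(local_cfg)[local_name]
    matches, diffs = [], {}
    for name, transforms in parse_transform_sets(peer_cfg).items():
        if transforms == local:
            matches.append(name)
        else:
            diffs[name] = (sorted(local - transforms), sorted(transforms - local))
    return matches, diffs


if __name__ == "__main__":
    for label, peer in (("before", PEER_BEFORE), ("after", PEER_AFTER)):
        matches, diffs = compare(LOCAL_CFG, "vendor", peer)
        print(label, "matches:", matches, "differences:", diffs)
```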