Cisco Support Community
New Member

L2L Connection Problem on ASA 5510

I have setup 2 VPN connections; one to a vendor's 3000 concentrator and the second to a branch office.

The branch office connects with a L2L type, however my vendor's connection is a "user" type. I have rebuilt the connection and the same thing happens.

Screen scrape of the sh crypto isa

1 IKE Peer: 68.xxx.xxx.xxx

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

2 IKE Peer: 12.xxx.xxx.xxx

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

The only difference in the config is that the vendor is using a transform set of

crypto ipsec transform-set vendor esp-aes esp-md5-hmac

and the branch is using

crypto ipsec transform-set branch esp-3des esp-sha-hmac

Any help?

1 ACCEPTED SOLUTION

Silver

Re: L2L Connection Problem on ASA 5510

Acceptable transform set combinations are listed below:

1) ah-md5-hmac

2) esp-des

3) esp-3des and esp-md5-hmac

4) ah-sha-hmac and esp-des and esp-sha-hmac

5) comp-lzs and esp-sha-hmac and esp-aes (In general, the comp-lzs transform set can be included with any other legal combination that does not already include the comp-lzs transform.)

6) esp-seal and esp-md5-hmac

Try using "esp-3des esp-sha-hmac" or "esp-aes and esp-md5-hmac" at both vendor and branch ends.

Refer to the following URL for more info:

http://www.cisco.com/en/US/docs/ios/12_3t/secur/command/reference/sec_c2gt.html#wp1199028

2 REPLIES

New Member

Re: L2L Connection Problem on ASA 5510

Thanks for the response. You are correct. The vendor side was not set correctly. We reconfigured both sides to esp-aes and esp-md5-hmac and the problem was resolved.
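The check that resolved this thread, as an added example that is not part of the original posts: a Python sketch that reads the `sh crypto isa` table from the question to list peers that have not reached MM_ACTIVE, then compares the `crypto ipsec transform-set` lines from both ends of a tunnel. The vendor-side line and the name `to-customer` are constructed for illustration, since the thread never shows the vendor's configuration.

```python
import re

SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)"
    r"\s+Rekey\s*:\s*\S+\s+State\s*:\s*(?P<state>\S+)"
)
TS_RE = re.compile(
    r"^\s*crypto ipsec transform-set[ \t]+(\S+)[ \t]+(\S.*?)[ \t]*$", re.M
)

def stalled_peers(show_output):
    """Return (peer, type, role, state) for each SA that has not reached MM_ACTIVE."""
    return [
        (m["peer"], m["type"], m["role"], m["state"])
        for m in SA_RE.finditer(show_output)
        if m["state"] != "MM_ACTIVE"
    ]

def transform_sets(config):
    """Map transform-set name -> frozenset of its transforms (order is irrelevant)."""
    sets = {}
    for name, body in TS_RE.findall(config):
        transforms = body.split()
        if transforms[0] != "mode":  # "... mode transport" lines name no algorithms
            sets[name] = frozenset(transforms)
    return sets

def common_proposals(local_cfg, remote_cfg):
    """Transform combinations defined on both peers; an empty set means no overlap."""
    return set(transform_sets(local_cfg).values()) & set(transform_sets(remote_cfg).values())

# SA table and local transform sets as posted in the question.
SHOW_OUTPUT = """\
1 IKE Peer: 68.xxx.xxx.xxx
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.xxx.xxx.xxx
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
"""
LOCAL_CFG = """\
crypto ipsec transform-set vendor esp-aes esp-md5-hmac
crypto ipsec transform-set branch esp-3des esp-sha-hmac
"""
# Constructed: the thread never shows the vendor's configuration.
VENDOR_CFG = "crypto ipsec transform-set to-customer esp-aes esp-sha-hmac\n"

if __name__ == "__main__":
    print("not MM_ACTIVE:", stalled_peers(SHOW_OUTPUT))
    print("shared transform sets:", common_proposals(LOCAL_CFG, VENDOR_CFG) or "none")
```

The comparison covers only the IPsec transform sets named in the configuration text; it does not inspect IKE policies or which transform set a crypto map actually references.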
