02-05-2008 01:06 AM - edited 02-21-2020 03:32 PM
I currently have a site to site VPN tunnel (VPN1) between HK (PIX ver 6.1(2)) & Leeds (ASA version 7.2(2)). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a PIX 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shutdown VPN1 when VPN2 is up.
On the HK PIX I am using the same isakmp policy, transform-set and have created another crypto map for the new VPN (VPN2).
On passing interesting traffic to establish the new tunnel for the Leeds end, I am getting the following debugging errors.
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!
Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!
Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Site HK - PIX1(192.168.0.1)
crypto ipsec transform-set chevvie esp-des esp-md5-hmac
(crypto map for existing VPN (VPN1))
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
(New crypto map for new VPN (VPN2))
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
isakmp enable outside
isakmp key ****** address 192.168.0.2 netmask 255.255.255.255
isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
Site - Leeds PIX2 (192.168.0.3)
crypto ipsec transform-set ford esp-des esp-md5-hmac
crypto map VPNHK 2 match address outside_crypto_acl
crypto map VPNHK 2 set peer 192.168.0.1
crypto map VPNHK 2 set transform-set ford
crypto map VPNHK interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
isakmp am-disable
tunnel-group 192.168.0.1 type ipsec-l2l
tunnel-group 192.168.0.1 ipsec-attributes
pre-shared-key ev0lut10n
sysopt connection permit-ipsec
Your assistance will be greatly appreciated.
02-06-2008 04:52 AM
How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.
Peter
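The overlap Peter points out (two entries of the same crypto map matching the same ACL but pointing at different peers) can be caught mechanically before the tunnel is brought up. The script below is an added example written for this thread, not code from the original post or from Cisco: it parses the HK crypto map lines as posted and flags any ACL that is shared by crypto map entries with differing peers. The second configuration, which gives entry 2 its own ACL 102, is an assumed corrected version for comparison and is not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the HK PIX crypto map as posted in the thread. Both
# entries of map "transam" match ACL 101 but point at different peers.
HK_CRYPTO_MAP_AS_POSTED = """
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
"""

# Hypothetical corrected version (assumption, not from the thread): entry 2
# matches its own ACL, 102, so each peer is selected by a distinct traffic set.
HK_CRYPTO_MAP_FIXED = """
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 102
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
"""

# Matches "crypto map <name> <seq> <rest>"; the interface binding line has no
# sequence number and is deliberately skipped.
ENTRY_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")


def parse_crypto_maps(config):
    """Return {(map_name, seq): {"acl": str or None, "peers": [str, ...]}}."""
    entries = defaultdict(lambda: {"acl": None, "peers": []})
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = entries[(m["name"], int(m["seq"]))]
        rest = m["rest"].split()
        if rest[:2] == ["match", "address"] and len(rest) >= 3:
            entry["acl"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peers"].extend(rest[2:])
    return dict(entries)


def find_shared_acls(config):
    """Return [(map_name, acl, [(seq, peers), ...])] for every ACL that is
    referenced by more than one entry of the same crypto map while those
    entries do not all point at the same peer(s)."""
    by_acl = defaultdict(list)
    for (name, seq), entry in parse_crypto_maps(config).items():
        if entry["acl"] is not None:
            by_acl[(name, entry["acl"])].append((seq, tuple(entry["peers"])))
    findings = []
    for (name, acl), uses in sorted(by_acl.items()):
        distinct_peer_sets = {peers for _, peers in uses}
        if len(uses) > 1 and len(distinct_peer_sets) > 1:
            findings.append((name, acl, sorted(uses)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", HK_CRYPTO_MAP_AS_POSTED),
                       ("fixed", HK_CRYPTO_MAP_FIXED)):
        for name, acl, uses in find_shared_acls(cfg):
            print(f"[{label}] crypto map {name}: ACL {acl} shared by entries "
                  + ", ".join(f"seq {seq} -> peer {' '.join(peers)}"
                              for seq, peers in uses))
```

Crypto map entries are evaluated in sequence-number order and the first entry whose ACL matches the traffic wins, so with both entries matching ACL 101 the lower sequence (peer 192.168.0.2) is always chosen and the new peer is never selected; the check reports exactly that situation and stays silent for the variant where each entry has its own ACL.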