Cisco Support Community
Community Member

Crypto L2L problem



I was hoping somebody could help me with the problem I have with creating a site-to-site tunnel.


The site I am working on has an ASA 5505+ whose VPN works, but another site (which I do not have access to) wants L2L configuring and they only use a Fortigate router.

I'm still learning ASA, but I have succeeded with other sites in creating a tunnel; those were ASA to ASA.


This is the info the Fortigate router is configured with for the tunnel:

Phase 1 –

Encryption = 3DES , Authentication = SHA1 DH Group = 5 Keylife = 86400 NAT Traversal enabled

Phase 2 –

Encryption = AES256, Authentication = SHA1 Enable PFS DH Group = 5 Keylife = 3600 Our source address = /24  to their destination address = /24


This is what I have created on the ASA:

access-list nonat extended permit ip

access-list TEST extended permit ip


crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac

crypto ipsec transform-set S2SSET esp-aes-256 esp-sha-hmac

crypto dynamic-map dynmap 100 set transform-set VPNSET

crypto dynamic-map dynmap 120 set pfs

crypto map BBMAP 1 match address TEST

crypto map BBMAP 1 set pfs group1

crypto map BBMAP 1 set peer

crypto map BBMAP 1 set transform-set S2SSET

crypto map BBLMAP 10 set security-association lifetime seconds 3600

crypto map BBMAP 65535 ipsec-isakmp dynamic dynmap

crypto map BBMAP interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp policy 20

 authentication pre-share

 encryption 3des

 hash sha

 group 5

 lifetime 86400

crypto isakmp nat-traversal  20


I created isakmp policy 20 for the tunnel.


tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

 pre-shared-key *


This is the log for debug isakmp:


Mar 26 19:03:14 [IKEv1]: Group =, IP =, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
Mar 26 19:03:16 [IKEv1]: Group =, IP =, Removing peer from peer table failed, no match!
Mar 26 19:03:16 [IKEv1]: Group =, IP =, Error: Unable to remove PeerTblEntry
Mar 26 19:03:19 [IKEv1]: Group =, IP =, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0


Any help would be appreciated.

Community Member


I've edited crypto map BBLMAP 10 set security-association lifetime seconds 3600 to crypto map BBLMAP 1 set security-association lifetime seconds 3600



I see a couple of things that you might want to take a look at.

- Looking at the debug output, it says that the pre-shared key configured on the Fortigate and ASA might be different. They need to be the same, you might want to check the keys again.

- The access-list for no-nat traffic should be permitting traffic from your side destined to the remote end. Only this specific traffic will not be NATted. Your current no-nat ACL is saying the other way around.

- Your DH group values for phase 2 on the Fortigate and ASA are different. From what I understand, they need to be the same.


Community Member


Thank you for the reply.


I am waiting for confirmation from the Fortigate site regarding the pre-shared key.

As for the nonat ACL, I thought all I needed to do was them coming in and they do the reverse at their end?

DH on phase 2: I created policy 20 for this, as policy 10 is for the VPNSET; will this not work?


Thank you again.


The purpose of the nonat ACL is actually to prevent the ASA from NATting the IP addresses that are going through the tunnel.

Crypto isakmp policy is the policy for VPN phase 1; both ends need to have the same policy. Crypto map is where the policy for phase 2 is. Phase 2 will only take place after phase 1 is completed/successful.

See the following configuration example to understand better how the process works: link

You are welcome, please rate if you find it helpful.
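As an added example (not code from the thread), here is a small Python check that parses the ASA lines posted above and compares them with the Fortigate parameters from the first post. It shows that isakmp policy 20 satisfies phase 1, while the crypto map's PFS group1 does not match the Fortigate's DH group 5, which is the phase 2 mismatch the reply points out. The dictionary layout and function names are my own.

```python
import re

# Constructed copy of the ASA lines from the thread that decide the proposals;
# the peer address and ACL networks are elided on the page and not needed here.
ASA_CONFIG = """\
crypto ipsec transform-set S2SSET esp-aes-256 esp-sha-hmac
crypto map BBMAP 1 set pfs group1
crypto map BBMAP 1 set transform-set S2SSET
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 20
 encryption 3des
 hash sha
 group 5
"""
# The Fortigate parameters from the first post, written in ASA vocabulary.
FORTIGATE = {
    "phase1": {"encryption": "3des", "hash": "sha", "group": "5"},
    "phase2": {"transform": ("esp-aes-256", "esp-sha-hmac"), "pfs": "group5"},
}

def parse_asa(text):
    """Return (isakmp policies, transform-sets, crypto-map entries) from ASA config text."""
    policies, transforms, maps, current = {}, {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = policies.setdefault(m.group(1), {})   # start of a phase-1 policy
        elif line.startswith(" ") and current is not None:
            key, val = line.split(None, 1)                   # e.g. " group 5"
            current[key] = val
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            transforms[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto map (\S+) (\d+) set (pfs|transform-set) (\S+)", line):
            entry = maps.setdefault((m.group(1), m.group(2)), {})
            entry["pfs" if m.group(3) == "pfs" else "transform"] = m.group(4)
    return policies, transforms, maps

def mismatches(policies, transforms, maps, remote):
    """Phase 1 needs ANY isakmp policy to match; phase 2 needs transform-set AND PFS to match."""
    out, p1, p2 = [], remote["phase1"], remote["phase2"]
    if not any(all(pol.get(k) == v for k, v in p1.items()) for pol in policies.values()):
        out.append(f"phase1: no isakmp policy matches {p1}")
    for (name, seq), entry in maps.items():
        ts = transforms.get(entry.get("transform"))
        if ts != p2["transform"]:
            out.append(f"phase2 {name} {seq}: transform {ts} != {p2['transform']}")
        if entry.get("pfs") != p2["pfs"]:
            out.append(f"phase2 {name} {seq}: pfs {entry.get('pfs')} != {p2['pfs']}")
    return out
```

Running `mismatches(*parse_asa(ASA_CONFIG), FORTIGATE)` reports only the PFS line; a mismatched pre-shared key, as in the debug output, cannot be seen from the config and has to be checked with the peer.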
