I get an error message when debugging an ipsec-l2l tunnel

TOR PRETORIUS
Level 1

Hi

Can someone help me understand the debug message?
I get an error message when debugging an ipsec-l2l tunnel

I've been trying to set up an ASA5520 with an ipsec-l2l to an IOS router 1721

======= Router 1721 =====


Cisco 1721 (flash:c1700-k9o3sy7-mz.123-2.XC2.bin)
outside 80.89.47.102
inside 10.100.110.1 255.255.255.0

debug crypto ipsec
debug crypto isakmp

---------- config ---------
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 0 1234567890 address 128.39.189.10
!
!
crypto ipsec transform-set pix-set esp-3des
!
crypto map asa 10 ipsec-isakmp
 set peer 128.39.189.10
 set transform-set pix-set
 match address 101
!
!
interface FastEthernet0
 description outside-interface
 ip address 80.89.47.102 255.255.255.252
 ip nat outside
 crypto map asa
!
interface Vlan10
 description inside
 ip address 10.100.110.1 255.255.255.0
 ip nat inside
!
!
ip nat inside source route-map nonat interface FastEthernet0 overload
!
access-list 101 permit ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
!
access-list 110 deny   ip 10.100.110.0 0.0.0.255 10.100.4.0 0.0.3.255
access-list 110 permit ip 10.100.110.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!

========= ASA Config ========

Cisco 5520 ASA Version 8.2(1)
outside 128.39.189.10
inside  10.100.4.255 255.255.252.0

debug crypto ipsec
debug crypto isakmp

----- Config -----
!
access-list nonat extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
access-list outside110 extended permit ip 10.100.4.0 255.255.252.0 10.100.110.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 11 match address outside110
crypto map outside_map 11 set peer 80.89.47.102
crypto map outside_map 11 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec
!
tunnel-group 80.89.47.102 type ipsec-l2l
tunnel-group 80.89.47.102 ipsec-attributes
 pre-shared-key 1234567890


Regards
Tor

Accepted Solutions

busterswt
Level 1

Do you have a transform set on the ASA named ESP-3DES-MD5? Your crypto map refers to this but I don't see it listed in the config you posted. I don't have much experience with the routers, but is MD5 the default hashing algorithm (and why it's not listed)?

James

Yes, I have it in the configuration, but missed it when copying the text...

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

I don't know if this will help, but on the router you might try changing the transform set just in case sha is the default and not md5:

from: crypto ipsec transform-set pix-set esp-3des

to: crypto ipsec transform-set pix-set esp-3des esp-md5-hmac

Thank you for your help! Now the VPN works fine!!

Fantastic! Thanks for letting me know

- James
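
The two points raised in this thread (a crypto map referring to a transform set that is not defined, and the two peers listing different transforms) can be checked offline by diffing the configs. The Python below is an added example, not part of the original thread or of any Cisco tool; the function names `proposals` and `compare` are hypothetical, and the config excerpts are copied from the posts above. It compares only the transform lists bound to each crypto map, not lifetimes or other Phase 2 parameters.

```python
import re

# Excerpts copied from the router and ASA configs posted in this thread.
ROUTER_CFG = """\
crypto ipsec transform-set pix-set esp-3des
crypto map asa 10 ipsec-isakmp
 set peer 128.39.189.10
 set transform-set pix-set
 match address 101
"""
ASA_CFG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 11 match address outside110
crypto map outside_map 11 set peer 80.89.47.102
crypto map outside_map 11 set transform-set ESP-3DES-MD5
"""

# Definition line: "crypto ipsec transform-set <name> <transform> [<transform> ...]"
TS_DEF = re.compile(r"^\s*crypto ipsec transform-set (\S+) (.+)$", re.M)
# Reference: IOS sub-command form or ASA one-line "crypto map <name> <seq> set ..." form
TS_USE = re.compile(r"^\s*(?:crypto map \S+ \d+ )?set transform-set (.+)$", re.M)

def proposals(cfg):
    """Map each transform set a crypto map references to its transforms (None if undefined)."""
    defined = {name: frozenset(t.split()) for name, t in TS_DEF.findall(cfg)}
    used = [name for line in TS_USE.findall(cfg) for name in line.split()]
    return {name: defined.get(name) for name in used}

def compare(cfg_a, cfg_b):
    """Return (common proposals, findings) for the two peers' configs."""
    a, b = proposals(cfg_a), proposals(cfg_b)
    findings = [f"transform set {name} is referenced but not defined"
                for side in (a, b) for name, t in side.items() if t is None]
    sets_a = {t for t in a.values() if t}
    sets_b = {t for t in b.values() if t}
    common = sets_a & sets_b
    if not common:
        findings.append("no matching proposal: "
                        f"{sorted(map(sorted, sets_a))} vs {sorted(map(sorted, sets_b))}")
    return common, findings

if __name__ == "__main__":
    for finding in compare(ROUTER_CFG, ASA_CFG)[1]:
        print(finding)
```
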
