Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

IPSec decap error

Hello every one.

I have a funny problem with ASA5510 VPN

I have created two VPN tunnel with two offices.

ASA to D-LINK VPN router

ASA tp 1751 like Router.

both the tunnels are established and I can ping from D-LINK local net to ASA local net but I can not ping from the 1751 local net to ASA local net. the error I am getting is bellow

2 12:04:45 IPSEC_PACKET(decaps):

rec'd IPSEC packet from to does not agree with policy.


where the is from 1751 local lan and is the ASA lan

bellow is my config

ASA for the 1751

access-list SSDT extended permit ip

crypto map VPNmap 30 match address SSDT

crypto map VPNmap 30 set pfs

crypto map VPNmap 30 set peer x.x.x.x

crypto map VPNmap 30 set transform-set ESP-3DES-MD5

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

tunnel-group type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

peer-id-validate nocheck


1751 config

crypto isakmp key cisco y.y.y.y


crypto isakmp policy 1

encryption 3des

group 2

hash md5


crypto ipsec transform-set ts

transform-type esp-3des esp-md5-hmac


crypto map vpn 1 ipsec-isakmp

set peer y.y.y.y

set pfs group2

set security-association lifetime seconds 86400

set transform-set ts

match address vpn

ip access-list extended vpn

permit ip log


nat (inside) 0 access-list NONAT is implemented on the ASA side to exempt local net to go via nat for the remote office LAN.

can any one tell me why I am having this error

I have access-list implementd on the 1751 to block some specific traffic to the internet.


Re: IPSec decap error

crypto map VPNmap 30 set pfs group 2

CreatePlease login to create content