Cisco Support Community
IPSec decap error

Hello everyone.

I have a funny problem with ASA5510 VPN.

I have created two VPN tunnels with two offices.

ASA to D-LINK VPN router

ASA to 1751 like Router.

Both the tunnels are established and I can ping from D-LINK local net to ASA local net, but I can not ping from the 1751 local net to ASA local net. The error I am getting is below:

2 12:04:45 IPSEC_PACKET(decaps):

rec'd IPSEC packet from 192.168.1.2 to 192.168.240.200 does not agree with policy.

(SPI)destaddr=x.x.x.x,prot=-1515870811,spi=a5a5a5a5(-1515870811)

where 192.168.240.200 is from the 1751 local LAN and 192.168.1.2 is the ASA LAN.

Below is my config:

ASA for the 1751

access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0

crypto map VPNmap 30 match address SSDT

crypto map VPNmap 30 set pfs

crypto map VPNmap 30 set peer x.x.x.x

crypto map VPNmap 30 set transform-set ESP-3DES-MD5

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

tunnel-group 202.22.193.176 type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

------

1751 config

crypto isakmp key cisco y.y.y.y 255.255.255.255

!

crypto isakmp policy 1

encryption 3des

group 2

hash md5

!

crypto ipsec transform-set ts

transform-type esp-3des esp-md5-hmac

!

crypto map vpn 1 ipsec-isakmp

set peer y.y.y.y

set pfs group2

set security-association lifetime seconds 86400

set transform-set ts

match address vpn

ip access-list extended vpn

permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log

--

nat (inside) 0 access-list NONAT is implemented on the ASA side to exempt local net to go via nat for the remote office LAN.

Can anyone tell me why I am having this error?

I have an access-list implemented on the 1751 to block some specific traffic to the internet.

1 REPLY

Re: IPSec decap error

crypto map VPNmap 30 set pfs group 2
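
An added example, not part of the original thread: it parses the Phase 2 lines from the two configs posted above and reports where the PFS group and the crypto ACL selectors differ as written. The names `phase2` and `compare` are hypothetical, and masks are compared literally, without interpreting netmask or wildcard semantics.

```python
import re

# Phase 2 lines copied from the two configs posted in the thread above.
ASA = """\
access-list SSDT extended permit ip 192.168.1.0 255.255.255.0 192.168.240.0 255.255.255.0
crypto map VPNmap 30 match address SSDT
crypto map VPNmap 30 set pfs
crypto map VPNmap 30 set transform-set ESP-3DES-MD5
"""
PEER_1751 = """\
crypto map vpn 1 ipsec-isakmp
set pfs group2
set transform-set ts
match address vpn
ip access-list extended vpn
permit ip 192.168.240.0 255.255.255.0 192.168.1.0 255.255.255.0 log
"""

def phase2(config):
    """Extract the PFS group and crypto ACL selector as written in one config."""
    out = {"pfs": None, "selector": None}
    for line in config.splitlines():
        m = re.search(r"\bset pfs(?:\s+group\s*(\d+))?\s*$", line)
        if m:
            # A bare "set pfs" leaves the group to the platform default.
            out["pfs"] = m.group(1) or "unspecified"
        m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            out["selector"] = m.groups()  # (src, src_mask, dst, dst_mask)
    return out

def compare(local, remote):
    """Return a list of Phase 2 differences between the two sides."""
    a, b = phase2(local), phase2(remote)
    findings = []
    if a["pfs"] != b["pfs"]:
        findings.append(f"PFS group as written: {a['pfs']} vs {b['pfs']}")
    if a["selector"] is None or b["selector"] is None:
        findings.append("crypto ACL permit line missing on one side")
    else:
        src, smask, dst, dmask = a["selector"]
        # Literal mirror check only; mask semantics are platform-specific.
        if b["selector"] != (dst, dmask, src, smask):
            findings.append("crypto ACLs are not mirror images")
    return findings

if __name__ == "__main__":
    for finding in compare(ASA, PEER_1751):
        print(finding)
```

Replacing the bare `set pfs` line in `ASA` with the line from the reply makes `compare` return an empty list.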
