Cisco Support Community
New Member

L2L Vpn not establishing.

Hi,

I am trying to set up a site-to-site VPN. My end is a PIX & the other end is a VPN concentrator.

But it seems that the 2nd phase (Quick Mode) is not coming up.

I have uploaded the debug; can someone please analyze it & let me know the cause of the problem?

Thanks in advance!

5 REPLIES
New Member

Re: L2L Vpn not establishing.

Hi,

From the log, I suspect that the IPsec transform-set is not matching between the VPN end-points.

Can you please confirm it?

--Jaffer

New Member

Re: L2L Vpn not establishing.

Hi Jaffer,

Below is the relevant config. I believe everything is alright in the configuration; can you confirm?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

access-list Test permit icmp any any

access-list ICMP permit icmp any any

access-list 101 permit ip 192.168.0.0 255.255.255.0 host 10.212.213.145

ip address outside a.b.c.d 255.255.255.248

ip address inside 192.168.0.4 255.255.255.0

nat (inside) 0 access-list 101

access-group Test in interface outside

sysopt connection permit-ipsec

crypto ipsec transform-set ing esp-3des esp-md5-hmac

crypto map ingmex 10 ipsec-isakmp

crypto map ingmex 10 match address 101

crypto map ingmex 10 set peer w.x.y.z

crypto map ingmex 10 set transform-set ing

crypto map ingmex interface outside

isakmp enable outside

isakmp key XXXXXX address w.x.y.z netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Thanks!
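An added example, not part of the original thread: one way to turn the PIX lines posted above into the list of Phase 1 and Phase 2 values the concentrator has to agree with, and to diff them against the peer's settings. The `PEER` values are constructed for illustration (the concentrator's real configuration is not on this page), and `parse_pix` and `mismatches` are hypothetical helper names.

```python
import re

# Config lines copied from the post above (PIX 6.3 syntax).
PIX_CONFIG = """\
access-list 101 permit ip 192.168.0.0 255.255.255.0 host 10.212.213.145
crypto ipsec transform-set ing esp-3des esp-md5-hmac
crypto map ingmex 10 match address 101
crypto map ingmex 10 set transform-set ing
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

def parse_pix(cfg):
    """Extract the Phase 1 / Phase 2 parameters the peer has to agree with."""
    p = {}
    for key, val in re.findall(r"^isakmp policy \d+ (encryption|hash|group) (\S+)", cfg, re.M):
        p["ike_" + key] = val
    # Follow the crypto map to the transform-set it actually references.
    ts_name = re.search(r"^crypto map \S+ \d+ set transform-set (\S+)", cfg, re.M).group(1)
    ts = re.search(rf"^crypto ipsec transform-set {re.escape(ts_name)} (.+)$", cfg, re.M).group(1)
    p["esp_transforms"] = sorted(ts.split())
    # The crypto ACL defines the proxy identities offered in Quick Mode.
    # Only the "<net> <mask> host <ip>" form used in the post is handled here.
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M).group(1)
    m = re.search(rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) host (\S+)", cfg, re.M)
    p["local_net"] = f"{m.group(1)}/{m.group(2)}"
    p["remote_net"] = f"{m.group(3)}/255.255.255.255"
    return p

def mismatches(local, peer):
    """Compare with the peer's own view; its proxy identities must be mirrored."""
    expected = dict(local, local_net=local["remote_net"], remote_net=local["local_net"])
    return {k: (expected[k], peer.get(k)) for k in expected if peer.get(k) != expected[k]}

# Constructed peer settings (hypothetical): SHA-1 instead of MD5 for ESP auth,
# and a /16 local network where the PIX ACL names a single host.
PEER = {
    "ike_encryption": "3des", "ike_hash": "md5", "ike_group": "2",
    "esp_transforms": ["esp-3des", "esp-sha-hmac"],
    "local_net": "10.212.0.0/255.255.0.0",
    "remote_net": "192.168.0.0/255.255.255.0",
}

if __name__ == "__main__":
    for field, (want, got) in mismatches(parse_pix(PIX_CONFIG), PEER).items():
        print(f"{field}: PIX side implies {want!r}, peer has {got!r}")
```

With the constructed peer, the Phase 1 values agree and the two reported differences are both Phase 2 items (the ESP transforms and the protected-network definition), which is the pattern where Phase 1 completes and Quick Mode does not.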

Cisco Employee

Re: L2L Vpn not establishing.

Can you send the logs from the concentrator?

Set the severities to 1-13 for IKE, IKEDBG, IPSEC and IPSECDBG. Try to establish the tunnel and send me the logs from the concentrator.

Cheers

gilbert

Cisco Employee

Re: L2L Vpn not establishing.

From the logs, we are trying to bring up phase 2 but we received a delete from the concentrator side.

New Member

Re: L2L Vpn not establishing.

OK, thanks!

In a few hours, I have a conference call with the client.

Right now I cannot get the logs & config of their concentrator, but I will surely put forward these questions.

Thanks for all your help!
