Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
377
Views
0
Helpful
4
Replies

Need help with VPN (Cisco831+ASA5510)

Go to solution
kpoon
Level 1
Level 1

‎12-01-2008 12:47 PM

Hello,

We are trying to establish a site-site VPN between a Cisco831 and an ASA5510.

I've attached the config files of both units and the error file from the ASA.

on the 831, we get:

KED1CSPSVPNr01#

*Mar 19 22:17:48.743: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 8.10.15.130

I can't seem to find out where the problem is. Could anyone help out please?

Thanks.

Labels:
Preview file
2 KB
Preview file
14 KB
Preview file
5 KB
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
acomiskey
Level 10
Level 10

‎12-01-2008 12:55 PM

try adding this to the ASA..

crypto map outside_map 1 set pfs

View solution in original post

0 Helpful

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎12-01-2008 01:07 PM

Ken,

The Crypto IPSEC ACL are not matching on the ASA and 831 router.

ASA

access-list outside_1_cryptomap extended permit ip 172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0

831

access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255

access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255

Make sure that you configure the IPSEC ACLs to be mirror images of each other and then bring up the tunnel. After you make the changes, do update your NAT 0 command accordingly.

Regards,

Arul

*Pls rate if it helps*

View solution in original post

0 Helpful
4 Replies 4

Go to solution
acomiskey
Level 10
Level 10

‎12-01-2008 12:55 PM

try adding this to the ASA..

crypto map outside_map 1 set pfs

0 Helpful

Go to solution
kpoon
Level 1
Level 1
In response to acomiskey

‎12-01-2008 01:01 PM

That's what I had to begin with but I got the same error messages.

0 Helpful

Go to solution
ajagadee
Cisco Employee
Cisco Employee

‎12-01-2008 01:07 PM

Ken,

The Crypto IPSEC ACL are not matching on the ASA and 831 router.

ASA

access-list outside_1_cryptomap extended permit ip 172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0

831

access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255

access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255

Make sure that you configure the IPSEC ACLs to be mirror images of each other and then bring up the tunnel. After you make the changes, do update your NAT 0 command accordingly.

Regards,

Arul

*Pls rate if it helps*

0 Helpful

Go to solution
kpoon
Level 1
Level 1
In response to ajagadee

‎12-02-2008 06:56 AM

Thanks!!!

I didn't notice that. It solved the problem and it's working now.

Cheers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents