New Member

Need help with VPN (Cisco831+ASA5510)

Hello,

We are trying to establish a site-site VPN between a Cisco831 and an ASA5510.

I've attached the config files of both units and the error file from the ASA.

On the 831, we get:

KED1CSPSVPNr01#

*Mar 19 22:17:48.743: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 8.10.15.130

I can't seem to find out where the problem is. Could anyone help out please?

Thanks.

4 REPLIES
Green

Re: Need help with VPN (Cisco831+ASA5510)

Try adding this to the ASA:

crypto map outside_map 1 set pfs

New Member

Re: Need help with VPN (Cisco831+ASA5510)

That's what I had to begin with but I got the same error messages.

Cisco Employee

Re: Need help with VPN (Cisco831+ASA5510)

Ken,

The crypto IPSEC ACLs are not matching on the ASA and the 831 router.

ASA

access-list outside_1_cryptomap extended permit ip 172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0

831

access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255

access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255

Make sure that you configure the IPSEC ACLs to be mirror images of each other and then bring up the tunnel. After you make the changes, do update your NAT 0 command accordingly.

Regards,

Arul

*Pls rate if it helps*
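
The mirror-image check described in the reply above, as an added example that is not part of the original thread. It handles only `permit ip <addr> <mask> <addr> <mask>` entries (no `host` or `any` keywords), and `FIXED_IOS_ACL` is constructed here as the exact mirror of the ASA entry.

```python
import ipaddress
import re

ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def to_net(addr, mask, wildcard):
    """Build a network from an address plus a netmask (ASA) or wildcard mask (IOS)."""
    if wildcard:  # IOS wildcard bits are the inverse of a netmask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(lines, wildcard):
    """Return the set of (source, destination) networks from 'permit ip' entries."""
    pairs = set()
    for line in lines:
        m = ENTRY.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.add((to_net(src, smask, wildcard), to_net(dst, dmask, wildcard)))
    return pairs

def mirror_mismatches(asa_lines, ios_lines):
    """Compare the router ACL with the mirror image of the ASA ACL.

    Returns (missing, extra): entries the router needs but lacks, and router
    entries that have no counterpart on the ASA.
    """
    asa = parse_acl(asa_lines, wildcard=False)
    ios = parse_acl(ios_lines, wildcard=True)
    expected = {(dst, src) for src, dst in asa}
    return sorted(expected - ios), sorted(ios - expected)

# ACL lines as posted in the thread
ASA_ACL = ["access-list outside_1_cryptomap extended permit ip "
           "172.30.1.0 255.255.255.0 192.168.13.0 255.255.255.0"]
IOS_ACL = ["access-list 100 permit ip 10.0.0.0 0.255.255.255 172.30.0.0 0.0.255.255",
           "access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.0.0 0.0.0.255"]
# Constructed for this example: the exact mirror of the ASA entry
FIXED_IOS_ACL = ["access-list 100 permit ip 192.168.13.0 0.0.0.255 172.30.1.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl in (("posted", IOS_ACL), ("mirrored", FIXED_IOS_ACL)):
        missing, extra = mirror_mismatches(ASA_ACL, acl)
        print(name, "missing:", [f"{s} -> {d}" for s, d in missing])
        print(name, "extra:  ", [f"{s} -> {d}" for s, d in extra])
```

Against the posted ACLs it reports the router lacking 192.168.13.0/24 -> 172.30.1.0/24 and carrying two entries with no counterpart on the ASA.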

New Member

Re: Need help with VPN (Cisco831+ASA5510)

Thanks!!!

I didn't notice that. It solved the problem and it's working now.

Cheers.
