problem with phase 2 ipsec Cisco ASA 8.3(1)

sirlanzarot · ‎07-24-2012

Hi,

we have a problem with phase 2 between cisco ASA 5520 and VIGOR 2820, the problem is that does encryp phase 2 of some network, cisco asa up correctly the phase 2 but does not encrypt the packets.

Regards.

David.

Jennifer Halim · ‎07-24-2012

Do you have NAT exemption configured?

Can you pls share the config, and advised which crypto map is the VPN to VIGOR

sirlanzarot · ‎07-24-2012

Hi,

This is the config of Firewall ASA:

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key

peer-id-validate nocheck

isakmp keepalive disable

crypto map DMZ_map 37 match address DMZ_37_cryptomap

crypto map DMZ_map 37 set peer x.x.x.x

crypto map DMZ_map 37 set transform-set ESP-3DES-MD5

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash md5

group 2

lifetime 86400

crypto isakmp policy 110

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication pre-share

encryption aes-192

hash sha

group 5

lifetime 86400

Regards.

David.

Jennifer Halim · ‎07-24-2012

what about the NAT exemption and the actual access-list DMZ_37_cryptomap

sirlanzarot · ‎07-24-2012

Hi,

I not have configured nat exception for this access, i try the access with nat exception and the result is the same.

regards.

David

Jennifer Halim · ‎07-24-2012

Pls share config from both ends as well as the output of "show cry isa sa" and "show cry ipsec sa"