07-24-2012 03:12 AM - edited 02-21-2020 06:13 PM
Hi,
We have a problem with phase 2 between a Cisco ASA 5520 and a VIGOR 2820. The problem is that it does encrypt phase 2 of some network; the Cisco ASA brings up phase 2 correctly but does not encrypt the packets.
Regards.
David.
07-24-2012 03:23 AM
Do you have NAT exemption configured?
Can you pls share the config, and advise which crypto map is the VPN to VIGOR?
07-24-2012 04:00 AM
Hi,
This is the config of the ASA firewall:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key
 peer-id-validate nocheck
 isakmp keepalive disable
crypto map DMZ_map 37 match address DMZ_37_cryptomap
crypto map DMZ_map 37 set peer x.x.x.x
crypto map DMZ_map 37 set transform-set ESP-3DES-MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
Regards.
David.
07-24-2012 04:13 AM
What about the NAT exemption and the actual access-list DMZ_37_cryptomap?
07-24-2012 04:44 AM
Hi,
I have not configured NAT exception for this access. I tried the access with NAT exception and the result is the same.
Regards.
David
07-24-2012 08:20 AM
Pls share the config from both ends, as well as the output of "show cry isa sa" and "show cry ipsec sa".