
VPN between 6500 Sup720 with SPA accelerated card and NetScreen.

I have at least 20 other VPNs to Cisco Router IOS and ASA, with similar configuration.

But this connection from my side gets:

When I initiate the connection with debug cry is

peer does not accept paranoid keepalive.

deletes the connection after Phase 1.

When Netscreen initiates the connection it gets to:

Phase 2 and QM_IDLE.

I am working with the other end to try to get a debug when he tries to connect.

When I have seen this in the past, I just added crypto isakmp keepalive 30.

The NetScreen setup is:

External interface 3.3.3.14
VPN Peer 4.4.4.34
ESP-3DES-MD5
Encryption 3DES
Hash MD5
Group 2
2.2.2.145 Remote Server
3.3.3.184 Internal server
Preshared Key XXXX

Cisco configuration is 6500 Sup720 with SPA-IPSEC-2G, ver 12.2(18)SXF17a:

crypto isakmp key XXXX address 3.3.3.14
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
 mode transport
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
ip access-list extended CryptoMap_NetScreen
 permit ip host 2.2.2.145 host 3.3.3.184
 permit udp host 4.4.4.34 eq isakmp 3.3.3.14

3 REPLIES

Re: VPN between 6500 Sup720 with SPA accelerated card and NetScr

You might need to remove "Permit udp host 4.4.4.34 eq isakmp 3.3.3.14" from the CAT6500 side.

Please provide the debug output if you would like us to troubleshoot it.


Re: VPN between 6500 Sup720 with SPA accelerated card and NetScr

I found the problem with my side anyway.

You need to set pfs group2 if you are using group2 DH.
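Added example, not part of the thread or written by any of its posters: a small Python check that reads the crypto map entries from an IOS configuration and reports peers whose `set pfs` group differs from what the remote end is configured for. The function names, the sample input (the thread's crypto map written in IOS syntax) and the assumption that the NetScreen's "Group 2" is its PFS group are illustrative.

```python
import re

# Constructed input: the thread's crypto map, written in IOS syntax.
THREAD_CONFIG = """\
crypto map IPSecTunnel 80 ipsec-isakmp
 description VPN_NetScreen
 set peer 3.3.3.14
 set transform-set 3des
 match address CryptoMap_NetScreen
"""

MAP_HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")

def parse_crypto_maps(config):
    """Return {(map_name, seq): {"peers": [...], "pfs": group or None}}."""
    entries, current = {}, None
    for line in config.splitlines():
        header = MAP_HEADER.match(line)
        if header:
            key = (header.group(1), int(header.group(2)))
            current = entries.setdefault(key, {"peers": [], "pfs": None})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the map entry
        elif current is not None:
            words = line.split()
            if words[:2] == ["set", "peer"] and len(words) > 2:
                current["peers"].append(words[2])
            elif words[:2] == ["set", "pfs"]:
                # A bare "set pfs" leaves the group to the platform default.
                current["pfs"] = words[2] if len(words) > 2 else "unspecified"
    return entries

def pfs_mismatches(config, remote_pfs):
    """remote_pfs: {peer_ip: group the remote end is configured for, or None}."""
    findings = []
    for (name, seq), entry in sorted(parse_crypto_maps(config).items()):
        for peer in entry["peers"]:
            if peer in remote_pfs and remote_pfs[peer] != entry["pfs"]:
                findings.append((name, seq, peer, entry["pfs"], remote_pfs[peer]))
    return findings

if __name__ == "__main__":
    remote = {"3.3.3.14": "group2"}  # assumption: NetScreen "Group 2" is its PFS group
    print(pfs_mismatches(THREAD_CONFIG, remote))
    fixed = THREAD_CONFIG.replace(" set transform-set 3des\n",
                                  " set transform-set 3des\n set pfs group2\n")
    print(pfs_mismatches(fixed, remote))
```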


Re: VPN between 6500 Sup720 with SPA accelerated card and NetScr

At least with NetScreen, I have customers with ASA that it works without.
