07-17-2014 11:35 AM
Hello
I wonder if it is the Crypto transform-set
Peer is using: ESP_AES_256_SHA
I am using:
crypto map VPN 780 set transform-set AES_256_SHA
crypto map VPN 790 set peer 74.x.x.x
crypto map VPN 790 set transform-set AES_256_SHA
Could this difference be causing problems with phase 1?
I tried to change my end, but received “ERROR: transform set with tag "ESP_AES_256_SHA" does not exist.”
Please review and advise.
07-17-2014 11:59 AM
Hi,
The bolded section of the command that you have listed above is only the name of the "transform-set"; it's not the actual setting/parameter.
You can use the command "show run crypto ipsec" to list the Transform Set configurations
You can use the command "show run crypto map" to list all the Crypto Map configurations
I would presume that your Transform sets are identical but you can use the first command above to check if it is.
I think the Phase1 briefly comes up because the Phase2 doesn't go through. So I would look for mismatched configurations between your device and the remote device.
The above listed configuration is not the complete Crypto Map configuration for a single L2L VPN Connection. At minimum you will have to have a line with "peer", a line with the "match address" (ACL defining the protected networks) and a "transform-set" line.
The second command I listed above would show your whole Crypto Map configuration.
- Jouni
07-17-2014 12:15 PM
Hi,
Were you able to check the settings and get the connection working?
- Jouni
07-17-2014 12:10 PM
Jouni
Thank you for the reply.
07-17-2014 01:37 PM
Jouni
Please review and advise.
MyASA# show run crypto ipsec
crypto ipsec transform-set AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
MyASA# sh run crypto map | in 790
crypto map VPN 790 match address (PeerNm)
crypto map VPN 790 set peer 74.x.x.x
crypto map VPN 790 set transform-set AES_256_SHA
PeerASA#show run crypto ipsec
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
PeerASA# sh run crypto map | in 595
crypto map outside_map 595 match address outside_595_cryptomap
crypto map outside_map 595 set peer 170.x.x.x
crypto map outside_map 595 set transform-set ESP-AES-256-SHA
crypto map outside_map 595 set security-association lifetime seconds 28800
crypto map outside_map 595 set security-association lifetime kilobytes 4608000
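Rather than comparing the two outputs by eye, the following added Python example (written for this page; not code from the thread or from Cisco) parses the text of "show run crypto ipsec" and "show run crypto map" from both ASAs and checks the point Jouni makes above: the transform-set name is only a label, so the comparison has to be made on the ESP transforms and mode the name resolves to, and the crypto map sequence has to carry a "peer", a "match address" and a "transform-set" line. The function names are my own; the embedded output is copied from the post above (the peer's transform-set list is shortened to a few of its lines) with the redacted addresses left exactly as posted.

```python
# Added example: compare the Phase 2 proposals two ASAs would offer for a given
# crypto map sequence, by the transforms behind each transform-set name.
import re

# Output copied from the post above; addresses are redacted there as well.
MY_IPSEC = """\
crypto ipsec transform-set AES_256_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
"""
MY_MAP = """\
crypto map VPN 790 match address (PeerNm)
crypto map VPN 790 set peer 74.x.x.x
crypto map VPN 790 set transform-set AES_256_SHA
"""
# Peer side, shortened to a few of the lines shown in the post.
PEER_IPSEC = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
"""
PEER_MAP = """\
crypto map outside_map 595 match address outside_595_cryptomap
crypto map outside_map 595 set peer 170.x.x.x
crypto map outside_map 595 set transform-set ESP-AES-256-SHA
crypto map outside_map 595 set security-association lifetime seconds 28800
"""


def parse_transform_sets(ipsec_output):
    """Map transform-set name -> {'transforms': set of ESP transforms, 'mode': str}."""
    sets = {}
    for line in ipsec_output.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+) (.+)$", line)
        if not m:
            continue  # df-bit, lifetime and other non transform-set lines
        name, rest = m.groups()
        entry = sets.setdefault(name, {"transforms": set(), "mode": "tunnel"})
        if rest.startswith("mode "):
            entry["mode"] = rest.split()[1]  # e.g. 'mode transport'
        else:
            entry["transforms"].update(rest.split())
    return sets


def parse_crypto_map_entry(map_output, seq):
    """Collect peer, match address and transform-set names of one map sequence."""
    entry = {"peer": None, "match_address": None, "transform_sets": []}
    for line in map_output.splitlines():
        m = re.match(r"\s*crypto map (\S+) (\d+) (.+)$", line)
        if not m or int(m.group(2)) != seq:
            continue
        rest = m.group(3)
        if rest.startswith("match address "):
            entry["match_address"] = rest.split(None, 2)[2]
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[2]
        elif rest.startswith("set transform-set "):
            entry["transform_sets"] = rest.split()[2:]  # several names allowed
    return entry


def missing_lines(entry):
    """Names of the mandatory crypto map lines that the sequence lacks."""
    return [k for k in ("peer", "match_address", "transform_sets") if not entry[k]]


def common_proposals(local_sets, local_entry, peer_sets, peer_entry):
    """(local_name, peer_name) pairs whose transforms and mode agree, names aside."""
    matches = []
    for ln in local_entry["transform_sets"]:
        for pn in peer_entry["transform_sets"]:
            l, p = local_sets.get(ln), peer_sets.get(pn)
            if l and p and l["transforms"] == p["transforms"] and l["mode"] == p["mode"]:
                matches.append((ln, pn))
    return matches


def report(local_ipsec, local_map, local_seq, peer_ipsec, peer_map, peer_seq):
    """Summarise completeness of both map entries and the proposals they share."""
    local_sets, peer_sets = parse_transform_sets(local_ipsec), parse_transform_sets(peer_ipsec)
    local_entry = parse_crypto_map_entry(local_map, local_seq)
    peer_entry = parse_crypto_map_entry(peer_map, peer_seq)
    return {
        "local_missing": missing_lines(local_entry),
        "peer_missing": missing_lines(peer_entry),
        "matching": common_proposals(local_sets, local_entry, peer_sets, peer_entry),
    }


if __name__ == "__main__":
    for key, value in report(MY_IPSEC, MY_MAP, 790, PEER_IPSEC, PEER_MAP, 595).items():
        print(f"{key}: {value}")
```

Run against the two outputs in the post, the report finds no missing lines on either side and one agreeing pair, AES_256_SHA on this ASA and ESP-AES-256-SHA on the peer, both resolving to esp-aes-256 with esp-sha-hmac in tunnel mode; so the name difference the original question asks about is not a Phase 2 mismatch, and the search for the fault has to move to the other settings (protected networks in the ACLs, lifetimes, and the Phase 1 policy, none of which this script covers).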
07-18-2014 11:22 AM
Jouni
No still having trouble.