08-23-2010 09:21 AM
I'm trying to configure a site-to-site VPN tunnel. I have a PIX 501, running 6.2(2). I clear Phase I, but not Phase II. My question is about transform sets. The vendor I'm working with is looking for one of the following 'sets': ESP-3DES-SHA esp-sha-hmac esp-3DES. I'm assuming that each of these are SETS and I need to have an EXACT match (e.g. ESP-3DES-SHA). When I try to configure the crypto ipsec transform-set, I only have these sets to work with:
[ ah-md5-hmac|ah-sha-hmac ] [ esp-des|esp-3des|esp-null ] [ esp-md5-hmac|esp-sha-hmac ]
My question is stated above: do I need an EXACT match with one of the transform 'sets'?
Thanks,
Chris
08-23-2010 09:27 AM
Yes, it should match either esp-sha-hmac or esp-3des as given by your vendor.
08-23-2010 09:36 AM
Hey Asimalik, thanks for the quick reply. Correct me if I'm wrong, but the process would go something like this: the vendor has the list of SETs as stated above and during the Phase II process, it would check each of the sets for a match--if the first doesn't match, it moves to the second set, then the third. The second set I have configured is ESP-3DES, which the vendor lists as their third option/set. I would think this should work, yet I'm still failing at Phase II. Any thoughts?
08-23-2010 09:53 AM
Hi Christopher,
We have to check the debugs.
Can you send the following debugs while you try to bring the tunnel up:
debug crypto ipsec 128
debug crypto isakmp 128
08-23-2010 12:06 PM
I'm trying to coordinate a test to generate a debug log. Will provide asap.
08-23-2010 08:38 PM
Sure
08-25-2010 09:16 AM
Asim,
Got it working! Passing incorrect transform set.
Thanks,
C
08-25-2010 09:29 AM
Awesome. No problem
Thanks
Asim
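The matching question discussed in this thread, as an added example that is not part of any post: a small Python model of Phase II transform-set comparison, using the keywords from the PIX help line quoted in the first post. The set names (`opt1`, `MYSET`, and so on) and the reading of the vendor's list in `PEER` are assumptions made for illustration.

```python
# Added example (not from the thread): model of Phase II transform-set matching.
# Keywords come from the PIX help line quoted above, grouped by the slot they fill.
SLOTS = {
    "ah": {"ah-md5-hmac", "ah-sha-hmac"},
    "esp_cipher": {"esp-des", "esp-3des", "esp-null"},
    "esp_auth": {"esp-md5-hmac", "esp-sha-hmac"},
}

def parse_transform_set(keywords):
    """Turn 'esp-3des esp-sha-hmac' into {'esp_cipher': ..., 'esp_auth': ...}."""
    parsed = {}
    for kw in keywords.lower().split():
        slot = next((s for s, allowed in SLOTS.items() if kw in allowed), None)
        if slot is None:
            raise ValueError(f"unknown transform keyword: {kw}")
        if slot in parsed:
            raise ValueError(f"two transforms given for slot {slot}: {kw}")
        parsed[slot] = kw
    if not parsed:
        raise ValueError("empty transform set")
    return parsed

def negotiate(local_sets, peer_sets):
    """Walk the peer's sets in order; return the first (local, peer) name pair
    whose transforms agree in every slot, or None if Phase II would fail."""
    local = {name: parse_transform_set(kw) for name, kw in local_sets.items()}
    for peer_name, peer_kw in peer_sets.items():
        wanted = parse_transform_set(peer_kw)
        for local_name, have in local.items():
            if have == wanted:  # a missing or extra slot counts as a mismatch
                return local_name, peer_name
    return None

# Assumption: one reading of the vendor's list "ESP-3DES-SHA esp-sha-hmac esp-3DES".
PEER = {
    "opt1": "esp-3des esp-sha-hmac",
    "opt2": "esp-sha-hmac",
    "opt3": "esp-3des",
}

if __name__ == "__main__":
    # Constructed local configurations, each tried against the peer's list.
    for local in ({"MYSET": "esp-3des esp-md5-hmac"},   # cipher matches, auth does not
                  {"MYSET": "esp-3des"},                # equals the peer's third set
                  {"A": "esp-des esp-sha-hmac", "B": "esp-3des esp-sha-hmac"}):
        print(local, "->", negotiate(local, PEER))
```

A set that shares only some transforms with the peer, such as `esp-3des esp-md5-hmac` here, matches none of the three sets and the negotiation returns `None`.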