Cisco Support Community
Community Member

VPN Tunnel

I'm trying to configure a site-to-site VPN tunnel. I have a PIX 501, running 6.2(2). I clear Phase I, but not Phase II. My question is about transform sets. The vendor I'm working with is looking for one of the following 'sets': ESP-3DES-SHA esp-sha-hmac esp-3DES. I'm assuming that each of these are SETS and I need to have an EXACT match (e.g. ESP-3DES-SHA). When I try to configure the crypto ipsec transform-set, I only have these sets to work with:

[ ah-md5-hmac|ah-sha-hmac ]   [ esp-des|esp-3des|esp-null ]     [ esp-md5-hmac|esp-sha-hmac ]

My question is stated above: do I need an EXACT match with one of the transform 'sets'?

Thanks,

Chris

7 REPLIES
Cisco Employee

Re: VPN Tunnel

Yes, it should match either esp-sha-hmac or esp-3des as given by your vendor.

Community Member

Re: VPN Tunnel

Hey Asimalik, thanks for the quick reply. Correct me if I'm wrong, but the process would go something like this: the vendor has the list of SETs as stated above and during the Phase II process, it would check each of the sets for a match--if the first doesn't match, it moves to the second set, then the third. The second set I have configured is ESP-3DES, which the vendor lists as their third option/set. I would think this should work, yet I'm still failing at Phase II. Any thoughts?

Cisco Employee

Re: VPN Tunnel

Hi Christopher,

We have to check the debugs.

Can you send the following debugs while you try to bring the tunnel up:

debug crypto ipsec 128

debug crypto isakmp 128

Community Member

Re: VPN Tunnel

I'm trying to coordinate a test to generate debug log. Will provide asap.

Cisco Employee

Re: VPN Tunnel

Sure

Community Member

Re: VPN Tunnel

Asim,

Got it working! Passing incorrect transform set.

Thanks,

C

Cisco Employee

Re: VPN Tunnel

Awesome. No problem.

Thanks

Asim
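
Added example, not part of the original thread and not Cisco code: a simplified Python model of the transform-set comparison discussed above, in which a set is the combination of its transforms and two peers agree only when every slot is identical. The keyword groups come from the CLI help quoted in the question; the set names and sample sets are constructed, reading ESP-3DES-SHA as esp-3des plus esp-sha-hmac is an assumption, and only the transforms are compared (lifetimes, PFS and traffic selectors are not modelled).

```python
# Simplified model of Phase II transform-set comparison; keyword groups as listed by the PIX help.
AH = {"ah-md5-hmac", "ah-sha-hmac"}
ESP_CIPHER = {"esp-des", "esp-3des", "esp-null"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}
GROUPS = (("ah", AH), ("esp_cipher", ESP_CIPHER), ("esp_auth", ESP_AUTH))


def parse_transform_set(text):
    """Turn 'esp-3des esp-sha-hmac' into a canonical {slot: keyword} dict."""
    slots = {}
    for word in text.lower().split():
        for slot, keywords in GROUPS:
            if word in keywords:
                if slot in slots:
                    raise ValueError(f"two {slot} transforms in one set: {text!r}")
                slots[slot] = word
                break
        else:
            raise ValueError(f"unknown transform keyword: {word!r}")
    if not slots:
        raise ValueError("empty transform set")
    return slots


def negotiate(local_sets, peer_sets):
    """Return (local_name, peer_name) for the first peer set that some local
    set equals in every slot, or None if nothing matches."""
    local = {name: parse_transform_set(t) for name, t in local_sets.items()}
    for peer_name, peer_text in peer_sets.items():
        wanted = parse_transform_set(peer_text)
        for local_name, have in local.items():
            if have == wanted:
                return local_name, peer_name
    return None


def explain_mismatch(local_text, peer_text):
    """List the slots in which two sets differ (None means the slot is unused)."""
    a, b = parse_transform_set(local_text), parse_transform_set(peer_text)
    return {s: (a.get(s), b.get(s)) for s, _ in GROUPS if a.get(s) != b.get(s)}


# Constructed sample data: the set names and the peer's list are assumptions.
PEER = {"ESP-3DES-SHA": "esp-3des esp-sha-hmac"}
LOCAL_BAD = {"myset": "esp-3des esp-md5-hmac"}
LOCAL_GOOD = {"myset": "esp-3des esp-sha-hmac"}

if __name__ == "__main__":
    print(negotiate(LOCAL_BAD, PEER), negotiate(LOCAL_GOOD, PEER))
```

`explain_mismatch` shows which slot to fix when `negotiate` returns `None`, including the case where one side omits ESP authentication entirely.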
