
VPN Tunnel

I'm trying to configure a site-to-site VPN tunnel. I have a PIX 501, running 6.2(2). I clear Phase I, but not Phase II. My question is about transform sets. The vendor I'm working with is looking for one of the following 'sets': ESP-3DES-SHA esp-sha-hmac esp-3DES. I'm assuming that each of these are SETS and I need to have an EXACT match (e.g. ESP-3DES-SHA). When I try to configure the crypto ipsec transform-set, I only have these sets to work with:

[ ah-md5-hmac|ah-sha-hmac ]   [ esp-des|esp-3des|esp-null ]     [ esp-md5-hmac|esp-sha-hmac ]

My question is stated above: do I need an EXACT match with one of the transform 'sets'?

Thanks,

Chris


Asim Malik
Level 1

Yes, it should match either esp-sha-hmac or esp-3des as given by your vendor.

Hey Asimalik, thanks for the quick reply. Correct me if I'm wrong, but the process would go something like this: the vendor has the list of SETs as stated above and during the Phase II process, it would check each of the sets for a match--if the first doesn't match, it moves to the second set, then the third. The second set I have configured is ESP-3DES, which the vendor lists as their third option/set. I would think this should work, yet I'm still failing at Phase II. Any thoughts?

Hi Christopher,

We have to check the debugs.

Can you send the following debugs while you try to bring the tunnel up?

debug crypto ipsec 128

debug crypto isakmp 128

I'm trying to coordinate a test to generate debug log. Will provide asap.

Sure

Asim,

Got it working! Passing incorrect transform set.

Thanks,

C

Awesome. No problem

Thanks

Asim
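
An added example, not part of the thread and not Cisco's code: a simplified Python model of the Phase II transform-set comparison discussed above, using only the keywords from the PIX help line in the question. The vendor's three sets are encoded as the original poster assumed they should be read, and the first-exact-match selection order and all function names are assumptions of this model.

```python
# Transform keywords, grouped as in the PIX help line quoted in the question.
SLOTS = {
    "ah_auth": {"ah-md5-hmac", "ah-sha-hmac"},
    "esp_enc": {"esp-des", "esp-3des", "esp-null"},
    "esp_auth": {"esp-md5-hmac", "esp-sha-hmac"},
}

def parse_set(keywords):
    """Turn 'esp-3des esp-sha-hmac' into {slot: keyword}; reject bad input."""
    result = {}
    for kw in keywords.lower().split():
        slot = next((s for s, opts in SLOTS.items() if kw in opts), None)
        if slot is None:
            raise ValueError(f"unknown transform: {kw}")
        if slot in result:
            raise ValueError(f"two {slot} transforms in one set: {kw}")
        result[slot] = kw
    if not result:
        raise ValueError("empty transform set")
    return result

def negotiate(offered, local):
    """Return (offer_index, local_index) of the first exact match, else None.

    Model assumption: offers are tried in the peer's order, and a match
    requires every slot (AH auth, ESP encryption, ESP auth) to be identical.
    """
    for i, offer in enumerate(offered):
        for j, mine in enumerate(local):
            if parse_set(offer) == parse_set(mine):
                return (i, j)
    return None

def explain_mismatch(offer, mine):
    """List the slots where two sets differ, to help read a failed Phase II."""
    a, b = parse_set(offer), parse_set(mine)
    return [f"{s}: peer={a.get(s, 'none')} local={b.get(s, 'none')}"
            for s in SLOTS if a.get(s) != b.get(s)]

# Constructed sample: the vendor's three sets, read as the poster assumed.
VENDOR = ["esp-3des esp-sha-hmac", "esp-sha-hmac", "esp-3des"]

if __name__ == "__main__":
    local_sets = ["esp-des esp-md5-hmac", "esp-3des"]  # constructed local config
    print(negotiate(VENDOR, local_sets))
    print(explain_mismatch(VENDOR[0], "esp-3des esp-md5-hmac"))
```

The model compares transforms only; other Phase II parameters are outside its scope.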
