05-01-2008 04:21 AM - edited 03-03-2019 09:46 PM
Hi,
I am trying to configure a site-to-site VPN tunnel between a PIX and a 2811 router. The authentication is through MS CA, where both the PIX and the router have already got their certificates.
However, the vpn tunnel is not establishing and I get the following debug error on the PIX FW:
May 01 14:27:43 [IKEv1]: Error: Unable to remove PeerTblEntry
May 01 14:27:45 [IKEv1]: Removing peer from peer table failed, no match!
Please find attached both my PIX and router configs.
Any idea what the problem could be related to?
R/ Haitham
05-02-2008 11:53 AM
It seems to me that you have not specified that it is a site to site VPN, the tunnel group that you have specifies only remote access. It also does not seem there is a problem with the certificates based on the error.
Try adding the following:
tunnel-group 10.1.1.254 type ipsec-l2l
tunnel-group 10.1.1.254 ipsec-attributes
pre-shared-key *
Also, the isakmp policy on the router has no encryption, whereas the PIX has des; that could also cause a problem.
05-02-2008 02:44 PM
05-05-2008 06:01 AM
Your phase 1 attributes still don't match.
The router has:
crypto isakmp policy 20
encr 3des
hash md5
group 2
The PIX has:
crypto isakmp policy 10
authentication rsa-sig
encryption des
hash md5
group 5
lifetime 86400
Don't worry about the lifetime (86400) and the authentication (rsa-sig) on the router; those are the defaults. The encryption and the DH group have to be the same on both devices, so you need to go with group 2 or 5 on both and des or 3des on both. It doesn't seem to be getting past phase 1, but if you fix this it should.
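To make the mismatch concrete, here is an added example (not from the thread or from Cisco) that parses both ISAKMP policy blocks quoted above and reports which phase 1 attributes disagree; it assumes IOS defaults (des, sha, rsa-sig, group 1, 86400) for attributes a policy omits.

```python
import re

# IOS defaults for attributes a policy omits (assumption: IOS defaults; the
# thread confirms rsa-sig and 86400 are the router defaults).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": "1", "lifetime": "86400"}
# Attributes that must agree for phase 1; lifetime is negotiated, not matched.
MUST_MATCH = ("encryption", "hash", "authentication", "group")

def parse_policies(config: str) -> dict:
    """Return {priority: {attr: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:                      # start of a new policy block, pre-filled with defaults
            current = dict(DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is None or not line:
            continue
        parts = line.split()
        # IOS abbreviates 'encryption' as 'encr'; normalise before comparing
        key = "encryption" if parts[0] in ("encr", "encryption") else parts[0]
        if len(parts) == 2 and key in DEFAULTS:
            current[key] = parts[1]
        else:
            current = None         # any other line ends the block
    return policies

def mismatches(a: dict, b: dict) -> list:
    """Phase 1 attributes that differ between two parsed policies."""
    return [k for k in MUST_MATCH if a[k] != b[k]]

def compatible_pairs(router_cfg: str, pix_cfg: str) -> list:
    """(router_priority, pix_priority) pairs whose phase 1 attributes all agree."""
    r, p = parse_policies(router_cfg), parse_policies(pix_cfg)
    return [(ri, pi) for ri in r for pi in p if not mismatches(r[ri], p[pi])]

# Constructed sample input: the two policies quoted in the thread.
ROUTER_CFG = "crypto isakmp policy 20\n encr 3des\n hash md5\n group 2\n"
PIX_CFG = ("crypto isakmp policy 10\n authentication rsa-sig\n encryption des\n"
           " hash md5\n group 5\n lifetime 86400\n")

if __name__ == "__main__":
    r, p = parse_policies(ROUTER_CFG), parse_policies(PIX_CFG)
    print("mismatched:", mismatches(r[20], p[10]))          # ['encryption', 'group']
    print("compatible:", compatible_pairs(ROUTER_CFG, PIX_CFG))  # []
```

An empty result from compatible_pairs is exactly the situation in the thread: no policy pair agrees, so IKE never gets past phase 1.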