[c-nsp] IPSec between Cisco and D-Link

twisted mac twist3dmac at gmail.com
Mon Dec 15 10:48:48 EST 2008


There are 2 peers (217.x.x.x and 85.x.x.x)

and 2 matching ACLs (111 - 192.168.0.0/24 and 112 - 192.168.96.0/21).

Why do you say

"Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and
192.168.0.0/24"

Can you explain?

2008/12/12 Tony Varriale <tvarriale at comcast.net>

> The transforms are fine and the debug says so.
>
> The ACL/proxy setup is failing.
>
>> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport
>> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x
>> remote 217.x.x.x)
>>
>> xxx#sh crypto map tag xxx
>> Crypto Map "xxx" 10 ipsec-isakmp
>>        Peer = 217.x.x.x
>>        Extended IP access list 111
>>            access-list 111 permit ip 192.168.200.0 0.0.0.255
>> 192.168.0.0 0.0.0.255
>>
>
> Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and
> 192.168.0.0/24
>
> tv
>
>
> ----- Original Message ----- From: "Mario Spinthiras" <
> spinthiras.mario at gmail.com>
> To: "Gamino, Rogelio (OCTO-Contractor)" <rogelio.gamino at dc.gov>
> Cc: <cisco-nsp at puck.nether.net>; "twisted mac" <twist3dmac at gmail.com>
> Sent: Friday, December 12, 2008 3:15 PM
> Subject: Re: [c-nsp] IPSec between Cisco and D-Link
>
>
>> I don't think that's the problem. It looks like the transform sets don't
>> match. Don't forget that ACLs come prior to phase 2.
>>
>> Regards,
>> Mario A. Spinthiras
>> http://www.spinthiras.net/
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

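The point Tony is making in the quoted reply is that the "phase 2 SA policy not acceptable" line is about proxy IDs (the traffic selectors carried in quick mode), not about the peer addresses 82.x and 217.x: IOS compares what the peer proposes against the permit lines of the crypto ACL bound to that peer's crypto map entry, and the peer's selectors have to be the mirror image of the ACL. The checker below is an added example for this thread, not code from the list or from Cisco or D-Link. It parses Cisco extended ACL lines (wildcard masks, `host`, `any`) into selector pairs and classifies a peer's proposal as a match, a non-mirrored copy, a narrower subset, or no match. ACL 111 is the line shown in the thread; ACL 112 and all peer proposals are constructed samples, and the /21 for ACL 112 is an assumption taken from the poster's summary.

```python
"""Check an IPsec phase-2 proposal against a Cisco IOS crypto ACL.

Added example for this thread, not code from the list or from Cisco. It models
the failure in the debug above: IOS answers "phase 2 SA policy not acceptable"
when the peer's quick-mode proxy IDs are not the mirror image of a permit line
in the crypto ACL bound to the crypto map entry for that peer. The ACL text and
the peer proposals below are constructed samples; only ACL 111 is taken from
the thread, and the /21 for ACL 112 is an assumption from the poster's summary.
"""
import ipaddress
from ipaddress import IPv4Network


def wildcard_to_network(address, wildcard):
    """Turn Cisco 'address wildcard' into a network. Wildcard bits are the
    inverse of a subnet mask: 0.0.0.255 is /24, 0.0.7.255 is /21."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # A discontiguous wildcard is legal in a filter ACL but cannot be a proxy ID.
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError("non-contiguous wildcard %s cannot be a proxy ID" % wildcard)
    return IPv4Network((address, prefix), strict=False)


def _take_address(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text):
    """Map ACL number -> list of (local_net, remote_net) selector pairs from
    'access-list N permit ip SRC DST' lines. Deny lines and other protocols
    are ignored; a crypto ACL should normally consist of 'permit ip' only."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:1] + tokens[2:4] != ["access-list", "permit", "ip"]:
            continue
        src, rest = _take_address(tokens[4:])
        dst, _ = _take_address(rest)
        acls.setdefault(int(tokens[1]), []).append((src, dst))
    return acls


def check_proposal(pairs, peer_local, peer_remote):
    """Classify a proposal as the peer states it (its own local net, then the
    remote net it wants to reach). Seen from this router the pair must be
    mirrored: our source == peer_remote and our destination == peer_local.
    Returns 'match', 'not-mirrored', 'subset' or 'no-match'."""
    want = (IPv4Network(peer_remote), IPv4Network(peer_local))
    if want in pairs:
        return "match"
    if (want[1], want[0]) in pairs:
        return "not-mirrored"
    if any(want[0].subnet_of(s) and want[1].subnet_of(d) for s, d in pairs):
        return "subset"
    return "no-match"


EXPLANATION = {
    "match": "proxy IDs mirror the crypto ACL; phase 2 should negotiate",
    "not-mirrored": "peer proposes the same direction as our ACL; swap local/remote on the peer",
    "subset": "peer selectors are narrower than the ACL line; give the peer the same prefixes as the ACL",
    "no-match": "no permit line covers these selectors; fix the crypto ACL or the peer's subnets",
}

# Constructed sample: ACL 111 is the line shown in the thread, ACL 112 assumes
# 192.168.200.0/24 <-> 192.168.96.0/21 (the /21 is from the poster's summary).
SAMPLE_ACL = """
access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 112 permit ip 192.168.200.0 0.0.0.255 192.168.96.0 0.0.7.255
"""


def diagnose(acl_text, acl_number, peer_local, peer_remote):
    """One-call helper: parse the ACL and explain the result for a proposal."""
    pairs = parse_crypto_acl(acl_text).get(acl_number, [])
    status = check_proposal(pairs, peer_local, peer_remote)
    return status, EXPLANATION[status]


if __name__ == "__main__":
    # Proposals as a peer such as the D-Link would send them (constructed).
    for num, local, remote in [
        (111, "192.168.0.0/24", "192.168.200.0/24"),   # correct mirror of ACL 111
        (111, "192.168.200.0/24", "192.168.0.0/24"),   # ACL copied verbatim onto the peer
        (112, "192.168.96.0/24", "192.168.200.0/24"),  # /24 on the peer instead of the /21
        (112, "10.1.0.0/24", "192.168.200.0/24"),      # subnet absent from the ACL
    ]:
        print(num, local, "->", remote, *diagnose(SAMPLE_ACL, num, local, remote))
```

The "subset" case is the one to watch on a mixed-vendor tunnel: a peer that lets you enter a /24 where the Cisco ACL says /21 will propose narrower selectors, and whether a responder accepts that depends on the platform and software, so configuring the peer with exactly the ACL's prefixes removes the question.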
