[c-nsp] Fwd: asa ipsec problem
Sergey Alexanov
salexanov at gmail.com
Tue Jun 3 13:55:16 EDT 2008
2008/6/3 Peter Rathlev <peter at rathlev.dk>:
> On Tue, 2008-06-03 at 13:49 +0300, Sergey Alexanov wrote:
> > 2008/6/3 Peter Rathlev <peter at rathlev.dk>:
> > > On Mon, 2008-06-02 at 14:45 +0300, Sergey Alexanov wrote:
> > > > Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf
> > > > inside, Src: 192.168.56.1, Dst: 192.168.55.55
> <snip>
> > ISR# sh run
> > Current configuration : 4833 bytes
> > !
> > version 12.4
> > <snip>
> > crypto isakmp policy 10
> > encr 3des
> > hash md5
> > authentication pre-share
> > group 2
> > !
> > !
> > crypto isakmp key KEY1 address x.x.x.56
> > !
> > crypto map VPN_MAP1 1 ipsec-isakmp
> > set peer x.x.x.56
> > set transform-set ESP-AES-MD5
> > match address NET-192-168
> > !
> <snip>
> > crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
> <snip>
> > isakmp policy 1 authentication pre-share
> > isakmp policy 1 encryption 3des
> > isakmp policy 1 hash md5
> > isakmp policy 1 group 2
> > isakmp policy 1 lifetime 86400
>
> The only thing I can think of would be that your ISAKMP policies don't
> match your transform sets. I don't know why it would work one way though.
ASA# sh run ipsec | i transform-set
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
ISR# sh cry ipsec transform-set
Transform set ESP-AES-MD5: { esp-aes esp-md5-hmac }
will negotiate = { Tunnel, },
>
>
> Otherwise it might be CSCsk39154 (for 8.x)
it is possible, imho
> or maybe CSCsj80196.
but not this case
>
>
> Are you using dynamic maps for a specific reason?
no
> You seem to specify
> all the required parameters for a static map.
But I can't define the type of a static map without a reference to a dynamic map:
# cry map TEST 1 ipsec-isakmp ?
configure mode commands/options:
dynamic Entry is a dynamic map
>
> Regards,
> Peter
>
>
>
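The by-hand comparison in this message, as an added example that is not part of the original post: it parses the IKE phase 1 policy lines and the IPsec transform sets quoted in the thread, in both the IOS block form and the ASA one-line form, and lists which proposals the two peers have in common. The function names and the sample strings are constructed from the quoted configuration; leaving lifetime out of the comparison is an assumption of this example.

```python
import re
# Constructed sample input: the phase 1 / phase 2 lines quoted in the thread.
ISR_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
"""
ASA_CONFIG = """\
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
"""
# Keyword -> normalized field name ("encr" is the IOS spelling of "encryption").
KEYS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
        "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
PHASE1_FIELDS = ("encryption", "hash", "authentication", "group")

def parse(config):
    """Return ({policy number: fields}, {transform-set name: set of transforms})."""
    policies, tsets, block = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        m = re.match(r"(?:crypto )?isakmp policy (\d+)(?: (\S+) (\S+))?$", " ".join(words))
        if m and m.group(2) is None:            # IOS block header, fields follow
            block = policies.setdefault(int(m.group(1)), {})
        elif m and m.group(2) in KEYS:          # ASA form, one field per line
            policies.setdefault(int(m.group(1)), {})[KEYS[m.group(2)]] = m.group(3)
            block = None
        elif block is not None and len(words) == 2 and words[0] in KEYS:
            block[KEYS[words[0]]] = words[1]    # field inside an IOS policy block
        else:
            block = None
            if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
                tsets[words[3]] = frozenset(words[4:])
    return policies, tsets

def compare(cfg_a, cfg_b):
    """Pairs of phase 1 policies and of transform sets that agree on both peers."""
    (p1a, p2a), (p1b, p2b) = parse(cfg_a), parse(cfg_b)
    # A field absent on both sides compares equal; real devices apply defaults.
    phase1 = [(na, nb) for na, pa in p1a.items() for nb, pb in p1b.items()
              if all(pa.get(f) == pb.get(f) for f in PHASE1_FIELDS)]
    phase2 = [(na, nb) for na, ta in p2a.items() for nb, tb in p2b.items() if ta == tb]
    return phase1, phase2
```

An empty first or second list from `compare()` means the peers share no phase 1 proposal or no transform set, respectively.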