[c-nsp] asa ipsec problem
Peter Rathlev
peter at rathlev.dk
Tue Jun 3 14:36:44 EDT 2008

On Tue, 2008-06-03 at 20:55 +0300, Sergey Alexanov wrote:
> 2008/6/3 Peter Rathlev <peter at rathlev.dk>:
> > The only thing I can think of would be that your ISAKMP policies don't
> > match your transform sets. I don't know why it would work one way though.
> ASA# sh run ipsec | i transform-set
> crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
>
> ISR# sh cry ipsec transform-set
> Transform set ESP-AES-MD5: { esp-aes esp-md5-hmac }
> will negotiate = { Tunnel, },

Transform sets match on both sides, yes, but your ISAKMP policies don't
match your transform sets. You seem to only define e.g. policy 1 with
3DES-MD5, but not a policy allowing AES-MD5 which you use.

I may have misunderstood that part of ISAKMP, but shouldn't your
transform set be allowed in an ISAKMP policy for Phase 1 to complete?

> > Are you using dynamic maps for a specific reason?
>
> no
>
> > You seem to specify
> > all the required parameters for a static map.
>
> But I can't define the type of static map without reference to a dynamic map:
> # cry map TEST 1 ipsec-isakmp ?
>
> configure mode commands/options:
> dynamic Entry is a dynamic map

I can do it without problems on an ASA 5550 7.2(2):

ASA/act(config)# crypto map TEST 1 ipsec-isakmp ?

configure mode commands/options:
  dynamic  Entry is a dynamic map
  <cr>
ASA/act(config)# crypto map TEST 1 ipsec-isakmp
ASA/act(config)#

Regards,
Peter