[c-nsp] ASA5520 to Pix can't bring up IPSEC L2L tunnel
Scott Granados
gsgranados at comcast.net
Tue Sep 1 20:28:39 EDT 2009
Hi, I have a Pix out in the field and an ASA5520 that I'm trying to
configure to pass L2L traffic. I keep getting an error that says
IKEV1 IP=a.b.c.d removing peer from peer table failed, no match
ip=a.b.c.d unable to remove peer table entry
What am I doing wrong?
Here are the important config bits
asa-5520
crypto map
crypto ipsec transform-set vpn-transform1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set vpn-transform2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set vpn-transform3 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpn-transform1 vpn-transform2 vpn-transform3
crypto dynamic-map dynmap 10 set reverse-route
crypto map vpn-ra-map 10 match address ny-vpn-acl
crypto map vpn-ra-map 10 set peer ny-fw-outside
crypto map vpn-ra-map 10 set transform-set vpn-transform2
crypto map vpn-ra-map 10 set reverse-route
crypto map vpn-ra-map 65535 ipsec-isakmp dynamic dynmap
crypto map vpn-ra-map interface outside
ISAKMP
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
isakmp nat-traversal 20
isakmp reload-wait
and the acl
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
TUNNEL GROUP
tunnel-group 208.37.161.98 type ipsec-l2l
tunnel-group 208.37.161.98 general-attributes
tunnel-group 208.37.161.98 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
PIX
CRYPTO MAP and ISAKMP
crypto ipsec transform-set set1 esp-aes-192 esp-md5-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address vpn-1
crypto map map1 10 set peer vpnc
crypto map map1 10 set transform-set set1
crypto map map1 interface outside
isakmp enable outside
isakmp key * address vpnc netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
ACL
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
(note: on the ASA I use individual /24's and shortened the ACL for ease of
reading. I do this to exclude 10.18.14.0/24 from the tunnels since that
houses the ASA's inside interface and client access)
Any pointers would be appreciated.
Thanks
Scott
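A quick way to sanity-check a pair of L2L configs like the ones above, before staring at debug output, is to parse both sides and compare the two things IKEv1 phase 1 and phase 2 are strict about: that at least one ISAKMP policy on each box agrees on authentication, encryption, hash and DH group, and that every crypto-ACL entry has an exact mirror (source and destination swapped) on the far end. The following is an added example, not part of Scott's post or any Cisco tool; the constructed input is the ISAKMP and ACL lines as posted. It assumes the usual PIX/ASA keyword meanings (bare `aes` is AES-128, `sha` is SHA-1) and deliberately treats lifetime as soft, since IKEv1 peers can agree on the shorter lifetime rather than fail.

```python
"""Compare ISAKMP phase-1 policies and crypto-ACL mirroring for two Cisco configs."""
import ipaddress
import re

# Constructed sample input: the ISAKMP policies and crypto ACLs from the post.
ASA_CONFIG = """
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 7
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-192
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
access-list ny-vpn-acl extended permit ip 10.1.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.18.0.0 255.255.254.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.14.0.0 255.254.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 157.254.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 141.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
access-list ny-vpn-acl extended permit ip 10.11.0.0 255.255.0.0 10.18.15.0 255.255.255.192
"""

PIX_CONFIG = """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.1.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.18.0.0 255.255.240.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.14.0.0 255.254.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 157.254.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 141.11.0.0 255.255.0.0
access-list vpn-1 permit ip 10.18.15.0 255.255.255.192 10.11.0.0 255.255.0.0
"""

POLICY_RE = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
# Assumed keyword aliases: bare "aes" is AES-128 and "sha" is SHA-1 on PIX/ASA.
ALIASES = {"aes": "aes-128", "sha": "sha1"}
# Attributes that must agree for an IKEv1 phase-1 proposal to be accepted.
PHASE1_ATTRS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {attribute: value}} with alias keywords normalised."""
    policies = {}
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = ALIASES.get(value, value)
    return policies

def parse_crypto_acl(config, name):
    """Return a set of (src_network, dst_network) pairs for the named crypto ACL."""
    entries = set()
    for line in config.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            entries.add((src, dst))
    return entries

def matching_policies(local, remote):
    """(local_prio, remote_prio) pairs whose auth/encryption/hash/DH group all agree."""
    return [(lp, rp) for lp, lpol in sorted(local.items())
            for rp, rpol in sorted(remote.items())
            if all(lpol.get(a) == rpol.get(a) for a in PHASE1_ATTRS)]

def unmirrored_entries(local_acl, remote_acl):
    """Local (src, dst) entries with no exact (dst, src) counterpart on the remote side."""
    return sorted(e for e in local_acl if (e[1], e[0]) not in remote_acl)

def report():
    """Run both checks over the constructed ASA and PIX configs."""
    asa_pol, pix_pol = parse_policies(ASA_CONFIG), parse_policies(PIX_CONFIG)
    asa_acl = parse_crypto_acl(ASA_CONFIG, "ny-vpn-acl")
    pix_acl = parse_crypto_acl(PIX_CONFIG, "vpn-1")
    return {"phase1_matches": matching_policies(asa_pol, pix_pol),
            "asa_unmirrored": unmirrored_entries(asa_acl, pix_acl),
            "pix_unmirrored": unmirrored_entries(pix_acl, asa_acl)}

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value or '(none)'}")
```

Run against the posted lines, the script reports no phase-1 policy pair that agrees on all four attributes, and one ACL entry on each side (the 10.18.0.0 range, /23 on the ASA versus /20 on the PIX) without an exact mirror; both are the kind of thing to reconcile first, since a proxy-identity mismatch or a failed phase-1 proposal will each leave the peer entry being torn down.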