Re: IPsec VPN

From: Alexei Monastyrnyi <alexeim73_at_gmail.com>
Date: Fri, 19 Jun 2009 17:12:31 +1000

Hi Ali.

A quick observation would be to look out for "crypto map interfacemap 10
ipsec-isakmp dynamic dynmap" on your ASA unit. Make sure you know what
it is and its dynamic part is configured correctly. Your VPN tunnel
originating from PIX might land on that crypto map and consequently
fail if that crypto map is not for that tunnel/traffic.

You also have "crypto map interfacemap 5" which is either incomplete or
you haven't posted the whole one. If it is incomplete in your config,
you'd better wipe it off.

HTH,
A.

Ali El Moussaoui wrote:
> ASA:
> access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0
> 192.168.40.0 255.255.248.0
> access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0
> 255.255.248.0
> crypto ipsec transform-set dxbbey esp-des esp-none
> crypto map interfacemap 5 set security-association lifetime seconds 28800
> crypto map interfacemap 5 set security-association lifetime kilobytes
> 4608000
> crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
> crypto map interfacemap 20 match address vpnbey
> crypto map interfacemap 20 set peer 1.1.1.1
> crypto map interfacemap 20 set transform-set dxbbey
> crypto map interfacemap 20 set security-association lifetime seconds 28800
> crypto map interfacemap 20 set security-association lifetime kilobytes
> 4608000
> crypto map interfacemap interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 20
> authentication pre-share
> encryption des
> hash sha
> group 5
> lifetime 86400
> PIX:
> Show run | i crypto
> crypto ipsec transform-set DXBBEY esp-des esp-none
> crypto map OUTSIDE_MAP 20 match address VPNDXB
> crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
> crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
> crypto map OUTSIDE_MAP interface OUTSIDEINT
>
> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0
> 192.168.100.0 255.255.255.0
> access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0
> 255.255.255.0
>
>
> Note that i changed the peers IPs ;)
>
> Ali
> On Thu, Jun 18, 2009 at 3:10 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>
>> Without seeing the relevant information that Phase 2 must match on
>> (interesting traffic and transform sets), it is hard to tell. Please post
>> the following:
>>
>> If you're running post 6.3(5), you can run the ASA commands on the PIX.
>>
>> ASA:
>> Show run crypto
>> Show run access-list <insert interesting traffic ACLs>
>>
>> PIX:
>> Show run | i crypto
>> Show run | i access-list <insert interesting traffic ACLs>
>>
>> -ryan
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Ali El Moussaoui
>> Sent: Thursday, June 18, 2009 4:47 AM
>> To: ccielab_at_groupstudy.com
>> Subject: IPsec VPN
>>
>> Hello Experts,
>>
>> I am building an IPsec tunnel between 2 remote sites (ASA and PIX). The
>> tunnel is coming up only when the ASA initiates the communication. When the
>> PIX initiates the tunnel negotiation the following error shows up:
>>
>> Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed,
>> no match!
>> Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.
>> Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
>> Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No
>> proposal chosen (14)
>> Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
>>
>> Any clue about what could cause the above?
>>
>> Ali
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>

Received on Fri Jun 19 2009 - 17:12:31 ART
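The checks the thread circles around (mirrored Phase 2 proxy identities, matching transform sets, a dynamic crypto map entry sequenced ahead of the static one, and the incomplete "interfacemap 5" entry) can be automated against the posted snippets. The script below is an added example written for this archive page, not code from any of the posters or from Cisco; the two config strings are constructed from the snippets in the thread with wrapped lines rejoined, the peer addresses are the placeholders the poster used, and the finding about dynamic-entry ordering rests on Cisco's general guidance that dynamic crypto map entries carry the highest sequence numbers so static entries for known peers are evaluated first.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the snippets posted in this thread (wrapped lines rejoined);
# peer addresses are the placeholders the poster used.
ASA_CONFIG = """
access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap 20 set security-association lifetime seconds 28800
crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
crypto map interfacemap interface outside
"""

PIX_CONFIG = """
crypto ipsec transform-set DXBBEY esp-des esp-none
crypto map OUTSIDE_MAP 20 match address VPNDXB
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
crypto map OUTSIDE_MAP interface OUTSIDEINT
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (.*)")


def parse(config):
    """Split a config into ACL entries, transform sets and crypto map entries."""
    acls, transform_sets, maps = defaultdict(list), {}, defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := TS_RE.match(line):
            transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            map_name, seq, rest = m.groups()
            # Register the sequence number even when the line carries no selector,
            # so entries that only set lifetimes (like "interfacemap 5") are seen.
            entry = maps[map_name].setdefault(int(seq), {})
            for key in ("match address", "set peer", "set transform-set"):
                if rest.startswith(key):
                    entry[key] = rest[len(key):].strip()
            if rest.startswith("ipsec-isakmp dynamic"):
                entry["dynamic"] = rest.split()[-1]
    return acls, transform_sets, maps


def audit(local_config, remote_config):
    """Cross-check the local crypto maps against the remote side; return findings."""
    findings = []
    l_acls, l_ts, l_maps = parse(local_config)
    r_acls, r_ts, r_maps = parse(remote_config)
    # Every (src, dst) proxy identity the remote side can propose.
    remote_pairs = {pair for acl in r_acls.values() for pair in acl}
    for map_name, entries in l_maps.items():
        static_seqs = [s for s, e in entries.items() if "dynamic" not in e]
        for seq, entry in sorted(entries.items()):
            if "dynamic" in entry:
                # Dynamic entries are templates for unknown peers; Cisco's guidance is to
                # give them the highest sequence numbers so static entries are tried first.
                later = [s for s in static_seqs if s > seq]
                if later:
                    findings.append(f"{map_name} {seq}: dynamic map '{entry['dynamic']}' "
                                    f"is evaluated before static entries {later}")
                continue
            acl_name = entry.get("match address")
            if acl_name is None:
                findings.append(f"{map_name} {seq}: no 'match address' (incomplete entry)")
                continue
            if "set peer" not in entry:
                findings.append(f"{map_name} {seq}: no 'set peer'")
            # Phase 2 proxy IDs must mirror: local (src, dst) == remote (dst, src).
            for src, dst in l_acls.get(acl_name, []):
                if (dst, src) not in remote_pairs:
                    findings.append(f"{map_name} {seq}: {src} -> {dst} has no mirror on remote")
            ts_name = entry.get("set transform-set")
            if l_ts.get(ts_name) not in r_ts.values():
                findings.append(f"{map_name} {seq}: transform set {ts_name}="
                                f"{l_ts.get(ts_name)} is not offered by the remote")
    return findings


if __name__ == "__main__":
    for side, local, remote in (("ASA", ASA_CONFIG, PIX_CONFIG), ("PIX", PIX_CONFIG, ASA_CONFIG)):
        print(side, audit(local, remote) or ["no findings"])
```

Run against the thread's snippets, the ACLs mirror and the transform sets agree, so the only findings are on the ASA side: the incomplete "interfacemap 5" entry and the dynamic "dynmap" entry sequenced ahead of the static entry 20, which is exactly what the reply above tells the poster to look at. The script reads only the lines the posters quoted; ISAKMP policy is not parsed because the PIX side's Phase 1 policy was not posted and Phase 1 completes in the log anyway.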
