The VPN 3000 series is one of the best appliances for debugs. Use them as a
tool.
On the security associations page:
Check the "Authentication Algorithm" against the 1760
Check the "Encryption Algorithm" against the 1760
Check the "Encapsulation Mode" against the 1760 (should be tunnel)
****Check the "Perfect Forward Secrecy" against the 1760**** (Very common
mismatch parameter)
1st question:
Is there a NAT device in the path between the 1760 and the 3005?
-If so, you may need IPSec/UDP encapsulation.
2nd question:
Do you have NAT-T turned on? Try turning it off.
Doran Jimmy wrote:
>
> Ernest
>
> Do your crypto-map ACLs *exactly* match the network list on the
> 3000 (with source/dest reversed, obviously)? They must be the
> same to achieve Phase II.
>
> Do a 'debug crypto isakmp' and 'debug crypto verbose'. Look
> for an error message saying 'no matching SA' or something like
> this. Provided your transform sets are actually OK, it may be
> the ACL/Network Map not matching causing the problem.
>
> Try to simplify the config with a single ACE in the crypto-map
> and the same on the 3000 and see if this works. Also remember
> that network lists on the 3000 use wildcards.
>
>
> HTH
>
> Jimmy
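To tie the checklist above to the 1760 side, here is an added example IOS config (not posted by either Ernest or Jimmy) showing where each parameter you compare against the 3000's Security Association page lives, how the interesting-traffic ACL has to mirror the 3000's network lists, and the knob for the NAT-T test. The peer address 203.0.113.1, the 10.1.1.0/24 and 10.2.2.0/24 networks, the outside address 198.51.100.2, the map name VPN, ACL 101 and the pre-shared key are placeholders, and the NAT-T command applies to IOS releases that have NAT-T at all.

```cisco
! Added example, not the poster's config. Addresses, names and the
! pre-shared key are placeholders: 203.0.113.1 is the 3005's public
! address, 10.1.1.0/24 sits behind the 1760, 10.2.2.0/24 behind the 3005.
!
! Phase 1 (IKE): must match an IKE proposal that is active on the 3000
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 203.0.113.1
!
! NAT-T is on by default in IOS releases that support it. This is the
! knob for the "2nd question" above (try it off); re-enable it with
! "crypto ipsec nat-transparency udp-encapsulation" once you have
! confirmed a NAT device in the path and turned NAT-T on at the 3000.
no crypto ipsec nat-transparency udp-encapsulation
!
! Phase 2: these three map onto the 3000's Security Association page
!   Encryption Algorithm     -> esp-3des
!   Authentication Algorithm -> esp-sha-hmac
!   Encapsulation Mode       -> mode tunnel
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode tunnel
!
! Perfect Forward Secrecy, the common mismatch: if the 3000 SA has PFS
! set to Group 2 the map needs "set pfs group2"; if the 3000 has PFS
! disabled, remove that line. One side on and the other off fails Phase 2.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set pfs group2
 match address 101
!
! Interesting traffic. The 3000's network lists for this LAN-to-LAN entry
! must be the mirror image, written with wildcard masks, not subnet masks:
!   Local  10.2.2.0/0.0.0.255
!   Remote 10.1.1.0/0.0.0.255
! Start with this single ACE and widen it only after Phase 2 comes up.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
!
! Checking from the 1760:
!   show crypto isakmp sa    (QM_IDLE means Phase 1 is up)
!   show crypto ipsec sa     (#pkts encaps/decaps should increment)
!   debug crypto isakmp
!   debug crypto ipsec
```

Apply the test one change at a time: fix the transform set and PFS first, then the ACL/network-list mirror, then NAT-T, re-running "show crypto isakmp sa" and "show crypto ipsec sa" after each step so you know which mismatch was actually blocking Phase 2.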
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=95304&t=95285
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html