RE: VPN 3000 to 1760 [7:95285] posted 12/12/2004

The VPN 3000 series is one of the best appliances for debugs.  Use them as a
tool.

On the security associations page:
Check the "Authentication Algorithm" against the 1760
Check the "Encryption Algorithm" against the 1760
Check the "Encapsulation Mode" against the 1760 (should be tunnel)
*****Check the "Perfect Forward Secrecy" against the 1760**** (Very common
mismatch parameter)

1st question: 
Is there a NAT device in the path between the 1760 and the 3005?
   -If so you may need IPSec/UDP encapsulation.

2nd question:
Do you have NAT-T turned on?  Try turning it off.

Doran Jimmy wrote:
> 
> Ernest
> 
> Do your crypto-map ACLs *exactly* match the network list on the
> 3000 (with source/dest reversed, obviously)?  They must be the
> same to achieve Phase II.
> 
> Do a 'debug crypto isakmp' and 'debug crypto verbose'.  Look
> for error message saying 'no matching SA' or something like
> this.  Provided your transform sets are actually OK, it may be
> the ACL/Network Map not matching causing the problem.
> 
> Try to simplify the config with a single ACE in the crypto-map
> and the same on the 3000 and see if this works.  Also remember
> that network lists on the 3000 use wildcards.
> 
> 
> HTH
> 
> Jimmy
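An added example, not from either poster, that mechanizes the two checks in this thread: the Phase 2 parameters listed above and Jimmy's mirrored-ACL rule. It assumes IOS wildcard-form ACEs and VPN 3000 network lists expressed as (local, remote) network/wildcard pairs; all configuration values are constructed samples.

```python
# Added example (not from the thread): check the Phase 2 items the reply
# lists against an IOS 1760 crypto map, plus the mirrored-ACL rule Jimmy
# describes. All configuration values below are constructed samples.
import ipaddress

def wildcard_net(addr, wildcard):
    """IOS/VPN 3000 address + wildcard mask -> ip_network (contiguous masks only)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # e.g. 0.0.255.0 is not a contiguous wildcard
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_ace(line):
    """Parse 'permit ip <src> <wc> <dst> <wc>' into (src_net, dst_net)."""
    t = line.split()
    if len(t) != 6 or t[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return wildcard_net(t[2], t[3]), wildcard_net(t[4], t[5])

def mirror_mismatches(ios_aces, vpn3000_pairs):
    """Reverse each ACE's src/dst and diff against the 3000's (local, remote) pairs.
    Returns (only_on_ios, only_on_3000) as sorted lists of (local, remote) strings."""
    ios = {(d, s) for s, d in map(parse_ace, ios_aces)}
    conc = {(wildcard_net(*l.split("/")), wildcard_net(*r.split("/")))
            for l, r in vpn3000_pairs}
    fmt = lambda pairs: sorted((str(l), str(r)) for l, r in pairs)
    return fmt(ios - conc), fmt(conc - ios)

PHASE2_KEYS = ("auth", "encr", "mode", "pfs")

def phase2_mismatches(ios_sa, vpn3000_sa):
    """Return the SA parameters (from the checklist above) that differ."""
    return [k for k in PHASE2_KEYS if ios_sa.get(k) != vpn3000_sa.get(k)]

# Constructed sample: 1760 side (crypto map ACL + transform set / PFS)
IOS_ACES = ["permit ip 10.1.1.0 0.0.0.255 192.168.1.0 0.0.0.255",
            "permit ip 10.1.2.0 0.0.0.255 192.168.1.0 0.0.0.255"]
IOS_SA = {"auth": "sha", "encr": "3des", "mode": "tunnel", "pfs": "group2"}
# Constructed sample: VPN 3000 side (local/remote network lists, SA page)
VPN3000_PAIRS = [("192.168.1.0/0.0.0.255", "10.1.1.0/0.0.0.255"),
                 ("192.168.1.0/0.0.0.255", "10.1.3.0/0.0.0.255")]
VPN3000_SA = {"auth": "sha", "encr": "3des", "mode": "tunnel", "pfs": "none"}

if __name__ == "__main__":
    print("ACL mirror diff:", mirror_mismatches(IOS_ACES, VPN3000_PAIRS))
    print("Phase 2 mismatches:", phase2_mismatches(IOS_SA, VPN3000_SA))
```

With the samples above the script reports one ACE present only on the 1760, one entry present only on the 3000, and the PFS mismatch the post calls out as the common one.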

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=95304&t=95285