RE: VPN 3000 to 1760 [7:95285] posted 12/12/2004

The VPN 3000 series is one of the best appliances for debugs.  Use them as a

On the security associations page:
Check the "Authentication Algorithm" against the 1760
Check the "Encryption Algorithm" against the 1760
Check the "Encapsulation Mode" against the 1760 (should be tunnel)
*****Check the "Perfect Forward Secrecy" against the 1760**** (Very common
mismatch parameter)

1st question: 
Is there a NAT device in the path between the 1760 and the 3005?
   -If so you may need IPSec/UDP encapsulation.

2nd question:
Do you have NAT-T turned on?  Try turning it off.

Doran Jimmy wrote:
> Ernest
> Do your crypto-map ACLs *exactly* match the network list on the
> 3000 (with source/dest reversed, obviously)?  They must be the
> same to achieve Phase II.
> Do a 'debug crypto isakmp' and 'debug crypto verbose'.  Look
> for error message saying 'no matching SA' or something like
> this.  Provided your transform sets are actually OK, it may be
> the ACL/Network Map not matching causing the problem.
> Try to simplify the config with a single ACE in the crypto-map
> and the same on the 3000 and see if this works.  Also remember
> that network lists on the 3000 use wildcards.
> Jimmy

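To make the two checklists in this thread mechanical, here is an added example (written for this post, not code from either poster or from Cisco) that takes the Phase 2 values copied by hand from the 1760 and the 3005 and reports every mismatch, including the reversed crypto-ACL / network-list comparison Jimmy describes; the dictionary keys and the (local, remote) tuple order on the 3000 side are assumptions.

```python
import ipaddress


def _wild(net: str, wildcard: str) -> ipaddress.IPv4Network:
    """Both IOS crypto ACLs and VPN 3000 network lists use wildcard masks;
    ipaddress accepts a hostmask after the slash and normalises it."""
    return ipaddress.ip_network(f"{net}/{wildcard}", strict=False)


def check_phase2(ios: dict, vpn3000: dict) -> list:
    """Return human-readable mismatches; an empty list means the SA
    parameters agree and the ACL / network list mirror each other."""
    problems = []
    for key, label in (("auth", "Authentication Algorithm"),
                       ("encr", "Encryption Algorithm"),
                       ("mode", "Encapsulation Mode"),
                       ("pfs", "Perfect Forward Secrecy")):
        if ios[key] != vpn3000[key]:
            problems.append(f"{label}: 1760={ios[key]} 3000={vpn3000[key]}")
    if vpn3000["mode"] != "tunnel":
        problems.append("Encapsulation Mode on the 3000 should be tunnel")
    # A 1760 ACE (source -> destination) must equal the 3000's (remote, local):
    # the same pair of networks seen from the other end of the tunnel.
    ios_pairs = {(_wild(*src), _wild(*dst)) for src, dst in ios["acl"]}
    vpn_pairs = {(_wild(*rem), _wild(*loc)) for loc, rem in vpn3000["networks"]}
    for src, dst in sorted(ios_pairs - vpn_pairs, key=str):
        problems.append(f"1760 ACE {src} -> {dst} has no mirror on the 3000")
    for rem, loc in sorted(vpn_pairs - ios_pairs, key=str):
        problems.append(f"3000 entry local {loc} / remote {rem} has no mirror ACE")
    return problems


# Constructed sample (assumed values, not from the thread): the common PFS
# mismatch plus a 3000 network list whose wildcard is wider than the 1760 ACE.
IOS_1760 = {"auth": "esp-sha-hmac", "encr": "esp-3des", "mode": "tunnel",
            "pfs": "group2",
            "acl": [(("10.1.1.0", "0.0.0.255"), ("10.2.2.0", "0.0.0.255"))]}
VPN_3005 = {"auth": "esp-sha-hmac", "encr": "esp-3des", "mode": "tunnel",
            "pfs": "disabled",
            "networks": [(("10.2.2.0", "0.0.255.255"), ("10.1.1.0", "0.0.0.255"))]}

if __name__ == "__main__":
    for line in check_phase2(IOS_1760, VPN_3005) or ["Phase 2 parameters match"]:
        print(line)
```

Run against the sample it reports the PFS mismatch and the two one-sided network entries; once both sides are edited to agree, it prints that Phase 2 parameters match.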