Re: IPsec VPN

From: Ali El Moussaoui <mousawi.ali_at_gmail.com>
Date: Fri, 19 Jun 2009 09:13:11 +0300

ASA:
access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 5 set security-association lifetime kilobytes 4608000
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap 20 set security-association lifetime seconds 28800
crypto map interfacemap 20 set security-association lifetime kilobytes 4608000
crypto map interfacemap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
PIX:
Show run | i crypto
crypto ipsec transform-set DXBBEY esp-des esp-none
crypto map OUTSIDE_MAP 20 match address VPNDXB
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
crypto map OUTSIDE_MAP interface OUTSIDEINT

access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0

Note that I changed the peers' IPs ;)

Ali
On Thu, Jun 18, 2009 at 3:10 PM, Ryan West <rwest_at_zyedge.com> wrote:

> Without seeing the relevant information that Phase 2 must match on
> (interesting traffic and transform sets), it is hard to tell. Please post
> the following:
>
> If you're running post 6.3(5), you can run the ASA commands on the PIX.
>
> ASA:
> Show run crypto
> Show run access-list <insert interesting traffic ACLs>
>
> PIX:
> Show run | i crypto
> Show run | i access-list <insert interesting traffic ACLs>
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Ali El Moussaoui
> Sent: Thursday, June 18, 2009 4:47 AM
> To: ccielab_at_groupstudy.com
> Subject: IPsec VPN
>
> Hello Experts,
>
> I am building an IPsec tunnel between 2 remote sites (ASA and PIX). The
> tunnel is coming up only when the ASA initiates the communication. When the
> PIX initiates the tunnel negotiation the following error shows up:
>
> Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!
> Group = x.x.x.x, IP = x.x.x.x, Connection terminated for peer x.x.x.x.  Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
> Group = x.x.x.x, IP = x.x.x.x, Received non-routine Notify message: No proposal chosen (14)
> Group = x.x.x.x, IP = x.x.x.x, PHASE 1 COMPLETED
>
> Any clue about what could cause the above?
>
> Ali
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
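Added example, not part of this thread and not a Cisco tool: a small Python consistency checker for the two halves of a site-to-site crypto map. It takes the ASA and PIX snippets posted above (embedded below as constructed input, with the mail-wrapped lines joined) and reports the Phase 2 conditions a responder rejects with "No proposal chosen": crypto ACLs that are not mirror images of each other and transform sets that differ. It also flags a dynamic crypto-map entry that sits ahead of a static one, since Cisco recommends giving dynamic entries the highest sequence number so static entries are evaluated first; that is a general configuration check, not a diagnosis of this particular tunnel. The parser only understands the command forms that appear in the thread.

```python
import re
from ipaddress import IPv4Network

# Constructed input: the crypto lines posted for each box in the thread above.
ASA_CONFIG = """
access-list vpnbey extended permit ip 192.168.100.0 255.255.255.0 192.168.40.0 255.255.248.0
access-list vpnbey extended permit ip 192.168.3.0 255.255.255.0 192.168.40.0 255.255.248.0
crypto ipsec transform-set dxbbey esp-des esp-none
crypto map interfacemap 5 set security-association lifetime seconds 28800
crypto map interfacemap 10 ipsec-isakmp dynamic dynmap
crypto map interfacemap 20 match address vpnbey
crypto map interfacemap 20 set peer 1.1.1.1
crypto map interfacemap 20 set transform-set dxbbey
crypto map interfacemap interface outside
"""

PIX_CONFIG = """
crypto ipsec transform-set DXBBEY esp-des esp-none
crypto map OUTSIDE_MAP 20 match address VPNDXB
crypto map OUTSIDE_MAP 20 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 set transform-set DXBBEY
crypto map OUTSIDE_MAP interface OUTSIDEINT
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.100.0 255.255.255.0
access-list VPNDXB extended permit ip 192.168.40.0 255.255.248.0 192.168.3.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse(config):
    """Extract crypto ACL flows, transform sets and crypto-map entries from a snippet."""
    acls, tsets, maps = {}, {}, {}
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(
                (IPv4Network(f"{src}/{smask}"), IPv4Network(f"{dst}/{dmask}")))
        elif m := TS_RE.match(line):
            tsets[m.group(1)] = tuple(m.group(2).split())
        elif m := MAP_RE.match(line):
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform"] = words[2]
            elif "dynamic" in words:
                entry["dynamic"] = words[-1]
            # lifetime and other 'set' subcommands are accepted but not compared
    return acls, tsets, maps


def dynamic_order_findings(side, maps):
    """Flag dynamic entries that precede a static entry in the same crypto map."""
    out = []
    for (name, seq), e in sorted(maps.items()):
        if "dynamic" in e:
            later = [s for (n, s), x in maps.items() if n == name and "acl" in x and s > seq]
            if later:
                out.append(("dynamic-order", f"{side}: {name} {seq} (dynamic) precedes static {later}"))
    return out


def check_pair(cfg_a, cfg_b):
    """Return a list of (kind, detail) findings; an empty list means Phase 2 lines up.

    Interesting traffic must mirror (A's src->dst is B's dst->src) and the
    transform set referenced by each static entry must be identical.
    """
    findings = []
    a_acls, a_ts, a_maps = parse(cfg_a)
    b_acls, b_ts, b_maps = parse(cfg_b)
    for ea in [e for e in a_maps.values() if "acl" in e]:
        for eb in [e for e in b_maps.values() if "acl" in e]:
            a_flows = a_acls.get(ea["acl"], set())
            b_mirror = {(dst, src) for (src, dst) in b_acls.get(eb["acl"], set())}
            for src, dst in sorted(a_flows - b_mirror, key=str):
                findings.append(("acl-mismatch", f"{ea['acl']} {src} -> {dst} has no mirror in {eb['acl']}"))
            for src, dst in sorted(b_mirror - a_flows, key=str):
                findings.append(("acl-mismatch", f"{eb['acl']} {dst} -> {src} has no mirror in {ea['acl']}"))
            ta, tb = a_ts.get(ea.get("transform")), b_ts.get(eb.get("transform"))
            if ta != tb:
                findings.append(("transform-mismatch", f"{ta} vs {tb}"))
    findings += dynamic_order_findings("A", a_maps) + dynamic_order_findings("B", b_maps)
    return findings


if __name__ == "__main__":
    for kind, detail in check_pair(ASA_CONFIG, PIX_CONFIG) or [("ok", "Phase 2 parameters match")]:
        print(f"{kind}: {detail}")
```

Run against the posted snippets the ACLs and transform sets come out as a clean mirror; the only finding is the ordering note about sequence 10 on the ASA. Edit either side's ACL or transform set and the corresponding mismatch is reported, which is the quick sanity check worth doing before reading the ISAKMP debugs.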

Received on Fri Jun 19 2009 - 09:13:11 ART

This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:37 ART