professorguy
MIS
I am trying to add another L2L tunnel to the many we already have working correctly. The settings for this tunnel are identical to the settings for all our other L2L tunnels, but I get this from a 'show isakmp sa detail' during an attempted telnet:
...
6 IKE Peer: 208.x.y.33
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime : 86400
7 IKE Peer: 208.w.z.227
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime : 0
...
The first one works; the second one, with the wrong type and weird encryption/hash settings, doesn't. However, looking at the running configuration, THERE ARE NO SETTING DIFFERENCES BETWEEN THESE TWO TUNNELS! Here are some highlights:
-----------
crypto map vpn_map 50 match address vpnVRC
crypto map vpn_map 50 set peer 208.x.y.33
crypto map vpn_map 50 set transform-set ESP-3DES-MD5
...
crypto map vpn_map 90 match address vpnMedHost
crypto map vpn_map 90 set peer 208.w.z.227
crypto map vpn_map 90 set transform-set ESP-3DES-MD5
-----------
access-list vpnVRC extended permit ip object-group PACS-Local object-group VRC-Remote
...
access-list vpnMedHost extended permit ip object-group MedHost-Local object-group MedHost-Remote
-----------
tunnel-group 208.x.y.33 type ipsec-l2l
tunnel-group 208.x.y.33 ipsec-attributes
pre-shared-key *
...
tunnel-group 208.w.z.227 type ipsec-l2l
tunnel-group 208.w.z.227 ipsec-attributes
pre-shared-key *
-----------
access-list acl_nonat extended permit ip object-group PACS-Local object-group VRC-Remote
...
access-list acl_nonat extended permit ip object-group MedHost-Local object-group MedHost-Remote
-----------
Anyone have any ideas as to why it is trying (and failing) to establish a USER tunnel instead of an L2L tunnel? It says type ipsec-l2l right in the tunnel-group! And why is it using the aes-256/sha settings when the crypto map specifies a transform set using 3des/md5?
Thanks in advance for any insight.
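Added example (not part of the original post): a small triage script that parses 'show isakmp sa detail' output of the shape quoted above together with the tunnel-group lines from the running config, and reports for each peer why phase 1 is not up. It works on constructed samples (SAMPLE_SA_OUTPUT, SAMPLE_CONFIG, using RFC 5737 documentation addresses in place of the real peers) and takes as a working assumption that the Type/Encrypt/Hash shown for an SA still in MM_WAIT_MSG2 with Lifetime 0 are unnegotiated placeholders rather than evidence of a configuration difference.

```python
import re

# Constructed sample modelled on the 'show isakmp sa detail' output in the post (RFC 5737 addresses).
SAMPLE_SA_OUTPUT = """\
6   IKE Peer: 192.0.2.33
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
7   IKE Peer: 198.51.100.227
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0
"""
# Constructed running-config lines shaped like the post's tunnel-group entries.
SAMPLE_CONFIG = "tunnel-group 192.0.2.33 type ipsec-l2l\ntunnel-group 198.51.100.227 type ipsec-l2l\n"

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"([A-Za-z]+)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    """One dict per 'IKE Peer' entry, with the field names lower-cased."""
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "peer": m.group(2)}
            sas.append(current)
        elif current is not None:
            current.update((k.lower(), v) for k, v in FIELD_RE.findall(line))
    return sas

def triage(sa_text, config_text):
    """Map each peer to its findings; an empty list means phase 1 is up as an L2L SA."""
    l2l_peers = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config_text, re.M))
    report = {}
    for sa in parse_isakmp_sa(sa_text):
        notes, state = [], sa.get("state", "")
        if state != "MM_ACTIVE":
            # MM_WAIT_MSG2: the initiator sent MM1 and never got MM2, i.e. the peer did not answer.
            hint = " (MM1 sent, no MM2 from peer: check reachability, UDP/500, and the peer's config)" if state == "MM_WAIT_MSG2" else ""
            notes.append(f"phase 1 not established, stuck in {state}{hint}")
        if sa.get("lifetime") == "0":
            # Working assumption: nothing negotiated yet, so the displayed Type/Encrypt/Hash mean nothing.
            notes.append("no phase-1 parameters negotiated; displayed Type/Encrypt/Hash are not meaningful")
        elif sa["peer"] in l2l_peers and sa.get("type") != "L2L":
            notes.append("up as a non-L2L SA although its tunnel-group is ipsec-l2l: check tunnel-group match")
        report[sa["peer"]] = notes
    return report
```

Paste the real command output and the tunnel-group lines in place of the two samples; a peer whose only finding is the MM_WAIT_MSG2 hint is one the remote side never answered, which is where to look before comparing crypto settings.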