Anybody do a lot of these? I am having a problem. The tunnel won't turn up (won't get past phase one). This is in my test environment between a Cisco ASA 5520 and a 2801. Take a look here:

ASA:
crypto ipsec transform-set Router2ASA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CryptoMap2Router 1 match address CryptoMap2Router
crypto map CryptoMap2Router 1 set peer X.X.X.9
crypto map CryptoMap2Router 1 set transform-set Router2ASA
crypto map CryptoMap2Router interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XX.XX.XX.X9 type ipsec-l2l
tunnel-group XX.XX.XX.x9 ipsec-attributes
 pre-shared-key *****
access-list CryptoMap2Router extended permit ip 192.168.9.0 255.255.255.0 10.0.100.0 255.255.255.0

Router:
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key X.X.X.X address X.X.X.X8 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set ASAROUTER esp-aes 256 esp-sha-hmac
!
crypto map Router2ASA 1 ipsec-isakmp
 set peer X.X.X.X8
 set transform-set ASAROUTER
 match address VPN
!
ip access-list extended VPN
 permit ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255

I keep getting these messages on the Cisco router:
*Sep 20 21:51:36.354: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from X.X.X.58 was not encrypted and it should've been.
I think it has something to do with killing the NATs between the two boxes, like I have done here on the Cisco router:

ip access-list extended Nat
 deny ip 10.0.100.0 0.0.0.255 192.168.9.0 0.0.0.255
 permit ip 10.0.100.0 0.0.0.255 any

I can't figure out how to do the same thing on the ASA (using 8.3). Anybody see anything I totally messed up?
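As an added example (not part of the original post), this is the ASA 8.3 twice-NAT identity rule that plays the same role as the deny line in the router's Nat ACL: it exempts the 192.168.9.0/24 to 10.0.100.0/24 traffic from translation so it matches the crypto ACL. It assumes the ASA's LAN-facing interface is named "inside"; the interface name and the object names are assumptions, the subnets come from the configs above.

```cisco
! Objects for the two protected subnets (names are assumptions)
object network ASA-LAN
 subnet 192.168.9.0 255.255.255.0
object network ROUTER-LAN
 subnet 10.0.100.0 255.255.255.0
!
! Identity NAT (NAT exemption in 8.3+ terms): source and destination
! are translated to themselves, so the packet keeps its real addresses
! and still matches access-list CryptoMap2Router.
! Place this before any general PAT rule for "inside" so it wins.
nat (inside,outside) source static ASA-LAN ASA-LAN destination static ROUTER-LAN ROUTER-LAN no-proxy-arp route-lookup
!
! Verification after applying:
!   show nat                      - the rule should show translate hits for VPN traffic
!   packet-tracer input inside tcp 192.168.9.10 1234 10.0.100.10 80
!                                 - the NAT phase should show the identity rule, then the VPN phase
```

Note that a NAT mismatch normally shows up as phase 2 (proxy identity) failures rather than phase 1 not completing, so it is also worth confirming the pre-shared keys and peer addresses on both sides match while checking this.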