There are 2 peers (217.x.x.x and 85.x.x.x) and 2 matching ACLs (111 - 192.168.0.0/24 and 112 - 192.168.96.0/21).
Why do you say "Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and 192.168.0.0/24"? Can you explain?

2008/12/12 Tony Varriale <[email protected]>

> The transforms are fine and the debug says so.
>
> The ACL/proxy setup is failing.
>
>> 2d23h: ISAKMP (0:134217749): received packet from 217.x.x.x dport 500 sport
>> 2d23h: ISAKMP:(0:21:SW:1): phase 2 SA policy not acceptable! (local 82.x.x.x remote 217.x.x.x)
>
>> xxx#sh crypto map tag xxx
>> Crypto Map "xxx" 10 ipsec-isakmp
>> Peer = 217.x.x.x
>> Extended IP access list 111
>> access-list 111 permit ip 192.168.200.0 0.0.0.255 192.168.0.0 0.0.0.255
>
> Obviously 82.x and 217.x aren't the same as 192.168.200.0/24 and
> 192.168.0.0/24
>
> tv
>
> ----- Original Message -----
> From: "Mario Spinthiras" <[email protected]>
> To: "Gamino, Rogelio (OCTO-Contractor)" <[email protected]>
> Cc: <[email protected]>; "twisted mac" <[email protected]>
> Sent: Friday, December 12, 2008 3:15 PM
> Subject: Re: [c-nsp] IPSec between Cisco and D-Link
>
>> I don't think that's the problem. It looks like the transform sets don't
>> match. Don't forget that ACLs come prior to phase 2.
>>
>> Regards,
>> Mario A. Spinthiras
>> http://www.spinthiras.net/
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
