Cisco L2L Help

Been having issues setting up this Cisco L2L - I had it all working, but then users couldn't connect to SSL-VPN and found my mistake. Now I am not sure what I am missing. Any help will be appreciated. :)
HQ FIREWALL

access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map SITELINKS 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 168.168.168.10 type ipsec-l2l
tunnel-group 168.168.168.10 ipsec-attributes
 pre-shared-key *


REMOTE SITE

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group 192.192.192.10 type ipsec-l2l
tunnel-group 192.192.192.10 ipsec-attributes
 pre-shared-key *****


matt2008 Asked:
piersonm Commented:
At first glance the subnet mask on your HQ SITE access-list inbound_nat0_outbound doesn't match the remote site.

HQ FIREWALL
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0

REMOTE SITE
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0
0
matt2008 Author Commented:
Yeah, I fixed that - good catch though. Still down. I didn't really change much except renamed outside_map to SITELINKS on HQ side.

0
piersonm Commented:
What error messages are you receiving?
Can you provide information from the show commands:
   show crypto isakmp sa
   show crypto ipsec sa peer <IP Address>
   
0
matt2008 Author Commented:
There are no isakmp sas
0
matt2008 Author Commented:
I've requested that this question be deleted for the following reason:

found my own solution.
0
piersonm Commented:
What was the resolution?
0
matt2008 Author Commented:
Removed crypto map outside_map 20 set pfs from each side and came right up. Took a few to renegotiate.
0
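The two things this thread checks by eye (crypto ACLs that mirror each other, and the same pfs and transform-set on both peers) as an added Python example, not code from the thread. The names `l2l_entry` and `compare` are hypothetical, the sample input is the L2L lines from the question, and it assumes one static L2L entry per firewall.

```python
import ipaddress
import re

# Constructed sample input: the L2L-relevant lines from the two configs in the question.
HQ = """\
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.10.10.0 255.255.255.0
crypto map SITELINKS 10 ipsec-isakmp dynamic Outside_dyn_map
crypto map SITELINKS 20 match address inside_nat0_outbound
crypto map SITELINKS 20 set pfs
crypto map SITELINKS 20 set peer 168.168.168.10
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
"""
REMOTE = """\
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_map 20 match address inside_nat0_outbound
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 192.192.192.10
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set)\s*(.*)$")

def l2l_entry(config):
    """Return (settings, acl_pairs) for the lowest-numbered static entry that sets a peer."""
    acls, entries = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, set()).add(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MAP_RE.match(line):  # the dynamic-map line is deliberately not matched
            name, seq, key, value = m.groups()
            entries.setdefault((name, int(seq)), {})[key] = value
    for key in sorted(entries):
        if "set peer" in entries[key]:
            return entries[key], acls.get(entries[key].get("match address"), set())
    raise ValueError("no static crypto map entry with a peer")

def compare(a, b):
    """List the differences between two peers' L2L entries; an empty list means they agree."""
    (ea, pa), (eb, pb) = l2l_entry(a), l2l_entry(b)
    mirrored = {(dst, src) for src, dst in pb}  # b's ACL as seen from a's side
    problems = [f"crypto ACL not mirrored: {src} -> {dst}" for src, dst in sorted(pa ^ mirrored)]
    for key in ("set pfs", "set transform-set"):
        if ea.get(key) != eb.get(key):
            problems.append(f"{key} differs: {ea.get(key)!r} vs {eb.get(key)!r}")
    return problems

if __name__ == "__main__":
    print("\n".join(compare(HQ, REMOTE)) or "L2L entries agree")
```

Run against the configs as posted, it reports the 10.1.0.0 mask difference piersonm spotted and nothing else, since pfs and the transform-set are the same on both sides.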
South Mod Moderator Commented:
All,
 
Following an 'Objection' by piersonm (at http://www.experts-exchange.com/Q_27390508.html) to the intended closure of this question, it has been reviewed by at least one Moderator and is being closed as recommended by the Expert.
 
At this point I am going to re-start the auto-close procedure.
 
Thank you,
 
SouthMod
Community Support Moderator
0