https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313479#M859213 <HTML><HEAD></HEAD><BODY><P>Thanks for your help, we (the other side of the tunnel) seemed to have matched enough of the ISAKMP to create a whole new problem.</P><P>I'll start a new post</P></BODY></HTML> Mon, 22 Jun 2009 04:55:03 GMT techsupport 2009-06-22T04:55:03Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313474#M859207 <P>Trying to setup a l2l vpn between 2 ASAs and came across this in the log</P><P></P><P>Thanks</P><P></P><P>Jun 21 17:07:46 [IKEv1]: Group = 71.172.68.18, IP = 71.172.68.18, IKE Remote Peer configured for crypto map: vpn_map</P><P>Jun 21 17:07:46 [IKEv1 DEBUG]: Group = 71.172.68.18, IP = 71.172.68.18, processing IPSec SA payload</P><P>Jun 21 17:07:46 [IKEv1]: Group = 71.172.68.18, IP = 71.172.68.18, All IPSec SA proposals found unacceptable!</P><P>Jun 21 17:07:46 [IKEv1 DEBUG]: Group = 71.172.68.18, IP = 71.172.68.18, sending notify message</P> Mon, 11 Mar 2019 15:46:16 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313474#M859207 techsupport 2019-03-11T15:46:16Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313475#M859209 <HTML><HEAD></HEAD><BODY><P>Compare your crypto maps between the 2 firewalls. The IPSEC proposal is the phase 2 proposal (transform set, group, pfs, etc)</P></BODY></HTML> Sun, 21 Jun 2009 23:10:51 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313475#M859209 jeromecandiff 2009-06-21T23:10:51Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313476#M859210 <HTML><HEAD></HEAD><BODY><P>Sounds like a mis-matched transform set between the peers. </P><P></P><P>sh run crypto</P><P></P><P>Check the transform sets referenced by your crypto map. </P></BODY></HTML> Mon, 22 Jun 2009 00:05:28 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313476#M859210 Patrick0711 2009-06-22T00:05:28Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313477#M859211 <HTML><HEAD></HEAD><BODY><P>These are the two configs, I'm not clear on</P><P>how crypto maps are linked to isakmp policy.</P><P></P><P>Whats the best way to set both sides to the</P><P>same. I can see that both sides are using</P><P>3des sha group 2. I get confused about policy 1 vs. 10 , 20 etc</P><P></P><P></P><P>name 71.X.68.X ABC</P><P></P><P>access-list VPN_TO_ABC extended permit ip host 10.20.12.127 host 192.168.13.3 </P><P>access-list OUTSIDE_ACCESS_IN extended permit ip host 192.168.13.3 host 10.20.12.127 </P><P></P><P>access-list nonat_inside extended permit ip host 10.20.12.127 host 192.168.13.3</P><P>nat (inside) 0 access-list nonat_inside</P><P></P><P>crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac </P><P></P><P>crypto map vpn_map 26 match address VPN_TO_ABC</P><P>crypto map vpn_map 26 set peer ABC </P><P>crypto map vpn_map 26 set transform-set 3DES-SHA</P><P></P><P>tunnel-group 71.X.68.X type ipsec-l2l</P><P>tunnel-group 71.X.68.X ipsec-attributes</P><P> pre-shared-key *</P><P></P><P>crypto map vpn_map interface outside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 1</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption aes-256</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P>crypto isakmp policy 20</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 28800</P><P>crypto isakmp policy 30</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash md5</P><P> group 2</P><P> lifetime 86400</P><P>no crypto isakmp nat-traversal</P><P></P><P>---------------------------------------------------------------------------</P><P></P><P>name 198.63.227.53 XYZ</P><P></P><P>access-list VPN_TO_XYZ extended permit ip 192.168.13.0 255.255.255.0 host 10.20.12.127</P><P>access-list OUTSIDE_ACCESS_IN extended permit ip host 10.20.12.127 192.168.13.0 255.255.255.0 </P><P></P><P>access-list no_nat0 extended permit ip 192.168.13.0 255.255.255.0 host 10.20.12.127</P><P>nat (inside) 0 access-list no_nat0</P><P></P><P>crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac </P><P></P><P>crypto map outside_map 1 match address VPN_TO_XYZ</P><P>crypto map outside_map 1 set peer XYZ </P><P>crypto map outside_map 1 set transform-set ESP-3DES-SHA</P><P>crypto map outside_map interface outside</P><P>crypto isakmp enable outside</P><P>crypto isakmp policy 10</P><P> authentication pre-share</P><P> encryption 3des</P><P> hash sha</P><P> group 2</P><P> lifetime 86400</P><P></P><P>tunnel-group 198.X.227.X type ipsec-l2l</P><P>tunnel-group 198.X.227.X ipsec-attributes</P><P> pre-shared-key *</P></BODY></HTML> Mon, 22 Jun 2009 00:18:11 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313477#M859211 techsupport 2009-06-22T00:18:11Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313478#M859212 <HTML><HEAD></HEAD><BODY><P>The debug messages indicate a problem with the IKE phase 2 quick mode negotiation.</P><P></P><P>Is there a dynamic crypto map configured with a lower priority number in the first configuration? </P><P></P><P>I also noticed that the encryption domains do not match. One end specifies 192.168.13.0/24 while the other end specifies the 192.168.13.3 host. This will need to be corrected. </P><P> </P></BODY></HTML> Mon, 22 Jun 2009 03:15:57 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313478#M859212 Patrick0711 2009-06-22T03:15:57Z https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313479#M859213 <HTML><HEAD></HEAD><BODY><P>Thanks for your help, we (the other side of the tunnel) seemed to have matched enough of the ISAKMP to create a whole new problem.</P><P>I'll start a new post</P></BODY></HTML> Mon, 22 Jun 2009 04:55:03 GMT https://community.cisco.com/t5/network-security/ipsec-quot-all-ipsec-sa-proposals-found-unacceptable-quot/m-p/1313479#M859213 techsupport 2009-06-22T04:55:03Z