07-22-2009 02:57 AM - edited 03-11-2019 08:57 AM
Hi all, I have a problem with a VPN between an 857 router and an ASA 5510. From the log I can't understand what the issue is.
Debug:
*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1
*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
857 conf:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 2.2.2.2
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
ASA conf:
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800
crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
Anyone have idea of the possible problem?
TIA Enrico.
07-22-2009 04:20 AM
Check the IP address of the peers and the physical interfaces.
07-22-2009 04:57 AM
The IP addresses of the two peers are correct; for the physical interface, what do you mean? Which check?
Thanks Enrico.
07-22-2009 05:04 AM
If one device has the VPN peer address of 1.1.1.1, then its local IP address must be 2.2.2.2.
So the other device must have a VPN peer address of 2.2.2.2, so its local IP address must be 1.1.1.1.
07-22-2009 05:15 AM
Yes, the IPs are correct.
07-22-2009 05:16 AM
Try setting the crypto map pfs on the ASA to group2 so that it matches the router.
crypto map TELEFIN_LAN_map 1 set pfs group2
07-22-2009 05:55 AM
group2 of pfs is the default value
07-23-2009 06:32 AM
What do the crypto ACLs look like?
07-23-2009 11:16 PM
On the 857 router:
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload
route-map SDM_RMAP_1 permit 1
match ip address 101
On ASA
access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
I hope this is all that's necessary...
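As an added illustration (not from the original thread), the script below does the phase 2 comparison the replies walk through: it parses the router's wildcard-mask crypto ACL and the ASA's subnet-mask ACL, checks that the proxy identities mirror each other, and compares transform-set and PFS group. The ACL text is constructed from the lines posted above; transform-set names and PFS values are passed in as assumptions.

```python
import ipaddress

# Constructed sample input, copied from the crypto ACLs posted in the thread.
ROUTER_ACL = """
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
"""
ASA_ACL = """
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""

def _net(addr, mask, wildcard):
    """Build a network from an address plus an IOS wildcard or an ASA subnet mask."""
    if wildcard:  # IOS wildcard: invert the bits to get the subnet mask
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text, wildcard):
    """Return the set of (src, dst) network pairs from 'permit ip' ACL lines."""
    pairs = set()
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] != "access-list" or "permit" not in f:
            continue
        i = f.index("permit") + 2  # skip 'permit ip'
        if len(f) < i + 4:
            continue
        pairs.add((_net(f[i], f[i + 1], wildcard), _net(f[i + 2], f[i + 3], wildcard)))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Proxy IDs must mirror: each (src, dst) on one side is (dst, src) on the other."""
    mirrored = {(d, s) for s, d in remote_pairs}
    return local_pairs ^ mirrored  # entries present on only one side

def check_phase2(local_pairs, remote_pairs, local_ts, remote_ts, local_pfs, remote_pfs):
    """Return a list of phase 2 problems; an empty list means the proposals should agree."""
    problems = []
    for s, d in mirror_mismatches(local_pairs, remote_pairs):
        problems.append(f"crypto ACL not mirrored: {s} -> {d}")
    if set(local_ts) != set(remote_ts):
        problems.append(f"transform-set mismatch: {local_ts} vs {remote_ts}")
    if local_pfs != remote_pfs:
        problems.append(f"PFS mismatch: {local_pfs} vs {remote_pfs}")
    return problems

if __name__ == "__main__":
    r = parse_acl(ROUTER_ACL, wildcard=True)
    a = parse_acl(ASA_ACL, wildcard=False)
    # 'set pfs' with no group on the ASA defaults to group2, as noted in the thread
    ts = ("esp-3des", "esp-sha-hmac")
    print(check_phase2(r, a, ts, ts, "group2", "group2"))
```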
07-24-2009 07:57 AM
Hi,
You missed the following on ASA:
crypto map TELEFIN_LAN_map 1 ipsec-isakmp
####
phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
########
The debug message essentially says: phase 2 SA policy not matching, and was not acceptable. After making changes, remove and re-apply the crypto map.
Give it a try.
Fuming
08-02-2009 11:41 PM
If I add the line:
crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
ERROR: Unable to initialized crypto map entry