Problems to bring up tunnels using pppoe in all sites and dynamic addresses

sguerrero
Level 1

I have a PIX 515 in the central site; in the remote sites I have 501 models. All of them are using PPPoE, and I am using overload on the outside interface instead of NAT, because I only have one public IP address at each site. Only in the central site do I have a static IP; the rest of the equipment has dynamic IP addresses. All peers seem to be up with show crypto isakmp sa, but I receive this message while running debug crypto isakmp and debug crypto ipsec:

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable! ,

Also, is this configuration valid?

IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 200.x.x.x, remote= 201.x.x.x,
local_proxy= 10.0.10.7/255.255.255.255/0/0 (type=1),
remote_proxy= 10.0.44.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1971711055:8a7a13b1
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x33baa67b(867870331) for SA
from 201.x.x.x to 200.x.x.x for prot 3
crypto_isakmp_process_block:src:201.x.x.x, dest:200.x.x.x spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 867870331, message ID = 1358910254
ISAKMP (0): deleting spi 2074524211 message ID = 2323256241
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:201.x.x.x, dest:200.x.x.x spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2728417642
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 200.x.x.x src= 201.x.x.x,
dest_proxy= 10.0.44.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.46.7/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 200.x.x.x, src= 201.x.x.x,
dest_proxy= 10.0.46.7/255.255.255.255/0/0 (type=1),
src_proxy= 10.0.44.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
IPSEC(validate_transform_proposal): proxy identities not supported
ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 3
return status is IKMP_ERR_NO_RETRANS
ISADB: reaper checking SA 0x13b2a64, conn_id = 0

Thanks for any help. This is a full mesh; I mean, I have 3 PIXes and have configured peering between each of them (two tunnels on each).


ehirsel
Level 6

On which pix unit were the log messages from? The central site or one of the remotes?

Please post all isakmp policies and crypto maps from all 3 PIX units here. The issue is in phase 2, and it may be due to the ACLs not being mirror images of each other. If you are using NAT on the central PIX, and the IPsec tunnel terminates on the outside interface, the ACL referred to in the crypto maps may need to refer to the translated address, unless you are bypassing NAT for IPsec sessions.

With the two 501 units getting dynamic IP address assignments, I assume that you are using certificates for authentication, or are you using pre-shared keys?
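The mirror-image check ehirsel describes, as an added example (it is not code from either poster): it parses the proxy identities out of the debug output quoted in the question and compares each proposal part against the responder's crypto ACL. The ACL line is an assumption taken from the local_proxy/remote_proxy pair in the request-timer message, and the exact-mirror rule is a simplification of the device's matching logic.

```python
import ipaddress
import re

# Constructed sample: the proxy identities from the first proposal part in the debug above.
DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 200.x.x.x src= 201.x.x.x,
dest_proxy= 10.0.44.0/255.255.255.0/0/0 (type=4),
src_proxy= 10.0.46.7/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
"""

# Assumed crypto ACL on the PIX that logged this, as (local network, remote network)
# per permit line; taken from the local_proxy/remote_proxy pair in the request-timer message.
LOCAL_CRYPTO_ACL = [("10.0.10.7/32", "10.0.44.0/24")]

PROXY_RE = re.compile(r"(src|dest)_proxy= (\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/")


def parse_proxies(debug):
    """Return [(src_proxy, dest_proxy), ...] as ip_network objects, one per proposal part."""
    parts, current = [], {}
    for line in debug.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        current[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
        if len(current) == 2:
            parts.append((current["src"], current["dest"]))
            current = {}
    return parts


def mirror_match(src_proxy, dest_proxy, acl):
    """True if some ACL line is the exact mirror image of the peer's proposal:
    the peer's dest_proxy is our local network and its src_proxy is our remote network."""
    for local, remote in acl:
        if (dest_proxy == ipaddress.ip_network(local)
                and src_proxy == ipaddress.ip_network(remote)):
            return True
    return False


def check_debug(debug, acl):
    """Evaluate every proposal part; False means the responder has no mirror ACL line,
    which is what the 'proxy identities not supported' message reports."""
    return [(str(s), str(d), mirror_match(s, d, acl)) for s, d in parse_proxies(debug)]


if __name__ == "__main__":
    for src, dest, ok in check_debug(DEBUG, LOCAL_CRYPTO_ACL):
        print(f"{src} -> {dest}: {'OK' if ok else 'NO MIRROR ACL LINE'}")
```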