05-08-2019 08:01 PM
I am creating a VPN with another router and for some reason PFS is not being enabled from my end. Here's my crypto config:
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
!
crypto isakmp key ABC123456 address 20.30.40.50
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
 mode tunnel
!
!
crypto map map1 30 ipsec-isakmp
 set peer 20.30.40.50
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF
Here's the output of sh crypto ipsec sa:
protected vrf: (none)
local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 20.30.40.50 port 500
  PERMIT, flags={origin_is_acl,}
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 821, #recv errors 0

 local crypto endpt.: 1.2.3.4, remote crypto endpt.: 20.30.40.50
 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none   <<<
And here's sh crypto map:
Crypto Map IPv4 "map1" 30 ipsec-isakmp
 Peer = 20.30.40.50
 Extended IP access list VPN_TRAFFIC
  access-list SECRET_STUFF permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 Security association lifetime: 4608000 kilobytes/3600 seconds
 Responder-Only (Y/N): N
 PFS (Y/N): Y   <<<
 DH group: group2
 Mixed-mode : Disabled
 Transform sets={
  des-md5: { esp-des esp-md5-hmac } ,
 }
 Interfaces using crypto map map1:
  Vlan3
What am I doing wrong here? I also get the following error in the logs:
*May 9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.2.3.4 remote 20.30.40.50)
Phase 1 encr, hash and group have all been double-checked on both sides. They match.
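Two things worth keeping in mind when reading the outputs above. First, the `sh crypto ipsec sa` block shows no IPsec SA at all (outbound SPI 0x0, every packet counter at zero, 821 send errors), so its "PFS (Y/N): N, DH group: none" line describes an SA that was never negotiated, not the local policy; the local policy is what `sh crypto map` shows, and there PFS group2 is set. Second, "phase 2 SA policy not acceptable" is the quick-mode proposal being rejected, which with matching Phase 1 leaves the transform set and the PFS setting as the things to compare across the two peers. The IOS `set pfs` command reference documents the rule that matters here: a responder with no PFS configured accepts a PFS offer from the initiator, but a responder that has PFS configured rejects a proposal that carries no PFS (or a different group). The script below, an added example that is not code from the original post or from Cisco, parses the transform-set and crypto map lines of two IOS-style configs and reports why one side would reject the other's proposal, in both directions. The peer configs (`PEER_CFG`, `PEER_CFG_SHA`, the names `ts-des`, `ts-3des`, `vpn`, `TO_BRANCH`) are constructed for the example; nothing about the real remote side is known from the thread. Separately, whatever the negotiation problem turns out to be, `esp-des`, `esp-md5-hmac` and DH group 2 are all deprecated; once the tunnel is up, moving the transform set to AES and SHA-2 and PFS to a stronger group is the change a security reviewer would ask for.

```python
"""Check whether two IKEv1 phase 2 (quick mode) proposals can match.

Added example for this thread, not code from the original post or from
Cisco. It reads the transform-set and crypto map lines of two IOS-style
configs and applies the matching rule documented for the IOS 'set pfs'
command: a responder with no PFS configured accepts a PFS offer, while a
responder with PFS configured rejects an offer that carries no PFS or a
different group. The peer configs are constructed for the example.
"""
import re

# Local side, taken from the post above (phase 2 lines only).
LOCAL_CFG = """
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
 mode tunnel
!
crypto map map1 30 ipsec-isakmp
 set peer 20.30.40.50
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF
"""

# Constructed peer (hypothetical): same transform, no 'set pfs'.
PEER_CFG = """
crypto ipsec transform-set ts-des esp-des esp-md5-hmac
 mode tunnel
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ts-des
 match address TO_BRANCH
"""

# Constructed peer (hypothetical): different transform set, no 'set pfs'.
PEER_CFG_SHA = """
crypto ipsec transform-set ts-3des esp-3des esp-sha-hmac
 mode tunnel
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ts-3des
 match address TO_BRANCH
"""


def parse_transform_sets(cfg):
    """Map transform-set name -> frozenset of its transforms."""
    pat = r"^\s*crypto ipsec transform-set (\S+) (.+)$"
    return {m.group(1): frozenset(m.group(2).split())
            for m in re.finditer(pat, cfg, re.M)}


def parse_crypto_map(cfg, name, seq):
    """Return the settings of one 'crypto map NAME SEQ ipsec-isakmp' entry."""
    entry = {"peer": None, "transform_sets": [], "pfs": None, "acl": None}
    header = f"crypto map {name} {seq} ipsec-isakmp"
    in_entry = False
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == header:
            in_entry = True
            continue
        if not in_entry:
            continue
        if line == "!" or line.startswith("crypto "):
            break  # next top-level block ends this entry
        parts = line.split()
        if line.startswith("set peer "):
            entry["peer"] = parts[2]
        elif line.startswith("set transform-set "):
            entry["transform_sets"] = parts[2:]
        elif line.startswith("set pfs"):
            # 'set pfs' with no group means group1 (the IOS default).
            entry["pfs"] = parts[2] if len(parts) > 2 else "group1"
        elif line.startswith("match address "):
            entry["acl"] = parts[2]
    return entry


def phase2_findings(init_cfg, init_map, resp_cfg, resp_map):
    """Reasons the responder would reject the initiator's quick-mode
    proposal; an empty list means the two entries can match."""
    init = parse_crypto_map(init_cfg, *init_map)
    resp = parse_crypto_map(resp_cfg, *resp_map)
    init_sets = parse_transform_sets(init_cfg)
    resp_sets = parse_transform_sets(resp_cfg)
    offered = [init_sets[n] for n in init["transform_sets"] if n in init_sets]
    accepted = [resp_sets[n] for n in resp["transform_sets"] if n in resp_sets]

    def show(sets):
        return [" ".join(sorted(s)) for s in sets]

    findings = []
    if not any(o == a for o in offered for a in accepted):
        findings.append("no common transform set: initiator offers %s, "
                        "responder accepts %s" % (show(offered), show(accepted)))
    # A responder with no PFS configured accepts any PFS offer, so
    # initiator-has-PFS / responder-has-none is not a mismatch.
    if resp["pfs"] is not None:
        if init["pfs"] is None:
            findings.append(f"responder requires PFS {resp['pfs']} "
                            "but initiator offers no PFS")
        elif init["pfs"] != resp["pfs"]:
            findings.append(f"PFS group mismatch: initiator {init['pfs']}, "
                            f"responder {resp['pfs']}")
    return findings


if __name__ == "__main__":
    for label, args in [
        ("local initiates to peer", (LOCAL_CFG, ("map1", 30), PEER_CFG, ("vpn", 10))),
        ("peer initiates to local", (PEER_CFG, ("vpn", 10), LOCAL_CFG, ("map1", 30))),
    ]:
        print(label, "->", phase2_findings(*args) or "proposals match")
```

Run stand-alone, the script shows the asymmetry the documented rule produces: with the constructed peer, the local side's proposal (PFS group2) is accepted when the local side initiates, but the peer's proposal (no PFS) is rejected when the peer initiates, which is the situation in which the side carrying `set pfs group2` logs "phase 2 SA policy not acceptable". Swap `PEER_CFG` for the real remote config to test the actual pair; the parser only handles `crypto map ... ipsec-isakmp` entries with `set transform-set`, `set pfs` and `match address`, and it models `set pfs` with no group as group1 without the documented leniency of also accepting group2.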
05-08-2019 11:07 PM
Can you please let us know the environment? Device models and the version of IOS you are running.
What about the device on the other side? ASA or Checkpoint? If possible, can you post both sides' configs for review?