03-22-2012 01:40 PM - edited 03-04-2019 03:45 PM
Hello All,
Not my strong area and in need of a little advice. I have 2 sites with DSL internet services. This is what I have:
SITE1-Cisco881 Vlan4 (192.168.10.1)------ (192.168.10.254) NAT(BT Homehub) static IP--------¦internet¦----------static IP/ATM0-Dialer/Cisco877- SITE2
Basically I need to build an IPsec VPN between the 881 and 877. I had an 887 at Site 1 with a DSL connection and was able to build the IPsec tunnel OK, but the client demands that the BT Homehub be present as the demarcation of fault, so I'm forced to NAT the tunnel through to the 881. The tunnel won't come up, but works fine when Cisco to Cisco.
I believe I have the right ports forwarded on the BT hub, but it appears as though the 881 is rejecting the proposal because of the NAT. What am I missing?
Thanks in advance
Dave
debug crypto isakmp error and debug crypto ipsec err:
877 Site2(config)#
*Jan 12 00:52:14.485: map_db_find_best did not find matching map
*Jan 12 00:52:14.485: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 12 00:52:14.485: ISAKMP:(2516): IPSec policy invalidated proposal with error 32
*Jan 12 00:52:14.485: ISAKMP:(2516): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)
*Jan 12 00:52:14.485: ISAKMP:(2516):deleting node -1658498082 error TRUE reason "QM re
*Jan 12 00:52:23.837: ISAKMP:(2515):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer y.y.y.y)
*Jan 12 00:52:23.837: ISAKMP:(2515):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer y.y.y.y)
*Jan 12 00:54:41.509: ISAKMP:(2519):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer y.y.y.y)
BT Home Hub port forwarding:
NAT public IP to 192.168.10.1
- udp port 500
- ESP 50
881 config:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key aaaaaaa address 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
!
bridge irb
!
!
!
!
interface Tunnel0
ip address 192.168.255.14 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Vlan4
tunnel destination x.x.x.x (site 2 static public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
877 config:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key aaaaaaa address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Tunnel0
description vpn link to Main House
ip address 192.168.255.13 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer0
tunnel destination y.y.y.y (Site 1 Public IP)
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel
I've been looking into the debugs and I see the following when debugging the SA. It looks like the 881's internal IP, 192.168.10.1, is causing a problem with the verification of the encryption negotiation.
HPG_Router#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 96, #recv errors 0
local crypto endpt.: 192.168.10.1, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb Vlan4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
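As an added illustration (not part of the original post or of Cisco's tooling), a small Python script that parses the `show crypto ipsec sa` and debug lines of the kind quoted above and flags the NAT-induced proxy-identity mismatch: the GRE (protocol 47) proxy ID carries the 881's pre-NAT address 192.168.10.1, while the 877's tunnel only matches its configured public peer. The sample text is constructed, and 203.0.113.7 / 198.51.100.9 stand in for the post's x.x.x.x / y.y.y.y.

```python
import ipaddress
import re

# Constructed sample input (not captured from a live device): the relevant lines of
# "show crypto ipsec sa" on the 881 and the ISAKMP/IPsec debug seen on the 877.
# 203.0.113.7 and 198.51.100.9 are placeholders for the post's x.x.x.x / y.y.y.y.
SA_OUTPUT = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 192.168.10.1
local ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (203.0.113.7/255.255.255.255/47/0)
current_peer 203.0.113.7 port 500
#send errors 96, #recv errors 0
"""
DEBUG_OUTPUT = """\
*Jan 12 00:52:14.485: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 12 00:52:14.485: ISAKMP:(2516): IPSec policy invalidated proposal with error 32
*Jan 12 00:52:14.485: ISAKMP:(2516): phase 2 SA policy not acceptable! (local 203.0.113.7 remote 198.51.100.9)
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_sa(text):
    """Extract the local/remote proxy identities and current peer from 'show crypto ipsec sa'."""
    sa = {}
    for side, addr, mask, proto, port in IDENT_RE.findall(text):
        sa[side] = {"addr": addr, "mask": mask, "proto": int(proto), "port": int(port)}
    peer = PEER_RE.search(text)
    sa["peer"] = peer.group(1) if peer else None
    return sa


def diagnose(sa, debug):
    """Return findings explaining a phase 2 rejection for a GRE-over-IPsec tunnel behind NAT."""
    findings = []
    if "proxy identities not supported" in debug:
        findings.append("remote rejected proxy IDs: no tunnel/crypto map there matches them")
    local, peer = sa["local"]["addr"], sa["peer"]
    if is_rfc1918(local) and peer and not is_rfc1918(peer):
        findings.append(f"local proxy ID {local} is RFC1918 while peer {peer} is public: "
                        "NAT in the path, remote expects the post-NAT public address")
    if sa["local"]["proto"] == 47:
        findings.append("GRE (protocol 47) host-to-host proxy IDs must equal the peer's tunnel source/destination")
    return findings
```

Run `diagnose(parse_sa(SA_OUTPUT), DEBUG_OUTPUT)` against your own pasted output; an empty NAT finding with "proxy identities not supported" still present points at a plain proxy-ID or tunnel-address mismatch rather than NAT.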