Objective:
Configuring an IPsec VPN between an IOS router and any remote VPN peer.
Symptom:
Phase 1 completes, but Phase 2 fails with the error below:
*Dec 9 19:43:49.931: IPSEC(ipsec_process_proposal): invalid local address 172.31.1.3
*Dec 9 19:43:49.931: ISAKMP:(1008): IPSec policy invalidated proposal with error 8
*Dec 9 19:43:49.931: ISAKMP:(1008): phase 2 SA policy not acceptable! (local 172.31.1.3 remote 172.31.1.100)
Topology:
Current Crypto Configuration:
Relevant parts of the crypto configuration on Router C, which is the HSRP active router.
Router A is configured to peer with the HSRP VIP 172.31.1.3.
Router C:
crypto map outside-map 1 ipsec-isakmp
 set peer 172.31.1.100
 set transform-set 3des-sha
 match address 102
!
interface Ethernet0/0
 ip address 172.31.1.2 255.255.255.0
 standby 1 ip 172.31.1.3
 crypto map outside-map
!
Failed Debugs:
Below is snipped output from "debug crypto isakmp" and "debug crypto ipsec" on Router C.
<SNIP>
*Dec 12 23:27:59.107: IPSEC(ipsec_process_proposal): invalid local address 172.31.1.3
*Dec 12 23:27:59.107: ISAKMP:(1004): IPSec policy invalidated proposal with error 8
*Dec 12 23:27:59.107: ISAKMP:(1004): phase 2 SA policy not acceptable! (local 172.31.1.3 remote 172.31.1.100)
*Dec 12 23:27:59.107: ISAKMP: set new node 87369274 to QM_IDLE
*Dec 12 23:27:59.107: ISAKMP:(1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Solution:
There can be more than one reason for this error. The configuration above is one possible case: the remote router is configured to peer with the HSRP VIP.
The problem with the configuration above is that the crypto map is tied to the physical IP address of the interface (172.31.1.2) and not to the HSRP VIP (172.31.1.3), so the router does not treat the VIP as a valid local address for the crypto map and rejects the Phase 2 proposal. To fix this, make the changes below:
interface Ethernet0/0
 ip address 172.31.1.2 255.255.255.0
 standby 1 ip 172.31.1.3
 standby 1 name crypto-vip
 crypto map outside-map redundancy crypto-vip
!
Other possible reason:
The configuration below will also result in the same error.
Note: Router A is configured to peer with 172.31.31.31.
Router C:
interface Ethernet0/0
 ip address 172.31.1.2 255.255.255.0
 crypto map outside-map
!
interface Loopback0
 ip address 172.31.31.31 255.255.255.255
!
In this case the crypto map is applied to Ethernet0/0, but the remote router is configured to peer with the Loopback0 address. This is a common configuration where a loopback is used for tunnel termination to provide redundancy, e.g. the loopback can be reachable through different WAN interfaces.
This issue can be fixed by adding the configuration below, which tells the crypto map to use the loopback address as its local address:
crypto map outside-map local-address loopback0
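As an added configuration check (example code written for this page, not from the Cisco tech note), the Python script below parses Router C style excerpts and reports which addresses a crypto map will accept as its local endpoint, so a mismatch with the address the remote peer dials can be spotted before the "invalid local address" debug appears. It understands only the commands shown on this page (interface, ip address, standby ip/name, crypto map with redundancy, crypto map local-address); the sample configs are constructed to mirror both the HSRP VIP case and the loopback case, before and after each fix.

```python
import re

def crypto_map_local_addresses(config):
    """Map each crypto map name to the addresses this router accepts as its local IPsec endpoint."""
    ifaces, override, cur = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface (\S+)", line, re.I):
            cur = m.group(1).lower()
            ifaces[cur] = {"ip": None, "vips": {}, "names": {}, "maps": []}
        elif m := re.fullmatch(r"crypto map (\S+) local-address (\S+)", line, re.I):
            override[m.group(1)] = m.group(2).lower()   # global command: pins the map to one interface
            cur = None
        elif re.match(r"crypto map \S+ \d+ ", line) or line.startswith("!"):
            cur = None                                  # global crypto map entry or separator
        elif cur and (m := re.fullmatch(r"ip address (\S+) \S+", line)):
            ifaces[cur]["ip"] = m.group(1)
        elif cur and (m := re.fullmatch(r"standby (\d+) ip (\S+)", line)):
            ifaces[cur]["vips"][m.group(1)] = m.group(2)    # HSRP group number -> VIP
        elif cur and (m := re.fullmatch(r"standby (\d+) name (\S+)", line)):
            ifaces[cur]["names"][m.group(2)] = m.group(1)   # HSRP group name -> number
        elif cur and (m := re.fullmatch(r"crypto map (\S+)(?: redundancy (\S+))?", line)):
            ifaces[cur]["maps"].append((m.group(1), m.group(2)))
    result = {}
    for data in ifaces.values():
        for cmap, group in data["maps"]:
            # Without "redundancy" the map answers only on the physical interface address, not the VIP.
            local = data["vips"].get(data["names"].get(group)) if group else data["ip"]
            result.setdefault(cmap, set()).add(local)
    for cmap, ifname in override.items():   # "local-address" overrides whatever interface the map sits on
        result[cmap] = {ifaces[ifname]["ip"]} if ifname in ifaces else set()
    return result

def peer_target_accepted(config, cmap, peer_target):
    """True when the address the remote peer dials is one the crypto map treats as local."""
    return peer_target in crypto_map_local_addresses(config).get(cmap, set())

# Constructed excerpts mirroring the page's Router C, before and after each fix.
HSRP_BROKEN = """interface Ethernet0/0
 ip address 172.31.1.2 255.255.255.0
 standby 1 ip 172.31.1.3
 crypto map outside-map
"""
HSRP_FIXED = HSRP_BROKEN.replace(" crypto map outside-map", " standby 1 name crypto-vip\n crypto map outside-map redundancy crypto-vip")
LOOPBACK_BROKEN = """interface Ethernet0/0
 ip address 172.31.1.2 255.255.255.0
 crypto map outside-map
interface Loopback0
 ip address 172.31.31.31 255.255.255.255
"""
LOOPBACK_FIXED = LOOPBACK_BROKEN + "crypto map outside-map local-address Loopback0\n"
```

Running peer_target_accepted(HSRP_BROKEN, "outside-map", "172.31.1.3") returns False (the map only answers on 172.31.1.2), while the fixed configs return True for the VIP and the loopback address respectively.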