10-10-2012 02:57 AM - edited 02-21-2020 06:23 PM
Hi.
I'm having an issue with setting up remote access using Easy VPN Server on an 887 router. I have followed tutorials and also used the Cisco Configuration Professional Easy VPN Server wizard to do the configuration, but I'm still having a problem.
I can see Phase 1 completes, but Phase 2 fails with the following error:
Oct 10 09:43:26.515: ISAKMP:(2003):Checking IPSec proposal 8
Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES
Oct 10 09:43:26.515: ISAKMP: attributes in transform:
Oct 10 09:43:26.515: ISAKMP: authenticator is HMAC-SHA
Oct 10 09:43:26.515: ISAKMP: key length is 128
Oct 10 09:43:26.515: ISAKMP: encaps is 1 (Tunnel)
Oct 10 09:43:26.515: ISAKMP: SA life type in seconds
Oct 10 09:43:26.515: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 10 09:43:26.515: ISAKMP:(2003):atts are acceptable.
Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1
Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 09:43:26.515: map_db_find_best did not find matching map
Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
Researching "proxy identities not supported" suggests a NAT issue, maybe, but I cannot see where that would be. I feel the issue is somewhere else.
I'm using VPN Client 5.0.07.0440 and using transparent tunneling (IPSec over TCP/10000) as the client is behind a firewall/NAT device.
Does anybody know what the issue may be? Full config attached.
10-10-2012 03:28 AM
Hello Mick
Can you change the virtual template configuration as follows and try:
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel source dialer 0
regards
Harish.
10-10-2012 03:47 AM
Hi Harish. Thanks for the suggestion. Unfortunately it's still the same issue...
Oct 10 10:43:49.315: ISAKMP:(2006):Checking IPSec proposal 11
Oct 10 10:43:49.315: ISAKMP: transform 1, ESP_3DES
Oct 10 10:43:49.315: ISAKMP: attributes in transform:
Oct 10 10:43:49.315: ISAKMP: authenticator is HMAC-MD5
Oct 10 10:43:49.315: ISAKMP: encaps is 1 (Tunnel)
Oct 10 10:43:49.315: ISAKMP: SA life type in seconds
Oct 10 10:43:49.315: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 10 10:43:49.315: ISAKMP:(2006):atts are acceptable.
Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1
Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.21.15/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 10 10:43:49.319: map_db_find_best did not find matching map
Oct 10 10:43:49.319: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 10:43:49.319: ISAKMP:(2006): IPSec policy invalidated proposal with error 32
10-10-2012 04:35 AM
Hello Mick,
I could simulate your scenario with the same configuration and it's working for me. I believe then you should give it a try with another version of the VPN client.
Try this:
5.0.07.0410
Harish.
10-10-2012 05:20 AM
I've tried that version of the VPN client but it's still not working. Same error again.
The 887 is running IOS 15.1.(4)M3
I'll try another version of IOS and see if it makes a difference.
10-10-2012 05:35 AM
Hello Mick
Before that, one more try.
Remove the PFS as follows:
crypto ipsec profile RemoteAccess
no set pfs group2
Remove and add the crypto back in the virtual template:
interface Virtual-Template1 type tunnel
no tunnel protection ipsec profile RemoteAccess
tunnel protection ipsec profile RemoteAccess
Hopefully it will solve your issue.
Harish,
10-11-2012 10:57 AM
That sorted it, thanks Harish.
Sent from Cisco Technical Support Android App
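As an added example (not code from the thread or from Cisco), the Python below parses ISAKMP/IPSEC debug output like the two excerpts posted above and groups the Phase 2 rejections by reason and by transform; in those excerpts an ESP_AES and an ESP_3DES proposal both pass the attribute check and are then rejected with the same message. The function names, field names and the shortened sample are assumptions made for illustration.

```python
import re
from collections import Counter

# Lines excerpted (and shortened) from the two debug captures in the thread.
SAMPLE = """\
Oct 10 09:43:26.515: ISAKMP:(2003):Checking IPSec proposal 8
Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES
Oct 10 09:43:26.515: ISAKMP:(2003):atts are acceptable.
remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),
Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
Oct 10 10:43:49.315: ISAKMP:(2006):Checking IPSec proposal 11
Oct 10 10:43:49.315: ISAKMP: transform 1, ESP_3DES
Oct 10 10:43:49.315: ISAKMP:(2006):atts are acceptable.
remote_proxy= 192.168.21.15/255.255.255.255/0/0 (type=1),
Oct 10 10:43:49.319: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 10:43:49.319: ISAKMP:(2006): IPSec policy invalidated proposal with error 32
"""

FIELDS = {  # hypothetical field name -> regex with one capture group
    "transform": re.compile(r"ISAKMP:\s+transform \d+, (\S+)"),
    "remote_proxy": re.compile(r"remote_proxy= (\S+)"),
    "reason": re.compile(r"IPSEC\(ipsec_process_proposal\): (.+)"),
    "error": re.compile(r"invalidated proposal with error (\d+)"),
}
START = re.compile(r"ISAKMP:\((\d+)\):Checking IPSec proposal (\d+)")

def parse_proposals(text):
    """Return one dict per 'Checking IPSec proposal' block in the debug text."""
    records, cur = [], None
    for line in text.splitlines():
        start = START.search(line)
        if start:
            cur = {"sa": int(start.group(1)), "proposal": int(start.group(2)), "atts_ok": False}
            records.append(cur)
        elif cur is not None:
            cur["atts_ok"] = cur["atts_ok"] or "atts are acceptable" in line
            for name, rx in FIELDS.items():
                m = rx.search(line)
                if m:
                    cur[name] = m.group(1).strip()
    return records

def summarize(records):
    """Reasons and transforms for proposals rejected after their attributes passed."""
    rejected = [r for r in records if r["atts_ok"] and "error" in r]
    reasons = Counter(r.get("reason", "unknown") for r in rejected)
    return reasons, sorted(r["transform"] for r in rejected if "transform" in r)
```

Calling `summarize(parse_proposals(SAMPLE))` on a longer capture shows at a glance whether every offered transform is failing for the same policy reason or whether the rejections differ per proposal.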