
IPSEC(ipsec_process_proposal): invalid local address

guy.zwerdling
Level 1

I recently built a lab that contains 5 routers:

R1

R2

R3

R4

R5 = ISP router

 

The topology is sort of hub and spoke, in which my R1 is the hub.

On R1 I set up an IKEv2 policy which uses a proposal that contains the following:

encryption aes-cbc-256
integrity sha1
group 5

 

On the IKEv2 profile I match a certificate map that contains the issuer name.

I configured virtual-template 1 type tunnel and tried to bring up IPSEC connectivity to R2, but I have an issue bringing that connection up. If I use interface tunnel instead of virtual-template everything works great, but I specifically need to use virtual-template. If I run some debug I get the following error:

IPSEC(ipsec_process_proposal): invalid local address

 

I googled it and found cases of misconfiguration or a bug report (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud69442/?rfs=iqvred)

I use version 15.2(4)S7 

 

I have been working on it for three freaking days, so I decided to use the community...

If someone can tell me what failed in my case I would really appreciate it.

I attach the files of R1, R2 and R5.

Thanks in advance

 

2 Replies

Hi,

On R1, which is acting as the hub, you need to reference the Virtual-Template under the IKEv2 profile, e.g.:

 

crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 virtual-template 1

 

You also don't need to reference the tunnel destination:

 

interface Virtual-Template1 type tunnel
 no tunnel destination dynamic

 

HTH
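
The two points in the reply above, written as a check over saved hub configuration text. This is an added example, not part of the original thread; it generalizes to every IKEv2 profile and Virtual-Template in the text, and the function names, finding strings and sample configuration are constructed for illustration.

```python
import re

# Constructed sample hub configuration (not the poster's attached files).
SAMPLE_HUB = """\
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
interface Virtual-Template1 type tunnel
 tunnel destination dynamic
"""

def blocks(config):
    """Map each top-level IOS line to the indented sub-commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line[0].isspace():
            current = line.strip()
            out[current] = []
        elif current is not None:
            out[current].append(line.strip())
    return out

def check_hub(config):
    """Return findings for the two points made in the reply (hypothetical helper)."""
    cfg, findings = blocks(config), []
    # Virtual-Template number -> sub-commands of that tunnel template.
    templates = {
        m.group(1): body for head, body in cfg.items()
        if (m := re.match(r"interface Virtual-Template(\d+) type tunnel$", head))
    }
    for head, body in cfg.items():
        if not head.startswith("crypto ikev2 profile "):
            continue
        name = head.split()[-1]
        refs = [c.split()[1] for c in body if re.match(r"virtual-template \d+", c)]
        if not refs:
            findings.append(f"{name}: no virtual-template referenced")
        for n in refs:
            if n not in templates:
                findings.append(f"{name}: Virtual-Template{n} not defined")
    for n, body in templates.items():
        if any(c.startswith("tunnel destination") for c in body):
            findings.append(f"Virtual-Template{n}: tunnel destination configured")
    return findings
```

An empty list only means these two items are in place; it does not by itself show that the tunnel will come up.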

I don't know why I forgot to specify those commands in the configuration files,

but even with those commands I still have the same issue.

I am posting here the debug I am running.

To start an event I run shut/no shut on interface Tu0 on R2.