07-25-2011 01:57 PM - edited 02-21-2020 05:28 PM
I've looked and looked for the scenario I'm working with and haven't found much of anything. Perhaps that's a hint to not do this but I thought I'd throw it out there.
Phase 1 comes up fine but phase 2 always fails with phase 2 SA policy not acceptable! I've tried every debug and show command I could think of. I've done a stare and compare on the configs, tore it all down and rebuilt it. I always get the same result. The one thing that caught my eye was in the show crypto isakmp peers on the 7613. Phase 1 id was the real IP address of the remote peer. Now in the world of NAT-T I'm not sure what that means. It seems like it could make sense that that info is exchanged during phase 1. It did make me think, though, that perhaps I need to be referencing that IP address somewhere in my 7613 config. Aggressive mode is disabled on both ends in case that matters.
Anyone? I'm stumped....
Peer: 5.5.5.5 Port: 4500 Local: 4.4.4.4 fvrf: testfvrf
Phase1 id: 10.250.250.9
Cisco 881
interface Loopback15
ip address 172.18.10.109 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
interface FastEthernet4
description Outside interface
ip address 10.250.250.9 255.255.255.252
ip access-group IP-ACCESS-IN in
no ip redirects
no ip proxy-arp
ip mtu 1400
ip virtual-reassembly
duplex auto
speed auto
crypto map IPSEC-test
ip access-list extended IPSEC-test
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 172.18.10.109 any
crypto keyring IPSEC-test
pre-shared-key address 4.4.4.4 key pass123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp aggressive-mode disable
crypto isakmp profile IPSEC-test
keyring IPSEC-test
match identity address 4.4.4.4 255.255.255.255
!
!
crypto ipsec transform-set TUNNEL-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TRANSPORT-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
!
crypto map IPSEC-test 10 ipsec-isakmp
set peer 4.4.4.4
set transform-set TUNNEL-ESP-AES256-SHA
set pfs group2
set isakmp-profile IPSEC-test
match address IPSEC-test
!
Cisco 7613
crypto keyring IPSEC-test vrf testfvrf
pre-shared-key address 5.5.5.5 key pass123
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp profile IPSEC-test
vrf test
keyring IPSEC-test
match identity address 5.5.5.5 255.255.255.255 IPSEC
crypto ipsec transform-set TUNNEL-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TRANSPORT-ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode transport
crypto map IPSEC-test local-address Loopback0
crypto map IPSEC-test
set peer 5.5.5.5
set transform-set TUNNEL-ESP-AES256-SHA
set pfs group2
set isakmp-profile IPSEC-test
match address IPSEC-test
ip access-list extended IPSEC-test
permit ip 192.168.4.0 0.0.0.255 any
permit ip host 172.18.10.109 any
ip access-list extended IPSEC-test
permit ip any 192.168.4.0 0.0.0.255
permit ip any host 172.18.10.109
interface Vlan671
description IPSEC-test
ip vrf forwarding test
ip address 10.254.1.254 255.255.255.0
crypto map IPSEC-test
crypto engine slot 4/0 inside
end
07-25-2011 11:25 PM
Hi
Did you include allowing all the IPsec ports in your access-list IP-ACCESS-IN? Similar to the below:
10 permit udp host source_peer_ip host destination_peer_ip eq isakmp
20 permit udp host source_peer_ip host destination_peer_ip eq non500-isakmp
30 permit ahp host source_peer_ip host destination_peer_ip
40 permit esp host source_peer_ip host destination_peer_ip
50 permit pcp host source_peer_ip host destination_peer_ip
07-26-2011 06:54 AM
Hello,
Yes, I am actually permitting IP from the tunnel peer. I see Phase 1 start negotiation on UDP 500 and then move to UDP 4500 as I would expect with NAT-T, but Phase 2 keeps getting rejected from the IPSEC module end.
08-03-2011 03:37 PM
Hi David,
Is "crypto map IPSEC-test local-address" command there on 881?
-Atul
08-10-2011 06:35 AM
I ended up opening a TAC case to get some config help. It turns out we had to modify the isakmp profile to reflect the real private IP address of the 881 prior to NAT. I did not know this until now. Thank you all for your help! I guess I have more reading to do on IPSEC. Weeeee!!
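To make the resolution above concrete, here is an added example (not from the thread or from Cisco) that models in a simplified way how an ISAKMP profile's "match identity address" rule is evaluated: against the Phase 1 ID the initiator sends (its pre-NAT address), not against the post-NAT source address of the packet. The names IkePeer, IsakmpProfile, parse_isakmp_peers, select_profile and diagnose are assumed, and the sample show output is the one quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class IkePeer:
    src_ip: str      # outer IP source the responder sees (post-NAT)
    port: int        # 4500 means the exchange switched to NAT-T
    phase1_id: str   # ID payload the initiator sent (its pre-NAT address)

@dataclass(frozen=True)
class IsakmpProfile:
    name: str
    identity_addr: str                     # 'match identity address A.B.C.D MASK'
    identity_mask: str = "255.255.255.255"

    def matches(self, peer):
        # Simplified model of IOS behaviour: the rule is compared against the IKE identity,
        # not against the packet's source address.
        net = ipaddress.ip_network(f"{self.identity_addr}/{self.identity_mask}", strict=False)
        return ipaddress.ip_address(peer.phase1_id) in net

def parse_isakmp_peers(text):
    # Pull the fields out of 'show crypto isakmp peers' (the two-line form quoted in the thread).
    m_peer = re.search(r"Peer:\s*(\S+)\s+Port:\s*(\d+)", text)
    m_id = re.search(r"Phase1 id:\s*(\S+)", text)
    if not (m_peer and m_id):
        raise ValueError("unrecognised show output")
    return IkePeer(src_ip=m_peer.group(1), port=int(m_peer.group(2)), phase1_id=m_id.group(1))

def select_profile(profiles, peer):
    # First profile whose match rule covers the peer's Phase 1 ID; None if nothing matches.
    return next((p.name for p in profiles if p.matches(peer)), None)

def diagnose(profiles, peer):
    chosen = select_profile(profiles, peer)
    if chosen:
        return f"profile {chosen} selected"
    if peer.port == 4500 and peer.phase1_id != peer.src_ip:
        return (f"no profile matches: peer is behind NAT, 'match identity address' "
                f"must use the pre-NAT ID {peer.phase1_id}, not {peer.src_ip}")
    return "no profile matches"

# Constructed sample: the 7613's view of the 881, using the show output quoted in the thread.
SHOW_OUTPUT = """\
Peer: 5.5.5.5 Port: 4500 Local: 4.4.4.4 fvrf: testfvrf
Phase1 id: 10.250.250.9
"""
AS_POSTED = [IsakmpProfile("IPSEC-test", "5.5.5.5")]       # matches only the NAT'd public address
AFTER_TAC = [IsakmpProfile("IPSEC-test", "10.250.250.9")]  # matches the 881's real address
```

Running diagnose(AS_POSTED, ...) against the parsed show output reports no matching profile and points at the pre-NAT ID, while AFTER_TAC selects the profile.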