08-23-2019 06:09 AM - edited 02-21-2020 09:43 PM
Hi There
I am having an issue connecting our Cisco RV320 to a Cisco 4000 series router over IPSEC VPN
Both Sides have the following configs
RV320
PHASE1 DH: Group 5
PHASE1 Encryption: AES-256
PHASE1 Auth: SHA1
PHASE1 SA Lifetime: 86400
PHASE2 DH: Group 2
PHASE2 Encryption: AES-256
PHASE2 Auth: SHA1
PHASE2 SA Lifetime: 28800
AH Hash Algorithm: SHA1
CISCO 4000 Series
crypto isakmp policy 4
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 84600
crypto isakmp key ******************* address [BLOCKED]
crypto ipsec transform-set [BLOCKED] esp-aes 256 esp-sha-hmac
crypto map Gi1/0/2.1411 3 ipsec-isakmp
description [BLOCKED]
set peer [BLOCKED]
set security-association lifetime seconds 28800
set transform-set [BLOCKED]
set pfs group2
match address acl_[BLOCKED]
permit ip host [BLOCKED]
permit ip host [BLOCKED]
permit ip host [BLOCKED]
Unfortunately I DO NOT have access to the Cisco 4000 Series and am working through their Engineer.
PHASE 1 seems to work but PHASE 2 bombs out. I am asking him to DEBUG so we can see what the exact error is.
08-26-2019 06:44 AM
Our Phase 1 Establishes but our Phase 2 is showing the following error
DEBUG from Cisco 4000 series
Aug 26 15:33:00: ISAKMP-ERROR: (13730):IPSec policy invalidated proposal with error 256
Aug 26 15:33:00: ISAKMP-ERROR: (13730):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
Aug 26 15:33:00: ISAKMP-ERROR: (13730):deleting node 406028906 error TRUE reason "QM rejected"
08-27-2019 03:26 AM
This is what he just sent me:
Although it says "Diffie-Hellman group offered does not match policy" they are def both the same.
I am assuming it is "phase 2 SA policy not acceptable! "
se 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:39: ISAKMP-ERROR: (14715):deleting node 422682112 error TRUE reason "QM rejected"
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):IPSec policy invalidated proposal with error 256
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:55: ISAKMP-ERROR: (14715):deleting node 2535162168 error TRUE reason "QM rejected"
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:57: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:19:57: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:19:58: ISAKMP-ERROR: (14716):deleting node 326629726 error TRUE reason "QM rejected"
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:15: ISAKMP-ERROR: (14716):deleting node 651367447 error TRUE reason "QM rejected"
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:33: ISAKMP-ERROR: (14716):deleting node 3302211429 error TRUE reason "QM rejected"
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:20:51: ISAKMP-ERROR: (14716):deleting node 2716808824 error TRUE reason "QM rejected"
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:07: ISAKMP-ERROR: (14716):deleting node 326629726 error TRUE reason "QM rejected"
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Encryption algorithm offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:09: ISAKMP-ERROR: (0):Diffie-Hellman group offered does not match policy!
.Aug 27 11:21:09: ISAKMP-ERROR: (0):atts are not acceptable. Next payload is 0
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:10: ISAKMP-ERROR: (14717):deleting node 3755535469 error TRUE reason "QM rejected"
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:27: ISAKMP-ERROR: (14717):deleting node 427917793 error TRUE reason "QM rejected"
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):IPSec policy invalidated proposal with error 256
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):phase 2 SA policy not acceptable! (local *.*.*.* remote *.*.*.*)
.Aug 27 11:21:45: ISAKMP-ERROR: (14717):deleting node 2330581816 error TRUE reason "QM rejected"
.Aug 27 11:21:54: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.66.28.65:1812,1813 is not responding.
.Aug 27 11:21:54: %RADIUS-3-ALLDEADSERVER: Group radius: No active radius servers found. Id 83.
Config he sent me below:
crypto isakmp policy 4
encr aes 256
hash sha
authentication pre-share
group 5
lifetime 84600
crypto isakmp key ******************* address *.*.*.*
crypto ipsec transform-set <NAME> ah-sha-hmac esp-aes 256 esp-sha-hmac
crypto map Gi1/0/2.1411 3 ipsec-isakmp
description <NAME>
set peer *.*.*.*
set security-association lifetime seconds 28800
set transform-set <NAME TRANSFORM-SET>
set pfs group2
match address acl_<NAME>
permit ip host *.*.*.* *.*.*.* 0.0.0.1
permit ip host *.*.*.* *.*.*.* 0.0.0.7
permit ip host *.*.*.* *.*.*.* 0.0.0.7
permit ip host *.*.*.* *.*.*.* 0.0.0.7
09-10-2019 11:41 PM
FINALLY got some more detailed logs!
We added [OUR PUBLIC IP] to their ACL for testing purposes and I am currently receiving the error below:
map_db_find_best did not find matching map on PHASE2
Sep 5 16:56:09: ISAKMP: (15455): SA life type in seconds
Sep 5 16:56:09: ISAKMP: (15455): SA life duration (basic) of 28800
Sep 5 16:56:09: ISAKMP: (15455): authenticator is HMAC-SHA
Sep 5 16:56:09: ISAKMP: (15455):atts are acceptable.
Sep 5 16:56:09: ISAKMP: (15455):Checking IPSec proposal 0
Sep 5 16:56:09: ISAKMP: (15455):transform 0, ESP_AES
Sep 5 16:56:09: ISAKMP: (15455): attributes in transform:
Sep 5 16:56:09: ISAKMP: (15455): group is 2
Sep 5 16:56:09: ISAKMP: (15455): encaps is 1 (Tunnel)
Sep 5 16:56:09: ISAKMP: (15455): SA life type in seconds
Sep 5 16:56:09: ISAKMP: (15455): SA life duration (basic) of 28800
Sep 5 16:56:09: ISAKMP: (15455): authenticator is HMAC-SHA
Sep 5 16:56:09: ISAKMP: (15455): key length is 256
Sep 5 16:56:09: ISAKMP: (15455):atts are acceptable.
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #1
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0[THEIR PUBLIC IP], remote= x.x.x.x:0[OUR PUBLIC IP],
local_proxy= [THEIR PUBLIC IP]/255.255.255.255/256/0,
remote_proxy= [OUR PUBLIC IP]/255.255.255.255/256/0,
protocol= AH, transform= ah-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #2
Sep 5 16:56:09: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= [THEIR PUBLIC IP]:0, remote= [OUR PUBLIC IP]:0,
local_proxy= [THEIR PUBLIC IP]/255.255.255.255/256/0,
remote_proxy= [OUR PUBLIC IP]/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 5 16:56:09: map_db_find_best did not find matching map
Sep 5 16:56:09: Crypto mapdb : proxy_match
src addr : [THEIR PUBLIC IP]
dst addr : [OUR PUBLIC IP]
protocol : 0
src port : 0
dst port : 0
Sep 5 16:56:09: Crypto mapdb : proxy_match
src addr : [THEIR PUBLIC IP]
dst addr : [OUR PUBLIC IP]
protocol : 0
src port : 0
dst port : 0
Sep 5 16:56:09: map_db_find_best did not find matching map
Sep 5 16:56:09: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{ah-sha-hmac esp-aes 256 esp-sha-hmac }
Sep 5 16:56:09: ISAKMP-ERROR: (15455):IPSec policy invalidated proposal with error 256
Sep 5 16:56:09: ISAKMP-ERROR: (15455):phase 2 SA policy not acceptable! (local [THEIR PUBLIC IP] remote [OUR PUBLIC IP])
Sep 5 16:56:09: ISAKMP: (15455):set new node 3264005282 to QM_IDLE
Sep 5 16:56:09: ISAKMP: (15455):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 2
spi 140143385793816, message ID = 3264005282
Sep 5 16:56:09: ISAKMP-PAK: (15455):sending packet to [OUR PUBLIC IP] my_port 500 peer_port 500 (R) QM_IDLE
Sep 5 16:56:09: ISAKMP: (15455):Sending an IKE IPv4 Packet.
Sep 5 16:56:09: ISAKMP: (15455):purging node 3264005282
Sep 5 16:56:09: ISAKMP-ERROR: (15455):deleting node 3079088992 error TRUE reason "QM rejected"
Sep 5 16:56:09: ISAKMP: (15455):Node 3079088992, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 5 16:56:09: ISAKMP: (15455):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 5 16:56:15: ISAKMP: (15454):purging SA., sa=7F75B0129160, delme=7F75B0129160
Sep 5 16:56:19: ISAKMP-PAK: (15455):received packet from [OUR PUBLIC IP] dport 500 sport 500 Global (R) QM_IDLE
Sep 5 16:56:19: ISAKMP: (15455):phase 2 packet is a duplicate of a previous packet.
Sep 5 16:56:19: ISAKMP: (15455):retransmitting due to retransmit phase 2
Sep 5 16:56:19: ISAKMP: (15455):Quick Mode is being processed. Ignoring retransmission
Sep 5 16:56:21: ISAKMP-PAK: (15455):received packet from [OUR PUBLIC IP] dport 500 sport 500 Global (R) QM_IDLE
Sep 5 16:56:21: ISAKMP: (15455):phase 2 packet is a duplicate of a previous packet.
Sep 5 16:56:21: ISAKMP: (15455):retransmitting due to retransmit phase 2
Sep 5 16:56:21: ISAKMP: (15455):Quick Mode is being processed. Ignoring retransmission
09-11-2019 12:22 PM
AH is still in use on one side.
protocol= AH, transform= ah-sha-hmac (Tunnel),
Don't use AH, it only authenticates the header, whereas ESP encrypts the entire packet.
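The debug output above shows exactly why Quick Mode is rejected: the RV320 offers a single ESP_AES transform (group 2, HMAC-SHA, 256-bit key), while the responder's transform-set requires AH as well, so `map_db_find_best` finds no matching map. The following is an added example, not from the thread or from Cisco, that reads the quoted debug lines and the posted `crypto ipsec transform-set` line, reports which protocol the peer never offered, and produces the ESP-only line the reply recommends. The log excerpt and the `<NAME>` placeholder are constructed from the post, and the parsing is based only on the message formats visible in the thread.

```python
import re

# Constructed excerpt of the "debug crypto isakmp"/"debug crypto ipsec" output
# quoted in the thread (the addresses were already redacted in the post).
DEBUG_LOG = """\
Sep 5 16:56:09: ISAKMP: (15455):Checking IPSec proposal 0
Sep 5 16:56:09: ISAKMP: (15455):transform 0, ESP_AES
Sep 5 16:56:09: ISAKMP: (15455): group is 2
Sep 5 16:56:09: ISAKMP: (15455): authenticator is HMAC-SHA
Sep 5 16:56:09: ISAKMP: (15455): key length is 256
Sep 5 16:56:09: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{ah-sha-hmac esp-aes 256 esp-sha-hmac }
"""

# The responder's transform-set line as posted (<NAME> is the poster's redaction).
LOCAL_TRANSFORM_SET = "crypto ipsec transform-set <NAME> ah-sha-hmac esp-aes 256 esp-sha-hmac"


def offered_proposal(log):
    """Protocols, PFS group and key length the initiator offered, per the debug lines."""
    protos = set(re.findall(r"transform \d+, (ESP|AH)_", log))
    group = re.search(r"group is (\d+)", log)
    keylen = re.search(r"key length is (\d+)", log)
    return {
        "protocols": protos,
        "pfs_group": int(group.group(1)) if group else None,
        "key_length": int(keylen.group(1)) if keylen else None,
    }


def configured_protocols(transform_set_line):
    """Protocols a 'crypto ipsec transform-set' line requires: ah-* -> AH, esp-* -> ESP."""
    tokens = transform_set_line.split()
    return {t.split("-")[0].upper() for t in tokens if t.startswith(("ah-", "esp-"))}


def diagnose(log, transform_set_line):
    """Protocols the responder demands but the peer never offered (empty if no rejection)."""
    if "transform proposal not supported for identity" not in log:
        return set()
    return configured_protocols(transform_set_line) - offered_proposal(log)["protocols"]


def esp_only(transform_set_line):
    """The same transform-set with the AH transform dropped, as the reply recommends."""
    return " ".join(t for t in transform_set_line.split() if not t.startswith("ah-"))


if __name__ == "__main__":
    print("peer offered:", offered_proposal(DEBUG_LOG))
    print("required locally but not offered:", diagnose(DEBUG_LOG, LOCAL_TRANSFORM_SET))
    print("corrected line:", esp_only(LOCAL_TRANSFORM_SET))
```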