VTI VPN - problem

birka.izik (Level 1)

Hi,

I'm trying to set up a site-to-site VPN between a Cisco 3925 and a pfSense firewall. Phase 1 is up, but when it tries to initiate phase 2 I get an error on the pfSense firewall that says the networks in the SA are not configured correctly.

As far as I know, on the Cisco router configured with VTI I'm not supposed to set up a local network and remote network; it simply encrypts everything that goes into the tunnel.

How am I supposed to configure the second FW? I tried all the options, including establishing the tunnel from the far side. Without encryption everything works fine with a generic tunnel.

This is my configuration on the Cisco:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXX address PEER-IP-ADDRESS
crypto ipsec transform-set YYYYY esp-aes 256 esp-sha-hmac
crypto ipsec profile ABCD
 set transform-set YYYYY
interface tunnel201
 description *******************
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source MY IP ADDRESS
 tunnel destination PEER IP ADDRESS
 tunnel protection ipsec profile ABCD
ip route REMOTE-LAN REMOTE-SUBNET tunnel 201

Accepted Solution

It depends on the implementation of this 3rd party device. I had the impression we were protecting a tunnel interface.

It seems your box places the crypto map on the public interface.

Possibly you can reach the management interface via the tunnel interface. If not, you should revert the config.

It seems the crypto map config is the only way.


17 Replies

Hi,

VTI is not supported with 3rd party devices.

I would suggest a LAN-to-LAN with a crypto map instead.

Thanks.

Please rate any post you found helpful.

olpeleri (Cisco Employee)

Hey Izik,

According to the configuration of tunnel201, you are doing ipsec over gre.

The other side's proxy-id should be:

Peer IP address to My IP address for IP protocol 47 [GRE]

Cheers,

birka.izik (Level 1)

Thanks for the reply.

I tried configuring that proxy-id, and still it doesn't work.

Should I configure a GRE tunnel on the other side? Can you write all the steps that you think I should configure on the other side?

Javier, are you sure it will not work with any configuration?

If I have a hub-and-spoke topology, how can I configure LAN-to-LAN with a crypto map for each site-to-site?

thanks

izik

Yes, you need a gre tunnel on the other side. Is the third party device able to do so?

birka.izik (Level 1)

Yes, I configured the GRE tunnel and it works fine, but when I add the IPsec it stops working, and the logs say there is a problem with the proxy-id (phase 1 is up, phase 2 is down).

thanks

izik

Can you provide the output of debug crypto ipsec?

birka.izik (Level 1)

This is the relevant IPsec output:

Sep 10 20:58:29.698: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.1:0, remote=2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1)
Sep 10 20:58:29.698: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 10 20:58:29.698: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,
    local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1)
Sep 10 20:58:29.698: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
    local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
    remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

Maybe I should configure tunnel mode ipsec on the Cisco?

I didn't understand how the GRE tunnel is combined with the IPsec on the other firewall.

So it seems the other side does not reply.

Can I get debug crypto isakmp + debug crypto ipsec?

thanks

birka.izik (Level 1)

my lan - 10.200.0.0/16
my wan - 2.2.2.2
remote lan - 10.203.79.128/25
remote wan - 1.1.1.1

Sep 11 14:44:42.335: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
Sep 11 14:44:42.335: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
Sep 11 14:44:42.335: ISAKMP: New peer created peer = 0x1F902F7C peer_handle = 0x8004040C
Sep 11 14:44:42.335: ISAKMP: Locking peer struct 0x1F902F7C, refcount 1 for crypto_isakmp_process_block
Sep 11 14:44:42.335: ISAKMP: local port 500, remote port 500
Sep 11 14:44:42.335: ISAKMP:(0):insert sa successfully sa = 1F9A0E5C
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Sep 11 14:44:42.335: ISAKMP:(0): processing SA payload. message ID = 0
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): processing IKE frag vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0):Support for IKE Fragmentation not enabled
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): vendor ID is DPD
Sep 11 14:44:42.335: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
Sep 11 14:44:42.335: ISAKMP:(0): local preshared key found
Sep 11 14:44:42.335: ISAKMP : Scanning profiles for xauth ...
Sep 11 14:44:42.335: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Sep 11 14:44:42.335: ISAKMP:      life type in seconds
Sep 11 14:44:42.335: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Sep 11 14:44:42.335: ISAKMP:      encryption AES-CBC
Sep 11 14:44:42.335: ISAKMP:      keylength of 256
Sep 11 14:44:42.335: ISAKMP:      auth pre-share
Sep 11 14:44:42.335: ISAKMP:      hash SHA
Sep 11 14:44:42.335: ISAKMP:      default group 5
Sep 11 14:44:42.335: ISAKMP:(0):atts are acceptable. Next payload is 0
Sep 11 14:44:42.335: ISAKMP:(0):Acceptable atts:actual life: 0
Sep 11 14:44:42.335: ISAKMP:(0):Acceptable atts:life: 0
Sep 11 14:44:42.335: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 11 14:44:42.335: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Sep 11 14:44:42.335: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 11 14:44:42.335: ISAKMP:(0)::Started lifetime timer: 86400.

Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): processing IKE frag vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0):Support for IKE Fragmentation not enabled
RTR3925-Core-VPN-B#
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): vendor ID is DPD
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Sep 11 14:44:42.335: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
Sep 11 14:44:42.335: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Sep 11 14:44:42.345: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
Sep 11 14:44:42.345: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.345: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

Sep 11 14:44:42.345: ISAKMP:(0): processing KE payload. message ID = 0
Sep 11 14:44:42.355: ISAKMP:(0): processing NONCE payload. message ID = 0
Sep 11 14:44:42.355: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
Sep 11 14:44:42.355: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.355: ISAKMP:(11197):Old State = IKE_R_MM3  New State = IKE_R_MM3

Sep 11 14:44:42.355: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 11 14:44:42.355: ISAKMP:(11197):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.355: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.355: ISAKMP:(11197):Old State = IKE_R_MM3  New State = IKE_R_MM4

Sep 11 14:44:42.365: ISAKMP (11197): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM4  New State = IKE_R_MM5

Sep 11 14:44:42.365: ISAKMP:(11197): processing ID payload. message ID = 0
Sep 11 14:44:42.365: ISAKMP (11197): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.1
        protocol     : 17
        port         : 500
        length       : 12
Sep 11 14:44:42.365: ISAKMP:(0):: peer matches *none* of the profiles
Sep 11 14:44:42.365: ISAKMP:(11197): processing HASH payload. message ID = 0
Sep 11 14:44:42.365: ISAKMP:(11197):SA authentication status:
        authenticated
Sep 11 14:44:42.365: ISAKMP:(11197):SA has been authenticated with 1.1.1.1
Sep 11 14:44:42.365: ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/,  and inserted successfully 1F902F7C.
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM5  New State = IKE_R_MM5

Sep 11 14:44:42.365: ISAKMP:(11197):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Sep 11 14:44:42.365: ISAKMP (11197): ID payload
        next-payload : 8
        type         : 1
        address      : 2.2.2.2
        protocol     : 17
        port         : 500
        length       : 12
Sep 11 14:44:42.365: ISAKMP:(11197):Total payload length: 12
Sep 11 14:44:42.365: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Sep 11 14:44:42.365: ISAKMP:(11197):IKE_DPD is enabled, initializing timers
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


Sep 11 14:44:43.347: ISAKMP (11197): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Sep 11 14:44:43.347: ISAKMP: set new node -2008173544 to QM_IDLE     
Sep 11 14:44:43.347: ISAKMP:(11197): processing HASH payload. message ID = -2008173544
Sep 11 14:44:43.347: ISAKMP:(11197): processing SA payload. message ID = -2008173544
Sep 11 14:44:43.347: ISAKMP:(11197):Checking IPSec proposal 1
Sep 11 14:44:43.347: ISAKMP: transform 1, ESP_AES
Sep 11 14:44:43.347: ISAKMP:   attributes in transform:
Sep 11 14:44:43.347: ISAKMP:      SA life type in seconds
Sep 11 14:44:43.347: ISAKMP:      SA life duration (basic) of 3600
Sep 11 14:44:43.347: ISAKMP:      encaps is 1 (Tunnel)
Sep 11 14:44:43.347: ISAKMP:      key length is 256
Sep 11 14:44:43.347: ISAKMP:      authenticator is HMAC-SHA
Sep 11 14:44:43.347: ISAKMP:(11197):atts are acceptable.
Sep 11 14:44:43.347: IPSEC(validate_proposal_request): proposal part #1
Sep 11 14:44:43.347: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2:0, remote= 1.1.1.1:0,
    local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 11 14:44:43.347: ISAKMP:(11197): IPSec policy invalidated proposal with error 32
Sep 11 14:44:43.347: ISAKMP:(11197): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
Sep 11 14:44:43.347: ISAKMP: set new node -2097135378 to QM_IDLE     
Sep 11 14:44:43.347: ISAKMP:(11197):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 503509244, message ID = -2097135378
Sep 11 14:44:43.347: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 11 14:44:43.347: ISAKMP:(11197):Sending an IKE IPv4 Packet.
RTR3925-Core-VPN-B#
Sep 11 14:44:43.347: ISAKMP:(11197):purging node -2097135378
Sep 11 14:44:43.347: ISAKMP:(11197):deleting node -2008173544 error TRUE reason "QM rejected"
Sep 11 14:44:43.347: ISAKMP:(11197):Node -2008173544, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 11 14:44:43.347: ISAKMP:(11197):Old State = IKE_QM_READY  New State = IKE_QM_READY
RTR3925-Core-VPN-B#
Sep 11 14:44:48.480: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 11 14:44:48.480: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 11 14:44:48.480: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

That's expected.

You've configured the Cisco router in order to protect GRE over IPsec.

The other side sends

    local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),

You should send

    local_proxy= 2.2.2.2 protocol 47
    remote_proxy= 1.1.1.1 protocol 47
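Added example, not from the thread or from Cisco: a small Python checker that parses the local_proxy/remote_proxy lines of the debug crypto ipsec output above and reports exactly how the peer's phase-2 proposal differs from the host-to-host, IP protocol 47 selectors a GRE tunnel interface with tunnel protection negotiates. The function names, the Selector type and the sample lines (copied from the debug output in this thread) are my own assumptions.

```python
import re
from dataclasses import dataclass

# One proxy identity as printed by Cisco IOS 'debug crypto ipsec', e.g.
#   local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4)
# fields are addr/mask/ip-protocol/port; type=1 is a host, type=4 a subnet.
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy=\s*"
    r"(?P<addr>\d+(?:\.\d+){3})/(?P<mask>\d+(?:\.\d+){3})/"
    r"(?P<proto>\d+)/(?P<port>\d+)\s*\(type=(?P<type>\d+)\)"
)

GRE = 47                    # IP protocol number of GRE, what the tunnel interface carries
HOST_MASK = "255.255.255.255"


@dataclass(frozen=True)
class Selector:
    addr: str
    mask: str
    proto: int


def mask_to_prefix(mask: str) -> int:
    """Dotted-quad netmask to prefix length (255.255.0.0 -> 16)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_proposal(debug_text: str) -> dict:
    """Return {'local': Selector, 'remote': Selector} from the first proposal in the text."""
    found = {}
    for m in PROXY_RE.finditer(debug_text):
        side = m.group("side")
        if side not in found:
            found[side] = Selector(m.group("addr"), m.group("mask"), int(m.group("proto")))
    missing = {"local", "remote"} - set(found)
    if missing:
        raise ValueError("no " + ", ".join(sorted(missing)) + "_proxy line in debug output")
    return found


def expected_for_gre_tunnel(tunnel_source: str, tunnel_destination: str) -> dict:
    """Selectors that 'tunnel protection ipsec profile' on a GRE tunnel interface
    negotiates: host-to-host between tunnel source and destination, GRE only."""
    return {
        "local": Selector(tunnel_source, HOST_MASK, GRE),
        "remote": Selector(tunnel_destination, HOST_MASK, GRE),
    }


def diagnose(debug_text: str, tunnel_source: str, tunnel_destination: str) -> list:
    """List every way the peer's proposal differs from the tunnel's selectors;
    an empty list means the proxy identities would match."""
    got = parse_proposal(debug_text)
    want = expected_for_gre_tunnel(tunnel_source, tunnel_destination)
    problems = []
    for side in ("local", "remote"):
        g, w = got[side], want[side]
        if (g.addr, g.mask) != (w.addr, w.mask):
            problems.append(f"{side}_proxy address {g.addr}/{mask_to_prefix(g.mask)} "
                            f"should be {w.addr}/{mask_to_prefix(w.mask)}")
        if g.proto != w.proto:
            problems.append(f"{side}_proxy protocol {g.proto} should be {GRE} (GRE)")
    return problems


# Sample input copied from the thread's debug output: the INBOUND proposal the router
# received on the first attempt (LAN-to-LAN subnets, any IP protocol).
FIRST_ATTEMPT = """\
    local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),
"""
```

Running diagnose(FIRST_ATTEMPT, "2.2.2.2", "1.1.1.1") names both the subnet-versus-host and the protocol 0-versus-47 mismatches that produce "proxy identities not supported" in the debug.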

birka.izik (Level 1)

OK, I changed it. Now in the logs I get this (these are the logs from the remote firewall):

[]: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.

And this is the debug from the Cisco:

Sep 12 07:30:19.375: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Sep 12 07:30:19.375: ISAKMP: set new node -1972890756 to QM_IDLE     
Sep 12 07:30:19.375: ISAKMP:(11220): processing HASH payload. message ID = -1972890756
Sep 12 07:30:19.375: ISAKMP:(11220): processing SA payload. message ID = -1972890756
Sep 12 07:30:19.375: ISAKMP:(11220):Checking IPSec proposal 1
Sep 12 07:30:19.375: ISAKMP: transform 1, ESP_AES
Sep 12 07:30:19.375: ISAKMP:   attributes in transform:
Sep 12 07:30:19.375: ISAKMP:      SA life type in seconds
Sep 12 07:30:19.375: ISAKMP:      SA life duration (basic) of 3600
Sep 12 07:30:19.375: ISAKMP:      encaps is 1 (Tunnel)
Sep 12 07:30:19.375: ISAKMP:      key length is 256
Sep 12 07:30:19.377: ISAKMP:      authenticator is HMAC-SHA
Sep 12 07:30:19.377: ISAKMP:(11220):atts are acceptable.
Sep 12 07:30:19.377: IPSEC(validate_proposal_request): proposal part #1
Sep 12 07:30:19.377: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2:0, remote= 1.1.1.1:0,
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 12 07:30:19.377: ISAKMP:(11220): IPSec policy invalidated proposal with error 32
Sep 12 07:30:19.377: ISAKMP:(11220): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
Sep 12 07:30:19.377: ISAKMP: set new node 25645188 to QM_IDLE     
Sep 12 07:30:19.377: ISAKMP:(11220):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 503509244, message ID = 25645188
Sep 12 07:30:19.377: ISAKMP:(11220): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 12 07:30:19.377: ISAKMP:(11220):Sending an IKE IPv4 Packet.

Sep 12 07:30:19.377: ISAKMP:(11220):purging node 25645188
Sep 12 07:30:19.377: ISAKMP:(11220):deleting node -1972890756 error TRUE reason "QM rejected"
Sep 12 07:30:19.377: ISAKMP:(11220):Node -1972890756, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 12 07:30:19.377: ISAKMP:(11220):Old State = IKE_QM_READY  New State = IKE_QM_READY

Sep 12 07:30:23.752: ISAKMP:(11220):purging node -1979040987

Sep 12 07:30:29.386: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Sep 12 07:30:29.386: ISAKMP:(11220): phase 2 packet is a duplicate of a previous packet.
Sep 12 07:30:29.386: ISAKMP:(11220): retransmitting due to retransmit phase 2
Sep 12 07:30:29.386: ISAKMP:(11220): ignoring retransmission,because phase2 node marked dead -1972890756
Sep 12 07:30:29.598: ISAKMP (11188): received packet from 2.54.248.7 dport 4500 sport 35330 Global (R) QM_IDLE     
Sep 12 07:30:29.598: ISAKMP: set new node 1382525766 to QM_IDLE     

Sep 12 07:30:35.860: ISAKMP:(11220):purging node -1796200400
RTR3925-Core-VPN-B#
Sep 12 07:30:39.399: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE     
Sep 12 07:30:39.399: ISAKMP:(11220): phase 2 packet is a duplicate of a previous packet.
Sep 12 07:30:39.399: ISAKMP:(11220): retransmitting due to retransmit phase 2
Sep 12 07:30:39.399: ISAKMP:(11220): ignoring retransmission,because phase2 node marked dead -1972890756

    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),

You are proposing IP between 2.2.2.2 and 1.1.1.1 while you need to negotiate GRE [IP protocol 47].

Can you modify the remote config?

birka.izik (Level 1)

Yes I can, but how do I configure it? There are only IP address options in the other FW.

This is the phase 2 configuration page on the other FW:

Then 2 choices are possible:

1. You configure your tunnel in tunnel mode ipsec ipv4. Then the proxy id on the remote device will be 0.0.0.0/0 0.0.0.0/0. That would work only if the remote device allows it.

2. Use a crypto map:

crypto map mymap 10 ipsec-isakmp
 set peer
 set transform-set YYYYY
 match address
ip access-list extended
 permit ip

On the egress interface apply:

interface <....>
 crypto map mymap

no int tu201
