10-10-2012 02:57 AM - edited 02-21-2020 06:23 PM
Hi.
I'm having an issue with setting up remote access using easyvpn server on an 887 router. I have followed tutorials and also used the Cisco Configuration Professional easyvpn server wizard to do the configuration, but I'm still having a problem.
I can see Phase 1 completes, but Phase 2 fails with the following error:
Oct 10 09:43:26.515: ISAKMP:(2003):Checking IPSec proposal 8
Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES
Oct 10 09:43:26.515: ISAKMP: attributes in transform:
Oct 10 09:43:26.515: ISAKMP: authenticator is HMAC-SHA
Oct 10 09:43:26.515: ISAKMP: key length is 128
Oct 10 09:43:26.515: ISAKMP: encaps is 1 (Tunnel)
Oct 10 09:43:26.515: ISAKMP: SA life type in seconds
Oct 10 09:43:26.515: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 10 09:43:26.515: ISAKMP:(2003):atts are acceptable.
Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1
Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Oct 10 09:43:26.515: map_db_find_best did not find matching map
Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
Researching "proxy identities not supported" suggests a NAT issue maybe but I cannot see where that would be. I feel the issue is somewhere else.
I'm using VPN Client 5.0.07.0440 and using transparent tunneling (IPSec over TCP/10000) as the client is behind a firewall/NAT device.
Does anybody know what the issue may be? Full config attached.
10-10-2012 03:28 AM
Hello Mick
Can you change the virtual template configuration as follows and try
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel source dialer 0
regards
Harish.
10-10-2012 03:47 AM
Hi Harish. Thanks for the suggestion. Unfortunately it's still the same issue...
Oct 10 10:43:49.315: ISAKMP:(2006):Checking IPSec proposal 11
Oct 10 10:43:49.315: ISAKMP: transform 1, ESP_3DES
Oct 10 10:43:49.315: ISAKMP: attributes in transform:
Oct 10 10:43:49.315: ISAKMP: authenticator is HMAC-MD5
Oct 10 10:43:49.315: ISAKMP: encaps is 1 (Tunnel)
Oct 10 10:43:49.315: ISAKMP: SA life type in seconds
Oct 10 10:43:49.315: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
Oct 10 10:43:49.315: ISAKMP:(2006):atts are acceptable.
Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1
Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.21.15/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 10 10:43:49.319: map_db_find_best did not find matching map
Oct 10 10:43:49.319: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 10:43:49.319: ISAKMP:(2006): IPSec policy invalidated proposal with error 32
10-10-2012 04:35 AM
Hello Mick,
I could simulate your scenario with the same configuration and it's working for me. I believe then you should give a try with another version of the VPN client.
Try this:
5.0.07.0410
Harish.
10-10-2012 05:20 AM
I've tried that version vpn client but still not working. Same error again.
The 887 is running IOS 15.1.(4)M3
I'll try another version of IOS and see if it makes a difference
10-10-2012 05:35 AM
Hello Mick
Before that, one more try.
Remove the PFS as follows:
crypto ipsec profile RemoteAccess
 no set pfs group2
Remove and add the crypto back in the virtual template:
interface Virtual-Template1 type tunnel
 no tunnel protection ipsec profile RemoteAccess
 tunnel protection ipsec profile RemoteAccess
Hopefully it will solve your issue.
Harish,
10-11-2012 10:57 AM
That sorted it, thanks Harish.
Sent from Cisco Technical Support Android App