887 router ezvpn server for remote access

Hi.

I'm having an issue with setting up remote access using Easy VPN Server on an 887 router.  I have followed tutorials and also used the Cisco Configuration Professional Easy VPN Server wizard to do the configuration, but I'm still having a problem.

I can see Phase 1 completes, but Phase 2 fails with the following error:

Oct 10 09:43:26.515: ISAKMP:(2003):Checking IPSec proposal 8

Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES

Oct 10 09:43:26.515: ISAKMP:   attributes in transform:

Oct 10 09:43:26.515: ISAKMP:      authenticator is HMAC-SHA

Oct 10 09:43:26.515: ISAKMP:      key length is 128

Oct 10 09:43:26.515: ISAKMP:      encaps is 1 (Tunnel)

Oct 10 09:43:26.515: ISAKMP:      SA life type in seconds

Oct 10 09:43:26.515: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Oct 10 09:43:26.515: ISAKMP:(2003):atts are acceptable.

Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1

Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Oct 10 09:43:26.515: map_db_find_best did not find matching map

Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported

Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32

                  

Researching "proxy identities not supported" suggests a NAT issue maybe but I cannot see where that would be.  I feel the issue is somewhere else.

I'm using VPN Client 5.0.07.0440 and using transparent tunneling (IPSec over TCP/10000) as the client is behind a firewall/NAT device. 

Does anybody know what the issue may be?  Full config attached.
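
For triaging Phase 2 failures like the one in the question, this Python sketch pulls each rejected IPsec proposal out of debug output in the format shown above and decodes the proposed SA lifetime. It is an added example, not part of the original thread and not Cisco tooling; the names `rejected_proposals`, `FIELDS`, `LIFE` and `REJECT` are hypothetical.

```python
import re

# Debug excerpt copied from the question above (blank and unused lines dropped).
SAMPLE = """\
Oct 10 09:43:26.515: ISAKMP:(2003):Checking IPSec proposal 8
Oct 10 09:43:26.515: ISAKMP: transform 1, ESP_AES
Oct 10 09:43:26.515: ISAKMP:      authenticator is HMAC-SHA
Oct 10 09:43:26.515: ISAKMP:      key length is 128
Oct 10 09:43:26.515: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
Oct 10 09:43:26.515: IPSEC(validate_proposal_request): proposal part #1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 192.168.21.12/255.255.255.255/0/0 (type=1),
Oct 10 09:43:26.515: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 10 09:43:26.515: ISAKMP:(2003): IPSec policy invalidated proposal with error 32
"""

# Hypothetical field names mapped to the text that carries each value.
FIELDS = {
    "proposal": r"Checking IPSec proposal (\d+)",
    "transform": r"transform \d+, (\S+)",
    "authenticator": r"authenticator is (\S+)",
    "key_length": r"key length is (\d+)",
    "local_proxy": r"local_proxy= (\S+)",
    "remote_proxy": r"remote_proxy= (\S+)",
    "reason": r"IPSEC\(ipsec_process_proposal\): (.+?)\s*$",
}
LIFE = re.compile(r"SA life duration \(VPI\) of((?:\s+0x[0-9A-Fa-f]+)+)")
REJECT = re.compile(r"ISAKMP:\((\d+)\): IPSec policy invalidated proposal with error (\d+)")

def rejected_proposals(text):
    """Return one dict per Phase 2 proposal that the IPsec policy rejected."""
    results, cur = [], {}
    for line in text.splitlines():
        if "Checking IPSec proposal" in line:
            cur = {}  # new proposal: drop fields left over from the previous one
        for key, pattern in FIELDS.items():
            if m := re.search(pattern, line):
                cur[key] = m.group(1)
        if m := LIFE.search(line):  # VPI value: big-endian integer, printed per byte
            octets = bytes(int(b, 16) for b in m.group(1).split())
            cur["lifetime_s"] = int.from_bytes(octets, "big")
        if m := REJECT.search(line):
            cur.update(sa_id=m.group(1), error=int(m.group(2)))
            results.append(cur)
            cur = {}
    return results

if __name__ == "__main__":
    print(*rejected_proposals(SAMPLE), sep="\n")
```

On the excerpt it reports SA 2003, proposal 8 (ESP_AES, HMAC-SHA, 128-bit key), a proposed lifetime of 2147483 seconds, both proxy identities, and the rejection reason with error 32.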

Hello Mick

Can you change the virtual template configuration as follows and try?

interface Virtual-Template1 type tunnel

ip unnumbered Dialer0

tunnel source dialer 0

regards

Harish.

Hi Harish.  Thanks for the suggestion.  Unfortunately it's still the same issue...

Oct 10 10:43:49.315: ISAKMP:(2006):Checking IPSec proposal 11

Oct 10 10:43:49.315: ISAKMP: transform 1, ESP_3DES

Oct 10 10:43:49.315: ISAKMP:   attributes in transform:

Oct 10 10:43:49.315: ISAKMP:      authenticator is HMAC-MD5

Oct 10 10:43:49.315: ISAKMP:      encaps is 1 (Tunnel)

Oct 10 10:43:49.315: ISAKMP:      SA life type in seconds

Oct 10 10:43:49.315: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B

Oct 10 10:43:49.315: ISAKMP:(2006):atts are acceptable.

Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1

Oct 10 10:43:49.315: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 88.xx.xxx.174:0, remote= 80.177.185.185:0,

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),

    remote_proxy= 192.168.21.15/255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

Oct 10 10:43:49.319: map_db_find_best did not find matching map

Oct 10 10:43:49.319: IPSEC(ipsec_process_proposal): proxy identities not supported

Oct 10 10:43:49.319: ISAKMP:(2006): IPSec policy invalidated proposal with error 32

Hello Mick,

I could simulate your scenario with the same configuration and it's working for me. I believe then you should give it a try with another version of the VPN client.

Try this:

5.0.07.0410

Harish.

I've tried that version of the VPN client but it's still not working.  Same error again.

The 887 is running IOS 15.1.(4)M3

I'll try another version of IOS and see if it makes a difference

Accepted solution

Hello Mick

Before that, one more try.

Remove the PFS as follows:

crypto ipsec profile RemoteAccess

 no set pfs group2

Remove and add the crypto back in the virtual template:

interface Virtual-Template1 type tunnel

 no tunnel protection ipsec profile RemoteAccess

 tunnel protection ipsec profile RemoteAccess

Hopefully it will solve your issue.

Harish

That sorted it, thanks Harish.

Sent from Cisco Technical Support Android App