10-17-2012 12:51 AM
Hello!
I want to set up a VPN tunnel from a Cisco VPN Client on the internet, through a Fritzbox, to the Cisco 876 (Version 15.1(4)M3), so that the VPN tunnel terminates at the Cisco 876.
For that reason I used the command "crypto map mymap" on the int fastethernet 1. When I try to connect, the VPN Client opens the window for username and password but then ends with the message "not connected". When I do "debug crypto isakmp" the Cisco 876 shows the message:
"phase 2 SA policy not acceptable!"
Here is the "show run" output:
show run
Building configuration...
Current configuration : 1993 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Fernwartung
!
boot-start-marker
boot-end-marker
!
!
enable password xxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authentication login yyyyyyy line
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
ip cef
!
!
!
!
vtp mode transparent
username yyyyyyy-Group password 0 zzzzzzz
!
!
vlan 101
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group yyyyyyy-Group
key zzzzzzz
pool ippool
crypto isakmp profile VPNclient
match identity group yyyyyyy-Group
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 101
no ip address
crypto map mymap
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address <ip-intern> <sn-mask-intern>
ip access-group 103 in
!
interface Vlan101
ip address <ip-extern> <sn-mask-extern>
!
ip local pool ippool <VPN-Client-IP>
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <gw-extern>
!
access-list 103 permit ip host <server-ip-intern> host <VPN-Client-IP> log
!
!
!
!
!
!
control-plane
!
!
line con 0
password xxxxxxx
login authentication yyyyyyy
no modem enable
line aux 0
line vty 0 4
transport input all
!
end
All help would be much appreciated. Thank you for your kind help!!
10-17-2012 05:11 AM
Crypto map needs to be applied to VLAN interface, not the physical interface.
You should apply crypto map on Vlan101
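The placement problem in this thread (a crypto map bound to a switchport that carries no IP address, while the routed Vlan101 interface has none) can be caught before the first connection attempt by linting the running-config. The following script is an added example for this thread, not code from Cisco or from either poster; it assumes only that the running-config text is available (for instance pasted from "show run"), parses each interface block up to its terminating "!" line (so it works whether or not the leading spaces of sub-commands survived copy-paste), and reports any crypto map bound to a Layer-2 or addressless interface, suggesting the matching SVI when "switchport access vlan N" is present. The sample configs and their documentation-range addresses are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the poster's config: the crypto map sits on
# the Layer-2 switchport FastEthernet1, not on the routed Vlan101 interface.
BROKEN_CONFIG = """\
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet1
 switchport access vlan 101
 no ip address
 crypto map mymap
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan101
 ip address 198.51.100.2 255.255.255.252
!
"""

# Constructed corrected sample: same config with the crypto map moved to Vlan101.
FIXED_CONFIG = """\
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet1
 switchport access vlan 101
 no ip address
!
interface Vlan1
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan101
 ip address 198.51.100.2 255.255.255.252
 crypto map mymap
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its sub-commands.

    An interface block runs from its "interface X" line to the next "!" (or
    blank) line, which is how IOS prints running-config, so indentation is not
    relied upon.
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line in ("!", ""):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def crypto_map_findings(config: str) -> List[str]:
    """Return human-readable findings about crypto map placement.

    Flags a crypto map bound to a switchport or to an interface without an IP
    address (IKE/IPsec cannot terminate there), a crypto map that is bound but
    never defined, and a defined crypto map that is not applied to any routed
    interface at all.
    """
    # Global definitions look like "crypto map <name> <seq> ipsec-isakmp ...";
    # the interface binding "crypto map <name>" has no sequence number.
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", config, re.M))
    findings: List[str] = []
    bound_on_routed = set()

    for name, cmds in parse_interfaces(config).items():
        maps = [c.split()[2] for c in cmds if c.startswith("crypto map ")]
        if not maps:
            continue
        has_ip = any(c.startswith("ip address ") for c in cmds)
        is_switchport = any(c.startswith("switchport") for c in cmds)
        access_vlan = next(
            (c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")),
            None,
        )
        for m in maps:
            if m not in defined:
                findings.append(f"{name}: crypto map {m} is bound but not defined")
            if is_switchport or not has_ip:
                hint = f"; apply it to Vlan{access_vlan} instead" if access_vlan else ""
                findings.append(
                    f"{name}: crypto map {m} is bound to a Layer-2/addressless "
                    f"interface, so IKE/IPsec will not terminate here{hint}"
                )
            else:
                bound_on_routed.add(m)

    for m in sorted(defined - bound_on_routed):
        findings.append(
            f"crypto map {m} is not applied to any routed (IP-addressed) interface"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]")
        for f in crypto_map_findings(cfg) or ["no crypto map placement issues"]:
            print("  " + f)
```

Run it against the pasted "show run" output and an empty finding list means every defined crypto map is bound to an interface that actually has an IP address; the suggestion to move the map to the SVI is derived from the switchport's access VLAN, which is exactly the relationship between FastEthernet1 and Vlan101 in the question.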
10-17-2012 06:24 AM
Hello, Jennifer Halim,
thank you for the answer - now it works OK! :-)
Actually we had already tried to apply the crypto map on Vlan101, but we did not notice that when the error "phase 2 SA policy not acceptable" occurs, the pool address is held in "Inuse addresses" (see "show ip local pool ippool") and a reload is necessary to put the pool address back in "Available addresses". So when the error occurred, applying the crypto map on Vlan101 led to the same result at the VPN Client: "not connected". After a reload it now works OK.
Thank you again for the answer!
Jakob Blaette
10-17-2012 06:31 AM
Excellent, thanks for the update and great to hear it's working now.