Cisco C111 VPN Issue with SonicWall

InSysProllc
Level 1

Hello,

I've been going up and down this issue trying to create a VPN tunnel from our Cisco 1111 to a remote SonicWall that keeps failing phase 2 with an error:

ISAKMP-ERROR: (1097):IPSec policy invalidated proposal with error 32

ISAKMP-ERROR: (1097):phase 2 SA policy not acceptable!

It seems to point to somewhere on the ACL, but I've gone through the statements and I'm not coming up with anything.

The internal networks set to traverse the VPN are:

Cisco 1111: 10.2.1.46/27

SonicWall: 10.0.0.100/24


The internal network on the Cisco is separate and is the only network that needs access. For the config on my end I have:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PASSWORD address X.X.X.X
crypto isakmp profile SAGEVPN
match identity address 10.0.0.100 255.255.255.255
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SAGE 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address SAGE-VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description OUTSIDE
ip address X.X.X.X 255.255.255.224
ip nat outside
negotiation auto
crypto map SAGE
!
!
!
!
!
!
interface Vlan14
ip address 10.2.1.46 255.255.255.240
ip nat inside

!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
ip access-list extended SAGE-VPN
permit ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255
!
access-list 1 permit 10.2.1.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 1 permit 10.2.3.0 0.0.0.255
access-list 1 permit 10.2.4.0 0.0.0.255
access-list 1 permit 10.14.251.0 0.0.0.255
access-list 1 permit 10.14.253.0 0.0.0.255
access-list 100 deny ip 10.2.1.0 0.0.0.240 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.2.1.14 0.0.0.240 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
!

The remote site is set up on a SonicWall and they can see the port 500 traffic, but they just receive "policy not accepted".

The only other error I can see is a note on whitespace in the password under the sho crypto tech output.

I would just like to know if I may have missed anything on my end. Any advice would be greatly appreciated.


UPDATE - I've been checking up, and several people have mentioned that ACLs are not necessary on the C1111. Has anyone else heard of this aspect?
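Two things worth verifying when a peer rejects the phase 2 proposal are that the crypto ACL describes the same local and remote networks the peer is configured for, and that the NAT ACL actually exempts that traffic before it is translated. The Python below is an added example, not part of the post: it takes the SAGE-VPN and access-list 100 lines copied from the config above, converts IOS wildcards to prefixes, flags non-contiguous wildcards, and compares the proxy identities against the subnet derived from interface Vlan14.

```python
import ipaddress
# ACL lines copied from the posted config: crypto ACL SAGE-VPN and NAT ACL 100.
CRYPTO_ACL = "permit ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255"
NAT_ACL = """deny ip 10.2.1.0 0.0.0.240 10.0.0.0 0.0.0.255
deny ip 10.2.1.14 0.0.0.240 10.0.0.0 0.0.0.255
permit ip 10.2.1.0 0.0.0.255 any"""

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> prefix; rejects non-contiguous wildcards (they match scattered hosts, not a subnet)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                      # a contiguous wildcard is 2**n - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_ace(line):
    """'permit|deny ip <src> <dst>' -> (action, src, dst, problems); a network is None if its wildcard is unusable."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        return None
    i, nets, problems = 2, [], []
    while len(nets) < 2:
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
            continue
        try:
            nets.append(wildcard_to_network(tok[i], tok[i + 1]))
        except ValueError as err:
            problems.append(str(err)); nets.append(None)
        i += 2
    return tok[0], nets[0], nets[1], problems

def check(crypto_acl, nat_acl, local, remote):
    """Flag proxy identities that differ from the expected pair, bad wildcards, and a NAT ACL with no deny for the VPN pair."""
    findings, exempt = [], False
    for action, src, dst, problems in filter(None, map(parse_ace, crypto_acl.splitlines())):
        findings += [f"crypto ACL: {p}" for p in problems]
        if action == "permit" and (src, dst) != (local, remote):
            findings.append(f"crypto ACL proxy {src} -> {dst} differs from {local} -> {remote}")
    for action, src, dst, problems in filter(None, map(parse_ace, nat_acl.splitlines())):
        findings += [f"NAT ACL: {p}" for p in problems]
        exempt |= action == "deny" and (src, dst) == (local, remote)
    if not exempt:
        findings.append(f"NAT ACL: no deny for {local} -> {remote}, so it is translated before crypto")
    return findings

if __name__ == "__main__":
    local = ipaddress.ip_network("10.2.1.46/255.255.255.240", strict=False)  # interface Vlan14
    for f in check(CRYPTO_ACL, NAT_ACL, local, ipaddress.ip_network("10.0.0.0/24")):
        print("-", f)
```

Run against the posted lines it reports the two 0.0.0.240 wildcards as non-contiguous and no NAT exemption for the Vlan14 subnet; substituting the /27 stated in the post also reports a proxy-identity difference against the /28 in the crypto ACL.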

