Cisco876 to Bintec VPN250: ISAKMP phase 2 SA policy not acceptable!

drvbaysued
Level 1

Hello!

We are trying to set up a VPN connection between a Cisco 876 and a Bintec VPN 250 (hub-and-spoke configuration).

VPN-Parameters are as follows:

- encryption-algorithm aes 128 bit

- authentication-algorithm sha1

- Diffie-Hellman Group 2

Transform set is as follows:

- encryption-algorithm aes 128 bit

- authentication-algorithm sha1

When the tunnel is built, the Cisco 876 (debug crypto routing) shows "ISAKMP phase 2 SA policy not acceptable!"

The (simplified) running-config of the Cisco876 is appended.

All help much appreciated!

10 Replies

Christian,

I can see that you use the ACL no. 135.

Does the remote site have a mirror of this ACL configured for this VPN tunnel?

Thanks.

Portu.

Please rate any helpful posts.

Hello, Portu,

thanks for the quick answer.

No - the colleague at the remote site tells me that such an ACL is not configured for the VPN tunnel.

Jakob

Well Jakob we need it for this to work.

LAN-to-LAN IPsec Tunnel Between Two Routers Configuration Example

As you can see from the link above, the ACL defined in the "crypto map" with the "match address" command must match on both sites.

Thanks.

Portu.

Please rate any helpful posts
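The reply above says the crypto-map ACL must be mirrored on the other peer: every (source, destination) pair on one side has to appear as (destination, source) on the other. The following added check is example code written for this thread, not anything from the original posts; the two ACLs it parses are constructed sample entries in private address space, not the addresses from ACL 135.

```python
"""Check that one IPsec peer's interesting-traffic ACL mirrors the other's.

Added example, not from the thread. The ACL lines below are constructed
sample data in the IOS "access-list N permit ip SRC WILD DST WILD" form;
host/any shorthands are handled, other keywords are ignored."""
import ipaddress
from typing import List, Tuple

AclEntry = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)

# Constructed sample: the hub side and what the spoke side reports it has.
LOCAL_ACL = [
    "access-list 135 permit ip host 10.1.1.10 host 10.2.2.20",
    "access-list 135 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255",
]
REMOTE_ACL = [
    "access-list 135 permit ip host 10.2.2.20 host 10.1.1.10",
    # too broad: 10.1.0.0/16 is not the mirror of 10.1.1.0/24
    "access-list 135 permit ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS address + wildcard mask into a network.
    Only contiguous wildcards (real prefixes) are accepted."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def _take_addr(tokens: List[str]):
    """Consume one address specification (any | host A | A WILDCARD)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ios_acl(lines: List[str]) -> List[AclEntry]:
    """Extract (src, dst) networks from 'access-list N permit ip ...' lines."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
            continue
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        entries.append((src, dst))
    return entries


def mirror(entries: List[AclEntry]) -> List[AclEntry]:
    """The ACL the other peer should have: sources and destinations swapped."""
    return [(dst, src) for src, dst in entries]


def missing_on_remote(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Local entries whose exact mirror image is absent from the remote ACL.
    Call with the arguments swapped to find remote entries unmatched locally."""
    remote_set = set(remote)
    return [(src, dst) for src, dst in local if (dst, src) not in remote_set]


if __name__ == "__main__":
    local, remote = parse_ios_acl(LOCAL_ACL), parse_ios_acl(REMOTE_ACL)
    for src, dst in missing_on_remote(local, remote):
        print(f"remote side lacks mirror of {src} -> {dst}")
    for src, dst in missing_on_remote(remote, local):
        print(f"local side lacks mirror of {src} -> {dst}")
```

A proxy-identity mismatch shows up in "debug crypto ipsec" as rejected local_proxy/remote_proxy values rather than as a transform problem, so running this comparison on both ACLs before touching the transform sets separates the two causes.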

Hello, Portu,

I asked the colleague at the remote site (the site that uses the Bintec VPN250) again concerning the ACL. He tells me that the 2 IP addresses that are entered in our ACL no. 135 are also reflected in the Bintec router. So this seems not to be the problem. This seems to have been a misunderstanding between me and the colleague at the remote site.

Jakob

Christian,

Please attach the "debug crypto isakmp" and "debug crypto ipsec" outputs.

Thanks.

Portu.

Here are the desired outputs:

Thanks for the kind help!

Jakob

Christian,

This seems to point to a misconfiguration issue:

*Mar  6 01:03:31.323: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

    {esp-aes esp-sha-hmac }

A simple way to find this out is by creating a dynamic map and including many transform-set combinations (just in case).

For instance:


crypto dynamic-map outside_dynamic

     set transform-set ESP-AES-SHA ESP-3DES-SHA

!

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynamic

* BTW, you need to remove the static crypto map for the specific peer, otherwise the dynamic-map will never take effect.

Let me know.

Thanks.

Portu.
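The diagnosis above rests on reading the "transform proposal not supported for identity: {...}" message and comparing the proposal inside the braces with what the router has configured. The script below is an added example for this thread, not the poster's tool or Cisco code: it parses the debug message format quoted in this thread together with the "crypto ipsec transform-set" lines and reports which configured set (if any) the peer's proposal would match, taking the AES key size into account. The debug and configuration text inside it is constructed from the quoted format, with documentation-range addresses in place of the redacted ones, and the debug output must be one message per line (terminal line wrapping undone).

```python
"""Match peer proposals rejected in 'debug crypto ipsec' against the local
transform-sets.

Added example, not from the thread. SAMPLE_DEBUG and SAMPLE_CONFIG are
constructed from the message format quoted in the thread; the addresses are
documentation-range placeholders, not the poster's."""
import re
from typing import Dict, List

SAMPLE_CONFIG = [
    "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac",
    "crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac",
    "crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac",
]

SAMPLE_DEBUG = """\
*Mar  6 06:56:04.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar  6 06:56:04.511: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.0.2.1, remote= 198.51.100.1,
    local_proxy= 192.0.2.10/255.255.255.255/0/0 (type=1),
    remote_proxy= 198.51.100.10/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Mar  6 06:56:04.515: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
""".splitlines()

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
REJECT_RE = re.compile(r"ipsec_process_proposal\): transform proposal not supported for identity:")
BRACE_RE = re.compile(r"\{([^}]*)\}")
KEYSIZE_RE = re.compile(r"keysize= (\d+)")
# address may be empty when the output was redacted, as in the thread
PROXY_RE = re.compile(r"(local|remote)_proxy= ([^/\s]*)/([^/\s]+)/(\d+)/(\d+)")


def parse_transform_sets(config_lines: List[str]) -> Dict[str, dict]:
    """Map transform-set name -> {'transforms': frozenset, 'keysize': int}."""
    sets = {}
    for line in config_lines:
        m = TS_RE.match(line.strip())
        if not m:
            continue
        name, transforms, keysize = m.group(1), [], None
        for tok in m.group(2).split():
            if tok.isdigit():            # "esp-aes 256": the key size follows the cipher
                keysize = int(tok)
            else:
                transforms.append(tok)
        if "esp-aes" in transforms and keysize is None:
            keysize = 128                # IOS default AES key size
        sets[name] = {"transforms": frozenset(transforms), "keysize": keysize or 0}
    return sets


def parse_rejections(debug_lines: List[str]) -> List[dict]:
    """Collect each rejected proposal with its key size and proxy identities."""
    rejections, ctx, awaiting_braces = [], {}, False
    for raw in debug_lines:
        line = raw.strip()
        if "(key eng. msg.)" in line:
            ctx = {}                     # a new proposal description starts here
        m = KEYSIZE_RE.search(line)
        if m:
            ctx["keysize"] = int(m.group(1))
        for side, addr, mask, _proto, _port in PROXY_RE.findall(line):
            ctx[f"{side}_proxy"] = f"{addr}/{mask}"
        if REJECT_RE.search(line):
            awaiting_braces = True       # the proposal itself is on the next line
            continue
        if awaiting_braces:
            m = BRACE_RE.search(line)
            if m:
                rejections.append({
                    "transforms": frozenset(m.group(1).split()),
                    "keysize": ctx.get("keysize", 0),
                    "local_proxy": ctx.get("local_proxy"),
                    "remote_proxy": ctx.get("remote_proxy"),
                })
                awaiting_braces = False
    return rejections


def diagnose(config_lines: List[str], debug_lines: List[str]) -> List[dict]:
    """For each rejection, name the local transform-sets that equal the proposal."""
    sets = parse_transform_sets(config_lines)
    result = []
    for rej in parse_rejections(debug_lines):
        matching = [n for n, s in sets.items()
                    if s["transforms"] == rej["transforms"] and s["keysize"] == rej["keysize"]]
        result.append({**rej, "matching_sets": matching})
    return result


if __name__ == "__main__":
    for r in diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG):
        print(sorted(r["transforms"]), r["keysize"], "->", r["matching_sets"] or "no local set matches")
```

When the proposal does match a configured set by name and key size (as in the sample), the transform itself is not the problem, and the next things to compare are the proxy identities printed in the same message and the crypto-map entry that set is bound to.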

Portu,

we tried with different transform-set combinations. When I change the transform-set at the Cisco 876, "debug crypto ipsec" shows the same error as you mentioned above (with the same parameters in curly brackets). When the transform-set is changed at the Bintec, "debug crypto ipsec" shows the changed parameters in curly brackets. Nevertheless "show crypto ipsec transform-set" shows the parameters at the Cisco 876.

It seems as if I only have to enter the parameters in brackets (from "debug crypto ipsec") in the Cisco 876 "crypto ipsec transform-set" command. But even then, it does not function.

Jakob

Jakob,

I am not sure if you followed the correct steps.

The idea behind setting up a dynamic tunnel is that the only required parameters are:

ISAKMP policy

Pre-shared-key

Transform-set

So, when the tunnel comes up, we would be able to check the interesting traffic pushed by the remote site, so we could adjust the static crypto map.

By the way, you could try with ESP-3DES-SHA instead of ESP-AES-SHA.

Please review the steps and the configuration once more and test again.

HTH.

Portu.

Portu,

OK - now I tried with a dynamic map as follows (I was not able to enter the commands exactly as you told me):

crypto ipsec transform-set esp-aes esp-sha-hmac

!

!

crypto dynamic-map 7

set transform-set

!

!

crypto map VPN 4 ipsec-isakmp dynamic

!

"esp-aes esp-sha-hmac" on the Bintec-site

Crypto IPSEC debugging is on

#

*Mar  6 06:56:04.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  6 06:56:04.511: IPSEC(validate_proposal_request): proposal part #1

*Mar  6 06:56:04.511: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= , remote= ,

    local_proxy= /255.255.255.255/0/0 (type=1),

    remote_proxy= /255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Mar  6 06:56:04.515: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

    {esp-aes esp-sha-hmac }

!

crypto ipsec transform-set esp-3des esp-md5-hmac

!

"esp-aes esp-sha-hmac" on the Bintec-site

*Mar  6 06:54:06.587: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  6 06:54:06.743: IPSEC(validate_proposal_request): proposal part #1

*Mar  6 06:54:06.743: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= , remote= ,

    local_proxy= /255.255.255.255/0/0 (type=1),

    remote_proxy= /255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

*Mar  6 06:54:06.743: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

    {esp-aes esp-sha-hmac }

!

crypto ipsec transform-set esp-3des esp-md5-hmac

!

"esp-3des esp-md5-hmac" on the Bintec-site

*Mar  6 06:55:43.687: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Mar  6 06:55:43.867: IPSEC(validate_proposal_request): proposal part #1

*Mar  6 06:55:43.867: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= , remote= ,

    local_proxy= /255.255.255.255/0/0 (type=1),

    remote_proxy= /255.255.255.255/0/0 (type=1),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Mar  6 06:55:43.871: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:

    {esp-3des esp-md5-hmac }

Jakob