ipsec newbie having chronic problems...

jogdial
Level 1

Hi

I'm quite the newb at Cisco routers and I am currently trying to create an IPsec tunnel from a Linux box (which I have a lot of experience setting VPNs up with) to a Cisco 2621 router. I seem to be getting past phase 1 IKE OK, but failing in phase 2. The messages I am getting in the ISAKMP debug are:

(0:10:HW:2):Checking IPSec proposal 0
000600: *Oct 21 13:45:51.307 UTC: ISAKMP: transform 0, ESP_3DES
000601: *Oct 21 13:45:51.307 UTC: ISAKMP: attributes in transform:
000602: *Oct 21 13:45:51.307 UTC: ISAKMP: group is 2
000603: *Oct 21 13:45:51.307 UTC: ISAKMP: encaps is 1 (Tunnel)
000604: *Oct 21 13:45:51.311 UTC: ISAKMP: SA life type in seconds
000605: *Oct 21 13:45:51.311 UTC: ISAKMP: SA life duration (basic) of 28800
000606: *Oct 21 13:45:51.311 UTC: ISAKMP: authenticator is HMAC-MD5
000607: *Oct 21 13:45:51.311 UTC: ISAKMP:(0:10:HW:2):atts are acceptable.
000608: *Oct 21 13:45:51.311 UTC: ISAKMP:(0:10:HW:2): IPSec policy invalidated proposal
000609: *Oct 21 13:45:51.311 UTC: ISAKMP:(0:10:HW:2): phase 2 SA policy not acceptable! (local 82.195.190.90 remote xxx.xxx.xxx.67)
000610: *Oct 21 13:45:51.315 UTC: ISAKMP: set new node -1377292731 to QM_IDLE
000611: *Oct 21 13:45:51.315 UTC: ISAKMP:(0:10:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 47, message ID = -1377292731

I'm just cleaning up my Cisco config here and I'll attach it. I'm trying to connect to FreeS/WAN on a Red Hat Linux box. I have actually done this before, but there was a Cisco expert on the other end who did the Cisco box and I never got to see his config; my FreeS/WAN config is exactly the same as the one I set up to his router. There is also another tunnel on this router to my ISP's cosign router, and I've left all that in. I need to have both tunnels; not sure if they could be interfering with each other? Anyway, attaching the running-config now...

1 Reply

sachinraja
Level 9

Hello,

Seeing your debug messages, it is clear that the SA parameters don't match at the two ends. Make sure you give the same parameters with respect to encryption, authentication, lifetimes etc. (3DES/MD5/HMAC etc.).

Also take care of the inside access-lists on the LAN interface. Make sure there is a permit for the IPsec traffic to flow to the destination.

The interesting-traffic access-lists should match at both ends.

Try these and let us know. All the best!
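As an added triage aid (not code from either poster), the script below parses the peer's phase 2 proposal out of the ISAKMP debug lines quoted in the question and diffs it against a local transform-set policy; the LOCAL_POLICY values are a hypothetical router configuration, not the poster's, chosen so that each mismatched attribute is reported. It covers the first point of the reply (transform attributes); the access-list mirroring must still be checked by hand.

```python
"""Compare the IPsec phase 2 proposal seen in an IOS ISAKMP debug against a
local transform-set/crypto-map policy and report which attributes differ."""
import re

# Debug lines as quoted in the post above (embedded here as sample input).
DEBUG = """\
000600: *Oct 21 13:45:51.307 UTC: ISAKMP: transform 0, ESP_3DES
000601: *Oct 21 13:45:51.307 UTC: ISAKMP: attributes in transform:
000602: *Oct 21 13:45:51.307 UTC: ISAKMP: group is 2
000603: *Oct 21 13:45:51.307 UTC: ISAKMP: encaps is 1 (Tunnel)
000604: *Oct 21 13:45:51.311 UTC: ISAKMP: SA life type in seconds
000605: *Oct 21 13:45:51.311 UTC: ISAKMP: SA life duration (basic) of 28800
000606: *Oct 21 13:45:51.311 UTC: ISAKMP: authenticator is HMAC-MD5
"""

# Hypothetical local policy (assumed, not from the post): a transform set of
# esp-3des esp-sha-hmac, no PFS, and the IOS default 3600 s lifetime.
LOCAL_POLICY = {
    "encryption": "ESP_3DES",
    "authenticator": "HMAC-SHA",
    "pfs_group": None,
    "encaps": "Tunnel",
    "lifetime_seconds": 3600,
}

# One regex per attribute, keyed by the name used in LOCAL_POLICY.
PATTERNS = {
    "encryption": re.compile(r"ISAKMP: transform \d+, (\S+)"),
    "authenticator": re.compile(r"authenticator is (\S+)"),
    "pfs_group": re.compile(r"group is (\d+)"),
    "encaps": re.compile(r"encaps is \d+ \((\w+)\)"),
    "lifetime_seconds": re.compile(r"SA life duration \(basic\) of (\d+)"),
}

def parse_proposal(debug_text):
    """Extract the peer's phase 2 proposal attributes from ISAKMP debug output."""
    proposal = {"pfs_group": None}  # no 'group is' line means the peer offered no PFS
    for line in debug_text.splitlines():
        for key, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                value = m.group(1)
                proposal[key] = int(value) if key in ("pfs_group", "lifetime_seconds") else value
    return proposal

def find_mismatches(proposal, local):
    """Return {attribute: (peer_value, local_value)} for every attribute that differs."""
    return {k: (proposal.get(k), local[k]) for k in local if proposal.get(k) != local[k]}

if __name__ == "__main__":
    for attr, (peer, mine) in find_mismatches(parse_proposal(DEBUG), LOCAL_POLICY).items():
        print(f"{attr}: peer offers {peer!r}, local policy has {mine!r}")
```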