IPSEC Phase 2 is always failing

mac_mac_net83
Level 1

Dear Community, 

I have the issue below and can't figure out why my Phase 2 is not coming up, even though my router and the remote end have the same transform set settings.

Below is the log from Phase 2.

My router is 5.5.5.5, remote is 3.3.3.3. The remote peer is using NAT. NAT traversal is working, since I have verified it is negotiated during the debug, and Phase 1 is successful.

Jul 11 08:15:27 eastern: ISAKMP:(7094):Checking IPSec proposal 1
Jul 11 08:15:27 eastern: ISAKMP: transform 1, ESP_AES
Jul 11 08:15:27 eastern: ISAKMP: attributes in transform:
Jul 11 08:15:27 eastern: ISAKMP: key length is 256
Jul 11 08:15:27 eastern: ISAKMP: authenticator is HMAC-SHA
Jul 11 08:15:27 eastern: ISAKMP: encaps is 3 (Tunnel-UDP)
Jul 11 08:15:27 eastern: ISAKMP:(7094):atts are acceptable.
Jul 11 08:15:27 eastern: IPSEC(validate_proposal_request): proposal part #1
Jul 11 08:15:27 eastern: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 5.5.5.5:0, remote= 3.3.3.3:0,
local_proxy= 172.16.3.0/255.255.255.0/256/0,
remote_proxy= 10.5.5.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Jul 11 08:15:27 eastern: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Jul 11 08:15:27 eastern: ISAKMP:(7094): IPSec policy invalidated proposal with error 256
Jul 11 08:15:27 eastern: ISAKMP:(7094): phase 2 SA policy not acceptable! (local 5.5.5.5 remote 3.3.3.3)
Jul 11 08:15:27 eastern: ISAKMP: set new node 1505819779 to QM_IDLE
Jul 11 08:15:27 eastern: ISAKMP:(7094):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 580731600, message ID = 1505819779
My concern is the line below:

protocol= ESP, transform= NONE (Tunnel-UDP),

Based on my recent lab tests, the transform set should not be None, and should have the same values set by the remote peer. 

Could that be the reason why it is failing?

Also, there was already an existing crypto map on the main interfaces when I added the policy, transform sets and crypto settings for this new connection. I have not tried to remove and reapply the crypto map on the interface yet (because there are other S2S VPNs in production). But will it help?

Appreciate the feedback here. 

Mac

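As an added example (not code from the thread or from Cisco), the following triage script reads the kind of debug excerpt quoted above, pulls out the peer's ESP proposal, the proxy identities and the rejection reason, and states what has to be compared on the router: the crypto map entry whose ACL covers those proxies and the transform set bound to it. The sample log is constructed from the lines in the post, and the hint text is this example's own heuristic reading of the messages.

```python
import ipaddress
import re

# Constructed sample: the debug lines quoted in the post above that the triage needs.
SAMPLE_LOG = """\
Jul 11 08:15:27 eastern: ISAKMP: transform 1, ESP_AES
Jul 11 08:15:27 eastern: ISAKMP: key length is 256
Jul 11 08:15:27 eastern: ISAKMP: authenticator is HMAC-SHA
Jul 11 08:15:27 eastern: ISAKMP: encaps is 3 (Tunnel-UDP)
local_proxy= 172.16.3.0/255.255.255.0/256/0,
remote_proxy= 10.5.5.0/255.255.255.0/256/0,
protocol= ESP, transform= NONE (Tunnel-UDP),
Jul 11 08:15:27 eastern: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-sha-hmac }
Jul 11 08:15:27 eastern: ISAKMP:(7094):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# One capture group per pattern; the captured text is stored under the key.
PATTERNS = {
    "peer_transform": re.compile(r"ISAKMP: transform \d+, (\S+)"),
    "key_length": re.compile(r"key length is (\d+)"),
    "authenticator": re.compile(r"authenticator is (\S+)"),
    "encaps": re.compile(r"encaps is \d+ \(([^)]+)\)"),
    "local_selected": re.compile(r"transform= (\S+) \("),
    "unsupported_identity": re.compile(r"\{([^}]+)\}"),
    "notify": re.compile(r"Sending NOTIFY (\S+)"),
}
# IOS prints proxies as net/mask/protocol/port; only net and mask are needed here.
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")

def triage_phase2(log):
    """Extract what the peer proposed, for which identities, and why IOS rejected it."""
    facts = {"rejected_for_identity": False, "hints": []}
    for line in log.splitlines():
        for key, rx in PATTERNS.items():
            if m := rx.search(line):
                facts[key] = m.group(1).strip()
        if m := PROXY_RE.search(line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            facts[m.group(1) + "_proxy"] = str(net)  # e.g. 172.16.3.0/24
        if "transform proposal not supported for identity" in line:
            facts["rejected_for_identity"] = True
    # Heuristic hint: this example's own reading of the messages, not IOS output.
    if facts["rejected_for_identity"]:
        facts["hints"].append(
            f"No crypto map entry whose ACL covers {facts.get('local_proxy')} <-> {facts.get('remote_proxy')} "
            f"offers a transform set equal to {{{facts.get('unsupported_identity')}}} in tunnel mode; "
            "compare that entry's match address ACL and set transform-set with this proposal.")
    return facts
```

Run it against the full debug output from the router; the hint names the exact crypto ACL and transform set to check for this peer.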