11-25-2013 09:39 AM - edited 02-21-2020 07:20 PM
Hi All!
I'm trying to attach an IPsec tunnel on my 2811.
I have p1 up
173.X.0.X 24.X.237.X QM_IDLE 6237 ACTIVE
but P2 fails with the following when I do debug crypto ipsec
Nov 25 15:46:29.597: map_db_find_best did not find matching map
Nov 25 15:46:29.597: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov 25 15:46:29.689: IPSEC(validate_proposal_request): proposal part #1
Nov 25 15:46:29.689: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 173.X.0.X:0, remote= 24.X.237.X:0,
local_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
The config part... let me know if you need anything else from the running config...
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <password> hostname <DNSNAME> no-xauth
crypto isakmp keepalive 10 periodic
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 70.X.119.X
 set peer 24.X.237.X
 set transform-set ParrentsVPn
 match address 101
crypto ipsec profile VTI
 set transform-set ParrentsVPn
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 24.102.237.206
 set transform-set ParrentsVPn
 match address 101
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
 mode transport
Extended IP access list 101
    10 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 (445190 matches)
    20 permit ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
    30 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255 (93289 matches)
    40 permit ip host 173.163.0.213 host 24.102.237.206
    50 permit ip host 24.102.237.206 host 173.163.0.213
    60 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
interface Tunnel90
 ip address 10.0.2.254 255.255.255.0
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 keepalive 60 3
 tunnel source FastEthernet0/0
 tunnel destination 24.X.237.X
 tunnel protection ipsec profile VTI
11-26-2013 11:02 PM
There is very much that is quite strange with your config:
1) you are mixing crypto-map and VTI-config in a way that doesn't seem to make any sense. What exactly do you want to achieve?
2) in this scenario you probably can't use transport-mode
3) the crypto-ACL only needs the local view of the traffic that has to be protected.
4) the value used by ip tcp adjust-mss is too large for ipsec
Sent from Cisco Technical Support iPad App
11-27-2013 04:09 AM
Hey,
Thanks for the response. I am really new at this, which may help to explain why the config looks so odd.
The current (working) setup is an IPsec tunnel, but I have no way to monitor the tunnel except for pings. My end goal would be to move the IPsec traffic to a tunnel interface so I can monitor ups/downs and traffic usage.
Both ends are cable modems, with one being a static IP address (the 70.x.119.x address). I would ideally only want that system to be accepting connections, and not trying to reach out to the other system.
The remote system is an EdgeMax (UBNT) system. Like I said... currently I have this working, but it's all tied to fa0/0 via the following.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
 mode transport
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 24.x.237.x
 set transform-set ParrentsVPn
 match address 101
interface FastEthernet0/0
 ip address 173.x.0.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map ParrentsVPn
ip nat inside source list 175 interface FastEthernet0/0 overload
access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 permit ip 10.0.1.0 0.0.0.255 any
access-list 175 permit ip 192.168.80.0 0.0.0.255 any
access-list 175 permit ip 10.0.200.0 0.0.0.255 any
access-list 175 permit ip 10.0.3.0 0.0.0.255 any
access-list 175 permit ip 10.0.4.0 0.0.0.255 any
access-list 175 deny ip 10.0.10.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 permit ip 10.0.10.0 0.0.0.255 any
access-list 175 permit ip 192.168.81.0 0.0.0.255 any
access-list 175 permit ip 192.168.13.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
11-29-2013 09:46 AM
Any idea how I can bring this traffic to a tun interface?
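A VTI-only version of the 2811 side, added here as an example and not any poster's config: it drops the crypto map and crypto ACL (on a VTI the routing table decides what is encrypted), puts the transform set in tunnel mode, moves the tunnel interface off the remote LAN's 10.0.2.0/24 onto an assumed point-to-point net 172.16.90.0/30, and lowers the MSS to fit under the 1400-byte tunnel MTU. It assumes the peer keeps the fixed address 24.X.237.X (a static VTI's tunnel destination cannot follow a changing peer address) and that the EdgeMax side is reconfigured to the same mode and proposals.

```cisco
! Phase 1 (ISAKMP) policy kept as posted in the thread
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
! Pre-shared key bound to the peer address; placeholder and mask as in the post
crypto isakmp key <password> address 24.X.237.X no-xauth
! IKE keepalives (DPD) provide liveness; GRE-style "keepalive" is not used on an IPsec VTI
crypto isakmp keepalive 10 periodic
!
! Phase 2: tunnel mode, not transport, because the VTI encapsulates routed packets
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The profile only carries the transform set; no "match address", no peer list
crypto ipsec profile VTI
 set transform-set ParrentsVPn
!
! Tunnel interface on its own link net (assumed 172.16.90.0/30), not inside 10.0.2.0/24
interface Tunnel90
 ip address 172.16.90.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 24.X.237.X
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Outside interface: remove the crypto map so only the VTI negotiates the SA
interface FastEthernet0/0
 no crypto map ParrentsVPn
!
! Routing selects the protected traffic: the remote LAN is reached via the tunnel
ip route 10.0.2.0 255.255.255.0 Tunnel90
!
! NAT exemption (access-list 175 / route-map nonat) stays as posted so that
! LAN-to-10.0.2.0/24 traffic is not translated before it enters the tunnel
```

With the crypto ACL gone, tunnel state and byte counters come from the interface itself (show interfaces Tunnel90, show crypto session), which is the up/down and usage monitoring the thread asks for.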