ipsec vpn between usg 2910 and cisco 2900

Hi everyone!
I need counsel.

I'm trying to configure an IPsec VPN between a USG 2910 and a Cisco 2900, but nothing works.

The USG configuration is listed below:

l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
firewall packet-filter basic-protocol enable
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
dns server 8.8.8.8
#
vlan batch 1
#
 stp mode stp
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
license-server domain lic.huawei.com
#
runmode firewall
#
update schedule ips daily 5:58
update schedule av daily 5:58
security server domain sec.huawei.com
#
web-manager enable
web-manager security enable port 8443
web-manager timeout 40
undo web-manager config-guide enable
#
user-manage web-authentication security port 8888
#
l2fwdfast enable
#
acl number 3000
 rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl number 3001
#
ike proposal 1
 encryption-algorithm 3des
 dh group2
#
ike peer ike195113210660
 exchange-mode auto
 pre-shared-key %$%$6:qZ*K\b%C7/j:(FoP5Oimd[%$%$
 ike-proposal 1
 undo version 2
 remote-address 192.168.10.1
#
ipsec proposal prop19511321066
 encapsulation-mode auto
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ipsec policy ipsec1951132107 1 isakmp
 security acl 3000
 ike-peer ike195113210660
 alias 2CISCO
 undo policy enable
 proposal prop19511321066
 local-address applied-interface
 sa duration traffic-based 1843200
 sa duration time-based 3600
#
interface Vlanif1
 ip address 192.168.40.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.40.1
 dhcp server dns-list 192.168.40.1
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Cellular5/0/1
 link-protocol ppp
#
interface Ethernet0/0/0
 alias WAN
 ip address 192.168.10.3 255.255.255.0
 nat enable
 detect ftp
#
interface Ethernet1/0/0
 portswitch
 port link-type access
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface Atm2/0/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet1/0/0
 add interface Ethernet1/0/1
 add interface Ethernet1/0/2
 add interface Ethernet1/0/3
 add interface Ethernet1/0/4
 add interface Ethernet1/0/5
 add interface Ethernet1/0/6
 add interface Ethernet1/0/7
 add interface Vlanif1
 add interface Wlan-Bss1
#
firewall zone untrust
 set priority 5
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet0/0/0
#
firewall zone dmz
 set priority 50
 detect ftp
 detect rtsp
 detect pptp
#
firewall interzone local trust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone dmz untrust
 detect ftp
 detect pptp
 detect rtsp
#
#
aaa
 local-user admin password irreversible-cipher %@%@E=(d~G3]fXa$P/D*Hb_XbMD;uq]s#bDyALXU,(ZV~VX#MSJE%@%@
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
 #
#
nqa-jitter tag-version 1

#
stelnet server enable
#
banner enable
#
user-interface con 0
user-interface tty 2 3
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
ip address-set c2900 type object
 description cisco 2900
 address 0 192.168.10.1 mask 32
#
slb
#
cwmp
#
right-manager server-group
#
wlan srm
 dot11a mandatory-rate 6 9 12 24
 dot11a supported-rate 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-class 0 plain
 ssid gateway
 station max-number 124
 service-class enable
#
wlan service-class 1 plain
 ssid gateway1
 station max-number 124
#
interface Wlan-Bss0
#
interface Wlan-Bss1
#
interface Wlan-rf4/0/0
 radio-type dot11gn
 channel auto
 bind service-class 0 interface wlan-bss 0
 bind service-class 1 interface wlan-bss 1
#
#
sim 1
sim 2
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy source address-set c2900
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 192.168.20.0 0.0.0.255
  policy destination 192.168.40.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.40.0 0.0.0.255
  policy destination 192.168.20.0 0.0.0.255


The Cisco configuration is listed below:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TESTKEY address 192.168.10.2 no-xauth
crypto isakmp key TESTKEY address 192.168.10.3 no-xauth
!
!
crypto ipsec transform-set c2900-c881 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set c2900-HYA esp-3des esp-sha-hmac
!
crypto map tunnelmap 10 ipsec-isakmp
 set peer 192.168.10.2
 set transform-set c2900-c881
 match address 101
crypto map tunnelmap 20 ipsec-isakmp
 set peer 192.168.10.3
 match address 102
!
!
!
!
!
interface Tunnel1
 description ciscoTOcisco
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.10.2
 tunnel checksum
 tunnel path-mtu-discovery
!
interface Tunnel2
 description HUAwei
 ip unnumbered GigabitEthernet0/0
 ip mtu 1400
 no ip route-cache cef
 no ip route-cache
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.10.3
 tunnel checksum
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
 crypto map tunnelmap
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 192.168.30.0 255.255.255.0 Tunnel1
ip route 192.168.40.0 255.255.255.0 Tunnel2
!
access-list 101 permit gre host 192.168.10.1 host 192.168.10.2
access-list 102 permit gre host 192.168.10.1 host 192.168.10.3



Session status on the Cisco:

2900#sh crypto session

Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 192.168.10.2 port 500
  IPSEC FLOW: permit 47 host 192.168.10.1 host 192.168.10.2
        Active SAs: 0, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 192.168.10.3 port 500
  IKEv1 SA: local 192.168.10.1/500 remote 192.168.10.3/500 Active
  IKEv1 SA: local 192.168.10.1/500 remote 192.168.10.3/500 Inactive
  IKEv1 SA: local 192.168.10.1/500 remote 192.168.10.3/500 Inactive
  IKEv1 SA: local 192.168.10.1/500 remote 192.168.10.3/500 Active
  IPSEC FLOW: permit 47 host 192.168.10.1 host 192.168.10.3
        Active SAs: 0, origin: crypto map

Debug output on the Cisco:

*May 19 09:28:05.995: IPSEC(ipsec_process_proposal): proxy identities not supported
*May 19 09:28:05.995: ISAKMP:(1635): IPSec policy invalidated proposal with error 32
*May 19 09:28:05.995: ISAKMP:(1635): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 192.168.10.3)
*May 19 09:28:05.995: ISAKMP:(1635):deleting node 1471795379 error TRUE reason "QM rejected"
*May 19 09:28:06.275: ISAKMP:(1635):deleting SA reason "Recevied fatal informational" state (R) QM_IDLE (peer 192.168.10.3)
*May 19 09:28:06.275: ISAKMP:(1635):deleting SA reason "Recevied fatal informational" state (R) QM_IDLE (peer 192.168.10.3)
*May 19 09:28:08.995: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 19 09:28:08.995: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 19 09:28:36.271: ISAKMP:(1636):deleting SA reason "Recevied fatal informational" state (R) QM_IDLE (peer 192.168.10.3)
*May 19 09:28:36.275: ISAKMP:(1636):deleting SA reason "Recevied fatal informational" state (R) QM_IDLE (peer 192.168.10.3)
*May 19 09:28:38.991: ISAKMP:(0):Encryption algorithm offered does not match policy!
*May 19 09:28:38.991: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 19 09:28:39.983: IPSEC(ipsec_process_proposal): proxy identities not supported
*May 19 09:28:39.983: ISAKMP:(1637): IPSec policy invalidated proposal with error 32
*May 19 09:28:39.983: ISAKMP:(1637): phase 2 SA policy not acceptable! (local 192.168.10.1 remote 192.168.10.3)

USG system messages:

2016-05-20 09:14:15 UG %%01IKE/4/WARNING(l): phase2: security acl mismatch.
2016-05-20 09:14:34 UG %%01IKE/4/WARNING(l): phase2: proposal or pfs dh-group mismatch, please check ipsec proposal and pfs dh-group configuration.


Michael Muenz
Level 5

On the USG you have 3DES and on the Cisco you force AES; this won't work.

Michael Please rate all helpful posts

Thank you for the reply!
You're wrong, the phase 2 on both routers is identical, see below.

On the Cisco router:

 crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2

crypto isakmp key TESTKEY address 192.168.10.3 no-xauth

isakmp is Phase1, transform-set is Phase2. You haven't linked it in the crypto-map.

Michael Please rate all helpful posts

Sorry.
The actual config is below:

Cisco:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key TESTKEY address 172.16.0.2 no-xauth
!
crypto isakmp peer address 172.16.0.2
 set aggressive-mode password TESTKEY
 set aggressive-mode client-endpoint ipv4-address 10.1.1.2
!
!
crypto ipsec transform-set c2900-HYA esp-aes 256 esp-sha-hmac
!
crypto map tunnelmap 20 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set c2900-HYA
 match address 102
!
!
!
!
!
interface Tunnel2
 description HUAwei
 ip unnumbered GigabitEthernet0/0
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 172.16.0.2
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map tunnelmap

Huawei:

acl number 3000
 rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl number 3001
#
ike proposal 1
 encryption-algorithm aes-256
 dh group2
#
ike peer ike255115311617
 exchange-mode aggressive
 pre-shared-key %$%$$lDmEU7HgA5wB91hG*M8djaX%$%$
 ike-proposal 1
 undo version 2
 remote-address 10.1.1.2
 undo nat traversal
#
ipsec proposal prop25511531161
 encapsulation-mode auto
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-256
#
ipsec policy ipsec2551153117 1 isakmp
 security acl 3000
 ike-peer ike255115311617
 alias test
 undo policy enable
 proposal prop25511531161
 local-address applied-interface
 sa duration traffic-based 0
 sa duration time-based 3600

Why have you switched to aggressive mode and changed the IP addresses?

I'd rather first test with main mode, no GRE, no tunnel interfaces and only the IPsec as it was before.

Michael Please rate all helpful posts

I changed the connection scheme.

Now it looks like this:

192.168.40.0/24
      |
    (2901)
    10.1.1.2
      |
      .1
    (1921)
      .1
      |
   172.168.0.2
    (HW USG)
      |
192.168.20.0/24

Please post both current configurations and debugs

Michael Please rate all helpful posts

Current configuration : 1907 bytes
!
! Last configuration change at 08:15:33 UTC Fri May 27 2016
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2900
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2901/K9 sn FCZ1723C5SP
license accept end user agreement
license boot module c2900 technology-package securityk9
!
!
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key TESTKEY address 172.16.0.2 no-xauth
!
!
crypto ipsec transform-set c2900-HYA esp-aes 256 esp-sha-hmac
!
crypto map tunnelmap 20 ipsec-isakmp
 set peer 172.16.0.2
 set transform-set c2900-HYA
 match address 102
!
!
!
!
!
interface Tunnel2
 description HUAwei
 ip unnumbered GigabitEthernet0/0
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 172.16.0.2
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
 ip address 10.1.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map tunnelmap
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
!
interface GigabitEthernet0/0/1
!
interface GigabitEthernet0/0/2
!
interface GigabitEthernet0/0/3
!
interface Vlan1
 ip address 192.168.20.1 255.255.255.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 172.16.0.0 255.255.255.252 10.1.1.1
ip route 192.168.40.0 255.255.255.0 Tunnel2
!
access-list 101 permit gre host 192.168.10.1 host 192.168.10.2
access-list 102 permit gre host 10.1.1.2 host 172.16.0.2
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

Huawei:

sysname UG
#
l2tp domain suffix-separator @
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
firewall packet-filter basic-protocol enable
#
ip df-unreachables enable
#
firewall ipv6 session link-state check
firewall ipv6 statistic system enable
#
dns resolve
dns server 8.8.8.8
#
vlan batch 1
#
 stp mode stp
#
firewall statistic system enable
#
pki certificate access-control-policy default permit
#
dns proxy enable
#
license-server domain lic.huawei.com
#
runmode firewall
#
update schedule ips daily 5:58
update schedule av daily 5:58
security server domain sec.huawei.com
#
web-manager enable
web-manager security enable port 8443
web-manager timeout 40
undo web-manager config-guide enable
#
user-manage web-authentication security port 8888
#
l2fwdfast enable
#
acl number 3000
 rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
#
acl number 3001
#
ike proposal 1
 encryption-algorithm aes-256
 dh group2
#
ike peer ike255115311617
 exchange-mode auto
 pre-shared-key %$%$$lDmEU7HgA5wB91hG*M8djaX%$%$
 ike-proposal 1
 undo version 2
 remote-address 10.1.1.2
 undo nat traversal
#
ipsec proposal prop25511531161
 encapsulation-mode auto
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-256
#
ipsec policy ipsec2551153117 1 isakmp
 security acl 3000
 ike-peer ike255115311617
 alias test
 undo policy enable
 proposal prop25511531161
 local-address applied-interface
 sa duration traffic-based 0
 sa duration time-based 3600
#
interface Vlanif1
 ip address 192.168.40.1 255.255.255.0
 dhcp select interface
 dhcp server gateway-list 192.168.40.1
 dhcp server dns-list 192.168.40.1
#
interface Cellular5/0/0
 link-protocol ppp
#
interface Cellular5/0/1
 link-protocol ppp
#
interface Ethernet0/0/0
 alias WAN
 ip address 172.16.0.2 255.255.255.252
 nat enable
 detect ftp
#
interface Ethernet1/0/0
 portswitch
 port link-type access
#
interface Ethernet1/0/1
 portswitch
 port link-type access
#
interface Ethernet1/0/2
 portswitch
 port link-type access
#
interface Ethernet1/0/3
 portswitch
 port link-type access
#
interface Ethernet1/0/4
 portswitch
 port link-type access
#
interface Ethernet1/0/5
 portswitch
 port link-type access
#
interface Ethernet1/0/6
 portswitch
 port link-type access
#
interface Ethernet1/0/7
 portswitch
 port link-type access
#
interface Atm2/0/0
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet1/0/0
 add interface Ethernet1/0/1
 add interface Ethernet1/0/2
 add interface Ethernet1/0/3
 add interface Ethernet1/0/4
 add interface Ethernet1/0/5
 add interface Ethernet1/0/6
 add interface Ethernet1/0/7
 add interface Vlanif1
 add interface Wlan-Bss1
#
firewall zone untrust
 set priority 5
 detect ftp
 detect rtsp
 detect pptp
 add interface Ethernet0/0/0
#
firewall zone dmz
 set priority 50
 detect ftp
 detect rtsp
 detect pptp
#
firewall interzone local trust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone local dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust untrust
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone trust dmz
 detect ftp
 detect pptp
 detect rtsp
#
firewall interzone dmz untrust
 detect ftp
 detect pptp
 detect rtsp
#
#
aaa
 local-user admin password irreversible-cipher %@%@E=(d~G3]fXa$P/D*Hb_XbMD;uq]s#bDyALXU,(ZV~VX#MSJE%@%@
 local-user admin service-type web terminal telnet
 local-user admin level 15
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 domain dot1x
 #
#
nqa-jitter tag-version 1

#
ip route-static 0.0.0.0 0.0.0.0 172.168.0.1
ip route-static 10.1.1.0 255.255.255.252 172.16.0.1
ip route-static 192.168.20.0 255.255.255.0 10.1.1.2
#
stelnet server enable
#
banner enable
#
user-interface con 0
 idle-timeout 100 0
user-interface tty 2 3
 modem both
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
ip address-set c2900 type object
 description cisco 2900
 address 0 10.1.1.2 mask 32
#
sa
#
slb
#
cwmp
#
right-manager server-group
#
wlan srm
 dot11a mandatory-rate 6 9 12 24
 dot11a supported-rate 18 36 48 54
 dot11b mandatory-rate 1 2
 dot11b supported-rate 5.5 11
 dot11g mandatory-rate 1 2 5.5 11
 dot11g supported-rate 6 9 12 18 24 36 48 54
#
wlan service-class 0 plain
 ssid gateway
 station max-number 124
 service-class enable
#
wlan service-class 1 plain
 ssid gateway1
 station max-number 124
#
interface Wlan-Bss0
#
interface Wlan-Bss1
#
interface Wlan-rf4/0/0
 radio-type dot11gn
 channel auto
 bind service-class 0 interface wlan-bss 0
 bind service-class 1 interface wlan-bss 1
#
#
sim 1
sim 2
#
policy interzone local untrust inbound
 policy 0
  action permit
  policy source address-set c2900

 policy 1
  action permit
  policy source 10.1.1.0 0.0.0.3
  policy destination 172.168.0.0 0.0.0.3
#
policy interzone local untrust outbound
 policy 1
  action permit
  policy source 172.16.0.0 0.0.0.3
  policy destination 10.1.1.0 0.0.0.3
#
policy interzone trust untrust inbound
 policy 1
  action permit
  policy source 192.168.20.0 0.0.0.255
  policy destination 192.168.40.0 0.0.0.255
#
policy interzone trust untrust outbound
 policy 1
  action permit
  policy source 192.168.40.0 0.0.0.255
  policy destination 192.168.20.0 0.0.0.255
#
return

*May 27 09:09:26.712: ISAKMP:(0): processing SA payload. message ID = 0
*May 27 09:09:26.712: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*May 27 09:09:26.712: ISAKMP:(0): local preshared key found
*May 27 09:09:26.712: ISAKMP : Scanning profiles for xauth ...
*May 27 09:09:26.712: ISAKMP:(0):Checking ISAKMP transform 0 against priority 10 policy
*May 27 09:09:26.712: ISAKMP:      encryption AES-CBC
*May 27 09:09:26.712: ISAKMP:      keylength of 256
*May 27 09:09:26.712: ISAKMP:      hash SHA
*May 27 09:09:26.712: ISAKMP:      auth pre-share
*May 27 09:09:26.712: ISAKMP:      default group 2
*May 27 09:09:26.712: ISAKMP:      life type in seconds
*May 27 09:09:26.712: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*May 27 09:09:26.712: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 27 09:09:26.712: ISAKMP:(0):Acceptable atts:actual life: 0
*May 27 09:09:26.712: ISAKMP:(0):Acceptable atts:life: 0
*May 27 09:09:26.712: ISAKMP:(0):Fill atts in sa vpi_length:4
*May 27 09:09:26.712: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*May 27 09:09:26.712: ISAKMP:(0):Returning Actual lifetime: 86400
*May 27 09:09:26.712: ISAKMP:(0)::Started lifetime timer: 86400.

*May 27 09:09:26.712: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 09:09:26.712: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*May 27 09:09:26.712: ISAKMP:(0): sending packet to 172.16.0.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
*May 27 09:09:26.712: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 09:09:26.712: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 09:09:26.712: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*May 27 09:09:27.248: ISAKMP (0): received packet from 172.16.0.2 dport 500 sport 500 Global (R) MM_SA_SETUP
*May 27 09:09:27.248: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 09:09:27.248: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*May 27 09:09:27.248: ISAKMP:(0): processing KE payload. message ID = 0
*May 27 09:09:27.276: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 27 09:09:27.276: ISAKMP:(0):found peer pre-shared key matching 172.16.0.2
*May 27 09:09:27.276: ISAKMP:(6361):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 09:09:27.276: ISAKMP:(6361):Old State = IKE_R_MM3  New State = IKE_R_MM3

*May 27 09:09:27.276: ISAKMP:(6361): sending packet to 172.16.0.2 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 27 09:09:27.276: ISAKMP:(6361):Sending an IKE IPv4 Packet.
*May 27 09:09:27.276: ISAKMP:(6361):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 09:09:27.276: ISAKMP:(6361):Old State = IKE_R_MM3  New State = IKE_R_MM4

*May 27 09:09:27.520: ISAKMP (6361): received packet from 172.16.0.2 dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 27 09:09:27.520: ISAKMP:(6361):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 09:09:27.520: ISAKMP:(6361):Oldun State = IKE_R_MM4  New State = IKE_R_MM5

Huawei debug:

2016-05-27 15:52:12 UG %%01IKE/4/WARNING(l): phase2: security acl mismatch.
2016-05-27 15:52:17 UG %%01IKE/4/WARNING(l): phase2: proposal or pfs dh-group mismatch, please check ipsec proposal and pfs dh-group configuration.

2900#sh crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-IDLE
Peer: 172.16.0.2 port 500
  IKEv1 SA: local 10.1.1.2/500 remote 172.16.0.2/500 Active
  IKEv1 SA: local 10.1.1.2/500 remote 172.16.0.2/500 Inactive
  IKEv1 SA: local 10.1.1.2/500 remote 172.16.0.2/500 Inactive
  IPSEC FLOW: permit 47 host 10.1.1.2 host 172.16.0.2
        Active SAs: 0, origin: crypto map

2900#sh crypto isa
2900#sh crypto isakmp sa
2900#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        172.16.0.2      QM_IDLE           6420 ACTIVE
10.1.1.2        172.16.0.2      MM_NO_STATE       6419 ACTIVE (deleted)
10.1.1.2        172.16.0.2      MM_NO_STATE       6418 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

2900#sh ipse
2900#sh ipsec
2900#sh cr
2900#sh cry
2900#sh crypto ipse
2900#sh crypto ipsec sa
2900#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: tunnelmap, local addr 10.1.1.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.16.0.2/255.255.255.255/47/0)
   current_peer 172.16.0.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1167, #recv errors 0

     local crypto endpt.: 10.1.1.2, remote crypto endpt.: 172.16.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Please remove the Tunnel Interface and change the ACL for the crypto map to IP and not GRE.

If that doesn't work, add set pfs group2 to your crypto-map.

Michael Please rate all helpful posts
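As an added example (not code from the thread or from either vendor), the following Python check models the phase-2 proxy IDs that the debugs above complain about ("proxy identities not supported" on the Cisco, "security acl mismatch" on the USG). It parses the Cisco crypto-map ACL entry and the USG security ACL rule and reports whether the selector the USG proposes is the mirror image of the one the Cisco expects. The corrected Cisco ACL shown is my reading of the accepted answer (plain IP between the two LANs), not a line posted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One phase-2 traffic selector (proxy ID): source net, destination net, IP protocol."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str

    def mirrored(self) -> "Selector":
        # What the other end must configure to accept this selector.
        return Selector(self.dst, self.src, self.proto)


def normalize_proto(p: str) -> str:
    # IOS accepts 'gre' or '47'; VRP writes 'ip' for any protocol.
    return "47" if p.lower() in ("gre", "47") else p.lower()


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Both IOS and VRP ACLs use wildcard (inverted) masks; convert to a network.
    A non-contiguous wildcard is not a single selector and raises ValueError."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _ios_endpoint(tokens, i):
    # 'host A', 'any', or 'A wildcard'; returns (network, index of next token)
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ios_acl(line: str) -> Selector:
    """Parse one 'access-list N permit <proto> <src> <dst>' entry of a crypto ACL."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"not a permit ACE: {line!r}")
    src, i = _ios_endpoint(t, 4)
    dst, _ = _ios_endpoint(t, i)
    return Selector(src, dst, normalize_proto(t[3]))


def parse_vrp_rule(line: str) -> Selector:
    """Parse one USG 'rule N permit <proto> source A W destination B W' line."""
    m = re.match(r"rule \d+ permit (\S+) source (\S+) (\S+) destination (\S+) (\S+)", line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    proto, s, sw, d, dw = m.groups()
    return Selector(wildcard_to_network(s, sw), wildcard_to_network(d, dw), normalize_proto(proto))


def diagnose(cisco_acl: str, usg_rule: str) -> str:
    """Responder view: the Cisco accepts quick mode only if the USG's proposed
    proxy IDs are the exact mirror of its own crypto ACL entry."""
    c, u = parse_ios_acl(cisco_acl), parse_vrp_rule(usg_rule)
    if c == u.mirrored():
        return "OK"
    problems = []
    if c.proto != u.proto:
        problems.append(f"protocol {c.proto} vs {u.proto}")
    if (c.src, c.dst) != (u.dst, u.src):
        problems.append(f"selectors {c.src}->{c.dst} vs mirror of {u.src}->{u.dst}")
    return "MISMATCH: " + "; ".join(problems)


# Constructed from the configs quoted in this thread (the USG initiates, the Cisco responds).
USG_RULE = "rule 5 permit ip source 192.168.40.0 0.0.0.255 destination 192.168.20.0 0.0.0.255"
BROKEN_CISCO_ACL = "access-list 102 permit gre host 10.1.1.2 host 172.16.0.2"
# Assumed reading of the accepted answer: match LAN-to-LAN IP traffic, mirrored from the USG rule.
FIXED_CISCO_ACL = "access-list 102 permit ip 192.168.20.0 0.0.0.255 192.168.40.0 0.0.0.255"

if __name__ == "__main__":
    print("before:", diagnose(BROKEN_CISCO_ACL, USG_RULE))
    print("after: ", diagnose(FIXED_CISCO_ACL, USG_RULE))
```

The same mirror rule applies to any extra crypto ACL entries: each Cisco ACE needs an exactly mirrored USG rule, or quick mode is rejected for that flow.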

Oh!!! Thank you!!! I spent 2 weeks on this!!!
Thank you for helping me!!

Now, ping from a PC on the 2901 site goes to the Huawei site, but from the HW side it's not coming through.

You're welcome, please mark this answer as correct for other guys with the same problem.

Michael Please rate all helpful posts