LAN-to-LAN NAT-T fails with Rejected Received Phase-2 Exchanges

addylamlappun
Level 1

Hi there,

I have already successfully set up a plain LAN-to-LAN connection without any problem on a couple of 3005s connected via a 2611XM. Now I have modified the 2611 to do NAT on the LAN-to-LAN originator side. I have modified both 3005s to support IPSec over NAT-T under the LAN-to-LAN Connection and NAT-Transparency settings, and modified the called 3005 to peer with the new NAT address. However, the tunnel always fails at the Phase 2 exchange, and for some reason the old IP address of the calling interface is still referenced in Phase 2. I have pasted the error for your reference, and appreciate your time and this learning experience in helping me out.

Old calling IP 192.168.2.5

New calling IP 192.168.1.55

Called IP 192.168.1.5

Called side log (192.168.1.5)

-----------------------------

6597 08/01/2005 11:37:39.840 SEV=5 IKEDBG/64 RPT=299 192.168.1.55
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: True

6599 08/01/2005 11:37:40.290 SEV=5 IKE/172 RPT=299 192.168.1.55
Group [192.168.1.55]
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end is NOT behind a NAT device

6603 08/01/2005 11:37:40.390 SEV=4 IKE/119 RPT=299 192.168.1.55
Group [192.168.1.55]
PHASE 1 COMPLETED

6604 08/01/2005 11:37:40.390 SEV=4 AUTH/22 RPT=299
User [192.168.1.55] Group [192.168.1.55] connected, Session Type: IPSec/LAN-to-LAN

6606 08/01/2005 11:37:40.390 SEV=4 AUTH/84 RPT=299
LAN-to-LAN tunnel to headend device 192.168.1.55 connected

6607 08/01/2005 11:37:40.500 SEV=5 IKE/25 RPT=299 192.168.1.55
Group [192.168.1.55]
Received remote Proxy Host data in ID Payload:
Address 192.168.2.5, Protocol 0, Port 0

6610 08/01/2005 11:37:40.500 SEV=5 IKE/24 RPT=299 192.168.1.55
Group [192.168.1.55]
Received local Proxy Host data in ID Payload:
Address 192.168.1.5, Protocol 0, Port 0

6613 08/01/2005 11:37:40.500 SEV=4 IKE/61 RPT=299 192.168.1.55
Group [192.168.1.55]
Tunnel rejected: Policy not found for Src:192.168.2.5, Dst: 192.168.1.5!

6615 08/01/2005 11:37:40.500 SEV=4 IKEDBG/97 RPT=299 192.168.1.55
Group [192.168.1.55]
QM FSM error (P2 struct &0x370e02c, mess id 0xe926d11e)!

6616 08/01/2005 11:37:40.510 SEV=5 IKE/194 RPT=299 192.168.1.55
Group [192.168.1.55]
Sending IKE Delete With Reason message: No Reason Provided.

6617 08/01/2005 11:37:40.510 SEV=4 AUTH/23 RPT=299 192.168.1.55
User [192.168.1.55] Group [192.168.1.55] disconnected: duration: 0:00:00

6618 08/01/2005 11:37:40.510 SEV=4 AUTH/85 RPT=299
LAN-to-LAN tunnel to headend device 192.168.1.55 disconnected: duration: 0:00:00


umedryk
Level 5

You need to check the phase two parameters at both ends.
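A small check in the spirit of the reply above, added here as an example and not part of the original thread: it walks the responder-side log entries quoted in the question (the IKE/25, IKE/24 and IKE/61 messages), pulls out the Phase 2 proxy identities the peer offered, and compares them with the Phase 2 policy the called 3005 is assumed to hold. The policy values, the dict shape and the final "pre-NAT address" heuristic (which assumes host-type proxy IDs equal to the tunnel endpoints, as in this thread) are assumptions, not anything from the concentrator itself.

```python
import re

# Constructed sample: the responder-side entries from the question, trimmed to the
# Phase 2 messages that matter (Group lines dropped; text otherwise as posted).
SAMPLE_LOG = """\
6607 08/01/2005 11:37:40.500 SEV=5 IKE/25 RPT=299 192.168.1.55
Received remote Proxy Host data in ID Payload:
Address 192.168.2.5, Protocol 0, Port 0
6610 08/01/2005 11:37:40.500 SEV=5 IKE/24 RPT=299 192.168.1.55
Received local Proxy Host data in ID Payload:
Address 192.168.1.5, Protocol 0, Port 0
6613 08/01/2005 11:37:40.500 SEV=4 IKE/61 RPT=299 192.168.1.55
Tunnel rejected: Policy not found for Src:192.168.2.5, Dst: 192.168.1.5!
"""

# Entry header: sequence, date, time, SEV=n, message id, RPT=n, optional peer address.
HEADER = re.compile(r"^\d+ \S+ \S+ SEV=\d+ (\S+) RPT=\d+(?: (\S+))?$")
ADDR = re.compile(r"^Address (\S+), Protocol \d+, Port \d+$")


def parse_phase2_ids(log):
    """Return the IKE peer address and the remote/local proxy IDs offered in Phase 2."""
    ids = {"peer": None, "remote_proxy": None, "local_proxy": None, "rejected": False}
    current = None  # message id of the entry currently being read
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            if m.group(2):
                ids["peer"] = m.group(2)
            continue
        a = ADDR.match(line)
        if a and current == "IKE/25":    # remote proxy: what the peer says it protects
            ids["remote_proxy"] = a.group(1)
        elif a and current == "IKE/24":  # local proxy: what the peer thinks we protect
            ids["local_proxy"] = a.group(1)
        elif current == "IKE/61" and line.startswith("Tunnel rejected"):
            ids["rejected"] = True
    return ids


def diagnose(ids, policy):
    """Compare offered proxy IDs with an assumed policy {"remote_proxy", "local_proxy"}."""
    findings = []
    for key in ("remote_proxy", "local_proxy"):
        if ids[key] != policy[key]:
            findings.append(f"{key}: peer offered {ids[key]}, policy expects {policy[key]}")
    # Heuristic for host-type proxies as in this thread: a remote proxy that is not the
    # (NAT-translated) IKE peer address means the originator still sends its pre-NAT address.
    if ids["remote_proxy"] and ids["peer"] and ids["remote_proxy"] != ids["peer"]:
        findings.append(f"remote proxy {ids['remote_proxy']} is not IKE peer {ids['peer']}")
    return findings
```

Run against the sample, the policy that expects the NAT address 192.168.1.55 as remote proxy reports both the policy mismatch and the pre-NAT heuristic, which is the condition behind the "Policy not found" rejection in the log.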