Need some assistance IPSEC and NAT

Hello,


Thanks in advance for any advice you can provide.

Network Structure:

    I have 2 x 877s with the Adv IP Services IOS and need to build a VPN between them.

           - Router 1 has a direct DSL connection with public Static IP

           - Router 2 is located at the client site. They have provided me with a NAT'd public IP with a private IP address.

Issue:

- Phase 1 is up, but I get phase 2 errors.

sh debugging
Cryptographic Subsystem:
  Crypto ISAKMP Error debugging is on
  Crypto IPSEC Error debugging is on

Rtr1: debug

.Mar 28 18:48:59.000: IPSEC(ipsec_process_proposal): proxy identities not supported
.Mar 28 18:48:59.000: ISAKMP:(2014): IPSec policy invalidated proposal with error 32
.Mar 28 18:48:59.000: ISAKMP:(2014): phase 2 SA policy not acceptable! (local rtr.1.x.x remote rtr.2.x.x)
.Mar 28 18:48:59.004: ISAKMP:(2014):deleting node 1068591146 error TRUE reason "QM rejected"

R1#sh crypt isakmp sa

IPv4 Crypto ISAKMP SA

dst               src                      state                    conn-id slot status

rtr.2.x.x        rtr.1.x.x               QM_IDLE           2010    0 ACTIVE

R2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
rtr 192.168.64.254  QM_IDLE           2007    0 ACTIVE

I can see that the routes have been entered into the routing table, and when I try to ping the other side I get the following error:

.Mar 28 19:28:13.253: ISAKMP:(2017):deleting node 1839855969 error TRUE reason "Delete Larval"....

Router configs

Rtr1:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key inacsnp! address rtr.2.x.x
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset

interface Tunnel0
description VPN link to R2
ip address 10.15.1.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer2
tunnel destination rtr.2.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel

Rtr2:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key inacsnp! address rtr.1.x.x

!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
!
crypto ipsec profile encrypt-tunnel
set transform-set vpnset
!
interface Tunnel0
description VPN link to R1

ip address 10.15.1.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source BVI1
tunnel destination rtr.1.x.x
tunnel path-mtu-discovery
tunnel protection ipsec profile encrypt-tunnel

------------update---------------

Also, I found that when running debug crypto ipsec, Rtr 2 has transform = esp-aes etc., but Rtr 1 has none?

Rtr 2

*Mar 28 19:44:22.907: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 192.168.64.254, remote= rtr.1.x.x,
    local_proxy= 192.168.64.254/255.255.255.255/47/0 (type=1),
    remote_proxy= rtr.1.x.x/255.255.255.255/47/0 (type=1)
*Mar 28 19:44:22.907: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.64.254, remote= rtr.1.x.x,
    local_proxy= 192.168.64.254/255.255.255.255/47/0 (type=1),
    remote_proxy= rtr.1.x.x/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Rtr 1

.Mar 28 19:44:22.907: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= rtr.1.x.x, remote= 212.39.7.64,
    local_proxy= rtr.1.x.x/255.255.255.255/47/0 (type=1),
    remote_proxy= 192.168.64.254/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Any advice would be appreciated.

Regards

David
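The debug records above show what IOS uses as the Phase 2 proxy identity under `tunnel protection`: each side's tunnel source and destination as /32 hosts, IP protocol 47 (GRE), no ports (the `/47/0 (type=1)` fields). The following Python script is an added example, not part of the post above or any Cisco tool: it parses the two `debug crypto ipsec` excerpts, rebuilds the proxy identity each router's Tunnel0 configuration would expect, and reports where the peer's offered identity differs. It also flags when the address IKE arrived from differs from the GRE endpoint the peer names, which is what a NAT between the peers looks like in this output. The redacted addresses rtr.1.x.x and rtr.2.x.x are replaced with assumed RFC 5737 documentation addresses, and it is assumed that Dialer2's address is rtr.1.x.x; 192.168.64.254 is R2's BVI1 address as posted.

```python
import re

# Constructed sample input: the two "debug crypto ipsec" excerpts from the post.
# The post's redacted public addresses are replaced with assumed RFC 5737
# documentation addresses; 192.168.64.254 (R2's BVI1 address) is as posted.
R1_PUBLIC = "198.51.100.1"     # assumed stand-in for rtr.1.x.x (R1's Dialer2 address)
R2_PUBLIC = "203.0.113.2"      # assumed stand-in for rtr.2.x.x (NAT'd address R2 is reached on)
R2_PRIVATE = "192.168.64.254"  # R2's real tunnel source (BVI1), behind the client's NAT

R2_DEBUG = f"""\
*Mar 28 19:44:22.907: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= {R2_PRIVATE}, remote= {R1_PUBLIC},
    local_proxy= {R2_PRIVATE}/255.255.255.255/47/0 (type=1),
    remote_proxy= {R1_PUBLIC}/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
"""

R1_DEBUG = f"""\
.Mar 28 19:44:22.907: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= {R1_PUBLIC}, remote= {R2_PUBLIC},
    local_proxy= {R1_PUBLIC}/255.255.255.255/47/0 (type=1),
    remote_proxy= {R2_PRIVATE}/255.255.255.255/47/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
"""

PEER_RE = re.compile(r"(INBOUND|OUTBOUND)\s+local=\s*([\d.]+),\s*remote=\s*([\d.]+)")
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
MODE_RE = re.compile(r"transform=\s*(.+?)\s+\((Tunnel[^)]*)\)")


def parse_ipsec_debug(text):
    """Pull the IKE peer addresses, both proxy identities and the
    transform/encapsulation mode out of one IPSEC(...) debug record."""
    rec = {}
    m = PEER_RE.search(text)
    if not m:
        raise ValueError("no local=/remote= line found")
    rec["direction"], rec["local"], rec["remote"] = m.groups()
    for side, addr, mask, proto, port in PROXY_RE.findall(text):
        rec[f"{side}_proxy"] = (addr, mask, int(proto), int(port))
    m = MODE_RE.search(text)
    if m:
        rec["transform"], rec["mode"] = m.groups()
    return rec


def tunnel_proxy(tunnel_source, tunnel_destination):
    """Proxy identity a GRE tunnel under 'tunnel protection' expects:
    host /32 endpoints, IP protocol 47, no ports (the /47/0 type=1 in the debug)."""
    host = "255.255.255.255"
    return (tunnel_source, host, 47, 0), (tunnel_destination, host, 47, 0)


def check_phase2(my_debug, peer_debug, tunnel_source, tunnel_destination):
    """Return (code, message) findings describing why this router would reject
    the peer's Phase 2 proposal; an empty list means the identities line up."""
    mine = parse_ipsec_debug(my_debug)
    theirs = parse_ipsec_debug(peer_debug)
    want_local, want_remote = tunnel_proxy(tunnel_source, tunnel_destination)
    findings = []
    if mine["local_proxy"] != want_local:
        findings.append(("local_proxy_mismatch",
                         f"local proxy {mine['local_proxy'][0]} != tunnel source {tunnel_source}"))
    if mine["remote_proxy"] != want_remote:
        findings.append(("remote_proxy_mismatch",
                         f"peer offers {mine['remote_proxy'][0]} as its GRE endpoint, "
                         f"but this tunnel's destination is {tunnel_destination}"))
    # The peer's local proxy must be our remote proxy, and vice versa.
    if theirs["local_proxy"] != mine["remote_proxy"] or theirs["remote_proxy"] != mine["local_proxy"]:
        findings.append(("proxies_not_mirrored",
                         "the two sides' proxy identities do not mirror each other"))
    # IKE arrived from one address but the peer names a different GRE endpoint: NAT in the path.
    if mine["remote"] != mine["remote_proxy"][0]:
        findings.append(("nat_in_path",
                         f"IKE peer is {mine['remote']} but it identifies its tunnel "
                         f"endpoint as {mine['remote_proxy'][0]}"))
    return findings


if __name__ == "__main__":
    for name, args in (("R1", (R1_DEBUG, R2_DEBUG, R1_PUBLIC, R2_PUBLIC)),
                       ("R2", (R2_DEBUG, R1_DEBUG, R2_PRIVATE, R1_PUBLIC))):
        result = check_phase2(*args)
        print(name, "OK" if not result else "")
        for code, msg in result:
            print("  ", code, "-", msg)
```

Run as-is it reports nothing for R2 but two findings for R1: the remote proxy R2 offers (its BVI1 address) is not R1's configured tunnel destination, and the IKE session comes from a different address than that GRE endpoint. To use it on real output, paste the two records in place of the constructed strings and pass each router's actual tunnel source and destination addresses.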
