Problem: Remote VPN client failing at Phase2 (IOS VPN,combined site-site, remote access, NAT)

jure.peternel
Level 1

Hello all,

I've been busting my head for quite some time now trying to set up simultaneous site-to-site VPNs (with split tunneling over NAT), remote sw Cisco VPN clients and an IOS EZVPN client connection (to my workplace) on my home router (C1812).
So far I've managed to set up and get working site-to-site VPN tunnels using crypto maps and the IOS EZVPN client, but I'm having problems trying to connect remotely using IPSEC VPN clients (Cisco VPN client - v3.6 and 5.0 and Nokia mobile VPN client) using a dynamic crypto map:
The connection successfully finishes PHASE1 (including MODE config - IPs are assigned etc...), but then PHASE2 gets rejected for some reason...
Here is the relevant part of the debug from the server (I can post the whole debug log if you think this part is not enough):

*Jan 21 09:34:16: ISAKMP:(2242):IKE_DPD is enabled, initializing timers
*Jan 21 09:34:16: ISAKMP:(2242):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Jan 21 09:34:16: ISAKMP (2242): received packet from xx.xxx.xxx.xx dport 4500 sport 4500 Global (R) QM_IDLE     
*Jan 21 09:34:16: ISAKMP: set new node 1388603735 to QM_IDLE     
*Jan 21 09:34:16: ISAKMP:(2242): processing HASH payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242): processing SA payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP: transform 1, ESP_AES
*Jan 21 09:34:16: ISAKMP:   attributes in transform:
*Jan 21 09:34:16: ISAKMP:      authenticator is HMAC-MD5
*Jan 21 09:34:16: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP:      key length is 256
*Jan 21 09:34:16: ISAKMP:      SA life type in seconds
*Jan 21 09:34:16: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP:(2242):transform 1, IPPCP LZS
*Jan 21 09:34:16: ISAKMP:   attributes in transform:
*Jan 21 09:34:16: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP:      SA life type in seconds
*Jan 21 09:34:16: ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xx.230.37,
    local_proxy= xx.xxx.59.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2,
  (key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xxx.230.37,
    local_proxy= xx.xxx3.59.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
    protocol= PCP, transform= NONE  (Tunnel-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 21 09:34:16: ISAKMP:(2242): IPSec policy invalidated proposal with error 32
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 2
...
more proposals... (each with "ISAKMP:(2242):atts are acceptable." - ?!?)
At the end I get this:
...
*Jan 21 09:34:16: ISAKMP:(2242): phase 2 SA policy not acceptable! (local xx.xxx.59.12 remote xx.xxx.230.37)
*Jan 21 09:34:16: ISAKMP: set new node -1062817036 to QM_IDLE     
*Jan 21 09:34:16: ISAKMP:(2242):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
       spi 2233179104, message ID = -1062817036
*Jan 21 09:34:16: ISAKMP:(2242): sending packet to xx.xxx.230.37 my_port 4500 peer_port 4500 (R) QM_IDLE     
*Jan 21 09:34:16: ISAKMP:(2242):Sending an IKE IPv4 Packet.
*Jan 21 09:34:16: ISAKMP:(2242):purging node -1062817036
*Jan 21 09:34:16: ISAKMP:(2242):deleting node 1388603735 error TRUE reason "QM rejected"
*Jan 21 09:34:16: ISAKMP:(2242):Node 1388603735, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Jan 21 09:34:16: ISAKMP:(2210):purging node -579202533
*Jan 21 09:34:20: ISAKMP:(2241):purging node 1499311114

The thing that sticks out (at least to me) is: "remote_proxy= 192.168.10.47/255.255.255.255" - is this ok - is the remote proxy supposed to be a locally (internal) assigned address?
The complete config is attached...
I would be grateful for any hint....

Thanks a lot!!
Jure
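An added triage helper for the debug above (my example, not the poster's or Cisco's code): it scans ISAKMP/IPSEC debug lines, decodes the variable-length (VPI) lifetime attribute, pulls out the proxy identities, and tells a transform-set mismatch apart from the pattern shown here, where every proposal's attributes are acceptable but no crypto map matches the proxy IDs. The sample log is a constructed trim of the post's output, and the line formats it matches are assumed to be exactly those shown in the post.

```python
import re
# Constructed sample, trimmed from the ISAKMP/IPSEC debug quoted in the post.
SAMPLE_DEBUG = """\
ISAKMP: transform 1, ESP_AES
ISAKMP:      encaps is 61443 (Tunnel-UDP)
ISAKMP:      SA life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(2242):atts are acceptable.
    local_proxy= xx.xxx.59.12/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
ISAKMP:(2242):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

def decode_vpi_lifetime(hex_bytes):
    """Variable-length (VPI) lifetime, big-endian bytes: '0x0 0x20 0xC4 0x9B' -> 2147483 s."""
    value = 0
    for tok in hex_bytes.split():
        value = (value << 8) | int(tok, 16)
    return value

def triage_quick_mode(debug_text):
    """Tell 'transform set mismatch' apart from 'no crypto map matched the proxy identities'."""
    r = {"atts_acceptable": 0, "transforms": [], "encaps": None, "lifetime_s": None,
         "local_proxy": None, "remote_proxy": None, "map_found": True, "rejected": False}
    for line in debug_text.splitlines():
        if m := re.search(r"ISAKMP:.*\btransform \d+, (.+)$", line):
            r["transforms"].append(m.group(1).strip())
        elif m := re.search(r"encaps is (\d+) \((.+)\)", line):
            r["encaps"] = (int(m.group(1)), m.group(2))  # 61443 = draft NAT-T UDP tunnel encaps
        elif m := re.search(r"SA life duration \(VPI\) of\s+(.+)$", line):
            r["lifetime_s"] = decode_vpi_lifetime(m.group(1))
        elif m := re.search(r"(local|remote)_proxy= (\S+?)/(\S+?)/", line):
            r[m.group(1) + "_proxy"] = m.group(2)  # mask 255.255.255.255 = a single host
        elif "atts are acceptable" in line:
            r["atts_acceptable"] += 1
        elif "did not find matching map" in line or "proxy identities not supported" in line:
            r["map_found"] = False
        elif "PROPOSAL_NOT_CHOSEN" in line:
            r["rejected"] = True
    if not r["rejected"]:
        r["verdict"] = "no Quick Mode rejection in this excerpt"
    elif r["atts_acceptable"] == 0:
        r["verdict"] = "transform set mismatch: no proposal had acceptable attributes"
    elif not r["map_found"]:
        r["verdict"] = ("policy mismatch: transforms acceptable, but no crypto map matched proxy IDs "
                        f"{r['local_proxy']} <-> {r['remote_proxy']}; check the dynamic map binding")
    else:
        r["verdict"] = "rejected for another reason; inspect the full debug"
    return r
```

Run `triage_quick_mode(SAMPLE_DEBUG)` and read the verdict: for this log it points at crypto-map/proxy-ID policy rather than the transform set, and the /32 remote proxy is the single address the client presents for itself.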

1 Reply

Ivan Martinon
Level 7

The problem here seems to be with NAT-T. See if you can force the client to use plain IPSEC by disabling transparent tunneling under the connection profile. If you are behind NAT, then you most likely need to upgrade your IOS, as it seems to be a bug. What is the version of IOS that you have running in there?