cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1179
Views
0
Helpful
3
Replies

site to site and remote access vpn on same router

Hi ,

I am trying to configure a site to site VPN between a 7200 series router and an ASA.These devices already have one RA VPN configured on them. In IOS router I used ISAKMP profile and gave lower sequence number for site to site crypto map. After the configution ISAKMP tunnel (IKE Phase1 ) is successfully created and Phase 2 netogiations are failed with following error messages.

debug crypto ipsec on 7206.

ISAKMP (0:1): processing HASH payload. message ID = -534111121
ISAKMP (0:1): processing SA payload. message ID = -534111121
ISAKMP (0:1): Checking IPSec proposal 1

ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds

ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0:1): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 21.X.X.X, remote= 21.X.X.X,
    local_proxy= 10.11.11.11/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.99.18/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
IPSEC(kei_proxy): head = ipcc-map, map->ivrf = , kei->ivrf =
IPSEC(kei_proxy): head = ipcc-map, map->ivrf = , kei->ivrf =
IPSEC(validate_transform_proposal): peer failed identity/profile check

ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable

Can anyone tell me what I need to check for this  "peer failed identity/profile check" error.

Thanks

Dileep

3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

A couple of things that need to be looked at:

1) Within the profile, check if "match identity address" statement has the correct peer configured.

2) If you are sourcing the IPSec tunnel from a different ip address than the outgoing interface, you have to remember to add the following:

"crypto map local-address "

Finally I found the issue it was due to crypto acl mismatch and debug log was just misleading.

Thanks

Dileep

vincent.monnier
Level 1
Level 1

Hi Dileep,

Since 3 years, I hope you have got a response ;-)... nevertheless I just have got the same issue yesterday and I will post here a possible  answer,  in case of that can help someone else.

I've got the same error "peer failed identity/profile check" because my UC500 is'nt able to match the client VPN certificate with any "cryto identity"  in my configuration.

And it appears that my IOS 15.1(2)T2 has got a bug as follow/

When I enter the following commands in "conft t" mode :

crypto identity myCryptoID

dn ou=1234

The last character of the "dn" line isn't written in the running configuration !?

HOSTNAME#sho run | sec crypto identity

crypto identity myCryptoID

  dn ou=123

And so the router can not match the DN of the certificate of my VPN client that contains "1234"

Hope that can help someone else.

BR.

Monnier Vincent