03-13-2011 01:13 PM - edited 02-21-2020 05:13 PM
Hi,
I am trying to configure a site-to-site VPN between a 7200 series router and an ASA. These devices already have one RA VPN configured on them. In the IOS router I used an ISAKMP profile and gave a lower sequence number to the site-to-site crypto map. After the configuration, the ISAKMP tunnel (IKE Phase 1) is successfully created, but the Phase 2 negotiations fail with the following error messages.
debug crypto ipsec on the 7206:
ISAKMP (0:1): processing HASH payload. message ID = -534111121
ISAKMP (0:1): processing SA payload. message ID = -534111121
ISAKMP (0:1): Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: authenticator is HMAC-SHA
ISAKMP (0:1): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 21.X.X.X, remote= 21.X.X.X,
local_proxy= 10.11.11.11/255.255.255.255/0/0 (type=1),
remote_proxy= 172.16.99.18/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
IPSEC(kei_proxy): head = ipcc-map, map->ivrf = , kei->ivrf =
IPSEC(kei_proxy): head = ipcc-map, map->ivrf = , kei->ivrf =
IPSEC(validate_transform_proposal): peer failed identity/profile check
ISAKMP (0:1): IPSec policy invalidated proposal
ISAKMP (0:1): phase 2 SA policy not acceptable
Can anyone tell me what I need to check for this "peer failed identity/profile check" error?
Thanks
Dileep
03-13-2011 02:47 PM
A couple of things need to be looked at:
1) Within the profile, check whether the "match identity address" statement has the correct peer configured.
2) If you are sourcing the IPsec tunnel from a different IP address than the outgoing interface, you have to remember to add the following:
"crypto map
03-14-2011 12:14 AM
Finally I found the issue: it was due to a crypto ACL mismatch, and the debug log was just misleading.
Thanks
Dileep
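Dileep's root cause, a crypto ACL that does not cover the proxy identities the peer proposes, can be checked mechanically from the debug output. The following is an added example written for this thread, not code from the original posts or from Cisco: it pulls the local_proxy/remote_proxy selectors out of "debug crypto ipsec" output and tests them against the permit entries of an IOS extended ACL. The ACL name and subnets are assumptions, and so is the acceptance rule (the responder accepts identities that fall inside an ACE rather than requiring an exact mirror image).

```python
import ipaddress
import re

# Matches the proxy-identity lines IOS prints in "debug crypto ipsec", e.g.
#   local_proxy= 10.11.11.11/255.255.255.255/0/0 (type=1),
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")


def parse_proxies(debug_text):
    """Extract the proposed traffic selectors from IPsec debug output.

    Returns {"local": network, "remote": network}. The debug prints a subnet
    mask (255.255.255.255 == single host), so it is fed straight to ipaddress.
    """
    proxies = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(debug_text):
        proxies[side] = ipaddress.IPv4Network((addr, mask), strict=False)
    return proxies


def _wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into a network (wildcard = inverted mask)."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_operand(tokens, i):
    """Consume one ACL address operand (any | host A | A W) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(acl_text):
    """Parse the permit/deny lines of an extended ACL into (action, proto, src, dst, text)."""
    aces = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # skips the 'ip access-list extended NAME' header and blank lines
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        aces.append((tokens[0], tokens[1], src, dst, " ".join(tokens)))
    return aces


def find_covering_ace(proxies, aces):
    """Return the text of the first permit ACE whose source covers the proposed
    local identity and whose destination covers the proposed remote identity,
    or None when nothing matches (the crypto ACL mismatch case).

    Assumption: the responder accepts identities that lie inside an ACE (a
    subset), not only exact mirror images; verify this against your platform.
    """
    local, remote = proxies["local"], proxies["remote"]
    for action, _proto, src, dst, text in aces:
        if action == "permit" and local.subnet_of(src) and remote.subnet_of(dst):
            return text
    return None


# Constructed inputs: the proxy lines quoted from the debug in this thread, and
# two candidate crypto ACLs for the 7206 (ACL name and subnets are assumptions).
DEBUG_SNIPPET = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 21.X.X.X, remote= 21.X.X.X,
    local_proxy= 10.11.11.11/255.255.255.255/0/0 (type=1),
    remote_proxy= 172.16.99.18/255.255.255.255/0/0 (type=1),
"""

ACL_CORRECT = """\
ip access-list extended VPN-TO-ASA
 permit ip 10.11.11.0 0.0.0.255 172.16.99.0 0.0.0.255
"""

# Source and destination swapped: a common way to end up with the mismatch.
ACL_REVERSED = """\
ip access-list extended VPN-TO-ASA
 permit ip 172.16.99.0 0.0.0.255 10.11.11.0 0.0.0.255
"""

if __name__ == "__main__":
    proxies = parse_proxies(DEBUG_SNIPPET)
    for name, acl in (("correct", ACL_CORRECT), ("reversed", ACL_REVERSED)):
        ace = find_covering_ace(proxies, parse_crypto_acl(acl))
        verdict = f"covered by '{ace}'" if ace else "NO matching ACE, Phase 2 will be rejected"
        print(f"{name}: {verdict}")
```

Feed it the pasted debug and the output of "show ip access-list" for the crypto ACL; if no ACE covers the local/remote pair, the selector mismatch (or its mirror image on the ASA side) is the thing to fix, whatever the "identity/profile check" wording suggests.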
06-28-2011 12:37 AM
Hi Dileep,
Three years on, I hope you have got a response ;-)... Nevertheless, I ran into the same issue yesterday, and I will post a possible answer here in case it can help someone else.
I got the same error "peer failed identity/profile check" because my UC500 wasn't able to match the client VPN certificate with any "crypto identity" in my configuration.
And it appears that my IOS 15.1(2)T2 has a bug, as follows:
When I enter the following commands in "conf t" mode:
crypto identity myCryptoID
dn ou=1234
The last character of the "dn" line isn't written to the running configuration!?
HOSTNAME#sho run | sec crypto identity
crypto identity myCryptoID
dn ou=123
And so the router cannot match the DN of my VPN client's certificate, which contains "1234".
Hope that can help someone else.
BR.
Monnier Vincent