09-20-2011 03:25 AM
Hi,
Can someone help...
Topology
10.10.10.5-----VPN Router-------VPN--------ASA5540-----DMZ-------Real ip 192.168.202.2---- NAT ip 10.66.101.10
Requirement:
IPsec VPN between the VPN router (192.168.10.2) and the ASA5540 (192.168.160.2); 192.168.202.2, NATted to 10.66.101.10, should connect to 10.10.10.5 over port 80.
Problem: the IPsec VPN is established (both Phase 1 and Phase 2) without NAT, but as soon as we do a source NAT on the ASA5540, Phase 1 comes up but Phase 2 doesn't come up.
Below is the debug output from cisco router.
Sep 19 13:33:32.639 UAE: ISAKMP: transform 1, ESP_3DES
Sep 19 13:33:32.639 UAE: ISAKMP: attributes in transform:
Sep 19 13:33:32.639 UAE: ISAKMP: SA life type in seconds
Sep 19 13:33:32.639 UAE: ISAKMP: SA life duration (basic) of 3600
Sep 19 13:33:32.639 UAE: ISAKMP: encaps is 1 (Tunnel)
Sep 19 13:33:32.639 UAE: ISAKMP: authenticator is HMAC-SHA
Sep 19 13:33:32.639 UAE: ISAKMP: group is 2
Sep 19 13:33:32.639 UAE: ISAKMP:(7055):atts are acceptable.
Sep 19 13:33:32.639 UAE: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): IPSec policy invalidated proposal with error 32
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): phase 2 SA policy not acceptable!
VPN router config
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set TEST-VPN esp-3des esp-sha-hmac
crypto map TEST-map 10 ipsec-isakmp
set peer 192.168.160.2
set transform-set TEST-VPN
match address REMOTE_VPN
Extended IP access list REMOTE_VPN
20 permit ip host 10.10.10.5 host 10.66.101.10
Site B ASA5540 configuration
object network Local_DMZ2
host 192.168.202.2
object network remotehost
host 10.10.10.5
object network Localnat
host 10.66.101.10
access-list Outside_1_cryptomap extended permit ip object Localnat object remotehost
nat (DMZ-2,Outside) source static Local_DMZ2 Localnat destination static remotehost remotehost
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 192.168.10.2
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.10.2 type ipsec-l2l
tunnel-group 192.168.10.2 ipsec-attributes
pre-shared-key *****
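The router debug above says "proxy identities not supported" / "error 32": the ASA proposed a Phase 2 traffic selector (10.66.101.10 <-> 10.10.10.5, i.e. the translated address) and the router rejected it because no ACE in its crypto ACL mirrored that pair. The script below is an added example, not code from the thread or from Cisco: it parses an IOS crypto ACL ("show ip access-lists" output) and an ASA object-based crypto ACL, reports ACEs on either side that have no mirror on the other, and flags the Phase 2 symptom lines in IOS debug output. The sample configs are taken from the thread; the extra IOS ACE 10 for the real (pre-NAT) address 192.168.202.2 is a constructed, hypothetical leftover added to show what a non-mirrored selector looks like in the report. Only "permit ip" ACEs with host, subnet/wildcard, any and object operands are handled.

```python
"""Phase 2 proxy-ID consistency check for an IOS <-> ASA site-to-site tunnel.

Added example, not from the original thread. Assumptions: IOS side read from
'show ip access-lists' output, ASA side from running config; only 'permit ip'
ACEs are compared; the ASA crypto ACL already references the translated
(NAT) object, as in the thread.
"""
import ipaddress
import re

# --- constructed samples -----------------------------------------------
# IOS crypto ACL: ACE 20 is the thread's own; ACE 10 is a HYPOTHETICAL
# leftover for the real address, which has no mirror on the ASA.
IOS_ACL = """\
Extended IP access list REMOTE_VPN
    10 permit ip host 10.10.10.5 host 192.168.202.2
    20 permit ip host 10.10.10.5 host 10.66.101.10
"""

ASA_CONFIG = """\
object network Local_DMZ2
 host 192.168.202.2
object network remotehost
 host 10.10.10.5
object network Localnat
 host 10.66.101.10
access-list Outside_1_cryptomap extended permit ip object Localnat object remotehost
nat (DMZ-2,Outside) source static Local_DMZ2 Localnat destination static remotehost remotehost
"""

# Router debug lines as posted in the thread.
IOS_DEBUG = """\
Sep 19 13:33:32.639 UAE: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): IPSec policy invalidated proposal with error 32
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): phase 2 SA policy not acceptable!
"""


def _ios_addr(toks):
    """Consume one IOS address operand: 'host X', 'any' or 'X WILDCARD'."""
    if toks[0] == 'host':
        return str(ipaddress.ip_network(toks[1])), toks[2:]
    if toks[0] == 'any':
        return '0.0.0.0/0', toks[1:]
    net, wild = toks[0], toks[1]
    # IOS ACLs use wildcard masks; invert each octet to get a netmask.
    mask = '.'.join(str(255 - int(o)) for o in wild.split('.'))
    return str(ipaddress.ip_network(f'{net}/{mask}', strict=False)), toks[2:]


def parse_ios_acl(text):
    """Return the set of (src, dst) selectors from an IOS extended ACL."""
    selectors = set()
    for line in text.splitlines():
        m = re.match(r'\s*(?:\d+\s+)?permit\s+ip\s+(.+)', line)
        if not m:
            continue
        src, rest = _ios_addr(m.group(1).split())
        dst, _ = _ios_addr(rest)
        selectors.add((src, dst))
    return selectors


def _asa_addr(toks, objects):
    """Consume one ASA operand: 'object NAME', 'host X', 'any'/'any4' or 'X MASK'."""
    if toks[0] == 'object':
        return objects[toks[1]], toks[2:]
    if toks[0] == 'host':
        return str(ipaddress.ip_network(toks[1])), toks[2:]
    if toks[0] in ('any', 'any4'):
        return '0.0.0.0/0', toks[1:]
    return str(ipaddress.ip_network(f'{toks[0]}/{toks[1]}', strict=False)), toks[2:]


def parse_asa(text, acl_name):
    """Resolve 'object network' definitions, then return (src, dst) selectors
    of the named ASA crypto ACL."""
    objects, current, selectors = {}, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'object network (\S+)$', line):
            current = m.group(1)
        elif current and (m := re.match(r'host (\S+)$', line)):
            objects[current] = str(ipaddress.ip_network(m.group(1)))
        elif current and (m := re.match(r'subnet (\S+) (\S+)$', line)):
            objects[current] = str(ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}', strict=False))
        elif m := re.match(rf'access-list {re.escape(acl_name)} extended permit ip (.+)', line):
            current = None
            src, rest = _asa_addr(m.group(1).split(), objects)
            dst, _ = _asa_addr(rest, objects)
            selectors.add((src, dst))
    return selectors


def compare_proxy_ids(ios_sel, asa_sel):
    """Every IOS (src, dst) must appear on the ASA as (dst, src) and vice versa;
    anything unmatched is a proxy-ID mismatch candidate."""
    asa_mirrored = {(d, s) for s, d in asa_sel}
    return {'ios_only': sorted(ios_sel - asa_mirrored),
            'asa_only': sorted(asa_mirrored - ios_sel)}


def scan_isakmp_debug(text):
    """Flag the Phase 2 symptom lines from 'debug crypto isakmp' output."""
    findings = []
    for line in text.splitlines():
        if 'proxy identities not supported' in line:
            findings.append('proxy-id mismatch: peer proposed selectors no local crypto ACE mirrors')
        elif 'phase 2 SA policy not acceptable' in line:
            findings.append('phase 2 rejected: compare transform sets and crypto ACLs on both peers')
    return findings


def run_check():
    """Run the mirror check on the samples and return the report."""
    report = compare_proxy_ids(parse_ios_acl(IOS_ACL), parse_asa(ASA_CONFIG, 'Outside_1_cryptomap'))
    report['debug'] = scan_isakmp_debug(IOS_DEBUG)
    return report


if __name__ == '__main__':
    for key, value in run_check().items():
        print(f'{key}: {value}')
```

The check is deliberately done on the translated address: because the ASA's NAT rule rewrites 192.168.202.2 to 10.66.101.10 before the crypto map is consulted, the ASA proposes 10.66.101.10 as its proxy ID, and the router's crypto ACL must name exactly that host. An ACE that still references the real address (or any other crypto map entry whose ACL overlaps the same hosts) shows up in "ios_only" and is the first thing to remove or narrow when the debug shows error 32.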
09-20-2011 03:50 AM
Hi,
Check what the proposals received on the IOS device are:
- 3DES
- SHA
- Tunnel mode
- PFS group 2
I would start there ;-)
M.
09-21-2011 02:57 AM
Hi,
The issue has been solved. It was the overlapping access-list on the router. After the access-list was removed, the issue was resolved.
Thanks for the help...