VPN OK on 1812 - not on 2811 !!!

Olivier Jessel
Level 1

Hi,

I'm losing my mind... I configured remote IPsec VPN client access on two 1812 routers. It works like a charm.

I took the same config and applied it on a 2811; it doesn't work... Error during IPsec phase 2.

I re-re-re-re-rechecked the config; it perfectly matches the config done on the 1812 (and I use the same template for 876, 1841, ...).

I tried 4 different IOS images: 12.2.24T3 Adventerprise, 12.2.15T13 Adventerprise and Advipservices, and also 12.2.25c Adventerprise. Nothing changes... still the same error...

I've applied this config on another 2811, same issue. Is there anything wrong with this model concerning IPsec VPN client config? Or should I use a specific IOS?

Thanks for sharing your experience,

Regards,

Olivier

Config is:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauth local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp client configuration group mmrouter008
 key xxxxxxxxxxxxxxxx
 domain xxxxxxx.com
 pool POOL_VPN
 acl 134
!
crypto isakmp profile mmrouter008
   match identity group mmrouter008
   client authentication list userauth
   isakmp authorization list groupauth
   client configuration address respond
!
crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 10
 set transform-set vpnuser_trans
 set isakmp-profile mmrouter008
 reverse-route
!
crypto map MAPPP 100 ipsec-isakmp dynamic mydynamicmap
!
int fa0/0
 crypto map MAPPP
!
ip local pool POOL_VPN 10.50.10.1 10.50.10.254
!
access-list 134 permit ip 192.168.71.0 0.0.0.255 10.50.10.0 0.0.0.255

CCIE #44658

4 Replies

Oliver,

Should work as you said.

What is the error specifically that you get regarding phase 2?

Federico.

Olivier Jessel
Level 1

Hi Federico,

Here is the log of the VPN connection. (debug cryp isakmp)

The error I can see is:

ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 195.243.171.112 remote 195.243.171.97)
ISAKMP: set new node -1712530148 to QM_IDLE
ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

Note that 195.243.171.112 is the VPN router.

It's just strange. I have used this config many times and it's the first time I have such a problem.

Olivier

CCIE #44658

Olivier Jessel
Level 1

wwooooo OK I found out the issue.

I have HSRP on the interface where the crypto map is applied.

The router replies with the physical IP address and not with the virtual IP address. Then IPSec phase 2 fails !

Does anyone know how to make both work together???

Thanks in advance

Olivier

CCIE #44658

OK, I finally fixed this HSRP+IPsec dynamic map config.

Now it works. I'm gonna test all of this when I configure the second HSRP router.

Thanks again for your help ;-)

++

Olivier

CCIE #44658
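The thread does not say which change fixed it. The config below is an added illustration, not the poster's own config, of the standard IOS way to tie a crypto map to an HSRP group so IKE and IPsec use the HSRP virtual address instead of the physical one, which is the mismatch the debug shows. The HSRP group number, the `VPN_HSRP` name, the virtual address and the subnet mask are assumed placeholders; only 195.243.171.112 and MAPPP come from the thread.

```cisco
! --- BEFORE (what the thread shows failing) ---
! The crypto map is bound to the interface without any HSRP binding.
! IKE answers from the physical address (195.243.171.112), but the
! client negotiates against the virtual address, so the quick-mode
! identities do not match and phase 2 ends in PROPOSAL_NOT_CHOSEN.
interface FastEthernet0/0
 ip address 195.243.171.112 255.255.255.240   ! mask is an assumption
 standby 1 ip 195.243.171.113                  ! virtual IP: placeholder
 standby 1 preempt
 crypto map MAPPP

! --- AFTER (crypto map bound to the HSRP group) ---
! Give the HSRP group a name and reference it from the crypto map with
! the "redundancy" keyword. IOS then sources ISAKMP/IPsec from the
! virtual address and the standby router stops answering for it.
interface FastEthernet0/0
 ip address 195.243.171.112 255.255.255.240   ! mask is an assumption
 standby 1 ip 195.243.171.113                  ! virtual IP: placeholder
 standby 1 name VPN_HSRP                       ! name is an assumption
 standby 1 preempt
 crypto map MAPPP redundancy VPN_HSRP

! The second HSRP router carries the identical crypto config (same
! isakmp profile, dynamic map, pool and ACL) and the same
! "crypto map MAPPP redundancy VPN_HSRP" line on its own physical IP.
! The VPN client's peer address must be the virtual IP, not .112.

! Checks after the change (commands exist in IOS; output not shown):
! show standby brief                -> group active, name VPN_HSRP
! show crypto isakmp sa             -> local address is the virtual IP
! show crypto ipsec sa | include local  -> local crypto endpt is the VIP
```

With RRI (`reverse-route`) on the dynamic map, the injected route for the client pool follows whichever router is HSRP active, so the second router needs the same dynamic map for failover to preserve reachability.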