09-02-2014 04:12 PM - edited 02-21-2020 07:48 PM
Folks,
I have two 1941 routers running 15.2 and I'm trying to set up a site-to-site VPN with digital signatures.
I can get to a phase 2 proposal (phase 1 gets to QM_IDLE), but the phase 2 proposal is rejected with the above error message.
Has anyone any good sample configs of a site-to-site VPN using 15.2?
My config is below.
It's mirrored on the remote end.
Can anyone help me out?
!
crypto isakmp policy 10
encr aes
group 5
lifetime 82800
!
!
crypto ipsec transform-set T-TRANSFORM esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile T-PROFILE
set transform-set T-TRANSFORM
set pfs group5
!
09-02-2014 10:42 PM
Hi,
Can you check your encryption domain, i.e. the local LAN subnet which you have used for the site-to-site?
Here is a sample site-to-site example:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
You can also refer to the sample config here:
hostname RTR1
!
crypto ikev2 proposal AES256-192-128-PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy IKEv2-Policy
proposal AES256-192-128-PROPOSAL
!
crypto ikev2 keyring VPN-KEYS
peer ASA1
address 10.0.0.2
pre-shared-key local MyKey1
pre-shared-key remote MyKey1
!
!
!
crypto ikev2 profile ASA1
match identity remote address 10.0.0.2 255.255.255.255
identity local address 10.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local VPN-KEYS
!
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map RTR1-ASA1 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set ESP-AES256-SHA
set ikev2-profile ASA1
match address VPN-TRAFFIC
!
!
!
!
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.252
speed auto
duplex auto
crypto map RTR1-ASA1
!
interface FastEthernet0/1
ip address 192.168.5.1 255.255.255.0
speed auto
duplex auto
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
ip access-list extended VPN-TRAFFIC
permit ip 192.168.5.0 0.0.0.255
Regards
Karthik
09-03-2014 03:52 PM
Karthik,
Many thanks for your help.
I found the issue: I had misconfigured the tunnel and was using the wrong interface as the source.
Thanks again.
04-05-2018 01:17 PM
Check the local-address command.
IPSEC(ipsec_process_proposal): invalid local address
Wrong interface set on the command below:
crypto map myMAP local-address Dialer0
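Both fixes reported in this thread (the OP's wrong tunnel source, and the crypto map local-address above) come down to the same check: the interface named as the IPsec source must exist in the config and carry an address. An added lint that runs that check over running-config text; it is a constructed example with made-up interface names and addresses, not the posters' configs or a Cisco tool.

```python
# Constructed lint (not a Cisco tool): flags a crypto map local-address or a VTI
# tunnel source that names an interface which cannot carry the IPsec traffic.
import re
def parse_interfaces(config):
    """Map each interface name to its stripped sub-command lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
            continue
        m = re.match(r"interface (\S+)$", raw)
        current = m.group(1) if m else None
        if current:
            interfaces[current] = []
    return interfaces

def interface_problem(name, interfaces):
    """Why 'name' cannot source IPsec traffic, or None if it looks usable."""
    lines = interfaces.get(name)
    if lines is None:
        return f"{name} is not a configured interface"
    if not any(l.startswith("ip address") for l in lines):
        return f"{name} has no IP address"
    return None

def check_ipsec_sources(config):
    """Findings for 'crypto map X local-address Y' and for VTI 'tunnel source'."""
    interfaces, findings = parse_interfaces(config), []
    for cmap, intf in re.findall(r"^crypto map (\S+) local-address (\S+)", config, re.M):
        if problem := interface_problem(intf, interfaces):
            findings.append(f"crypto map {cmap}: local-address {problem}")
    for name, lines in interfaces.items():  # VTI: its tunnel source must be usable too
        if any(l.startswith("tunnel protection ipsec profile") for l in lines):
            src = next((l.split()[2] for l in lines if l.startswith("tunnel source ")), None)
            if src and not re.match(r"\d+\.\d+\.\d+\.\d+$", src):  # a name, not an IP
                if problem := interface_problem(src, interfaces):
                    findings.append(f"{name}: tunnel source {problem}")
    return findings
# Constructed sample: Dialer0 has no address; the peer is reached via Gi0/0.
BAD_CONFIG = """interface Dialer0
 no ip address
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.252
interface Tunnel0
 tunnel source Dialer0
 tunnel protection ipsec profile T-PROFILE
crypto map myMAP local-address Dialer0
"""
GOOD_CONFIG = BAD_CONFIG.replace("source Dialer0", "source GigabitEthernet0/0").replace(
    "address Dialer0", "address GigabitEthernet0/0")
```

Run it against the output of `show running-config` saved to a file; an empty result means every IPsec source interface in the config exists and has an address.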
02-29-2024 08:01 PM
My gawd man! Been having the same issue all day; as soon as I read this note, I checked and I was using the wrong interface as the source! Thanks!!