09-06-2005 11:03 AM - edited 02-21-2020 01:56 PM
Pretty simple config Contivity <-> 7200.
Phase 1 completes with no issue; all Contivity connections fail in the same fashion (see attachment).
Traffic initiated by Contivity: no ACL matches, and the proper remote and local proxies are identified. The end result is the error "IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address c.c.c.c", which looks like an ACL issue.
Traffic initiated by 7200: ACL matches with no issue.
***********config below*************
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 4
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address b.b.b.b
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set encrypt-traffic-des esp-des esp-md5-hmac
crypto ipsec transform-set encrypt-traffic-3des esp-3des esp-md5-hmac
crypto ipsec transform-set encrypt-traffic-3des-sha esp-3des esp-sha-hmac
!
crypto map test local-address FastEthernet2/0
********multiple other sequence numbers for other connections***************
crypto map test 70 ipsec-isakmp
description ----------- test -----------
set peer b.b.b.b
set security-association lifetime seconds 28800
! (lifetime set to match the Contivity default of 8 hours)
set transform-set encrypt-traffic-3des-sha
match address test_acl
!
!
interface FastEthernet2/0
description Internet Facing Interface
ip address c.c.c.c 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex full
crypto map test
!
!
ip route a.a.a.a 255.255.255.255 c.c.c.65
ip route b.b.b.b 255.255.255.255 c.c.c.65
!
ip nat inside source route-map nonat interface FastEthernet2/0 overload
!
!
ip access-list extended test_acl
permit icmp host d.d.d.d host a.a.a.a
!
access-list 150 remark identifies which traffic NOT to NAT
access-list 150 deny icmp host d.d.d.d host a.a.a.a
!
route-map nonat permit 10
match ip address 150
!
WHERE:
a.a.a.a = host address on far side of Contivity
b.b.b.b = Contivity IPSec Tunnel end point
c.c.c.c = 7200 IPsec Tunnel end point
d.d.d.d = host address on far side of 7200
Any suggestions/help would be greatly appreciated. Thank you.
09-11-2005 11:29 PM
Hi,
As far as I understand from your post, you are going wrong in specifying the interesting traffic using the ACL.
You have mentioned d.d.d.d as your remote-side 7200 LAN, but in the named ACL test_acl you are making it the source address.
Can you confirm what your local LAN address configured in this router is?
If you take that as z.z.z.z, then change the ACL (test_acl) to permit icmp host z.z.z.z host d.d.d.d.
If you still need more info on this, do revert...
Regards
09-12-2005 03:19 AM
spremkumar, thank you for your suggestion. I have actually figured out what the problem was. It was a rookie mistake: in one of the previous sequence numbers (with a different transform set) I unfortunately matched traffic on the ACL associated with it. As soon as it was removed, things worked as they should.
Thank you for your response.
09-19-2005 03:26 PM
Hi,
I have what appears to be a similar problem to yours. I have an IOS-based ISR router in a LAN-to-LAN tunnel with a Nortel Contivity switch. When I initiate traffic from a host on the private side of the IOS router, the tunnel comes up fine, but when idle, the tunnel will not become active when a host on the private side of the Contivity switch generates ping traffic.
Notice that I have several VPN groups configured also and that the ACL mapped to the LAN to LAN tunnel is ACL 199.
TIA,
Amir
09-19-2005 04:15 PM
I took a quick look at your config and I noticed you don't match icmp traffic in your ACLs. You indicate that the private side client generates ping traffic which does not bring up the tunnel. Try sending some IP traffic and watch the ACL counters.
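Both failures in this thread come down to how IOS walks a crypto map: for a given flow it takes the lowest sequence number whose `match address` ACL permits the flow, so an earlier entry with a broad ACL silently captures traffic meant for a later entry (the original poster's root cause), and a flow that no ACL permits at all never triggers the tunnel (the ICMP case in the last reply). The script below is an added example, not code from the thread or from Cisco: it parses a constructed, trimmed config in the same layout as the one posted (named extended ACLs, `crypto map <name> <seq> ipsec-isakmp` entries, with a hypothetical sequence 60 and a hypothetical ACL `acl199` that permits only TCP) and reports, for a proxy pair, which sequences match and whether the intended peer's entry is shadowed. It assumes IPv4, `permit`/`deny` ACEs of the form `proto src dst`, and ignores port qualifiers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config modelled on the thread's layout, with private
# addresses substituted for the a.a.a.a / d.d.d.d placeholders. Sequence 60 is a
# hypothetical earlier entry whose broad "permit ip" ACL also covers the ICMP
# flow that sequence 70 is meant to carry; sequence 80 has a TCP-only ACL.
SAMPLE_CONFIG = """
crypto map test 60 ipsec-isakmp
 set peer 198.51.100.9
 set transform-set encrypt-traffic-3des
 match address other_acl
crypto map test 70 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set encrypt-traffic-3des-sha
 match address test_acl
crypto map test 80 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set encrypt-traffic-3des-sha
 match address acl199
!
ip access-list extended other_acl
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
ip access-list extended test_acl
 permit icmp host 10.1.1.10 host 10.2.2.20
ip access-list extended acl199
 permit tcp 10.1.3.0 0.0.0.255 10.3.0.0 0.0.255.255
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class CryptoEntry:
    name: str
    seq: int
    peer: Optional[str] = None
    acl: Optional[str] = None


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec ('any', 'host X' or 'X wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_config(text: str) -> Tuple[Dict[str, List[CryptoEntry]], Dict[str, List[Ace]]]:
    """Collect crypto map entries (sorted by sequence) and named extended ACLs."""
    maps: Dict[str, List[CryptoEntry]] = {}
    acls: Dict[str, List[Ace]] = {}
    current = None  # the CryptoEntry or ACE list that indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            current = CryptoEntry(m.group(1), int(m.group(2)))
            maps.setdefault(m.group(1), []).append(current)
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        if isinstance(current, CryptoEntry):
            if line.startswith("set peer "):
                current.peer = line.split()[2]
            elif line.startswith("match address "):
                current.acl = line.split()[2]
        elif isinstance(current, list):
            tokens = line.split()
            if tokens[0] in ("permit", "deny"):
                src, rest = _parse_addr(tokens[2:])
                dst, _ = _parse_addr(rest)  # port qualifiers after dst are ignored
                current.append(Ace(tokens[0], tokens[1], src, dst))
    for entries in maps.values():
        entries.sort(key=lambda e: e.seq)
    return maps, acls


def acl_permits(aces: List[Ace], proto: str, src, dst) -> bool:
    """First matching ACE decides; no match means the implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and src in ace.src and dst in ace.dst:
            return ace.action == "permit"
    return False


def matching_sequences(maps, acls, map_name: str, proto: str, src: str, dst: str) -> List[int]:
    """Every sequence whose ACL permits the flow, lowest first; IOS uses the first one."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e.seq for e in maps[map_name] if e.acl and acl_permits(acls.get(e.acl, []), proto, s, d)]


def diagnose(maps, acls, map_name: str, intended_peer: str, proto: str, src: str, dst: str) -> str:
    seqs = matching_sequences(maps, acls, map_name, proto, src, dst)
    if not seqs:
        return "no match: no crypto map ACL permits this flow, so no SA will be negotiated"
    winner = next(e for e in maps[map_name] if e.seq == seqs[0])
    if winner.peer != intended_peer:
        return f"shadowed: sequence {winner.seq} (peer {winner.peer}) captures the flow first; later matches {seqs[1:]} are never used"
    return f"ok: sequence {winner.seq} sends the flow to {winner.peer}"


if __name__ == "__main__":
    maps, acls = parse_config(SAMPLE_CONFIG)
    print(diagnose(maps, acls, "test", "198.51.100.1", "icmp", "10.1.1.10", "10.2.2.20"))
    print(diagnose(maps, acls, "test", "203.0.113.5", "icmp", "10.1.3.7", "10.3.0.9"))
```

Run against the sample, the first call reports that the ICMP flow for sequence 70 is captured by sequence 60, and the second reports that ICMP between the `acl199` networks matches nothing at all because that ACL only permits TCP, which is what the ACL counters on the router would also show.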