VPN tunnel created, but logging indicates peer as another tunnel endpoint

matt.austin
Level 1

I have a number of L2L tunnels on my Concentrator. Some of them use the same IKE proposal, and others don't. When setting one up today, I received:

Tunnel Rejected: IKE peer does not match remote peer as defined in L2L policy

IKE peer address: *.*.*.*, Remote peer address: *.*.*.*

41517 07/02/2004 14:02:41.870 SEV=4 IKEDBG/0 RPT=1655

QM FSM error (P2 struct &0x6bae390, mess id 0xdf98d8f7)!

The tunnel is looking at another already established tunnel endpoint. The SAs are different and the IKE proposals are different as well, in addition to everything else! Anyone know what is happening here? I was unable to find anything on the Cisco website, or on Google, except other people receiving similar errors. Any help is appreciated.

In addition, there is traffic being passed through the tunnel successfully.

Thanks,

M.A.

6 Replies

forsudhaji
Level 1

Can you please post your config for us to check? Also please ensure that you have given the correct peer IP address for this IPSec tunnel.

Please let me know.

Sudha.

Hello,

Is there a solution or an explanation for this issue? I think I am running into a similar problem: I have a working L2L connection, but whenever I add a second one I get the error message "Tunnel Rejected...." and my first L2L connection seems to use the other tunnel endpoint.

Please let me know.

Stefan

Stefan,

What type of IP addressing are you using? Also, do your network lists overlap, or include their tunnel endpoint address?

I think it was a combination of revising my Network Lists. Some of my peers use the same addresses, such as 10. private, but when I became more specific on what actual addresses were allowed, the problem seemed to disappear. Let me know if looking into this helps. I also spent a considerable amount of time looking at the IKE Proposal and what DH we were using with some peers. Look for anything that seems to be identical between the 2 sites, starting with Network Lists...

~Matt
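As an added illustration (not part of this thread, and not a Cisco or Concentrator tool), the check Matt describes can be scripted: given each L2L tunnel's peer endpoint and its network list, flag networks that overlap across tunnels and peer endpoints that fall inside any tunnel's network list. The tunnel names and addresses below are constructed sample data using documentation address ranges, not a real configuration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (documentation-range addresses, not a real config):
# tunnel name -> (peer endpoint address, remote network list as CIDR strings)
TUNNELS = {
    "L2L-siteA": ("198.51.100.10", ["10.0.0.0/8"]),
    "L2L-siteB": ("203.0.113.20", ["10.20.0.0/16", "203.0.113.0/24"]),
    "L2L-siteC": ("192.0.2.30", ["172.16.5.0/24"]),
}


def parse_tunnels(tunnels):
    """Convert the string form into ipaddress objects, validating each entry."""
    parsed = {}
    for name, (peer, nets) in tunnels.items():
        parsed[name] = (
            ipaddress.ip_address(peer),
            [ipaddress.ip_network(n, strict=True) for n in nets],
        )
    return parsed


def find_overlaps(tunnels):
    """Report pairs of networks from different tunnels that overlap.

    Overlapping network lists are the failure mode discussed in the thread:
    the concentrator can match traffic (and the peer) to the wrong L2L policy.
    Returns (tunnel_a, network_a, tunnel_b, network_b) tuples as strings.
    """
    parsed = parse_tunnels(tunnels)
    hits = []
    for (name_a, (_, nets_a)), (name_b, (_, nets_b)) in combinations(parsed.items(), 2):
        for net_a in nets_a:
            for net_b in nets_b:
                if net_a.overlaps(net_b):
                    hits.append((name_a, str(net_a), name_b, str(net_b)))
    return hits


def find_peers_in_lists(tunnels):
    """Report tunnel peer endpoints that fall inside any tunnel's network list.

    Matt's final tip is to exclude the far-side peer address from the network
    list; this finds every such inclusion, whether in the tunnel's own list
    or in another tunnel's. Returns (peer_tunnel, peer_ip, list_tunnel, network).
    """
    parsed = parse_tunnels(tunnels)
    hits = []
    for peer_name, (peer_ip, _) in parsed.items():
        for list_name, (_, nets) in parsed.items():
            for net in nets:
                if peer_ip in net:
                    hits.append((peer_name, str(peer_ip), list_name, str(net)))
    return hits


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(TUNNELS):
        print(f"OVERLAP: {a} {na} <-> {b} {nb}")
    for p, ip, t, net in find_peers_in_lists(TUNNELS):
        print(f"PEER IN LIST: peer {ip} of {p} is inside {net} of {t}")
```

Run against an export of your own network lists, a clean result for both functions is what you want before suspecting IKE proposals or DH groups, which is the order Matt worked through.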

Hello Matt,

Thanks for your reply. My remote networks use different networks: one public 80.x.x.x address as peer (also used for NAT of the remote network) and one 62.x.x.x address as peer (with just a 200.200.200.1 loopback address for test purposes as the remote network). So there is no overlap at the peer addresses or the remote networks. Locally I use the same network. According to your explanation it seems to me that I have a different problem.

Regards,

Stefan

matt.austin
Level 1

Try altering your Network List to exclude the tunnel peer address on the other side. This can be cumbersome, but it may be what I did to make it work...

Hello Matt, with your information I could solve my problem. I had a deeper look into my config and found an overlap in two network lists (which I used for the L2L connections). After removing the overlap it works. Thanks for your help.