07-15-2022 04:57 AM
Hello, I have one issue about site-to-site VPN.
Phase 1 works fine: x.x.x.x x.x.x.x QM_IDLE 1006 ACTIVE
There is a problem in phase 2; everything matches, including the ACL and the phase 1 and 2 proposals.
Every tunnel with IPsec works fine; the problem is with crypto maps.
Here is the "debug crypto ipsec" output:
(key eng. msg.) OUTBOUND local= x.x.x.x:500, remote= x.x.x.x:500,
local_proxy= x.x.x.x/255.255.255.0/256/0,
remote_proxy= x.x.x.x/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 15 12:46:32.988: IPSEC(validate_proposal_request): proposal part #1
*Jul 15 12:46:32.988: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= x.x.x.x:0, remote= x.x.x.x:0,
local_proxy= x.x.x.x/255.255.255.0/256/0,
remote_proxy= x.x.x.x/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 15 12:46:32.988: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
Here is the "show crypto ipsec sa" output:
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 40, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
Any idea?
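A small triage helper for the debug output above, added here as an example (it is not from the original post or from Cisco). It parses the INBOUND "key eng. msg." block from "debug crypto ipsec", compares the peer's proxy identities and transform against the crypto-map entry we expect to match, and reports what does not line up. The sample debug text and the LOCAL_POLICY values are constructed to mirror the thread (addresses are RFC 5737 test ranges, not the poster's); the policy dict is an assumption standing in for the crypto ACL and transform-set.

```python
import re

# Constructed sample, modelled on the thread's "debug crypto ipsec" output
# (addresses replaced with RFC 5737 test ranges).
DEBUG_SAMPLE = """\
*Jul 15 12:46:32.988: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 198.51.100.1:0, remote= 203.0.113.10:0,
    local_proxy= 192.168.0.0/255.255.255.0/256/0,
    remote_proxy= 10.20.30.40/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jul 15 12:46:32.988: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
"""

# Assumed local crypto-map entry: what "match address cloud" and "set transform-set cloud9"
# would express on our side (constructed for this example).
LOCAL_POLICY = {
    "local_net": ("192.168.0.0", "255.255.255.0"),
    "remote_net": ("10.20.30.40", "255.255.255.255"),
    "transforms": {"esp-aes", "esp-sha-hmac"},
}

PROXY_RE = re.compile(r"(local_proxy|remote_proxy)=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)")
TRANSFORM_RE = re.compile(r"transform=\s*([^(]+)\(")
REJECT_RE = re.compile(r"transform proposal not supported for identity")


def parse_proposal(text):
    """Extract proxy identities, transform names and the reject marker from debug lines."""
    proposal = {"proxies": {}, "transforms": set(), "rejected": False}
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            # (address, mask, protocol, port) as printed by IOS
            proposal["proxies"][m.group(1)] = (m.group(2), m.group(3),
                                               int(m.group(4)), int(m.group(5)))
        m = TRANSFORM_RE.search(line)
        if m:
            proposal["transforms"] = set(m.group(1).split())
        if REJECT_RE.search(line):
            proposal["rejected"] = True
    return proposal


def triage(proposal, policy):
    """Compare the peer's proposal with the crypto-map entry we expect it to hit."""
    findings = []
    lp = proposal["proxies"].get("local_proxy")
    rp = proposal["proxies"].get("remote_proxy")
    if lp is None or rp is None:
        return ["no proxy identities found in debug output"]
    # The crypto ACL on each side must mirror the other: our source is the peer's destination.
    if lp[:2] != policy["local_net"]:
        findings.append(f"local proxy {lp[0]}/{lp[1]} does not match crypto ACL source "
                        f"{policy['local_net'][0]}/{policy['local_net'][1]}")
    if rp[:2] != policy["remote_net"]:
        findings.append(f"remote proxy {rp[0]}/{rp[1]} does not match crypto ACL destination "
                        f"{policy['remote_net'][0]}/{policy['remote_net'][1]}")
    if proposal["transforms"] != policy["transforms"]:
        findings.append(f"transform {sorted(proposal['transforms'])} differs from "
                        f"transform-set {sorted(policy['transforms'])}")
    if proposal["rejected"] and not findings:
        # Proxies and transform agree with this entry, yet IOS still rejected the proposal:
        # the negotiation is probably being evaluated against a different crypto-map entry
        # (for example a dynamic map), which is the situation the thread ends up in.
        findings.append("proposal rejected although proxies and transform match this entry; "
                        "check whether another crypto-map entry (e.g. a dynamic map) is "
                        "being matched first")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_proposal(DEBUG_SAMPLE), LOCAL_POLICY):
        print("-", finding)
```

Paste the real debug block into DEBUG_SAMPLE and adjust LOCAL_POLICY to the actual crypto ACL and transform-set; an empty findings list plus a reject line is the signal to look beyond this single crypto-map entry.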
07-15-2022 05:20 AM
Hi, please send running configs to make sure everyone knows what they are trying to troubleshoot.
Thanks.
07-15-2022 05:33 AM
crypto isakmp policy 18
encr aes
authentication pre-share
lifetime 3600
group 2
crypto isakmp key x.x.x.x address x.x.x.x no-xauth
crypto ipsec transform-set cloud9 esp-aes esp-sha-hmac
mode tunnel
crypto map CRYPTO 17 ipsec-isakmp
set peer x.x.x.x
set transform-set cloud9
match address cloud
ip access-list extended cloud
permit ip (local subnet) host (remote host)
07-15-2022 05:34 AM
On the other site it is the same config.
07-15-2022 08:33 AM
Same config here is the issue.
The ACL must be mirrored on the other side, not the same.
07-15-2022 11:59 PM
On the other side the ACL is mirrored.
07-16-2022 09:00 AM
Phase 2 fails if:
1- the ID is wrong.
The ID is what you configure in set peer; if the crypto map is configured under an interface that is not used as the set peer, then phase 2 fails.
If you configure the crypto map under an interface but there is NAT to a public IP that is reachable via the peer, then the misconfiguration leads to phase 2 failing.
2- the SA proposal is different on both sides, or one side does not support some proposal; usually this can be a bug.
Share debug crypto here to check the second point.
07-17-2022 08:17 AM
Also, I have EZ-VPN on the router and it works fine; maybe something is wrong with that?
07-17-2022 08:32 AM - edited 07-17-2022 08:32 AM
EZ-VPN with S2S VPN?
You use one interface for both VPNs,
ok
Configure one crypto map:
Seq 1 for the dynamic VPN of EZ
Seq 2 for the S2S VPN
07-17-2022 08:56 AM
Crypto Map IPv4 "CRYPTO" 1 ipsec-isakmp
Dynamic map template tag: d-map
Crypto Map IPv4 "CRYPTO" 2 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list cloud
access-list cloud permit ip 192.168.0.0 0.0.0.255 host x.x.x.x
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
cloud9: { esp-aes esp-sha-hmac } ,
}
07-17-2022 09:17 AM
Adding Easy VPN makes the issue clear:
the router receives IPsec and cannot classify whether it is S2S or Easy VPN.
Cisco has a doc for this case; please see the link below.
You need to configure an ISAKMP profile for Easy VPN.
https://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80267995.html
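An added example of what the accepted answer describes, written here for illustration rather than taken from the poster's running config or from the Cisco paper: each VPN type gets its own ISAKMP profile, so that an incoming IKE negotiation from the S2S peer is matched by its address and bound to sequence 2, while Easy VPN clients are matched by their group name and bound to the dynamic map at sequence 1. The crypto map name CRYPTO, the dynamic map d-map, the transform-set cloud9 and the ACL cloud come from the thread; the keyring and profile names (KR-S2S, ISAKMP-S2S, ISAKMP-EZVPN), the group, pool and AAA list names (EZGROUP, EZPOOL, EZ-AUTHEN, EZ-AUTHOR), the peer address 203.0.113.10 and the address pool are assumptions, and the keys are placeholders. The existing global ISAKMP policy is kept; the S2S pre-shared key moves from the global "crypto isakmp key" line into a keyring referenced by the S2S profile.

```cisco
! --- Site-to-site side: key the peer by address and bind it to its own ISAKMP profile
crypto keyring KR-S2S
 pre-shared-key address 203.0.113.10 key <S2S-PSK-PLACEHOLDER>
!
crypto isakmp profile ISAKMP-S2S
 keyring KR-S2S
 match identity address 203.0.113.10 255.255.255.255
!
! --- Easy VPN side: clients identify by group name, so match on the group instead
aaa new-model
aaa authentication login EZ-AUTHEN local
aaa authorization network EZ-AUTHOR local
!
ip local pool EZPOOL 10.10.10.1 10.10.10.50
!
crypto isakmp client configuration group EZGROUP
 key <GROUP-KEY-PLACEHOLDER>
 pool EZPOOL
!
crypto isakmp profile ISAKMP-EZVPN
 match identity group EZGROUP
 client authentication list EZ-AUTHEN
 isakmp authorization list EZ-AUTHOR
 client configuration address respond
!
! --- One crypto map, two sequences, each tied to the profile that classifies its peers
crypto dynamic-map d-map 10
 set transform-set cloud9
 set isakmp-profile ISAKMP-EZVPN
 reverse-route
!
crypto map CRYPTO 1 ipsec-isakmp dynamic d-map
crypto map CRYPTO 2 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set cloud9
 set isakmp-profile ISAKMP-S2S
 match address cloud
```

With the profiles in place, "show crypto isakmp sa" should still show QM_IDLE for the S2S peer, and "show crypto ipsec sa" for the cloud ACL should now show a non-zero outbound SPI and the #pkts encaps counter climbing instead of #send errors.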
07-20-2022 04:35 AM
Thanks, I did it, everything works fine now.
07-20-2022 04:56 AM
You are so so welcome
07-16-2022 08:26 AM
It looks like you did not configure the NAT exemption for this flow? If that is the case, please configure the NAT exemption and hopefully that will fix the issue.