09-10-2012 03:26 PM
Hi,
I'm trying to set up a site-to-site VPN between a Cisco 3925 and a pfSense firewall. Phase 1 is up, but when it tries to initiate phase 2 I get an error at the pfSense firewall that says the networks in the SA are not configured correctly.
As far as I know, on the Cisco router, which is configured with a VTI, I'm not supposed to set up a local network and a remote network; it simply encrypts everything that goes into the tunnel.
How am I supposed to configure the second FW? I tried all the options, including establishing the tunnel from the far side. Without encryption everything works fine with a generic tunnel.
This is my configuration on the Cisco:
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXX address PEER-IP-ADDRESS
crypto ipsec transform-set YYYYY esp-aes 256 esp-sha-hmac
crypto ipsec profile ABCD
 set transform-set YYYYY
interface tunnel201
 description *******************
 ip address 1.1.1.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1400
 ip flow ingress
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source MY IP ADDRESS
 tunnel destination PEER IP ADDRESS
 tunnel protection ipsec profile ABCD
ip route REMOTE-LAN REMOTE-SUBNET tunnel 201
09-14-2012 04:44 AM
It depends on the implementation of this 3rd party device. I had the impression we were protecting a tunnel interface.
It seems your box places the crypto map on the public interface.
Possibly you can reach the management interface via the tunnel interface. If not, you should revert the config.
It seems the crypto map config is the only way.
09-10-2012 03:40 PM
Hi,
VTI is not supported with 3rd party devices.
I would suggest a LAN-to-LAN with a crypto map instead.
Thanks.
Please rate any post you found helpful.
09-10-2012 10:05 PM
Hey Izik,
According to the configuration of tunnel201, you are doing IPsec over GRE.
The other side's proxy-id should be:
Peer IP address to My IP address for IP protocol 47 [GRE]
Cheers,
09-11-2012 12:59 AM
Thanks for the reply.
I tried configuring that proxy-id, and it still doesn't work.
Should I configure a GRE tunnel on the other side? Can you write all the steps that you think I should configure on the other side?
Javier, are you sure it will not work with any configuration?
If I have a hub-and-spoke topology, how can I configure LAN-to-LAN with a crypto map for each site-to-site link?
Thanks,
Izik
09-11-2012 01:32 AM
Yes, you need a gre tunnel on the other side. Is the third party device able to do so?
09-11-2012 02:03 AM
Yes, I configured the GRE tunnel and it works fine, but when I add the IPsec it stops working, and the logs say there is a problem with the proxy-id (phase 1 is up, phase 2 is down).
Thanks,
Izik
09-11-2012 02:14 AM
Can you provide the output of debug crypto ipsec?
09-11-2012 02:35 AM
This is the relevant IPsec output:
Sep 10 20:58:29.698: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.1:0, remote=2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1)
Sep 10 20:58:29.698: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 10 20:58:29.698: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.1:0, remote= 2.2.2.2:0,
local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1)
Sep 10 20:58:29.698: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 1.1.1.1:500, remote= 2.2.2.2:500,
local_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
remote_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Maybe I should configure tunnel mode ipsec on the Cisco?
I didn't understand how the GRE tunnel is combined with the IPsec on the other firewall.
09-11-2012 04:21 AM
So it seems the other side does not reply.
Can I get debug crypto isakmp + debug crypto ipsec?
thanks
09-11-2012 07:52 AM
my lan - 10.200.0.0/16
my wan - 2.2.2.2
remote lan - 10.203.79.128/25
remote wan - 1.1.1.1
Sep 11 14:44:42.335: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (N) NEW SA
Sep 11 14:44:42.335: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
Sep 11 14:44:42.335: ISAKMP: New peer created peer = 0x1F902F7C peer_handle = 0x8004040C
Sep 11 14:44:42.335: ISAKMP: Locking peer struct 0x1F902F7C, refcount 1 for crypto_isakmp_process_block
Sep 11 14:44:42.335: ISAKMP: local port 500, remote port 500
Sep 11 14:44:42.335: ISAKMP:(0):insert sa successfully sa = 1F9A0E5C
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Sep 11 14:44:42.335: ISAKMP:(0): processing SA payload. message ID = 0
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): processing IKE frag vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0):Support for IKE Fragmentation not enabled
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): vendor ID is DPD
Sep 11 14:44:42.335: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
Sep 11 14:44:42.335: ISAKMP:(0): local preshared key found
Sep 11 14:44:42.335: ISAKMP : Scanning profiles for xauth ...
Sep 11 14:44:42.335: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Sep 11 14:44:42.335: ISAKMP: life type in seconds
Sep 11 14:44:42.335: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Sep 11 14:44:42.335: ISAKMP: encryption AES-CBC
Sep 11 14:44:42.335: ISAKMP: keylength of 256
Sep 11 14:44:42.335: ISAKMP: auth pre-share
Sep 11 14:44:42.335: ISAKMP: hash SHA
Sep 11 14:44:42.335: ISAKMP: default group 5
Sep 11 14:44:42.335: ISAKMP:(0):atts are acceptable. Next payload is 0
Sep 11 14:44:42.335: ISAKMP:(0):Acceptable atts:actual life: 0
Sep 11 14:44:42.335: ISAKMP:(0):Acceptable atts:life: 0
Sep 11 14:44:42.335: ISAKMP:(0):Fill atts in sa vpi_length:4
Sep 11 14:44:42.335: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Sep 11 14:44:42.335: ISAKMP:(0):Returning Actual lifetime: 86400
Sep 11 14:44:42.335: ISAKMP:(0)::Started lifetime timer: 86400.
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): processing IKE frag vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0):Support for IKE Fragmentation not enabled
RTR3925-Core-VPN-B#
Sep 11 14:44:42.335: ISAKMP:(0): processing vendor id payload
Sep 11 14:44:42.335: ISAKMP:(0): vendor ID is DPD
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Sep 11 14:44:42.335: ISAKMP:(0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
Sep 11 14:44:42.335: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.335: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.335: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
Sep 11 14:44:42.345: ISAKMP (0): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_SA_SETUP
Sep 11 14:44:42.345: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.345: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
Sep 11 14:44:42.345: ISAKMP:(0): processing KE payload. message ID = 0
Sep 11 14:44:42.355: ISAKMP:(0): processing NONCE payload. message ID = 0
Sep 11 14:44:42.355: ISAKMP:(0):found peer pre-shared key matching 1.1.1.1
Sep 11 14:44:42.355: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.355: ISAKMP:(11197):Old State = IKE_R_MM3 New State = IKE_R_MM3
Sep 11 14:44:42.355: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 11 14:44:42.355: ISAKMP:(11197):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.355: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.355: ISAKMP:(11197):Old State = IKE_R_MM3 New State = IKE_R_MM4
Sep 11 14:44:42.365: ISAKMP (11197): received packet from 1.1.1.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM4 New State = IKE_R_MM5
Sep 11 14:44:42.365: ISAKMP:(11197): processing ID payload. message ID = 0
Sep 11 14:44:42.365: ISAKMP (11197): ID payload
next-payload : 8
type : 1
address : 1.1.1.1
protocol : 17
port : 500
length : 12
Sep 11 14:44:42.365: ISAKMP:(0):: peer matches *none* of the profiles
Sep 11 14:44:42.365: ISAKMP:(11197): processing HASH payload. message ID = 0
Sep 11 14:44:42.365: ISAKMP:(11197):SA authentication status:
authenticated
Sep 11 14:44:42.365: ISAKMP:(11197):SA has been authenticated with 1.1.1.1
Sep 11 14:44:42.365: ISAKMP: Trying to insert a peer 2.2.2.2/1.1.1.1/500/, and inserted successfully 1F902F7C.
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM5 New State = IKE_R_MM5
Sep 11 14:44:42.365: ISAKMP:(11197):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Sep 11 14:44:42.365: ISAKMP (11197): ID payload
next-payload : 8
type : 1
address : 2.2.2.2
protocol : 17
port : 500
length : 12
Sep 11 14:44:42.365: ISAKMP:(11197):Total payload length: 12
Sep 11 14:44:42.365: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Sep 11 14:44:42.365: ISAKMP:(11197):Sending an IKE IPv4 Packet.
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
Sep 11 14:44:42.365: ISAKMP:(11197):IKE_DPD is enabled, initializing timers
Sep 11 14:44:42.365: ISAKMP:(11197):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Sep 11 14:44:42.365: ISAKMP:(11197):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Sep 11 14:44:43.347: ISAKMP (11197): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Sep 11 14:44:43.347: ISAKMP: set new node -2008173544 to QM_IDLE
Sep 11 14:44:43.347: ISAKMP:(11197): processing HASH payload. message ID = -2008173544
Sep 11 14:44:43.347: ISAKMP:(11197): processing SA payload. message ID = -2008173544
Sep 11 14:44:43.347: ISAKMP:(11197):Checking IPSec proposal 1
Sep 11 14:44:43.347: ISAKMP: transform 1, ESP_AES
Sep 11 14:44:43.347: ISAKMP: attributes in transform:
Sep 11 14:44:43.347: ISAKMP: SA life type in seconds
Sep 11 14:44:43.347: ISAKMP: SA life duration (basic) of 3600
Sep 11 14:44:43.347: ISAKMP: encaps is 1 (Tunnel)
Sep 11 14:44:43.347: ISAKMP: key length is 256
Sep 11 14:44:43.347: ISAKMP: authenticator is HMAC-SHA
Sep 11 14:44:43.347: ISAKMP:(11197):atts are acceptable.
Sep 11 14:44:43.347: IPSEC(validate_proposal_request): proposal part #1
Sep 11 14:44:43.347: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: map_db_find_best did not find matching map
Sep 11 14:44:43.347: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 11 14:44:43.347: ISAKMP:(11197): IPSec policy invalidated proposal with error 32
Sep 11 14:44:43.347: ISAKMP:(11197): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
Sep 11 14:44:43.347: ISAKMP: set new node -2097135378 to QM_IDLE
Sep 11 14:44:43.347: ISAKMP:(11197):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 503509244, message ID = -2097135378
Sep 11 14:44:43.347: ISAKMP:(11197): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Sep 11 14:44:43.347: ISAKMP:(11197):Sending an IKE IPv4 Packet.
RTR3925-Core-VPN-B#
Sep 11 14:44:43.347: ISAKMP:(11197):purging node -2097135378
Sep 11 14:44:43.347: ISAKMP:(11197):deleting node -2008173544 error TRUE reason "QM rejected"
Sep 11 14:44:43.347: ISAKMP:(11197):Node -2008173544, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 11 14:44:43.347: ISAKMP:(11197):Old State = IKE_QM_READY New State = IKE_QM_READY
RTR3925-Core-VPN-B#
Sep 11 14:44:48.480: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 11 14:44:48.480: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 11 14:44:48.480: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
09-11-2012 08:32 AM
That's expected.
You've configured the Cisco router to protect GRE over IPsec.
The other side sends
local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),
You should send
local_proxy= 2.2.2.2 protocol 47
remote_proxy= 1.1.1.1 protocol 47
09-12-2012 12:41 AM
OK, I changed it. Now in the logs I get this (these are the logs from the remote firewall):
[]: [2.2.2.2] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
And this is the debug from the Cisco:
Sep 12 07:30:19.375: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Sep 12 07:30:19.375: ISAKMP: set new node -1972890756 to QM_IDLE
Sep 12 07:30:19.375: ISAKMP:(11220): processing HASH payload. message ID = -1972890756
Sep 12 07:30:19.375: ISAKMP:(11220): processing SA payload. message ID = -1972890756
Sep 12 07:30:19.375: ISAKMP:(11220):Checking IPSec proposal 1
Sep 12 07:30:19.375: ISAKMP: transform 1, ESP_AES
Sep 12 07:30:19.375: ISAKMP: attributes in transform:
Sep 12 07:30:19.375: ISAKMP: SA life type in seconds
Sep 12 07:30:19.375: ISAKMP: SA life duration (basic) of 3600
Sep 12 07:30:19.375: ISAKMP: encaps is 1 (Tunnel)
Sep 12 07:30:19.375: ISAKMP: key length is 256
Sep 12 07:30:19.377: ISAKMP: authenticator is HMAC-SHA
Sep 12 07:30:19.377: ISAKMP:(11220):atts are acceptable.
Sep 12 07:30:19.377: IPSEC(validate_proposal_request): proposal part #1
Sep 12 07:30:19.377: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 2.2.2.2:0, remote= 1.1.1.1:0,
local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: map_db_find_best did not find matching map
Sep 12 07:30:19.377: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 12 07:30:19.377: ISAKMP:(11220): IPSec policy invalidated proposal with error 32
Sep 12 07:30:19.377: ISAKMP:(11220): phase 2 SA policy not acceptable! (local 2.2.2.2 remote 1.1.1.1)
Sep 12 07:30:19.377: ISAKMP: set new node 25645188 to QM_IDLE
Sep 12 07:30:19.377: ISAKMP:(11220):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 503509244, message ID = 25645188
Sep 12 07:30:19.377: ISAKMP:(11220): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Sep 12 07:30:19.377: ISAKMP:(11220):Sending an IKE IPv4 Packet.
Sep 12 07:30:19.377: ISAKMP:(11220):purging node 25645188
Sep 12 07:30:19.377: ISAKMP:(11220):deleting node -1972890756 error TRUE reason "QM rejected"
Sep 12 07:30:19.377: ISAKMP:(11220):Node -1972890756, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Sep 12 07:30:19.377: ISAKMP:(11220):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 12 07:30:23.752: ISAKMP:(11220):purging node -1979040987
Sep 12 07:30:29.386: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Sep 12 07:30:29.386: ISAKMP:(11220): phase 2 packet is a duplicate of a previous packet.
Sep 12 07:30:29.386: ISAKMP:(11220): retransmitting due to retransmit phase 2
Sep 12 07:30:29.386: ISAKMP:(11220): ignoring retransmission,because phase2 node marked dead -1972890756
Sep 12 07:30:29.598: ISAKMP (11188): received packet from 2.54.248.7 dport 4500 sport 35330 Global (R) QM_IDLE
Sep 12 07:30:29.598: ISAKMP: set new node 1382525766 to QM_IDLE
Sep 12 07:30:35.860: ISAKMP:(11220):purging node -1796200400
RTR3925-Core-VPN-B#
Sep 12 07:30:39.399: ISAKMP (11220): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Sep 12 07:30:39.399: ISAKMP:(11220): phase 2 packet is a duplicate of a previous packet.
Sep 12 07:30:39.399: ISAKMP:(11220): retransmitting due to retransmit phase 2
Sep 12 07:30:39.399: ISAKMP:(11220): ignoring retransmission,because phase2 node marked dead -1972890756
09-12-2012 07:04 AM
local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
You are proposing IP between 2.2.2.2 and 1.1.1.1, while you need to negotiate GRE [IP protocol 47].
Can you modify the remote config?
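The two replies above both come down to reading the proxy IDs out of `debug crypto ipsec` and comparing them with what the IOS side will accept. As an added example (not code from this thread or from Cisco), here is a small Python triage script that does exactly that for the three IOS configurations discussed here: a GRE tunnel with `tunnel protection` (host-to-host, protocol 47), `tunnel mode ipsec ipv4` (any-to-any selectors), and a crypto map with a `match address` ACL. The first two log samples are copied from the debug output posted above; the third is constructed to show the shape of a correct GRE proposal. The "containment" matching rule in `Selector.covers` is a simplification of how IOS selects a policy and is an assumption of the example, not an emulation of IOS.

```python
"""Triage IKEv1 Phase 2 proxy-ID mismatches from Cisco IOS `debug crypto ipsec` output.

Added example for this thread, not code from the original posts.  The first two
samples are copied from the debug output posted in the thread; the third is a
constructed sample showing what a GRE-over-IPsec peer should propose.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

GRE = 47  # IP protocol number carried inside a GRE-over-IPsec tunnel

# Matches lines such as:  local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy=\s*"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)/(?P<proto>\d+)/(?P<port>\d+)"
)

# Copied from the Sep 11 capture: the peer proposed LAN-to-LAN selectors.
PEER_PROPOSES_LANS = """\
Sep 11 14:44:43.347: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 2.2.2.2:0, remote= 1.1.1.1:0,
    local_proxy= 10.200.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.203.79.128/255.255.255.128/0/0 (type=4),
Sep 11 14:44:43.347: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

# Copied from the Sep 12 capture: host-to-host selectors, but for any IP protocol.
PEER_PROPOSES_HOSTS = """\
    local_proxy= 2.2.2.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
"""

# Constructed sample: what the peer must propose to match `tunnel protection` on a GRE tunnel.
PEER_PROPOSES_GRE = """\
    local_proxy= 2.2.2.2/255.255.255.255/47/0 (type=1),
    remote_proxy= 1.1.1.1/255.255.255.255/47/0 (type=1),
"""


@dataclass(frozen=True)
class Selector:
    """One half of a Phase 2 traffic selector (proxy ID): a prefix plus an IP protocol."""
    network: ipaddress.IPv4Network
    protocol: int = 0  # 0 means any IP protocol

    def covers(self, proposed: Selector) -> bool:
        """Accept when the protocol matches (0 = any) and the proposed prefix is contained.
        Containment is an assumed simplification of IOS's matching, good enough for triage."""
        proto_ok = self.protocol in (0, proposed.protocol)
        return proto_ok and proposed.network.subnet_of(self.network)

    def __str__(self) -> str:
        proto = "ip" if self.protocol == 0 else f"proto {self.protocol}"
        return f"{self.network} {proto}"


def host(addr: str, protocol: int = 0) -> Selector:
    return Selector(ipaddress.ip_network(f"{addr}/32"), protocol)


def parse_proposals(debug_text: str) -> list[tuple[Selector, Selector]]:
    """Return (local, remote) selector pairs in the order IOS logged them."""
    proposals, pending = [], {}
    for m in PROXY_RE.finditer(debug_text):
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        pending[m["side"]] = Selector(net, int(m["proto"]))
        if len(pending) == 2:  # have both halves of one proposal
            proposals.append((pending["local"], pending["remote"]))
            pending = {}
    return proposals


def policy_gre_over_ipsec(my_ip: str, peer_ip: str) -> list[tuple[Selector, Selector]]:
    """GRE tunnel with `tunnel protection ipsec profile`: host-to-host, protocol 47 only."""
    return [(host(my_ip, GRE), host(peer_ip, GRE))]


def policy_vti() -> list[tuple[Selector, Selector]]:
    """`tunnel mode ipsec ipv4`: IOS negotiates any-to-any selectors (0.0.0.0/0 both ways)."""
    any_ip = Selector(ipaddress.ip_network("0.0.0.0/0"))
    return [(any_ip, any_ip)]


def policy_crypto_map(aces: list[tuple[str, str]]) -> list[tuple[Selector, Selector]]:
    """Crypto map with `match address`: one selector pair per `permit ip SRC DST` entry."""
    return [(Selector(ipaddress.ip_network(src)), Selector(ipaddress.ip_network(dst)))
            for src, dst in aces]


def diagnose(debug_text: str, policy: list[tuple[Selector, Selector]]) -> dict:
    """Check every proposal found in the debug output against the local policy."""
    checked = []
    for local, remote in parse_proposals(debug_text):
        accepted = any(pl.covers(local) and pr.covers(remote) for pl, pr in policy)
        checked.append({"proposed": (str(local), str(remote)), "accepted": accepted})
    return {
        "proposals": checked,
        "any_accepted": any(c["accepted"] for c in checked),
        "expected": [(str(pl), str(pr)) for pl, pr in policy],
    }


if __name__ == "__main__":
    gre = policy_gre_over_ipsec("2.2.2.2", "1.1.1.1")
    for name, sample in [("LAN-to-LAN", PEER_PROPOSES_LANS),
                         ("host-to-host, any protocol", PEER_PROPOSES_HOSTS),
                         ("host-to-host, GRE", PEER_PROPOSES_GRE)]:
        verdict = diagnose(sample, gre)
        print(f"{name}: accepted={verdict['any_accepted']}  expected={verdict['expected']}")
```

Run against the thread's two captures with the GRE-over-IPsec policy, both are rejected, which is the "proxy identities not supported" line in the debug; the same LAN-to-LAN proposal is accepted once the policy is a crypto map whose ACL permits 10.200.0.0/16 to 10.203.79.128/25, which is why the crypto map ends up being the workable option when the peer cannot propose protocol 47.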
09-12-2012 07:41 AM
Yes I can, but how do I configure it? There are only IP address options in the other FW.
This is the phase 2 configuration page on the other FW:
09-14-2012 12:51 AM
Then 2 choices are possible:
1- You configure your tunnel in tunnel mode ipsec ipv4. Then the proxy id on the remote device will be 0.0.0.0/0 0.0.0.0/0. That would work only if the remote device allows it.
2- Use a crypto map (peer and ACL names follow the placeholders used in your config; the LANs are the ones you posted):
crypto map mymap 10 ipsec-isakmp
 set peer PEER-IP-ADDRESS
 set transform-set YYYYY
 match address VPN-TRAFFIC
!
! local LAN 10.200.0.0/16 to remote LAN 10.203.79.128/25 (wildcard masks)
ip access-list extended VPN-TRAFFIC
 permit ip 10.200.0.0 0.0.255.255 10.203.79.128 0.0.0.127
On the egress interface apply
interface <....>
 crypto map mymap
no interface Tunnel201