03-30-2007 02:02 AM - edited 02-21-2020 02:57 PM
Hi all.
I configured a site-to-site VPN between two routers.
One router shows this error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.10.1.1
The debug shows this:
Mar 30 03:11:36.709 GMT: map_db_find_best did not find matching map
Mar 30 03:11:36.709 GMT: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.10.1.254
Mar 30 03:11:36.709 GMT: ISAKMP:(0:44:HW:2): IPSec policy invalidated proposal
Mar 30 03:11:36.709 GMT: ISAKMP:(0:44:HW:2): phase 2 SA policy not acceptable! (local 10.10.1.254 remote 10.10.1.1)
Mar 30 03:11:36.709 GMT: ISAKMP: set new node -812368720 to QM_IDLE
Mar 30 03:11:36.709 GMT: CryptoEngine0: generate hmac context for conn id 44
Mar 30 03:11:36.709 GMT: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
Mar 30 03:11:36.713 GMT: ISAKMP:(0:44:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1168611768, message ID = -812368720
This is the config:
hostname CRG
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxx address 10.10.1.1 no-xauth
crypto isakmp keepalive 100 3
!
!
crypto ipsec transform-set atb esp-aes 256 esp-sha-hmac
mode transport
!
crypto map atbmap local-address Loopback0
crypto map atbmap 10 ipsec-isakmp
set peer 10.10.1.1
set transform-set atb
set pfs group5
match address vpn_tunnel
!
!
!
!
interface Loopback0
ip address 10.10.1.254 255.255.255.0
!
interface Tunnel0
ip address 172.10.10.254 255.255.255.0
ip mtu 1400
ip ospf network broadcast
ip ospf priority 5
keepalive 10 3
tunnel source Loopback0
tunnel destination 10.10.1.1
tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.240.252 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.100
description main link to backup office
encapsulation dot1Q 100
ip address 10.100.100.254 255.255.255.0
crypto map atbmap
!
interface GigabitEthernet0/1.200
description backup link to backup office
encapsulation dot1Q 200
ip address 10.10.240.254 255.255.255.252
ip ospf cost 150
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
interface Group-Async0
ip unnumbered GigabitEthernet0/0
encapsulation ppp
no ip mroute-cache
async mode dedicated
peer default ip address pool dialin
ppp authentication ms-chap-v2 ms-chap chap pap
group-range 1/0 1/7
!
router ospf 10
log-adjacency-changes
redistribute static subnets
network 10.0.0.0 0.255.255.255 area 0
!
router ospf 5
log-adjacency-changes
area 240 stub
redistribute static subnets
network 172.0.0.0 0.255.255.255 area 0
network 192.168.240.0 0.0.0.255 area 240
default-information originate always
!
ip local pool dialin 192.168.240.240 192.168.240.248
ip route 0.0.0.0 0.0.0.0 192.168.240.254
!
ip access-list extended lan_out
deny ip 192.168.240.0 0.0.0.255 any
permit ip any any
ip access-list extended vpn_tunnel
permit gre host 10.10.1.254 host 10.10.1.1
permit udp host 10.10.1.254 host 10.10.1.1 eq ntp
Help, I don't know how to resolve it.
Thanks in advance.
04-01-2007 01:13 PM
Can nobody help me resolve this issue? (:
04-01-2007 05:24 PM
You may have to reconfigure your crypto map access list on one or both peers. See below:
ERROR: This device has recorded the "no IPSEC cryptomap exists for local address x.x.x.x" log message.
This error message occurs when the crypto map has an access control list (ACL) with multiple entries, and the entry that matches the policy is not the first entry.
TRY THIS: Configure the crypto map such that each crypto map statement has an ACL with a single entry. You can use the same name for the crypto map, but ensure that you use a different sequence number. If you have configured a dynamic map, ensure that it has the least priority (highest sequence number) and is applied to the crypto map.
ERROR: This device has recorded an "IPSec policy invalidated proposal" log message.
This message appears in debugs if the access list for IPsec traffic does not match.
TRY THIS: Ensure that the access lists on each peer mirror each other (all entries need to be reversible).
ERROR: This device has recorded a "phase 2 SA policy not acceptable" log message.
This message indicates that the IPsec policy does not match on both sides.
TRY THIS: Check the IPsec policy on the other side to ensure that it is identical to this side. The VPN access list on both sides should be symmetrical. Also note that IPsec will work only with the primary IP address of an interface and not with a secondary IP address.
If you are still having problems, post the current config from both IPsec peers.
HTH
Sundar
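The two ACL conditions in the reply above (peer crypto ACLs must be exact mirrors, and each crypto map sequence should carry a single-entry ACL) are easy to get wrong by hand, so here is a small checker, added here as an illustration and not code from the thread or from Cisco. It parses IOS-style extended ACEs of the form "permit <proto> host A [eq P] host B [eq P]" only; the CRG-side list is the vpn_tunnel ACL from the original post, while the peer-side lists are constructed sample data, not the real remote configuration. The names parse_acl, mirror_problems and multi_entry_sequences are this example's own.

```python
"""Added example, not code from the thread or from Cisco. It checks the two
crypto-ACL conditions described in the reply above:

  1. the crypto ACL on each IPsec peer must be the mirror image of the
     other's (every entry reversible, with source and destination swapped,
     including any 'eq <port>' qualifier, which moves with its address), and
  2. each crypto map sequence should reference an ACL with a single entry.

Only IOS-style 'host A host B' ACEs are parsed; wildcard, 'any' or range
entries raise so they are never silently mis-compared.
"""
import re
from typing import Dict, List, Tuple

# Canonical ACE: (action, proto, src, src_port, dst, dst_port)
Ace = Tuple[str, str, str, str, str, str]

_ACE_RE = re.compile(
    r"^(permit|deny)\s+(\S+)"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\S+))?"
    r"\s+host\s+(\S+)(?:\s+eq\s+(\S+))?$"
)


def parse_acl(text: str) -> List[Ace]:
    """Parse the ACEs of one extended ACL; the 'ip access-list' header is skipped."""
    aces: List[Ace] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list"):
            continue
        m = _ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        action, proto, src, sport, dst, dport = m.groups()
        aces.append((action, proto, src, sport or "", dst, dport or ""))
    return aces


def mirror(ace: Ace) -> Ace:
    """The entry the other peer must carry: src/dst (and their ports) swapped."""
    action, proto, src, sport, dst, dport = ace
    return (action, proto, dst, dport, src, sport)


def fmt(ace: Ace) -> str:
    """Render an ACE back into IOS syntax for readable reports."""
    action, proto, src, sport, dst, dport = ace
    s = f"{action} {proto} host {src}" + (f" eq {sport}" if sport else "")
    return s + f" host {dst}" + (f" eq {dport}" if dport else "")


def mirror_problems(local_acl: str, remote_acl: str) -> List[str]:
    """Entries on either side whose reverse is missing on the other side.
    An empty list means the two crypto ACLs mirror each other."""
    local = set(parse_acl(local_acl))
    remote = set(parse_acl(remote_acl))
    problems: List[str] = []
    for ace in sorted(local):
        if mirror(ace) not in remote:
            problems.append(f"local '{fmt(ace)}' has no reverse on peer")
    for ace in sorted(remote):
        if mirror(ace) not in local:
            problems.append(f"peer '{fmt(ace)}' has no reverse locally")
    return problems


def multi_entry_sequences(crypto_map: Dict[int, str]) -> List[int]:
    """Crypto map sequence numbers whose ACL carries more than one ACE."""
    return sorted(seq for seq, acl in crypto_map.items() if len(parse_acl(acl)) > 1)


# vpn_tunnel exactly as posted for CRG (local address 10.10.1.254)
CRG_ACL = """
ip access-list extended vpn_tunnel
 permit gre host 10.10.1.254 host 10.10.1.1
 permit udp host 10.10.1.254 host 10.10.1.1 eq ntp
"""

# Constructed peer-side ACLs (assumed, not from the thread): one that mirrors
# CRG's list correctly, and one copied in the same direction, i.e. "backwards".
PEER_ACL_GOOD = """
ip access-list extended vpn_tunnel
 permit gre host 10.10.1.1 host 10.10.1.254
 permit udp host 10.10.1.1 eq ntp host 10.10.1.254
"""
PEER_ACL_BACKWARDS = CRG_ACL

if __name__ == "__main__":
    print("good peer:", mirror_problems(CRG_ACL, PEER_ACL_GOOD) or "mirrored OK")
    for problem in mirror_problems(CRG_ACL, PEER_ACL_BACKWARDS):
        print("backwards peer:", problem)
    # The posted crypto map uses one sequence (10) for a two-entry ACL.
    print("sequences with multi-entry ACLs:", multi_entry_sequences({10: CRG_ACL}))
```

Run against the posted list, the script reports that sequence 10 carries a two-entry ACL, which is the first condition in the reply; splitting it into sequences 10 and 20 with one ACE each makes that report empty. Note that the mirror of an entry with "eq ntp" on the destination is one with "eq ntp" on the source, which is the detail most often missed when ACLs are written from memory.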
06-18-2007 07:39 AM
Are you sure about your crypto local interface?
01-30-2019 07:41 PM
My ACL was configured backwards on the router where I received the error "no IPSEC cryptomap exists for local address".
Many thanks!
06-19-2007 10:44 AM
1. Check your peer IP; that doesn't look correct.
2. Make sure your key is identical; it is case sensitive.
3. Your locations seem to be on the same network subnet; is that true?
Please post both configs if these don't help...