3814 Views | 5 Helpful | 5 Replies

ipsec not working

elnurh
Level 1

Hi all.

I configured a site-to-site VPN between two routers.

One router shows this error:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.10.1.1

debug shows this:

Mar 30 03:11:36.709 GMT: map_db_find_best did not find matching map
Mar 30 03:11:36.709 GMT: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.10.1.254
Mar 30 03:11:36.709 GMT: ISAKMP:(0:44:HW:2): IPSec policy invalidated proposal
Mar 30 03:11:36.709 GMT: ISAKMP:(0:44:HW:2): phase 2 SA policy not acceptable! (local 10.10.1.254 remote 10.10.1.1)
Mar 30 03:11:36.709 GMT: ISAKMP: set new node -812368720 to QM_IDLE
Mar 30 03:11:36.709 GMT: CryptoEngine0: generate hmac context for conn id 44
Mar 30 03:11:36.709 GMT: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
Mar 30 03:11:36.713 GMT: ISAKMP:(0:44:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1168611768, message ID = -812368720

This is the config:

hostname CRG
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxx address 10.10.1.1 no-xauth
crypto isakmp keepalive 100 3
!
crypto ipsec transform-set atb esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map atbmap local-address Loopback0
crypto map atbmap 10 ipsec-isakmp
 set peer 10.10.1.1
 set transform-set atb
 set pfs group5
 match address vpn_tunnel
!
interface Loopback0
 ip address 10.10.1.254 255.255.255.0
!
interface Tunnel0
 ip address 172.10.10.254 255.255.255.0
 ip mtu 1400
 ip ospf network broadcast
 ip ospf priority 5
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.10.1.1
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 192.168.240.252 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.100
 description main link to backup office
 encapsulation dot1Q 100
 ip address 10.100.100.254 255.255.255.0
 crypto map atbmap
!
interface GigabitEthernet0/1.200
 description backup link to backup office
 encapsulation dot1Q 200
 ip address 10.10.240.254 255.255.255.252
 ip ospf cost 150
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Group-Async0
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 no ip mroute-cache
 async mode dedicated
 peer default ip address pool dialin
 ppp authentication ms-chap-v2 ms-chap chap pap
 group-range 1/0 1/7
!
router ospf 10
 log-adjacency-changes
 redistribute static subnets
 network 10.0.0.0 0.255.255.255 area 0
!
router ospf 5
 log-adjacency-changes
 area 240 stub
 redistribute static subnets
 network 172.0.0.0 0.255.255.255 area 0
 network 192.168.240.0 0.0.0.255 area 240
 default-information originate always
!
ip local pool dialin 192.168.240.240 192.168.240.248
ip route 0.0.0.0 0.0.0.0 192.168.240.254
!
ip access-list extended lan_out
 deny ip 192.168.240.0 0.0.0.255 any
 permit ip any any
ip access-list extended vpn_tunnel
 permit gre host 10.10.1.254 host 10.10.1.1
 permit udp host 10.10.1.254 host 10.10.1.1 eq ntp

Help, I don't know how to resolve it.

Thanks in advance.

5 Replies

elnurh
Level 1

Nobody can help me resolve this issue? (:

You may have to reconfigure your crypto map access list on one or both peers. See below:

ERROR: This device has recorded the "no IPSEC cryptomap exists for local address x.x.x.x" log message.

This error message occurs when the crypto map has an access control list (ACL) with multiple entries, and the entry that matches the policy is not the first entry.

TRY THIS: Configure the crypto map such that each crypto map statement has an ACL with a single entry. You can use the same name for the crypto map, but ensure that you use a different sequence number. If you have configured a dynamic map, ensure that it has the least priority (highest sequence number), and is applied to the crypto map.

ERROR: This device has recorded an "IPSec policy invalidated proposal" log message.

This message appears in debugs if the access list for IPsec traffic does not match.

TRY THIS: Ensure that the access-lists on each peer mirror each other (all entries need to be reversible).

ERROR: This device has recorded a "phase 2 SA policy not acceptable" log message.

This message indicates that the IPSEC policy does not match on both sides.

TRY THIS: Check the IPSEC policy on the other side to ensure that it is identical to this side. The VPN access-list on both sides should be symmetrical. Also note that IPSEC will work only with the primary IP address of an interface and not with a secondary IP address.

If you are still having problems, post the current config from both IPsec peers.

HTH

Sundar

Are you sure about your crypto local interface?

My ACL was configured backwards on the router where I received the error "no IPSEC cryptomap exists for local address".

Many thanks!

bob.bartlett
Level 1

1. Check your peer IP; that doesn't look correct.

2. Make sure your key is identical; it is CASE sensitive.

3. Your locations seem to be on the same network subnet. Is that true?

Please post both configs if these don't help...
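Two of the checks suggested in this thread, Sundar's point that the crypto ACLs on the two peers must be mirror images of each other (every entry reversible), and bob.bartlett's question about the peers sitting on the same subnet, can be done mechanically before touching the routers. The script below is an added example and is not code from the thread or from Cisco. It parses the `vpn_tunnel` ACL exactly as posted for router CRG and compares it with two constructed peer-side ACLs: one copied verbatim (the "backwards" situation the original poster later reports) and one correctly mirrored. It also flags that the configured peer 10.10.1.1 falls inside Loopback0's own 10.10.1.0/24, which is what bob.bartlett is asking about. The peer's real configuration is not in the thread; both peer ACLs here are constructed for illustration, and the parser only covers the `any` / `host` / wildcard address forms and `eq` port qualifiers that the posted ACLs use.

```python
import ipaddress
from typing import NamedTuple, Optional


class Ace(NamedTuple):
    """One entry of an IOS extended ACL (IPv4; 'eq' ports only)."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[str]
    dst: ipaddress.IPv4Network
    dport: Optional[str]

    def mirror(self) -> "Ace":
        # The peer's crypto ACL describes the same flows from its side:
        # source and destination (with any port qualifier) swap places.
        return Ace(self.action, self.proto, self.dst, self.dport, self.src, self.sport)

    def render(self) -> str:
        return " ".join([self.action, self.proto]
                        + _render_spec(self.src, self.sport)
                        + _render_spec(self.dst, self.dport))


def _render_spec(net, port):
    if net.prefixlen == 0:
        words = ["any"]
    elif net.prefixlen == 32:
        words = ["host", str(net.network_address)]
    else:
        words = [str(net.network_address), str(net.hostmask)]
    return words + (["eq", port] if port is not None else [])


def _take_spec(tokens):
    """Consume 'any' | 'host A' | 'A wildcard' plus an optional 'eq P'."""
    if tokens[0] == "any":
        net, rest = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    else:
        # IOS wildcard masks are inverted netmasks; convert before building the network.
        wildcard = int(ipaddress.IPv4Address(tokens[1]))
        netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
        net, rest = ipaddress.ip_network((tokens[0], str(netmask)), strict=False), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = rest[1], rest[2:]
    return net, port, rest


def parse_acl(text: str) -> list:
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # header line, remark or blank
        src, sport, rest = _take_spec(tokens[2:])
        dst, dport, _ = _take_spec(rest)
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def check_mirror(local_text: str, remote_text: str) -> dict:
    """List entries on either side whose mirror image is absent on the other."""
    local, remote = parse_acl(local_text), parse_acl(remote_text)
    return {
        "missing_on_remote": [a.mirror().render() for a in local if a.mirror() not in remote],
        "missing_on_local": [a.mirror().render() for a in remote if a.mirror() not in local],
    }


def peer_on_local_subnet(local_interface: str, peer: str) -> bool:
    """True if the peer lies inside the subnet of the crypto local-address interface."""
    return ipaddress.ip_address(peer) in ipaddress.ip_interface(local_interface).network


# The ACL posted for CRG (local address 10.10.1.254).
CRG_ACL = """ip access-list extended vpn_tunnel
 permit gre host 10.10.1.254 host 10.10.1.1
 permit udp host 10.10.1.254 host 10.10.1.1 eq ntp
"""
# Constructed peer ACL, copied verbatim instead of mirrored (the "backwards" case).
PEER_ACL_BACKWARDS = CRG_ACL
# Constructed peer ACL written correctly from the peer's point of view.
PEER_ACL_MIRROR = """ip access-list extended vpn_tunnel
 permit gre host 10.10.1.1 host 10.10.1.254
 permit udp host 10.10.1.1 eq ntp host 10.10.1.254
"""

if __name__ == "__main__":
    for name, peer_acl in (("backwards", PEER_ACL_BACKWARDS), ("mirror", PEER_ACL_MIRROR)):
        print(name, check_mirror(CRG_ACL, peer_acl))
    print("peer inside Loopback0 subnet:", peer_on_local_subnet("10.10.1.254/24", "10.10.1.1"))
```

For the verbatim-copied peer ACL the report lists both entries as missing on each side, which is exactly the asymmetry that makes the responder reject the Quick Mode proposal; for the mirrored ACL both lists are empty. The subnet check returns True for the posted Loopback0 mask, which is worth resolving with the peer's configuration before going further.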
