Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2037
Views
0
Helpful
3
Replies

IPSec phase 2 setup problem Check Point R55 and 1841 router

mshickell
Level 1
Level 1

‎08-24-2007 06:07 AM - edited ‎02-21-2020 03:14 PM

I'm struggling to get the phase 2 working and the error message seems clear enough

no IPSEC cryptomap exists for local address 217.204.143.226

The only discrepancy that I can fine is that the inbound phase 2 proposal has lifedur= 0s and 0kb which I cannot set on the Cisco as the IOS won't take zero values. To muddy the waters further I've found debug outputs on other websites which also have lifedur= 0s and 0kb early in the phase 2 that complete OK!

Also what does type=1 mean below? The web outputs seem to be mostly type=4

Can anyone shed some light on this ro see anything I can't?

For info the IOS will be upgraded to the (16) version this weekend...

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(1a),

Aug 22 11:45:11: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1

Aug 22 11:45:11: ISAKMP: transform 1, ESP_3DES

Aug 22 11:45:11: ISAKMP: attributes in transform:

Aug 22 11:45:11: ISAKMP: encaps is 1 (Tunnel)

Aug 22 11:45:11: ISAKMP: SA life type in seconds

Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

Aug 22 11:45:11: ISAKMP: SA life type in kilobytes

Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Aug 22 11:45:11: ISAKMP: authenticator is HMAC-MD5

Aug 22 11:45:11: ISAKMP:(0:2:SW:1):atts are acceptable.

Aug 22 11:45:11: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 217.204.143.226, remote= 194.63.35.25,

local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),

remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

Aug 22 11:45:11: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 217.204.143.226

Aug 22 11:45:11: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal

Aug 22 11:45:11: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 217.204.143.226 remote 194.63.35.25)

Crypto Map "VPN" 500 ipsec-isakmp

Description: Tunnel VPN to BAA Heathrow

Peer = 194.63.35.25

Extended IP access list TO-HEATHROW1_acl

access-list TO-HEATHROW1_acl permit ip host 217.204.143.226 host 194.63.35.25

access-list TO-HEATHROW1_acl permit ip 10.208.254.0 0.0.0.127 10.8.25.0 0.0.0.31

Current peer: 194.63.35.25

Security association lifetime: 4608000 kilobytes/86400 seconds

PFS (Y/N): N

Transform sets={

trans-2,

}

Transform set trans-2: { esp-3des esp-md5-hmac }

will negotiate = { Tunnel, },

Labels:
0 Helpful
3 Replies 3

froggy3132000
Level 3
Level 3

‎08-24-2007 09:19 AM

You have both peers in the encryption domain, is there a reason for that?

ARe you able to verify the paramaters on the CKP side?

0 Helpful

mshickell
Level 1
Level 1
In response to froggy3132000

‎08-24-2007 10:18 PM

Testing purposes only. The checkpoint parameters seem fine. even though the phase 2 lifetime is set to 3600 secs (no bytes parameter to be found) the trace on the Cisco still shows lifetime as 0 sec/bytes. Not sure if this is a red herring but the router is requesting the right parameters according to the debugs.

0 Helpful

mark_shickell
Level 1
Level 1
In response to mshickell

‎09-05-2007 11:04 PM

Problem turned out to be some old config within a tunnel interface. This was one tack which was tried before but not properly deleted.

Deleted the tunnel interface and the SA came up straight away!

0 Helpful
Customers Also Viewed These Support Documents