08-24-2007 06:07 AM - edited 02-21-2020 03:14 PM
I'm struggling to get the phase 2 working and the error message seems clear enough
no IPSEC cryptomap exists for local address 217.204.143.226
The only discrepancy that I can find is that the inbound phase 2 proposal has lifedur= 0s and 0kb, which I cannot set on the Cisco as the IOS won't take zero values. To muddy the waters further, I've found debug outputs on other websites which also have lifedur= 0s and 0kb early in the phase 2 that complete OK!
Also what does type=1 mean below? The web outputs seem to be mostly type=4
Can anyone shed some light on this or see anything I can't?
For info the IOS will be upgraded to the (16) version this weekend...
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(1a),
Aug 22 11:45:11: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Aug 22 11:45:11: ISAKMP: transform 1, ESP_3DES
Aug 22 11:45:11: ISAKMP: attributes in transform:
Aug 22 11:45:11: ISAKMP: encaps is 1 (Tunnel)
Aug 22 11:45:11: ISAKMP: SA life type in seconds
Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 22 11:45:11: ISAKMP: SA life type in kilobytes
Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Aug 22 11:45:11: ISAKMP: authenticator is HMAC-MD5
Aug 22 11:45:11: ISAKMP:(0:2:SW:1):atts are acceptable.
Aug 22 11:45:11: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 217.204.143.226, remote= 194.63.35.25,
local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),
remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Aug 22 11:45:11: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 217.204.143.226
Aug 22 11:45:11: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Aug 22 11:45:11: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 217.204.143.226 remote 194.63.35.25)
Crypto Map "VPN" 500 ipsec-isakmp
Description: Tunnel VPN to BAA Heathrow
Peer = 194.63.35.25
Extended IP access list TO-HEATHROW1_acl
access-list TO-HEATHROW1_acl permit ip host 217.204.143.226 host 194.63.35.25
access-list TO-HEATHROW1_acl permit ip 10.208.254.0 0.0.0.127 10.8.25.0 0.0.0.31
Current peer: 194.63.35.25
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={
trans-2,
}
Transform set trans-2: { esp-3des esp-md5-hmac }
will negotiate = { Tunnel, },
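As an added example (not part of the original thread or of the router configuration above), the script below decodes the transform attributes that the ISAKMP debug prints as raw VPI byte strings and compares them with the lifetime configured on the crypto map, and it labels the proxy identity types using the ISAKMP identification type values from RFC 2407 (1 = ID_IPV4_ADDR, 4 = ID_IPV4_ADDR_SUBNET). The sample lines are copied from the debug output in this thread; the function and variable names are my own.

```python
import re
from ipaddress import IPv4Network

# Constructed sample: debug lines in the shape of the ISAKMP/IPsec output above.
DEBUG_LINES = [
    "Aug 22 11:45:11: ISAKMP: SA life type in seconds",
    "Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80",
    "Aug 22 11:45:11: ISAKMP: SA life type in kilobytes",
    "Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0",
    "local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),",
    "remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),",
]

# Lifetime configured on crypto map "VPN" 500 in the thread.
CONFIGURED_SECONDS = 86400
CONFIGURED_KB = 4608000

# ISAKMP identification types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}

LIFE_TYPE_RE = re.compile(r"SA life type in (seconds|kilobytes)")
LIFE_DUR_RE = re.compile(r"SA life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
PROXY_RE = re.compile(
    r"(local|remote)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+) \(type=(\d+)\)"
)


def decode_vpi(hex_tokens: str) -> int:
    """Decode a variable-length, big-endian attribute value such as '0x0 0x1 0x51 0x80'."""
    value = 0
    for tok in hex_tokens.split():
        value = (value << 8) | int(tok, 16)
    return value


def parse_lifetimes(lines):
    """Pair each 'SA life type' line with the duration line that follows it."""
    lifetimes = {}
    pending = None
    for line in lines:
        m = LIFE_TYPE_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = LIFE_DUR_RE.search(line)
        if m and pending:
            lifetimes[pending] = decode_vpi(m.group(1))
            pending = None
    return lifetimes


def parse_proxies(lines):
    """Extract the proxy identities and name their ISAKMP ID types."""
    proxies = {}
    for line in lines:
        for m in PROXY_RE.finditer(line):
            side, addr, mask, proto, port, id_type = m.groups()
            id_type = int(id_type)
            proxies[side] = {
                "network": str(IPv4Network(f"{addr}/{mask}")),
                "protocol": int(proto),
                "port": int(port),
                "id_type": id_type,
                "id_name": ID_TYPES.get(id_type, "unknown"),
            }
    return proxies


def lifetimes_match(lifetimes, seconds, kilobytes) -> bool:
    """True when the peer's proposed lifetimes equal the configured crypto map lifetimes."""
    return lifetimes.get("seconds") == seconds and lifetimes.get("kilobytes") == kilobytes


if __name__ == "__main__":
    lt = parse_lifetimes(DEBUG_LINES)
    print("proposed lifetimes:", lt)
    print("match crypto map:", lifetimes_match(lt, CONFIGURED_SECONDS, CONFIGURED_KB))
    for side, info in parse_proxies(DEBUG_LINES).items():
        print(f"{side}: {info['network']} {info['id_name']} (type={info['id_type']})")
```

The decoded transform attributes are 86400 seconds and 4608000 kilobytes, the same values shown in the crypto map, so the peer's proposal and the configured lifetime agree even though the later key-engine message prints lifedur= 0s and 0kb; the /32 proxies with type=1 correspond to the host-to-host access list entry.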
08-24-2007 09:19 AM
You have both peers in the encryption domain, is there a reason for that?
Are you able to verify the parameters on the CKP side?
08-24-2007 10:18 PM
Testing purposes only. The Checkpoint parameters seem fine. Even though the phase 2 lifetime is set to 3600 secs (no bytes parameter to be found), the trace on the Cisco still shows lifetime as 0 sec/bytes. Not sure if this is a red herring, but the router is requesting the right parameters according to the debugs.
09-05-2007 11:04 PM
Problem turned out to be some old config within a tunnel interface. This was one tack which was tried before but not properly deleted.
Deleted the tunnel interface and the SA came up straight away!