IPSEC between PC and router

Feb 17th, 2008

Hello, I am looking forward to encrypting management traffic between my router and PC. The PC is Windows XP, and I created an IPSec policy with the secpol.msc utility. I set up a policy, and it works great between two XP PCs.


Everything is pretty much a mirror between the two PCs, and that's why I am able to get ESP encapsulated traffic.


So, I thought I would try creating another transport mode IPSec, this time adding the router. I set up everything the same as on the PC, including the pre-shared key, lifetimes, the transform set, and the access list states the same thing "all tcp traffic between these hosts", along with a mirrored acl. Anyway, I cannot get isakmp to complete, as noted by these debug lines from the router:


(this is not the full output, but lines of interest)


ISAKMP (0:6): deleting node -378831385 error TRUE reason "quick mode rejected"


ISAKMP (0:5): IPSec policy invalidated proposal


ISAKMP (0:5): phase 2 SA policy not acceptable! (local 1.2.3.1 remote 1.2.3.2)


ISAKMP (0:5): deleting node -1511991460 error TRUE reason "quick mode rejected"


ALSO, there was this output:


ISAKMP (0:6): peer matches *none* of the profiles


Which makes no sense. I'm certain I set up everything the same.


Anyone have experience with these errors, and what typically leads to them?


Keep in mind, this IPSec policy is to affect traffic local to and from the router, not passed between its interfaces.

james_stickland Sun, 02/17/2008 - 15:14

I made some changes, but I am now receiving this message...


*Mar 1 21:43:37.123: IPSEC(validate_transform_proposal): invalid local address 1.2.3.1

*Mar 1 21:43:37.131: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.2.3.2



I read that this could be caused by the crypto map not being applied to an interface, so I did the command


crypto isakmp map MYMAP local-address ethernet 0/1


but the problem still recurs.

james_stickland Sun, 02/17/2008 - 19:29

For anyone who does this, make sure to not only make your interface level firewall, but also make sure you apply the crypto map to the interface, as so:


crypto map MYMAP local-address Ethernet0/0


interface Ethernet0/0

crypto map MYMAP
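As an added example (not code from the thread or from Cisco), the following Python script runs over ISAKMP/IPSEC debug lines like the ones posted above and turns each recognised message into a finding with the check a practitioner would make next. The sample input is a constructed reassembly of the lines quoted in the thread; the hints are general IOS troubleshooting guidance, except for the "invalid local address" hint, which is the fix the thread itself arrived at (bind the crypto map to the interface). The one inference the script makes is that quick mode only begins after phase 1 has completed, so any phase-2 message shows that the "peer matches *none* of the profiles" line was not the blocker.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the debug lines quoted in the thread, reassembled into one
# capture. The 1.2.3.x addresses are the poster's own placeholders.
SAMPLE_DEBUG = """\
ISAKMP (0:6): deleting node -378831385 error TRUE reason "quick mode rejected"
ISAKMP (0:5): IPSec policy invalidated proposal
ISAKMP (0:5): phase 2 SA policy not acceptable! (local 1.2.3.1 remote 1.2.3.2)
ISAKMP (0:5): deleting node -1511991460 error TRUE reason "quick mode rejected"
ISAKMP (0:6): peer matches *none* of the profiles
*Mar 1 21:43:37.123: IPSEC(validate_transform_proposal): invalid local address 1.2.3.1
*Mar 1 21:43:37.131: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.2.3.2
"""

# Signature table: (pattern, IKE phase the message belongs to, what to check).
# Hints are general IOS troubleshooting guidance (an assumption of this example),
# except "invalid local address", which is the fix reached in the thread.
SIGNATURES = [
    (re.compile(r"invalid local address (?P<addr>[\d.]+)"), "phase2",
     "crypto map is not bound to the interface owning this address: set "
     "'crypto map <name> local-address <intf>' and apply 'crypto map <name>' "
     "under that interface"),
    (re.compile(r"phase 2 SA policy not acceptable! \(local (?P<addr>[\d.]+) "
                r"remote (?P<peer>[\d.]+)\)"), "phase2",
     "quick-mode proposal rejected: compare transform set, transport vs tunnel "
     "mode, SA lifetimes and the mirrored ACL (proxy IDs) on both peers"),
    (re.compile(r"IPSec policy invalidated proposal"), "phase2",
     "no crypto map entry / ACL accepted the peer's proposed traffic selector"),
    (re.compile(r'reason "quick mode rejected"'), "phase2",
     "quick-mode exchange torn down; look at the IPSEC(...) line for the cause"),
    (re.compile(r"peer matches \*none\* of the profiles"), "phase1",
     "no ISAKMP profile matched the peer identity; harmless if no profile is "
     "meant to apply, otherwise check 'match identity' in the profile"),
    (re.compile(r"Quick mode failed with peer at (?P<peer>[\d.]+)"), "phase2",
     "summary of the quick-mode failure; the preceding IPSEC(...) line is the cause"),
]


def triage(debug_text: str) -> List[Dict[str, Optional[str]]]:
    """Walk the debug output line by line; one finding per recognised signature."""
    findings: List[Dict[str, Optional[str]]] = []
    for n, line in enumerate(debug_text.splitlines(), start=1):
        for pattern, phase, hint in SIGNATURES:
            m = pattern.search(line)
            if m:
                groups = m.groupdict()
                findings.append({
                    "line": str(n),
                    "phase": phase,
                    "local": groups.get("addr"),   # router-side address, if logged
                    "peer": groups.get("peer"),    # remote peer address, if logged
                    "hint": hint,
                })
                break  # first matching signature wins for this line
    return findings


def negotiation_stage(findings: List[Dict[str, Optional[str]]]) -> str:
    """Quick mode only starts after phase 1 succeeds, so any phase-2 message
    proves phase 1 completed and a phase-1 warning is not the blocker."""
    if any(f["phase"] == "phase2" for f in findings):
        return "phase1 ok, phase2 failing"
    if any(f["phase"] == "phase1" for f in findings):
        return "phase1 failing"
    return "no recognised failure"


if __name__ == "__main__":
    results = triage(SAMPLE_DEBUG)
    print(negotiation_stage(results))
    for f in results:
        print(f"line {f['line']:>2} [{f['phase']}] local={f['local']} "
              f"peer={f['peer']}: {f['hint']}")
```

Feed it the output of `debug crypto isakmp` / `debug crypto ipsec` captured from the router; for the thread's capture it reports that phase 1 completed and that the phase-2 failure traces back to the unbound crypto map, which matches the fix in the final post.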

