IPSEC between PC and router

james_stickland
Level 1

Hello, I am looking forward to encrypting management traffic between my router and PC. The PC is Windows XP, and I created an IPSec policy with the secpol.msc utility. I set up a policy, and it works great between two XP PCs.

Everything is pretty much a mirror between the two PCs, and that's why I am able to get ESP encapsulated traffic.

So, I thought I would try creating another transport mode IPSec policy, this time adding the router. I set up everything the same as on the PC, including the pre-shared key, lifetimes, the transform set, and the access list states the same thing ("all TCP traffic between these hosts"), along with a mirrored ACL. Anyway, I cannot get ISAKMP to complete, as noted by these debug lines from the router:

(this is not the full output, but lines of interest)

ISAKMP (0:6): deleting node -378831385 error TRUE reason "quick mode rejected"

ISAKMP (0:5): IPSec policy invalidated proposal

ISAKMP (0:5): phase 2 SA policy not acceptable! (local 1.2.3.1 remote 1.2.3.2)

ISAKMP (0:5): deleting node -1511991460 error TRUE reason "quick mode rejected"

ALSO, there was this output:

ISAKMP (0:6): peer matches *none* of the profiles

Which makes no sense. I'm certain I set up everything the same.

Anyone have experience with these errors, and what typically leads to them?

Keep in mind, this IPSec policy is to affect traffic local to and from the router, not passed between its interfaces.

3 Replies

james_stickland
Level 1

I made some changes, but I am now receiving this message...

*Mar 1 21:43:37.123: IPSEC(validate_transform_proposal): invalid local address 1.2.3.1

*Mar 1 21:43:37.131: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.2.3.2

I read that this could be caused by the crypto map not being applied to an interface, so I entered the command

crypto isakmp map MYMAP local-address ethernet 0/1

but the problem still recurs.

For anyone who does this, make sure to not only make your interface-level firewall, but also make sure you apply the crypto map to the interface, as so:

crypto map MYMAP local-address Ethernet0/0

interface Ethernet0/0
 crypto map MYMAP

Here is a corresponding document I have written for securing traffic between a router and management PC:

http://206.248.189.204/documents/mgmtIPSEC/
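The router side of the transport-mode setup described in this thread, written out as an added example (not the poster's configuration or his linked document). It assumes the router address 1.2.3.1 on Ethernet0/0, the PC at 1.2.3.2, 3DES/SHA-1/DH group 2 (which the XP side must mirror), and a placeholder pre-shared key.

```cisco
! Phase 1 (ISAKMP) proposal: must match the XP "Medium" security method
! (3DES, SHA1, DH group 2) and the lifetime set in secpol.msc.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! Pre-shared key for the management PC (placeholder value).
crypto isakmp key <PRE-SHARED-KEY> address 1.2.3.2

! Phase 2 (IPsec) proposal. "mode transport" is required; a tunnel-mode
! transform set here is one cause of "IPSec policy invalidated proposal".
crypto ipsec transform-set MGMT-TS esp-3des esp-sha-hmac
 mode transport

! Proxy identities: all TCP between the two hosts. The XP filter list must
! be the exact mirror (1.2.3.2 <-> 1.2.3.1), or phase 2 is rejected with
! "phase 2 SA policy not acceptable".
access-list 110 permit tcp host 1.2.3.1 host 1.2.3.2

crypto map MYMAP 10 ipsec-isakmp
 set peer 1.2.3.2
 set transform-set MGMT-TS
 match address 110

! Bind the map's local address and apply it to the interface. Leaving
! either step out produces "invalid local address 1.2.3.1" during
! validate_transform_proposal, as seen in the thread.
crypto map MYMAP local-address Ethernet0/0

interface Ethernet0/0
 ip address 1.2.3.1 255.255.255.0
 crypto map MYMAP
```

Verify with "show crypto isakmp sa" (expect QM_IDLE) and "show crypto ipsec sa" (expect encaps/decaps counters climbing) once a Telnet or SSH session to 1.2.3.1 is opened from the PC.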
