VPN problem

godzilla0
Level 1

Hi, I'm doing a point-to-point pre-shared key VPN and I've got this error on phase 2.

*Sep 3 08:33:50.876: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported

*Sep 3 08:33:50.876: ISAKMP:(5058): IPSec policy invalidated proposal with error 32

*Sep 3 08:33:50.876: ISAKMP:(5058): phase 2 SA policy not acceptable! (local 192.168.3.11 remote 170.252.72.46)

*Sep 3 08:33:50.880: ISAKMP:(5058):deleting node -1434383868 error TRUE reason "QM rejected"

8 Replies

grant.maynard
Level 4

I think "proxy identities not supported" usually means your ACLs don't match at both ends. Perhaps a subnet mask is different?

I double checked each point and everything on the ACLs seems to be OK. Do you have any more ideas? Thanks.

Double check the phase 2 encryption and hash on both ends; there is a proposal error.

Also check the no-nat ACL and the interesting traffic acl.

HTH

What do you mean by the no-nat ACL and the interesting traffic ACL? I've got only one ACL.

You can use one ACL. I personally choose to use two, which helps with troubleshooting cases like this. I normally use something like:

access-list no-nat extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

x.x.x.x = src ip subnet

y.y.y.y = src subnet mask

w.w.w.w = dst ip subnet

z.z.z.z = dst subnet mask

then:

access-list vpn-remote-branch-1 extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

Then my NAT looks like:

nat (inside) 0 access-list no-nat

and my crypto looks like:

crypto map remote-branch 10 match address vpn-remote-branch-1

HTH
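The debug in the opening post ("proxy identities not supported", "phase 2 SA policy not acceptable") is what you see when the two peers disagree about the protected networks, and the two-ACL layout above is what makes that disagreement easy to spot. The script below is an added example, not code from this thread or from Cisco: it parses ASA-style `access-list ... extended permit ip`, `nat (inside) 0 access-list` and `crypto map ... match address` lines from both peers, checks that every crypto ACL entry has an exact mirror image (source and destination swapped, same masks) on the other side, and checks that each crypto ACL entry is covered by that peer's NAT-exemption ACL. Both sample configs are constructed for the example; side B deliberately carries a wrong destination mask of the kind the first reply asked about.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample configs (not from the thread). Side A is consistent;
# side B's crypto ACL uses 255.255.0.0 where the peer has 255.255.255.0,
# so the proxy identities the two sides propose will never match.
SIDE_A_CONFIG = """
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list vpn-remote-branch-1 extended permit ip 192.168.3.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list no-nat
crypto map remote-branch 10 match address vpn-remote-branch-1
"""

SIDE_B_CONFIG = """
access-list no-nat extended permit ip 10.20.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list vpn-hq extended permit ip 10.20.0.0 255.255.0.0 192.168.3.0 255.255.0.0
nat (inside) 0 access-list no-nat
crypto map hq 10 match address vpn-hq
"""

# Only the simple "permit ip SRC MASK DST MASK" form used in the thread is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)
CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<acl>\S+)\s*$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(?P<acl>\S+)\s*$")

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def parse_config(text: str) -> Tuple[Dict[str, List[Pair]], Optional[str], Optional[str]]:
    """Return (acls by name, crypto ACL name, NAT-exemption ACL name)."""
    acls: Dict[str, List[Pair]] = {}
    crypto_acl = nat_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            # (address, netmask) tuples are accepted by IPv4Network; strict=False
            # tolerates host bits so a sloppy ACE still parses and gets reported.
            src = ipaddress.IPv4Network((m["src"], m["smask"]), strict=False)
            dst = ipaddress.IPv4Network((m["dst"], m["dmask"]), strict=False)
            acls.setdefault(m["name"], []).append((src, dst))
        elif m := CRYPTO_RE.match(line):
            crypto_acl = m["acl"]
        elif m := NAT0_RE.match(line):
            nat_acl = m["acl"]
    return acls, crypto_acl, nat_acl


def mirror_mismatches(local: List[Pair], remote: List[Pair]) -> List[str]:
    """Every local (src, dst) must appear on the peer as exactly (dst, src)."""
    problems = []
    remote_set, local_set = set(remote), set(local)
    for src, dst in local:
        if (dst, src) not in remote_set:
            problems.append(f"local {src} -> {dst} has no exact mirror on peer")
    for src, dst in remote:
        if (dst, src) not in local_set:
            problems.append(f"peer {src} -> {dst} has no exact mirror locally")
    return problems


def nat_exempt_gaps(crypto: List[Pair], nat_exempt: List[Pair]) -> List[str]:
    """Crypto ACL traffic must be exempt from NAT, or it is translated before
    the crypto map sees it and no longer matches the negotiated proxy IDs."""
    gaps = []
    for src, dst in crypto:
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat_exempt):
            gaps.append(f"{src} -> {dst} is not covered by the NAT-exemption ACL")
    return gaps


def check_pair(cfg_a: str, cfg_b: str) -> List[str]:
    """Compare two peers' configs and return a list of human-readable findings."""
    acls_a, crypto_a, nat_a = parse_config(cfg_a)
    acls_b, crypto_b, nat_b = parse_config(cfg_b)
    crypto_pairs_a = acls_a.get(crypto_a or "", [])
    crypto_pairs_b = acls_b.get(crypto_b or "", [])
    findings = mirror_mismatches(crypto_pairs_a, crypto_pairs_b)
    findings += ["A: " + g for g in nat_exempt_gaps(crypto_pairs_a, acls_a.get(nat_a or "", []))]
    findings += ["B: " + g for g in nat_exempt_gaps(crypto_pairs_b, acls_b.get(nat_b or "", []))]
    return findings


if __name__ == "__main__":
    for finding in check_pair(SIDE_A_CONFIG, SIDE_B_CONFIG) or ["no mismatches found"]:
        print(finding)
```

Paste each peer's `show running-config access-list`, `nat` and `crypto map` lines into the two strings and run it; an empty result means the crypto ACLs are exact mirrors and both sides exempt that traffic from NAT, so a phase 2 proposal rejection is more likely to be a transform-set (encryption/hash) difference, which is the other thing the second reply suggests checking.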

I double checked each point and everything on the ACLs seems to be OK. Do you have any more ideas? Thanks.

OK, post the configs.
