09-03-2008 12:29 AM - edited 02-21-2020 03:55 PM
Hi, I'm doing a point-to-point pre-shared key VPN and I've got this error on phase 2.
*Sep 3 08:33:50.876: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
*Sep 3 08:33:50.876: ISAKMP:(5058): IPSec policy invalidated proposal with error 32
*Sep 3 08:33:50.876: ISAKMP:(5058): phase 2 SA policy not acceptable! (local 192.168.3.11 remote 170.252.72.46)
*Sep 3 08:33:50.880: ISAKMP:(5058):deleting node -1434383868 error TRUE reason "QM rejected"
09-03-2008 01:55 AM
I think "proxy identities not supported" usually means your ACLs don't match at both ends. Perhaps a subnet mask is different?
09-03-2008 02:12 AM
That is the case with your ACL.
See this http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#proxy
09-03-2008 02:37 AM
I double checked each point and everything on the ACLs seems to be ok. Do you have any more ideas? Thanks
09-03-2008 02:43 AM
Double check the phase 2 encryption and hash at both ends; there is a proposal error.
Also check the no-nat ACL and the interesting traffic ACL.
HTH
09-03-2008 03:34 AM
What do you mean by the no-nat ACL and the interesting traffic ACL? I've got only 1 ACL.
09-03-2008 03:47 AM
You can use 1 ACL; I personally choose to use 2, as it helps with troubleshooting cases... like this. I normally use something like:-
access-list no-nat extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z
x.x.x.x = src ip subnet
y.y.y.y = src subnet mask
w.w.w.w = dst ip subnet
z.z.z.z = dst subnet mask
then:-
access-list vpn-remote-branch-1 extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z
Then my NAT looks like:-
nat (inside) 0 access-list no-nat
and my crypto looks like:-
crypto map remote-branch 10 match address vpn-remote-branch-1
HTH
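As an added example (not from anyone in this thread and not Cisco code): a small Python check that parses the interesting-traffic ACL from each peer's config and verifies that every local (src, dst) entry appears on the remote peer as (dst, src) with the same networks and masks. The sample configs, ACL names (vpn-remote-branch-1, vpn-hq) and subnets are constructed; the remote side deliberately uses a /16 mask where the local side uses /24, which is the kind of mismatch behind "proxy identities not supported".

```python
"""Check that the crypto (interesting-traffic) ACLs of two IPsec peers mirror
each other. Constructed example for this thread, not Cisco's code or config."""
import ipaddress


def _take_addr(words):
    """Consume one ASA-style address spec ('host A', 'any', or 'A MASK') from
    the front of *words*; return (ip_network, remaining_words)."""
    if words[0] == "host":
        return ipaddress.ip_network(words[1] + "/32"), words[2:]
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), words[1:]
    # dotted-decimal netmask form, e.g. "10.20.0.0 255.255.255.0"
    net = ipaddress.ip_network(f"{words[0]}/{words[1]}", strict=False)
    return net, words[2:]


def parse_crypto_acl(config_text, acl_name):
    """Return the set of (src_net, dst_net) pairs in the named extended ACL.
    Only 'permit ip' entries are considered, since those define the proxy
    identities offered in IKE phase 2."""
    pairs = set()
    for line in config_text.splitlines():
        words = line.split()
        if len(words) < 7 or words[:2] != ["access-list", acl_name]:
            continue
        if words[2:5] != ["extended", "permit", "ip"]:
            continue
        src, rest = _take_addr(words[5:])
        dst, _ = _take_addr(rest)
        pairs.add((src, dst))
    return pairs


def find_proxy_mismatches(local_pairs, remote_pairs):
    """Every local (src, dst) must appear on the remote peer as (dst, src) with
    identical networks and masks. Returns (unmatched_local, unmatched_remote),
    both as sorted lists of (src, dst) pairs seen from the local side."""
    remote_mirrored = {(dst, src) for src, dst in remote_pairs}
    unmatched_local = sorted(local_pairs - remote_mirrored, key=str)
    unmatched_remote = sorted(remote_mirrored - local_pairs, key=str)
    return unmatched_local, unmatched_remote


def check_peers(local_cfg, local_acl, remote_cfg, remote_acl):
    """Parse both peers' crypto ACLs and report the entries that do not mirror."""
    local = parse_crypto_acl(local_cfg, local_acl)
    remote = parse_crypto_acl(remote_cfg, remote_acl)
    return find_proxy_mismatches(local, remote)


# Constructed sample configs with hypothetical addresses. The remote side uses
# a /16 mask where the local side uses /24, so phase 2 proxy IDs will not match.
LOCAL_CONFIG = """\
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list vpn-remote-branch-1 extended permit ip 192.168.3.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list vpn-remote-branch-1 extended permit ip host 192.168.3.11 10.21.0.0 255.255.255.0
nat (inside) 0 access-list no-nat
crypto map remote-branch 10 match address vpn-remote-branch-1
"""

REMOTE_CONFIG_BAD = """\
access-list vpn-hq extended permit ip 10.20.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list vpn-hq extended permit ip 10.21.0.0 255.255.255.0 host 192.168.3.11
crypto map hq 10 match address vpn-hq
"""

# Same remote config with the mask corrected to /24 on the first entry.
REMOTE_CONFIG_FIXED = REMOTE_CONFIG_BAD.replace("255.255.0.0", "255.255.255.0")


if __name__ == "__main__":
    for label, remote in (("bad", REMOTE_CONFIG_BAD), ("fixed", REMOTE_CONFIG_FIXED)):
        unmatched_local, unmatched_remote = check_peers(
            LOCAL_CONFIG, "vpn-remote-branch-1", remote, "vpn-hq")
        print(f"[{label}] local entries with no mirror on remote: {unmatched_local}")
        print(f"[{label}] remote entries with no mirror on local: {unmatched_remote}")
```

Run it against the two configs and the "bad" case reports the 192.168.3.0/24 to 10.20.0.0/24 entry as unmatched on the remote side (and the remote's /16 version as unmatched locally), while the "fixed" case reports nothing. The same parse is what you would do by hand when comparing the ACL referenced by `crypto map ... match address` on each peer; the script just makes the mask comparison mechanical.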
09-03-2008 02:58 AM
I double checked each point and everything on the ACLs seems to be ok. Do you have any more ideas? Thanks
09-03-2008 02:59 AM
OK, post the configs.