09-18-2008 02:15 PM
I'm trying to create a site to site IPSec VPN between a Cisco 1801 and a 3Com 858. Phase 1 completes but during Phase 2 I see a message that the peer is not found and consequently no proposal is chosen. How can the peer not be found if it had already negotiated IKE Phase 1 with that peer? It looks like the attributes are negotiated successfully.
Debug attached.
Thanks!
Rob
09-18-2008 06:09 PM
There are no debugs here.
Phase 2 attributes should also match, and you should see the ISAKMP SA (phase 1 SA) being authenticated, i.e. the ISAKMP keys should be the same.
Match the following phase 2 attributes:
1. Crypto ACL: mirror image of the other end.
2. Transform set
3. SA lifetime/ipsec lifetime
4. Check if PFS is not enabled.
HTH
Saju
Pls rate helpful posts
09-18-2008 06:27 PM
Hi Saju, thanks for your reply. The other end is a SOHO router and it only has basic web configuration, so I can't really mirror the ACL, but I have the equivalent set up. The transform sets and lifetimes do match. What do you make of this debug?
179561: *Sep 18 10:26:02.249 PCTime: ISAKMP:(2289):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
179562: *Sep 18 10:26:02.477 PCTime: ISAKMP (0:2289): received packet from X.X.X.X dport 500 sport 500 Global (R) QM_IDLE
179563: *Sep 18 10:26:02.477 PCTime: ISAKMP: set new node 265439381 to QM_IDLE
179564: *Sep 18 10:26:02.477 PCTime: crypto_engine: Decrypt IKE packet
179565: *Sep 18 10:26:02.477 PCTime: crypto_engine: Generate IKE hash
179566: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289): processing HASH payload. message ID = 265439381
179567: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289): processing SA payload. message ID = 265439381
179568: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289):Checking IPSec proposal 1
179569: *Sep 18 10:26:02.477 PCTime: ISAKMP: transform 1, ESP_3DES
179570: *Sep 18 10:26:02.481 PCTime: ISAKMP: attributes in transform:
179571: *Sep 18 10:26:02.481 PCTime: ISAKMP: group is 2
179572: *Sep 18 10:26:02.481 PCTime: ISAKMP: encaps is 1 (Tunnel)
179573: *Sep 18 10:26:02.481 PCTime: ISAKMP: SA life type in seconds
179574: *Sep 18 10:26:02.481 PCTime: ISAKMP: SA life duration (basic) of 3600
179575: *Sep 18 10:26:02.481 PCTime: ISAKMP: authenticator is HMAC-MD5
179576: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):atts are acceptable.
179577: *Sep 18 10:26:02.481 PCTime: IPSEC(crypto_ipsec_process_proposal): peer address X.X.X.X not found
179578: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289): IPSec policy invalidated proposal with error 64
179579: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289): phase 2 SA policy not acceptable! (local Y.Y.Y.Y remote X.X.X.X)
179580: *Sep 18 10:26:02.481 PCTime: ISAKMP: set new node 596285921 to QM_IDLE
179581: *Sep 18 10:26:02.481 PCTime: crypto_engine: Generate IKE hash
179582: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
09-19-2008 06:04 AM
Since it says "179576: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):atts are acceptable."
I think it has to be a Crypto ACL mismatch. Check and match it as a mirror image of the other side. How do you define interesting traffic for VPN on the SOHO router? Maybe you can post a screenshot of the web interface of the SOHO router for us.
One more thing, can you post the config of the router? I just want to check if the IPsec traffic is bypassing NAT; the same thing has to be done on the SOHO router on the other side.
09-19-2008 01:59 PM
It turns out the crypto maps were applied in the wrong sequence. There was an old one with a higher sequence number that was no longer in use and was using the same ACL. When I removed it the tunnel came up.
Thanks for your help.
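The resolution above (a stale crypto map entry with a higher sequence number still referencing the same crypto ACL) and Saju's checklist item about the crypto ACL being a mirror image of the other end are both the kind of thing that is easy to audit from a saved running-config before touching the debug. The following Python is an added example, not code from the thread or from Cisco; it parses a constructed IOS-style configuration snippet (the peer addresses, map name `VPN`, transform-set name and ACL name are all made up for illustration), reports any crypto map whose entries share one `match address` ACL, listing the lowest sequence number first since that is the entry IOS evaluates first, and generates the mirror-image ACL lines the remote side would need for a simple `permit ip` crypto ACL.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not the poster's config). It reproduces the
# situation from the thread: entries 10 and 20 of crypto map "VPN" both reference
# the crypto ACL VPN-TRAFFIC, and entry 20 is a leftover for a peer no longer used.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TS-3DES-MD5 esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-3DES-MD5
 match address VPN-TRAFFIC
crypto map VPN 20 ipsec-isakmp
 set peer 198.51.100.5
 set transform-set TS-3DES-MD5
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

MAP_HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")


def parse_crypto_maps(config):
    """Return one dict per crypto map entry: map name, sequence number,
    peers, transform sets and the crypto ACL named by 'match address'."""
    entries, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = MAP_HEADER.match(line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)),
                       "peers": [], "transform_sets": [], "acl": None}
            entries.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None          # any top-level command ends the entry
            continue
        cmd = line.split()
        if cmd[:2] == ["set", "peer"]:
            current["peers"].append(cmd[2])
        elif cmd[:2] == ["set", "transform-set"]:
            current["transform_sets"].extend(cmd[2:])
        elif cmd[:2] == ["match", "address"]:
            current["acl"] = cmd[2]
    return entries


def find_shared_acls(entries):
    """Map (crypto map, ACL) pairs referenced by more than one entry of that
    map to their sequence numbers, lowest (first evaluated) first."""
    by_acl = defaultdict(list)
    for e in entries:
        if e["acl"]:
            by_acl[(e["map"], e["acl"])].append(e["seq"])
    return {k: sorted(v) for k, v in by_acl.items() if len(v) > 1}


def mirror_acl(acl_lines):
    """Swap source and destination of 'permit ip SRC WC DST WC' lines to give
    the crypto ACL the other end should carry (simple ip-only ACLs)."""
    mirrored = []
    for line in acl_lines:
        t = line.split()
        if len(t) == 6 and t[:2] == ["permit", "ip"]:
            mirrored.append(f"permit ip {t[4]} {t[5]} {t[2]} {t[3]}")
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
    return mirrored


def audit(config):
    """Human-readable findings for the crypto map checks above."""
    findings = []
    for (name, acl), seqs in find_shared_acls(parse_crypto_maps(config)).items():
        findings.append(f"crypto map {name}: entries {seqs} all match ACL {acl}; "
                        f"entry {seqs[0]} is evaluated first, review the rest")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f)
    print(mirror_acl(["permit ip 10.1.1.0 0.0.0.255 192.168.50.0 0.0.0.255"]))
```

Run against a saved `show running-config`, the audit prints each crypto map whose entries compete for the same interesting-traffic ACL; removing the stale entry, as the original poster did, clears the finding. The mirror helper only handles plain `permit ip` lines, which is enough to produce the peer-side rule a SOHO web form expects.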