Troubleshooting site to site VPN between 1801 and 3Com 858

rbootsma
Level 1

I'm trying to create a site to site IPSec VPN between a Cisco 1801 and a 3Com 858. Phase 1 completes but during Phase 2 I see a message that the peer is not found and consequently no proposal is chosen. How can the peer not be found if it had already negotiated IKE Phase 1 with that peer? It looks like the attributes are negotiated successfully.

Debug attached.

Thanks!

Rob

4 Replies

singhsaju
Level 4

There are no debugs here.

Phase 2 attributes should also match, and you should see the ISAKMP SA (phase 1 SA) being authenticated, i.e. the ISAKMP keys should be the same.

Match the following phase 2 attributes:

1. Crypto ACL: mirror image of the other end.

2. Transform set

3. SA lifetime/ipsec lifetime

4. Check whether PFS is enabled.

HTH

Saju

Please rate helpful posts.

Hi Saju, thanks for your reply. The other end is a SOHO router and it only has basic web configuration, so I can't really mirror the ACL, but I have the equivalent set up. The transform sets and lifetimes do match. What do you make of this debug?

179561: *Sep 18 10:26:02.249 PCTime: ISAKMP:(2289):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
179562: *Sep 18 10:26:02.477 PCTime: ISAKMP (0:2289): received packet from X.X.X.X dport 500 sport 500 Global (R) QM_IDLE
179563: *Sep 18 10:26:02.477 PCTime: ISAKMP: set new node 265439381 to QM_IDLE
179564: *Sep 18 10:26:02.477 PCTime: crypto_engine: Decrypt IKE packet
179565: *Sep 18 10:26:02.477 PCTime: crypto_engine: Generate IKE hash
179566: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289): processing HASH payload. message ID = 265439381
179567: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289): processing SA payload. message ID = 265439381
179568: *Sep 18 10:26:02.477 PCTime: ISAKMP:(2289):Checking IPSec proposal 1
179569: *Sep 18 10:26:02.477 PCTime: ISAKMP: transform 1, ESP_3DES
179570: *Sep 18 10:26:02.481 PCTime: ISAKMP: attributes in transform:
179571: *Sep 18 10:26:02.481 PCTime: ISAKMP: group is 2
179572: *Sep 18 10:26:02.481 PCTime: ISAKMP: encaps is 1 (Tunnel)
179573: *Sep 18 10:26:02.481 PCTime: ISAKMP: SA life type in seconds
179574: *Sep 18 10:26:02.481 PCTime: ISAKMP: SA life duration (basic) of 3600
179575: *Sep 18 10:26:02.481 PCTime: ISAKMP: authenticator is HMAC-MD5
179576: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):atts are acceptable.
179577: *Sep 18 10:26:02.481 PCTime: IPSEC(crypto_ipsec_process_proposal): peer address X.X.X.X not found
179578: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289): IPSec policy invalidated proposal with error 64
179579: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289): phase 2 SA policy not acceptable! (local Y.Y.Y.Y remote X.X.X.X)
179580: *Sep 18 10:26:02.481 PCTime: ISAKMP: set new node 596285921 to QM_IDLE
179581: *Sep 18 10:26:02.481 PCTime: crypto_engine: Generate IKE hash
179582: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

Since it says "179576: *Sep 18 10:26:02.481 PCTime: ISAKMP:(2289):atts are acceptable."

I think it has to be a crypto ACL mismatch. Check and match it as a mirror image of the other side. How do you define interesting traffic for the VPN on the SOHO router? Maybe you can post a screenshot of the web interface of the SOHO router for us.

One more thing, can you post the config of the router? I just want to check whether the IPsec traffic is bypassing NAT; the same thing has to be done on the SOHO router on the other side.

It turns out the crypto maps were applied in the wrong sequence. There was an old one with a higher sequence number that was no longer in use and was using the same ACL. When I removed it the tunnel came up.

Thanks for your help.
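The debug above fails after "atts are acceptable" with "peer address ... not found", which is a different failure stage from a transform-set mismatch. The following triage script is an added example (not from the thread or from Cisco): it scans IOS IKE/IPsec debug output for those markers and names the stage at which Quick Mode failed. The sample debug lines are a constructed, trimmed copy of the thread's output with placeholder addresses, and the verdict labels are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Constructed sample: trimmed IOS "debug crypto isakmp/ipsec" output as seen in the
# thread, with the placeholder peer address X.X.X.X kept as-is.
SAMPLE_DEBUG = """\
179561: ISAKMP:(2289):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
179567: ISAKMP:(2289): processing SA payload. message ID = 265439381
179569: ISAKMP: transform 1, ESP_3DES
179575: ISAKMP: authenticator is HMAC-MD5
179576: ISAKMP:(2289):atts are acceptable.
179577: IPSEC(crypto_ipsec_process_proposal): peer address X.X.X.X not found
179578: ISAKMP:(2289): IPSec policy invalidated proposal with error 64
179582: ISAKMP:(2289):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Markers taken from the debug text in the thread (plus the "not acceptable" form
# IOS prints when a transform does not match).
PATTERNS = {
    "phase1_complete": re.compile(r"New State = IKE_P1_COMPLETE"),
    "atts_ok": re.compile(r"atts are acceptable"),
    "atts_rejected": re.compile(r"atts are not acceptable"),
    "peer_not_found": re.compile(r"peer address (\S+) not found"),
    "proposal_not_chosen": re.compile(r"PROPOSAL_NOT_CHOSEN"),
}


def triage(debug_text: str) -> Dict[str, object]:
    """Return which markers appeared, the peer named (if any), and a verdict label."""
    found = {key: False for key in PATTERNS}
    peer: Optional[str] = None
    for line in debug_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                found[key] = True
                if key == "peer_not_found":
                    peer = m.group(1)
    # Decision order: phase 1 first, then the phase 2 attribute check, then the
    # crypto-map/peer lookup that runs only after the attributes were accepted.
    if not found["phase1_complete"]:
        verdict = "phase1_incomplete"       # ISAKMP policy or pre-shared key
    elif found["atts_rejected"]:
        verdict = "transform_set_mismatch"  # ESP cipher/auth, lifetime, PFS
    elif found["atts_ok"] and found["peer_not_found"]:
        verdict = "crypto_map_binding"      # transforms match; no crypto map entry
        # ties this peer to the proxy IDs: check sequence numbers, peer, crypto ACL
    elif found["proposal_not_chosen"]:
        verdict = "phase2_policy"
    else:
        verdict = "no_failure_seen"
    return {"verdict": verdict, "peer": peer, **found}
```

The excerpt must include the phase 1 state transition, otherwise the script reports phase 1 as incomplete rather than guessing.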
