07-22-2009 02:57 AM - edited 03-11-2019 08:57 AM
Hi all, I have a problem with a VPN between an 857 router and an ASA 5510. From the log I can't understand what the issue is.
Debug:
*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1
*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
857 conf:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address 2.2.2.2
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
set pfs group2
match address 100
!
ASA conf:
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800
crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
Anyone have idea of the possible problem?
TIA Enrico.
07-22-2009 04:20 AM
Check the IP addresses of the peers and the physical interfaces.
07-22-2009 04:57 AM
The IP addresses of the two peers are correct. For the physical interface, what do you mean? Which check?
Thanks, Enrico.
07-22-2009 05:04 AM
If one device has a VPN peer address of 1.1.1.1, then its local IP address must be 2.2.2.2.
So the other device must have a VPN peer address of 2.2.2.2, and its local IP address must be 1.1.1.1.
07-22-2009 05:15 AM
Yes, the IPs are correct.
07-22-2009 05:16 AM
Try setting the crypto map pfs on the ASA to group2 so that it matches the router.
crypto map TELEFIN_LAN_map 1 set pfs group2
07-22-2009 05:55 AM
group2 is the default PFS value.
07-23-2009 06:32 AM
What do the crypto ACLs look like?
07-23-2009 11:16 PM
On the 857 router:
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload
route-map SDM_RMAP_1 permit 1
match ip address 101
On ASA
access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
I hope this is all that's necessary...
07-24-2009 07:57 AM
Hi,
You missed the following on ASA:
crypto map TELEFIN_LAN_map 1 ipsec-isakmp
####
phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)
########
The debug message essentially says: the phase 2 SA policy is not matching and was not acceptable. After making the changes, remove and re-apply the crypto map.
Give it a try.
Fuming
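A phase 2 proposal is only accepted when the crypto ACLs on both peers are exact mirrors of each other, and the thread shows the IOS side written with wildcard masks while the ASA side uses netmasks. As an added example (not from the original thread or from Cisco), the script below parses both ACL styles into network pairs and reports any pair that has no mirror on the other side; the sample ACLs are copied from the posts above, and the extra 172.29.0.0/16 line in the second check is a constructed mismatch.

```python
"""Check that two IPsec crypto ACLs (IOS wildcard style vs ASA netmask style) mirror each other."""
import ipaddress
import re

# Sample input copied from the thread: the 857 router's crypto ACL (wildcard masks).
IOS_ACL = """
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
"""
# Sample input copied from the thread: the ASA's crypto ACL (netmasks).
ASA_ACL = """
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""


def wildcard_to_network(addr, wildcard):
    """IOS wildcard: 0 bits are fixed, so invert it to obtain the netmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ios_acl(text):
    """Return the set of (source, destination) networks permitted by an IOS ACL."""
    pairs = set()
    for m in re.finditer(r"permit ip (\S+) (\S+) (\S+) (\S+)", text):
        pairs.add((wildcard_to_network(m.group(1), m.group(2)),
                   wildcard_to_network(m.group(3), m.group(4))))
    return pairs


def parse_asa_acl(text):
    """Return the set of (source, destination) networks permitted by an ASA extended ACL."""
    pairs = set()
    for m in re.finditer(r"extended permit ip (\S+) (\S+) (\S+) (\S+)", text):
        pairs.add((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
                   ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Pairs on either side whose (dst, src) mirror is missing on the other side."""
    mirrored_remote = {(dst, src) for src, dst in remote_pairs}
    return (local_pairs - mirrored_remote) | (mirrored_remote - local_pairs)


if __name__ == "__main__":
    bad = mirror_mismatches(parse_ios_acl(IOS_ACL), parse_asa_acl(ASA_ACL))
    print("crypto ACLs mirror each other" if not bad else f"mismatched pairs: {bad}")
```

An empty result means the ACLs are not the cause and attention should move to the crypto map entry, transform set and PFS settings discussed above.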
08-02-2009 11:41 PM
If I add the line:
crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
ERROR: Unable to initialized crypto map entry