site2site tunnel issue

epasqualotto
Level 1

Hi all, I have a problem with a VPN between an 857 router and an ASA 5510. From the log I can't understand what the issue is.

Debug:

*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1
*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

857 conf:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 2.2.2.2
crypto isakmp fragmentation
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
!

ASA conf:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap
crypto map TELEFIN_LAN_map 1 set pfs
crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1
crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA
crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800
crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000
crypto map TELEFIN_LAN_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *

Does anyone have an idea of the possible problem?

TIA Enrico.

10 Replies

andrew.prince
Level 10

Check the IP address of the peers and the physical interfaces.

The IP addresses of the two peers are correct; for the physical interface, what do you mean? Which check?

Thanks Enrico.

If one device has the VPN peer address of 1.1.1.1, then its local IP address must be 2.2.2.2.

So the other device must have a VPN peer address of 2.2.2.2, so its local IP address must be 1.1.1.1.

Yes, the IPs are correct.

hsbcsydney
Level 1

Try setting the crypto map pfs on the ASA to group2 so that it matches the router.

crypto map TELEFIN_LAN_map 1 set pfs group2

group2 is the default value for pfs

jwalker
Level 3

What do the crypto ACLs look like?

On the 857 router:

access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 101 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload
route-map SDM_RMAP_1 permit 1
 match ip address 101

On ASA:

access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0

I hope this is all that's necessary...
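The replies so far ask the poster to verify, by eye, the things two IPsec peers must mirror before a phase 2 SA can be negotiated: each side's `set peer` must be the other side's local address, the selected transform-sets and PFS group must agree, and the crypto ACLs must be exact mirror images (the ASA's source/destination pair reversed must equal the router's). The script below is an added example written for this thread, not Cisco tooling or anything from the original post: it parses the two crypto ACLs quoted above (IOS wildcard masks on the 857, ordinary subnet masks on the ASA) together with the crypto-map attributes from the posted configs and reports every asymmetry. It assumes, as hsbcsydney says, that `set pfs` with no group on the ASA means group2. It only checks the parameters the replies ask about; it does not diagnose the `invalid local address` message itself.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed copies of the crypto ACLs posted in the thread; the checker is an
# added example and not a Cisco tool.
ROUTER_ACL = """
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255
access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255
"""
ASA_ACL = """
access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0
access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0
"""


@dataclass(frozen=True)
class CryptoMapEntry:
    local: str          # address this side's crypto map is bound to
    peer: str           # 'set peer' on this side
    transform: tuple    # (cipher, integrity) of the selected transform-set
    pfs: str            # 'set pfs' group; ASA 'set pfs' with no group = group2 (assumed)
    proxies: frozenset  # (src_net, dst_net) pairs from the crypto ACL


def _ios_wildcard_net(addr, wildcard):
    # IOS ACLs use inverted masks: 0.0.255.255 is the /16 mask 255.255.0.0.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_ios_acl(text, number):
    pat = re.compile(rf"^access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return frozenset((_ios_wildcard_net(s, sw), _ios_wildcard_net(d, dw))
                     for s, sw, d, dw in pat.findall(text))


def parse_asa_acl(text, name):
    # ASA extended ACLs carry ordinary subnet masks.
    pat = re.compile(rf"^access-list {name} extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return frozenset((ipaddress.IPv4Network(f"{s}/{sm}", strict=False),
                      ipaddress.IPv4Network(f"{d}/{dm}", strict=False))
                     for s, sm, d, dm in pat.findall(text))


def check_phase2(a, b):
    """Return the reasons two crypto-map entries cannot form a phase 2 SA (empty = consistent)."""
    problems = []
    if a.peer != b.local or b.peer != a.local:
        problems.append(f"peer/local mismatch: {a.local}->{a.peer} vs {b.local}->{b.peer}")
    if a.transform != b.transform:
        problems.append(f"transform-set mismatch: {a.transform} vs {b.transform}")
    if a.pfs != b.pfs:
        problems.append(f"pfs mismatch: {a.pfs} vs {b.pfs}")
    # Proxy identities must be exact mirrors: b's (src, dst) reversed == a's (src, dst).
    mirrored = frozenset((d, s) for s, d in b.proxies)
    for src, dst in sorted(a.proxies - mirrored, key=str):
        problems.append(f"{a.local} protects {src}->{dst} but {b.local} has no mirror entry")
    for src, dst in sorted(mirrored - a.proxies, key=str):
        problems.append(f"{b.local} protects {dst}->{src} but {a.local} has no mirror entry")
    return problems


# Attributes taken from the two crypto maps posted in the thread.
ROUTER = CryptoMapEntry("1.1.1.1", "2.2.2.2", ("esp-3des", "esp-sha-hmac"), "group2",
                        parse_ios_acl(ROUTER_ACL, 100))
ASA = CryptoMapEntry("2.2.2.2", "1.1.1.1", ("esp-3des", "esp-sha-hmac"), "group2",
                     parse_asa_acl(ASA_ACL, "OUTSIDE_1_cryptomap"))

if __name__ == "__main__":
    for line in check_phase2(ROUTER, ASA) or ["phase 2 parameters mirror correctly"]:
        print(line)
```

Run against the posted configs it reports no asymmetry, which is consistent with the replies' checks coming back clean; drop one ACL line or change a transform-set on either side and the corresponding mismatch is printed, which is the kind of difference the `phase 2 SA policy not acceptable` debug would otherwise leave you to find by hand.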

fmjiang1966
Level 1

Hi,

You missed the following on ASA:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp

####

phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

########

The debug message essentially says the phase 2 SA policy is not matching and was not acceptable. After making changes, remove and re-apply the crypto map.

Give it a try.

Fuming

If I add the line:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ERROR: Unable to initialized crypto map entry
