Simple VPN lab not working

Unanswered Question
Feb 16th, 2010

Hi,

I have a PIX and a Cisco router.  I am trying to create a simple VPN between the 2.  The outside interfaces of both simply go into a VLAN on a 3650.  I'm using a loopback on the router for the LAN and my laptop is plugged into the inside of the firewall.

If I ping 172.16.1.1 from my laptop I can see the VPN come up, but only for a few seconds, and I have noticed these errors on both devices. Can you see from the configs and errors what I am missing?

errors from pix:

Feb 16 21:06:14 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, Removing peer from correlator table failed, no match!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, QM FSM error (P2 struct &0x3626740, mess id 0xc5d75b17)!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, Removing peer from correlator table failed, no match!

From VPN router:

C2621MX#debug crypto ipsec err
C2621MX#debug crypto ipsec error
Crypto IPSEC Error debugging is on
C2621MX#
Feb 16 21:10:50.791: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Feb 16 21:10:50.791: ISAKMP (0:1): atts are not acceptable. Next payload is 3
Feb 16 21:10:50.791: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Feb 16 21:10:50.795: ISAKMP (0:1): atts are not acceptable. Next payload is 3
C2621MX#
Feb 16 21:10:52.835: IPSEC(validate_transform_proposal): invalid local address 10.10.10.2
Feb 16 21:10:52.835: ISAKMP (0:1): IPSec policy invalidated proposal
Feb 16 21:10:52.835: ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.10.10.2 remote 10.10.10.1)
Feb 16 21:10:52.839: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -637052705: state = IKE_QM_READY
C2621MX#
Feb 16 21:10:52.839: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.10.10.1
C2621MX#

Yudong Wu Tue, 02/16/2010 - 21:48

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map andymap 1 ipsec-isakmp
set peer 10.10.10.1
set security-association lifetime seconds 86400
set pfs group5
match address 123
!
In crypto map, I did not see "set transform-set myset"
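
The check the reply makes by eye, as an added example (not part of the original thread and not a Cisco tool): a small Python linter that parses static `crypto map ... ipsec-isakmp` entries and reports a missing `set peer`, `set transform-set` or `match address`, plus any reference to a transform set that is never defined. The function name `lint_crypto_maps` is hypothetical and the sample config is constructed from the lines quoted in the reply.

```python
import re

# Constructed sample: the IOS lines quoted in the reply above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map andymap 1 ipsec-isakmp
set peer 10.10.10.1
set security-association lifetime seconds 86400
set pfs group5
match address 123
!
"""

REQUIRED = ("set peer", "set transform-set", "match address")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")  # static entries only
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+)")


def lint_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for incomplete crypto map entries."""
    defined_tsets, entries, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := TSET_RE.match(line):
            defined_tsets.add(m.group(1))
            current = None
        elif m := MAP_RE.match(line):
            current = entries.setdefault((m.group(1), int(m.group(2))), [])
        elif current is not None and line.startswith(("set ", "match ")):
            current.append(line)  # sub-command of the open entry
        else:
            current = None  # "!" or any other command closes the entry
    findings = {}
    for key, cmds in entries.items():
        problems = [f"missing '{req}'" for req in REQUIRED
                    if not any(c.startswith(req + " ") for c in cmds)]
        for c in cmds:
            if c.startswith("set transform-set "):
                problems += [f"undefined transform-set '{name}'"
                             for name in c.split()[2:] if name not in defined_tsets]
        if problems:
            findings[key] = problems
    return findings


if __name__ == "__main__":
    for (name, seq), problems in lint_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: {', '.join(problems)}")
```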
