VPN OK on 1812 - not on 2811 !!!

Answered Question
Jun 9th, 2010

Hi,


I'm losing my mind... I configured remote IPsec VPN client access on two 1812 routers. It works like a charm.

I take the same config and apply it on a 2811, and it doesn't work... Error during IPsec phase 2.


I re-re-re-re-rechecked the config; it perfectly matches the config done on the 1812 (and I use the same template for 876, 1841, ...).

I tried 4 different IOS images: 12.2.24T3 Adventerprise, 12.2.15T13 Adventerprise and Advipservices, and also 12.2.25c Adventerprise. Nothing changes... still the same error...


I've applied this config on another 2811, same issue. Is there anything wrong with this model concerning IPsec VPN client config? Or should I use a specific IOS?



Thanks for sharing your experience,


Regards,

Olivier


Config is:

aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauth local
!
! Phase 1 (IKE) policy
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
! Group attributes pushed to the VPN clients: pre-shared key, DNS domain, address pool, split-tunnel ACL
crypto isakmp client configuration group mmrouter008
 key xxxxxxxxxxxxxxxx
 domain xxxxxxx.com
 pool POOL_VPN
 acl 134
!
crypto isakmp profile mmrouter008
 match identity group mmrouter008
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 10
 set transform-set vpnuser_trans
 set isakmp-profile mmrouter008
 reverse-route
!
crypto map MAPPP 100 ipsec-isakmp dynamic mydynamicmap
!
interface FastEthernet0/0
 crypto map MAPPP
!
ip local pool POOL_VPN 10.50.10.1 10.50.10.254
!
! Split-tunnel ACL: only LAN <-> client-pool traffic goes through the tunnel
access-list 134 permit ip 192.168.71.0 0.0.0.255 10.50.10.0 0.0.0.255
Correct Answer
Federico Coto F... Wed, 06/09/2010 - 15:02

Oliver,


Should work as you said.

What is the error specifically that you get regarding phase 2?


Federico.

olivier.jessel Thu, 06/10/2010 - 00:08

Hi Federico,


Here is the log of the VPN connection (debug crypto isakmp).


The error I can see is:

ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 195.243.171.112 remote 195.243.171.97)
ISAKMP: set new node -1712530148 to QM_IDLE
ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3


To be clear, 195.243.171.112 is the VPN router.


It's just strange. I have used this config many times and it's the first time I have had such a problem.


Olivier

olivier.jessel Thu, 06/10/2010 - 00:39

Whoa, OK, I found the issue.

I have HSRP on the interface where the crypto map is applied.

The router replies with the physical IP address and not with the virtual IP address. Then IPsec phase 2 fails!


Does anyone know how to make both work together?


Thanks in advance


Olivier

olivier.jessel Thu, 06/10/2010 - 02:15

OK, I finally fixed this HSRP+IPsec dynamic map config.

Now it works. I'm going to test all of this when I configure the second HSRP router.


Thanks again for your help ;-)


++

Olivier
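
Editor's note: the thread ends without showing the change that made HSRP and the dynamic crypto map work together. The fragment below is an added example, not Olivier's configuration, of the standard IOS way to do this: bind the crypto map to a named HSRP group so that IKE and IPsec terminate on the virtual address instead of the physical one (the mismatch that produced the "phase 2 SA policy not acceptable" / PROPOSAL_NOT_CHOSEN messages above). The interface name, the physical address 195.243.171.112 and the crypto map name MAPPP come from the thread; the subnet mask, the virtual IP 195.243.171.100, the HSRP group number and the standby name VPN-HSRP are assumed values for illustration.

```cisco
! Added example (not from the thread): HSRP-aware crypto map, IPsec stateless failover.
! Assumed: mask /27, virtual IP 195.243.171.100, HSRP group 1 named VPN-HSRP.
! From the thread: interface FastEthernet0/0, physical IP 195.243.171.112, crypto map MAPPP.
interface FastEthernet0/0
 ip address 195.243.171.112 255.255.255.224
 standby 1 ip 195.243.171.100
 standby 1 priority 110
 standby 1 preempt
 ! The crypto map must reference the group by its standby name, so the group needs one
 standby 1 name VPN-HSRP
 ! Bind the crypto map to the HSRP group: ISAKMP/IPsec now source from and answer on the virtual IP
 crypto map MAPPP redundancy VPN-HSRP
!
! The VPN clients are pointed at the virtual IP 195.243.171.100, never at a physical address.
! The second HSRP router carries the identical crypto configuration (isakmp policy, client group,
! isakmp profile, transform set, dynamic map, pool and ACL 134), the same "standby 1 name VPN-HSRP",
! and the same "crypto map MAPPP redundancy VPN-HSRP", with only its own physical address differing.
```

To check the result: `show standby brief` should show the group Active on one router and Standby on the other, and once a client connects, `show crypto isakmp sa` on the active router should list 195.243.171.100 (the virtual IP) as the local address, not the physical one. Two caveats a practitioner will care about: without the `stateful` keyword this is stateless failover, so existing SAs are dropped on a switchover and clients must re-establish IKE to the virtual IP; and because the dynamic map uses `reverse-route`, the routes for the client pool are injected only on the router that currently terminates the tunnels, which is exactly what you want when the address follows the HSRP active router.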
