Site-to-Site VPN, Phase2, ISAKMP Problem

Answered Question
Sep 6th, 2010

Hi All,

I have a problem configuring a site-to-site VPN on two Cisco 1841 (C1841-ADVSECURITYK9-M, Version 12.4(3i)) routers.

I could see several discussions with similar problems, but no help, and I could not find any solved problem either.

Please see the two attached documents: the first one with config samples from both the local and remote routers, and the second one with the output from debugging.

I double-checked the configs on both routers and it seems like both are fine.

The strange thing is that the tunnel is up all the time, but I get only 50% of the pings from the local networks. Pings between the local and remote peers go through 100%.

Please see the errors in the debug document.

Second thing: please pay attention to the subnet mask of the local interface of the local router (255.255.255.224). Is it maybe the root of the problem? It is not consistent with the access list, which uses the wildcard 0.0.0.255.

I think that this is the only thing I forgot to check today.

Is it maybe some IOS bug or something?

I appreciate any help in solving this problem.

Thank you in advance,

Correct Answer by Diego Armando C..., Mon, 09/06/2010 - 15:18

If your network is 255.255.255.224, then 255.255.255.224 must be in the ACL, so change that in both ACLs for the interesting traffic.


Check this out




*Sep  6 12:59:15.362: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address y.y.y.y (local peer)

*Sep  6 12:59:15.366: ISAKMP:(0:36:SW:1): IPSec policy invalidated proposal

*Sep  6 12:59:15.366: ISAKMP:(0:36:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y (local peer) remote x.x.x.x (remote peer))


This is not an issue related to Phase 1 but to Phase 2. The ACL must be changed.



LOCAL

access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255


REMOTE

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31


Change that first and then clear the SA and try again. I'm not sure why you are receiving only 50% of the replies from the remote site.

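An added example, not part of the thread and not the poster's or Diego's code: a small Python checker for the two rules the answer relies on, namely that the crypto ACL's address/wildcard pair describes the real subnet behind the LAN interface, and that the two peers' crypto ACLs are exact mirror images (local source/destination equals remote destination/source), which is what IOS compares when it validates the Phase 2 proxy identities. The "before" ACL with wildcard 0.0.0.255 is constructed from the question's description (the attachments are not on the page), the "after" pair is the one from the answer, and the LAN address 192.168.0.1 is an assumed example.

```python
import ipaddress

# Added example (not from the thread): sanity checks for IOS crypto ACLs.
# Two rules matter for Phase 2: the "address wildcard" pair must describe the
# real subnet behind the LAN interface, and the two peers' crypto ACLs must be
# exact mirror images (local src/dst == remote dst/src), because IOS matches
# the proxy identities proposed by the peer against its own crypto ACL.

ALL_ONES = 0xFFFFFFFF


def wildcard_for_mask(mask: str) -> str:
    """Return the IOS wildcard (inverse mask) for a dotted subnet mask."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network (wildcard 0.0.0.0 = host)."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES)
    try:
        return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)
    except ValueError as exc:  # a non-contiguous wildcard is not a subnet
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask") from exc


def _parse_addr(tokens, i):
    """Parse one address spec ('any', 'host A', or 'A W') starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text: str):
    """Return [(src_net, dst_net), ...] for every 'access-list N permit ip ...' line."""
    entries = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_addr(toks, 4)
        dst, _ = _parse_addr(toks, i)
        entries.append((src, dst))
    return entries


def mirror_mismatches(local_acl: str, remote_acl: str):
    """Local entries whose (dst, src) mirror is missing from the remote ACL."""
    remote = set(parse_crypto_acl(remote_acl))
    return [(s, d) for s, d in parse_crypto_acl(local_acl) if (d, s) not in remote]


def acl_source_matches_lan(acl_text: str, lan_ip: str, lan_mask: str) -> bool:
    """True if some entry's source network is exactly the LAN interface's subnet."""
    lan = ipaddress.IPv4Interface(f"{lan_ip}/{lan_mask}").network
    return any(src == lan for src, _ in parse_crypto_acl(acl_text))


# Constructed from the question's description (not the real attachments):
# a /27 LAN (255.255.255.224) but a crypto ACL written with the /24 wildcard.
LOCAL_BEFORE = "access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255"

# The corrected pair from the answer (0.0.0.31 is the wildcard for /27).
LOCAL_AFTER = "access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255"
REMOTE_AFTER = "access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31"

if __name__ == "__main__":
    print(wildcard_for_mask("255.255.255.224"))                    # 0.0.0.31
    print(mirror_mismatches(LOCAL_BEFORE, REMOTE_AFTER))           # one unmatched entry
    print(mirror_mismatches(LOCAL_AFTER, REMOTE_AFTER))            # []
    # 192.168.0.1 is an assumed LAN interface address for the /27
    print(acl_source_matches_lan(LOCAL_BEFORE, "192.168.0.1", "255.255.255.224"))  # False
```

With the /24 wildcard the local side proposes 192.168.0.0/24 as its proxy identity, and the corrected remote ACL has no entry whose destination is that network, so the mirror check reports one unmatched entry; once both ACLs use 0.0.0.31 the check is clean and the ACL source equals the interface's /27.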

Diego Armando C... Mon, 09/06/2010 - 15:21
User Badges:
  • Bronze, 100 points or more

Clear the SAs and the counters as well. Do a test with 100 pings, for example, and then send us the show crypto ipsec sa output to check who is not encapsulating or decapsulating the replies.
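An added example, not Diego's or the poster's code: a Python parser for the identity and counter lines of `show crypto ipsec sa` that walks the request/reply path across both peers after a counted ping test, which is the check Diego asks for. After the counters are cleared and N pings are sent from the local LAN, every counter on the path should read N: local encaps, then remote decaps (the requests), then remote encaps, then local decaps (the replies), and the first counter that falls short names the leg where packets go missing. The two outputs below are constructed to match the 50% symptom (100 requests out, 50 replies back) and use an assumed crypto map name VPNMAP; they are not the poster's attachments.

```python
import re

# Added example (not from the thread): walk a counted ping test across both
# peers' `show crypto ipsec sa` counters to find the leg that drops packets.
# Assumes counters were cleared first and N pings were sent from the local LAN,
# so every counter on the path should equal N.

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"
)


def parse_ipsec_sa(text: str) -> dict:
    """Extract identities and packet counters from one SA's show crypto ipsec sa output."""
    sa = {"local_ident": None, "remote_ident": None, "send_errors": 0, "recv_errors": 0}
    for m in IDENT_RE.finditer(text):
        sa[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"
    for m in COUNTER_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    for m in ERROR_RE.finditer(text):
        sa[f"{m.group(1)}_errors"] = int(m.group(2))
    return sa


def diagnose(local: dict, remote: dict, sent: int):
    """Return (leg, count, hint) for the first leg short of `sent`, or None if all match."""
    legs = [
        ("local encaps", local["encaps"],
         "the local router is not encrypting the requests: they do not match "
         "its crypto ACL or are routed around the tunnel"),
        ("remote decaps", remote["decaps"],
         "requests are encrypted locally but not decrypted remotely: lost in "
         "transit or rejected by the remote router"),
        ("remote encaps", remote["encaps"],
         "the remote router is not encrypting the replies: return traffic does "
         "not match its crypto ACL or is routed around the tunnel"),
        ("local decaps", local["decaps"],
         "replies are encrypted remotely but not decrypted locally: lost in "
         "transit or rejected by the local router"),
    ]
    for leg, count, hint in legs:
        if count < sent:
            return leg, count, hint
    return None


# Constructed outputs (not the poster's attachments), trimmed to the lines that
# matter, after 100 pings from the local LAN. VPNMAP is an assumed map name.
LOCAL_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr y.y.y.y

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""

REMOTE_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr x.x.x.x

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.224/0/0)
   current_peer y.y.y.y port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #send errors 0, #recv errors 0
"""

if __name__ == "__main__":
    # remote encaps is 50: the remote router encrypted only half of the replies
    print(diagnose(parse_ipsec_sa(LOCAL_SA), parse_ipsec_sa(REMOTE_SA), sent=100))
```

The parser takes the output for one SA pair; a router with several crypto-ACL entries prints one block per `local ident`, so split the output per block before parsing. In the constructed data the local router encrypted all 100 requests and the remote decrypted all 100, but the remote encrypted only 50 replies, so the loss sits on the remote side before encryption rather than in the tunnel itself.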

milevski_m Mon, 10/04/2010 - 01:13

Hi Diego,

Sorry for the late reply; I was on a trip and had no internet. However, thank you very much for your help. The solution you suggested solved my problem.

Thank you once again.
