I have a problem configuring a site-to-site VPN on two Cisco 1841 (C1841-ADVSECURITYK9-M, Version 12.4(3i)) routers.
I could see several discussions with similar problems, but no help, and I could not find any solved problem either.
Please see the two attached documents: the first one with config samples from both the local and remote routers, and the second one with the output from debugging.
I double-checked the configs on both routers and it seems like both are fine.
The strange thing is that the tunnel is up all the time, but I get only 50% of the pings from the local networks. Pings from the local and remote peers go through 100%.
Please see the errors in the debug document.
Second thing: please pay attention to the subnet mask of the local interface of the local router (255.255.255.224). Is it maybe the root of the problem? It is not consistent with the access list, which uses the wildcard 0.0.0.255.
I think that this is the only thing I forgot to check today.
Is it maybe some IOS bug or something?
I appreciate any help to solve this problem.
Thank you in advance,
If your network is 255.255.255.224, then 255.255.255.224 must be in the ACL, so change that in both ACLs for the interesting traffic.
Check this out:
*Sep 6 12:59:15.362: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address y.y.y.y (local peer)
*Sep 6 12:59:15.366: ISAKMP:(0:36:SW:1): IPSec policy invalidated proposal
*Sep 6 12:59:15.366: ISAKMP:(0:36:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y (local peer) remote x.x.x.x (remote peer))
This is not an issue related to phase 1 but to phase 2. The ACL must be changed:
access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31
Change that first and then clear the SA and try again. I'm not sure why you are receiving only 50% of the replies from the remote site.
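As an added illustration of the check the reply describes (not code from the thread or from Cisco), the script below converts the interface subnet mask to its ACL wildcard, parses the interesting-traffic ACEs, and reports any ACE whose local network does not equal the interface subnet or that lacks a mirror-image entry on the remote router. The interface address 192.168.0.1 and the "broken" ACL lines are constructed for the example.

```python
import ipaddress
import re

# Matches the simple extended ACE form used for interesting traffic in the thread.
ACE_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_prefixlen(wildcard):
    """Convert a Cisco wildcard (inverse) mask such as 0.0.0.31 to a prefix length."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(inverted).count("1")
    # A subnet wildcard inverts to a run of ones then zeros; discontiguous
    # wildcards are legal in IOS but do not describe a single subnet.
    if inverted != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} has no single-subnet equivalent")
    return prefixlen


def mask_to_wildcard(netmask):
    """Turn an interface subnet mask (255.255.255.224) into its ACL wildcard (0.0.0.31)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def parse_ace(line):
    """Return (src_network, dst_network) for one 'access-list N permit ip ...' line."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    _, src, swc, dst, dwc = m.groups()
    # strict=False tolerates host bits in the address, as IOS normalises them.
    return (ipaddress.ip_network(f"{src}/{wildcard_to_prefixlen(swc)}", strict=False),
            ipaddress.ip_network(f"{dst}/{wildcard_to_prefixlen(dwc)}", strict=False))


def check_crypto_acls(local_acl, remote_acl, local_iface_ip, local_iface_mask):
    """List ACEs whose local network differs from the LAN interface subnet, and
    local ACEs with no mirror-image (src/dst swapped) entry on the remote router."""
    iface_net = ipaddress.ip_network(f"{local_iface_ip}/{local_iface_mask}", strict=False)
    remote = {parse_ace(r) for r in remote_acl}
    problems = []
    for src, dst in (parse_ace(l) for l in local_acl):
        if src != iface_net:
            problems.append(f"{src} does not match interface subnet {iface_net}")
        if (dst, src) not in remote:
            problems.append(f"no mirror of {src} -> {dst} on remote router")
    return problems


# Constructed sample modelled on the thread: a /27 LAN interface with a /24 wildcard.
LOCAL_IFACE = ("192.168.0.1", "255.255.255.224")
BROKEN_LOCAL_ACL = ["access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255"]
BROKEN_REMOTE_ACL = ["access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255"]
FIXED_LOCAL_ACL = ["access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255"]
FIXED_REMOTE_ACL = ["access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31"]
```

Running `check_crypto_acls(BROKEN_LOCAL_ACL, BROKEN_REMOTE_ACL, *LOCAL_IFACE)` flags the /24 versus /27 mismatch, while the fixed pair returns an empty list.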