Site-to-Site VPN, Phase2, ISAKMP Problem

milevski_m
Level 1

Hi All,

I have a problem configuring a site-to-site VPN on two Cisco 1841 (C1841-ADVSECURITYK9-M, Version 12.4(3i)) routers.

I have seen several discussions with similar problems, but no help, and I could not find any solved problem either.

Please see the two attached documents: the first one with config samples from both the local and remote routers, and the second one with the output from debugging.

I double checked configs on both routers and it seems like both are fine.

The strange thing is that the tunnel is up all the time, but I get only 50% of the pings from the local networks. Pings between the local and remote peers go through at 100%.

Please see the errors in the debug document.

Second thing: please pay attention to the subnet mask of the local interface of the local router (255.255.255.224). Is it maybe the root of the problem, as it is not consistent with the access list, which uses wildcard 0.0.0.255?

I think that this is the only thing I forgot to check today.

Is it maybe some IOS bug or something?

I appreciate any help to solve this problem.

Thank you in advance,

Accepted Solution

If your network is 255.255.255.224, then 255.255.255.224 must be in the ACL, so change that in both ACLs for the interesting traffic.

Check this out

*Sep  6 12:59:15.362: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address y.y.y.y (local peer)

*Sep  6 12:59:15.366: ISAKMP:(0:36:SW:1): IPSec policy invalidated proposal

*Sep  6 12:59:15.366: ISAKMP:(0:36:SW:1): phase 2 SA policy not acceptable! (local y.y.y.y (local peer) remote x.x.x.x (remote peer))

This is not an issue related to phase 1 but to phase 2. The ACL must be changed:

LOCAL

access-list 100 permit ip 192.168.0.0 0.0.0.31 192.168.2.0 0.0.0.255

REMOTE

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.31

Change that first, then clear the SA and try again. I'm not sure why you are receiving only 50% of the replies from the remote site.


3 Replies


Clear the SAs and the counters as well. Do a test with 100 pings, for example, and then send us the show crypto ipsec sa output so we can check which side is not encapsulating or decapsulating the replies.
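The reply above describes the standard way to localize a 50% loss inside a tunnel that is up: zero the counters, send a known number of pings, and compare the encaps/decaps counters on both peers. The script below is an added example, not code from the thread or from Cisco. Both show outputs are constructed in the format IOS 12.4 prints for `show crypto ipsec sa`; the crypto map name, interface and peer placeholders x.x.x.x/y.y.y.y are assumptions, and the counter values are chosen to illustrate a run where the remote side only encrypts half of the replies.

```python
import re

# Constructed 'show crypto ipsec sa' output for the local peer after
# 'clear crypto sa counters' and 100 pings from the local LAN.
LOCAL_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr y.y.y.y

   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.224/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 500
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
    #send errors 0, #recv errors 0
"""

# Constructed output for the remote peer from the same test.
REMOTE_SHOW = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr x.x.x.x

   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.224/0/0)
   current_peer y.y.y.y port 500
    #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")


def parse_sa(text: str) -> dict:
    """Pull the proxy identities and the encaps/decaps counters out of one SA block."""
    sa = {"encaps": 0, "decaps": 0}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side + "_ident"] = f"{addr}/{mask}"
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    return sa


def diagnose(local: dict, remote: dict, sent: int) -> str:
    """Report the first point along the path where the ping count drops.

    Counter order for a request/reply pair: local encaps -> remote decaps ->
    (remote LAN host answers) -> remote encaps -> local decaps.
    """
    if local["encaps"] < sent:
        return "local side did not encrypt every request: local crypto ACL or routing"
    if remote["decaps"] < local["encaps"]:
        return "requests lost between the peers"
    if remote["encaps"] < remote["decaps"]:
        return ("replies missing on the remote side: host not answering, "
                "or remote crypto ACL/routing not catching the return traffic")
    if local["decaps"] < remote["encaps"]:
        return "replies lost between the peers"
    return "all counters consistent"


if __name__ == "__main__":
    local, remote = parse_sa(LOCAL_SHOW), parse_sa(REMOTE_SHOW)
    print(local["local_ident"], "<->", remote["local_ident"])
    print(diagnose(local, remote, sent=100))
```

With real output, paste each peer's block into the two strings; the local/remote ident lines also show directly whether the proxy IDs agree with the 255.255.255.224 mask discussed in the accepted answer.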

Hi Diego,

Sorry for the late reply, I was on a trip and had no internet. However, thank you very much for your help. The solution you suggested solved my problem.

Thank you once again.
