Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

site2site tunnel issue

Hi all, I have a problem with a VPN between a 857 router and ASA 5510. From log I can't understand what's the issue.

Debug:

*Jul 22 10:58:14.895: IPSEC(ipsec_process_proposal): invalid local address 1.1.1.1

*Jul 22 10:58:14.895: ISAKMP:(2003): IPSec policy invalidated proposal with error 8

*Jul 22 10:58:14.895: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

857 conf:

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxx address 2.2.2.2

crypto isakmp fragmentation

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel 2.2.2.2

set peer 2.2.2.2

set transform-set ESP-3DES-SHA

set pfs group2

match address 100

!

ASA conf:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map TELEFIN_LAN_map 1 match address OUTSIDE_1_cryptomap

crypto map TELEFIN_LAN_map 1 set pfs

crypto map TELEFIN_LAN_map 1 set peer 1.1.1.1

crypto map TELEFIN_LAN_map 1 set transform-set ESP-3DES-SHA

crypto map TELEFIN_LAN_map 1 set security-association lifetime seconds 28800

crypto map TELEFIN_LAN_map 1 set security-association lifetime kilobytes 4608000

crypto map TELEFIN_LAN_map interface OUTSIDE

crypto isakmp enable OUTSIDE

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

Anyone have idea of the possible problem?

TIA Enrico.

10 REPLIES

Re: site2site tunnel issue

Check the IP address of the peers and the physcial interfaces.

New Member

Re: site2site tunnel issue

The ip address of two peers are correct, for physical interface what do you mean? Which check?

Thanks Enrico.

Re: site2site tunnel issue

If one device has the VPN peer address of 1.1.1.1 - then it's local IP address must be 2.2.2.2

So the other device must have a VPN peer address of 2.2.2.2 so it's local IP address must be 1.1.1.1

New Member

Re: site2site tunnel issue

Yes, IP are correct.

New Member

Re: site2site tunnel issue

Try setting the crypto map pfs on the ASA to group2 so that it matches the router.

crypto map TELEFIN_LAN_map 1 set pfs group2

New Member

Re: site2site tunnel issue

group2 of pfs is the default value

Silver

Re: site2site tunnel issue

What do the crypto ACLs look like?

New Member

Re: site2site tunnel issue

On the 857 router:

access-list 100 permit ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255

access-list 100 permit ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255

access-list 101 deny ip 172.17.0.0 0.0.255.255 172.31.0.0 0.0.255.255

access-list 101 deny ip 172.17.0.0 0.0.255.255 172.30.0.0 0.0.255.255

access-list 101 permit ip 172.17.0.0 0.0.255.255 any

ip nat inside source route-map SDM_RMAP_1 pool net-ibs overload

route-map SDM_RMAP_1 permit 1

match ip address 101

On ASA

access-list DEV_Plant_nat0_outbound extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0

access-list DEV_Plant_nat0_outbound extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0

access-list OUTSIDE_1_cryptomap extended permit ip 172.31.0.0 255.255.0.0 172.17.0.0 255.255.0.0

access-list OUTSIDE_1_cryptomap extended permit ip 172.30.0.0 255.255.0.0 172.17.0.0 255.255.0.0

I hope this is all the necessary...

New Member

Re: site2site tunnel issue

Hi,

You missed the following on ASA:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp

####

phase 2 SA policy not acceptable! (local 1.1.1.1 remote 2.2.2.2)

########

The dedug message essentially says: phase 2 SA policy not matching, and was not acceptable. After making changes, remove and re-apply crypto map.

Have it a try.

Fuming

New Member

Re: site2site tunnel issue

If I add the line:

crypto map TELEFIN_LAN_map 1 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

ERROR: Unable to initialized crypto map entry

690
Views
0
Helpful
10
Replies
CreatePlease login to create content