Cisco Support Community

New Member

IPSEC tunnel issues - Phase two

Hi All!

I'm trying to attach an IPsec tunnel on my 2811.

I have P1 up:

173.X.0.X   24.X.237.X  QM_IDLE           6237 ACTIVE

but P2 fails with the following when I do debug crypto ipsec:

Nov 25 15:46:29.597: map_db_find_best did not find matching map
Nov 25 15:46:29.597: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov 25 15:46:29.689: IPSEC(validate_proposal_request): proposal part #1
Nov 25 15:46:29.689: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 173.X.0.X:0, remote= 24.X.237.X:0,
    local_proxy= 10.0.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.0.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0

The config part... let me know if you need anything else from the running config...

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <password> hostname <DNSNAME> no-xauth
crypto isakmp keepalive 10 periodic
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 70.X.119.X
 set peer 24.X.237.X
 set transform-set ParrentsVPn
 match address 101
crypto ipsec profile VTI
 set transform-set ParrentsVPn
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 24.102.237.206
 set transform-set ParrentsVPn
 match address 101
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
 mode transport

Extended IP access list 101
    10 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255 (445190 matches)
    20 permit ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
    30 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255 (93289 matches)
    40 permit ip host 173.163.0.213 host 24.102.237.206
    50 permit ip host 24.102.237.206 host 173.163.0.213
    60 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255

interface Tunnel90
 ip address 10.0.2.254 255.255.255.0
 ip mtu 1400
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 keepalive 60 3
 tunnel source FastEthernet0/0
 tunnel destination 24.X.237.X
 tunnel protection ipsec profile VTI

3 REPLIES
VIP Purple

Re: IPSEC tunnel issues - Phase two

There is very much that is quite strange with your config:

1) You are mixing crypto-map and VTI config in a way that doesn't seem to make any sense. What exactly do you want to achieve?
2) In this scenario you probably can't use transport mode.
3) The crypto ACL only needs the local view of the traffic that has to be protected.
4) The value used by ip tcp adjust-mss is too large for IPsec.


-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: IPSEC tunnel issues - Phase two

Hey,

Thanks for the response. I am really new at this, which may help to explain why the config looks so odd.

The current (working) setup is an IPsec tunnel, but I have no way to monitor the tunnel except for pings. My end goal would be to move the IPsec traffic to a tunnel interface so I can monitor up/downs and traffic usage.

Both ends are cable modems, with one being a static IP address (the 70.x.119.x address). I would ideally only want that system to be accepting connections, and not trying to reach out to the other system.

The remote system is an EdgeMAX (UBNT) system. Like I said... currently I have this working, but it's all tied to fa0/0 via the following.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key address 24.X.237.X no-xauth
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
 mode transport
crypto map ParrentsVPn 1 ipsec-isakmp
 set peer 24.x.237.x
 set transform-set ParrentsVPn
 match address 101

interface FastEthernet0/0
 ip address 173.x.0.x 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map ParrentsVPn

ip nat inside source list 175 interface FastEthernet0/0 overload

access-list 101 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 101 permit ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny   ip 10.0.3.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 deny   ip 10.0.200.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 permit ip 10.0.1.0 0.0.0.255 any
access-list 175 permit ip 192.168.80.0 0.0.0.255 any
access-list 175 permit ip 10.0.200.0 0.0.0.255 any
access-list 175 permit ip 10.0.3.0 0.0.0.255 any
access-list 175 permit ip 10.0.4.0 0.0.0.255 any
access-list 175 deny   ip 10.0.10.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 175 permit ip 10.0.10.0 0.0.0.255 any
access-list 175 permit ip 192.168.81.0 0.0.0.255 any
access-list 175 permit ip 192.168.13.0 0.0.0.255 any

route-map nonat permit 10
 match ip address 175

New Member

Re: IPSEC tunnel issues - Phase two

Any idea how I can bring this traffic to a tun interface?
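Pulling the reply's four points together and answering the question above, the following is an added example (not from this thread, Cisco or Ubiquiti) of the same tunnel rebuilt as a route-based IPsec VTI, which is what gives a monitorable up/down interface. It assumes an IOS release with a security feature set that supports "tunnel mode ipsec ipv4", an assumed /30 link address 172.16.90.0/30 for Tunnel90, placeholders <PSK> and <PEER-PUBLIC-IP>, and that the EdgeMAX side is reconfigured as a VTI peer as well, because a policy-based peer proposing 10.0.1.0/24 <-> 10.0.2.0/24 will not match the 0.0.0.0/0 proxy IDs a VTI negotiates.

```cisco
! Phase 1 stays as in the working crypto-map setup (placeholders, not
! the thread's values).
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key <PSK> address <PEER-PUBLIC-IP> no-xauth
crypto isakmp keepalive 10 periodic
!
! Point 2: an IPsec VTI needs ESP tunnel mode. "mode transport" is
! removed; tunnel mode is the default, so no mode line is needed.
crypto ipsec transform-set ParrentsVPn esp-aes 256 esp-sha-hmac
!
! Point 1: one mechanism only. The profile replaces the crypto map,
! which is taken off FastEthernet0/0 and deleted at the end.
crypto ipsec profile VTI
 set transform-set ParrentsVPn
!
! Point 3: no crypto ACL at all. A VTI negotiates 0.0.0.0/0 <-> 0.0.0.0/0
! proxy IDs and the routing table decides what is encrypted, so the
! mirrored entries (40, 50, 60) of access-list 101 go away with it.
interface Tunnel90
 description IPsec VTI to remote site; monitor this interface
 ! assumed /30 link address; it must not overlap the remote LAN 10.0.2.0/24
 ip address 172.16.90.1 255.255.255.252
 ip mtu 1400
 ! Point 4: MSS = ip mtu 1400 - 20 (IP) - 20 (TCP) = 1360, not 1412
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination <PEER-PUBLIC-IP>
 ! makes Tunnel90 an IPsec VTI rather than a GRE tunnel protected by IPsec
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
 ! no "keepalive 60 3": the line protocol follows the IPsec SA, and
 ! "crypto isakmp keepalive" (DPD) brings it down when the peer dies.
 ! no "ip nat inside": site-to-site traffic is not translated; the
 ! "deny ... 10.0.2.0 0.0.0.255" lines of access-list 175 stay in place.
!
! Traffic selection is now a routing decision: send the remote LAN into
! the tunnel.
ip route 10.0.2.0 255.255.255.0 Tunnel90
!
! Remove the old policy-based pieces.
interface FastEthernet0/0
 no crypto map ParrentsVPn
no crypto map ParrentsVPn
```

With this in place "show interfaces Tunnel90" and its counters give the up/down and traffic-usage view asked for, and "show crypto ipsec sa" should show a single SA with 0.0.0.0/0 identities on both sides.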
