Community Member

Lan to Lan

I am trying to set up a LAN to LAN between me and a vendor. He has a 3640 with IPSEC IOS and I have a 3015 concentrator. We have set our settings with an agreed IKE proposal. Looks like we are getting the tunnel up but it gets disconnected after that. Below are the logs. Any ideas where I should look?

Here is the filterable log:

logs>>

37 10/01/2003 15:09:42.610 SEV=3 IKE/134 RPT=4 xxx.46.135.193

Group [xxx.46.135.193]

Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.

Verify local and remote LAN-to-LAN connection lists.

40 10/01/2003 15:09:42.610 SEV=4 IKE/119 RPT=1557 xx.46.135.193

Group [xxx.46.135.193]

PHASE 1 COMPLETED

41 10/01/2003 15:09:42.610 SEV=4 AUTH/22 RPT=1033

User [xxx.46.135.193], Group [xxx.46.135.193] connected

42 10/01/2003 15:09:42.610 SEV=4 AUTH/84 RPT=4

LAN-to-LAN tunnel to headend device xxx.46.135.193 connected

43 10/01/2003 15:09:42.970 SEV=5 IKE/35 RPT=491 xxx.46.135.193

Group [xxx.46.135.193]

Received remote IP Proxy Subnet data in ID Payload:

Address xxx.73.116.88, Mask 255.255.255.248, Protocol 0, Port 0

46 10/01/2003 15:09:42.970 SEV=5 IKE/34 RPT=3268 xxx.46.135.193

Group [xxx.46.135.193]

Received local IP Proxy Subnet data in ID Payload:

Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0

49 10/01/2003 15:09:42.970 SEV=5 IKE/66 RPT=7223 xxx.46.135.193

Group [xxx.46.135.193]

IKE Remote Peer configured for SA: L2L: xxxens2xxx

50 10/01/2003 15:09:42.970 SEV=4 IKE/0 RPT=163 xxx.46.135.193

Group [xx.46.135.193]

All IPSec SA proposals found unacceptable!

51 10/01/2003 15:09:42.970 SEV=4 IKEDBG/0 RPT=10

QM FSM error (P2 struct &0xb7f5114, mess id 0x4ca56d31)!

52 10/01/2003 15:09:42.980 SEV=4 AUTH/23 RPT=5 xxx.46.135.193

User [xxx.46.135.193], Group [xxx.46.135.193] disconnected: duration: 0:00:00

53 10/01/2003 15:09:42.980 SEV=4 AUTH/85 RPT=4

LAN-to-LAN tunnel to headend device xx.46.135.193 disconnected: duration: 0:00:0

3 REPLIES
Cisco Employee

Re: Lan to Lan

This is your problem:

50 10/01/2003 15:09:42.970 SEV=4 IKE/0 RPT=163 xxx.46.135.193

Group [xx.46.135.193]

All IPSec SA proposals found unacceptable!

Looks like Phase 1 (IKE) is working, but your Phase 2 policies don't match up. On the router you'll have something like:

crypto ipsec transform-set <name> esp-3des esp-sha-hmac

This means you're doing 3DES encryption and SHA authentication; your L2L policy on the 3000 needs to be set the same.

Also I see this error:

37 10/01/2003 15:09:42.610 SEV=3 IKE/134 RPT=4 xxx.46.135.193

Group [xxx.46.135.193]

Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.

Verify local and remote LAN-to-LAN connection lists.

which means the Local and Remote network lists defined in the L2L policy on the 3000 aren't the exact opposite of the crypto access-list defined on the router, so fix that up too.

Community Member

Re: Lan to Lan

I had a similar issue when I configured a VPN concentrator with DH Group 2. The PIX that was my peer only supported DH Group 1.

When I looked at the logs I saw Phase 1 connect but Phase 2 would not.

Community Member

Re: Lan to Lan

We found out that I had PFS on DH 2 and he had it disabled on his end. Once we got this right we had a connection. Thanks for all your replies!
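The two replies above come down to the same triage routine: read the concentrator's filterable log to see which stage stopped (Phase 1 completed, then "All IPSec SA proposals found unacceptable"), then line up the router's crypto map against the 3000's L2L entry. The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample in the VPN 3000 log layout shown in the post, reports the stage at which the tunnel failed, and compares a router-side transform set, PFS group and crypto ACL against a concentrator-side L2L entry (the cipher/auth labels, the `192.0.2.88/29` stand-in for the vendor's redacted network, and the dictionary shapes are all assumptions made for this example).

```python
import ipaddress
import re

# Constructed sample in the VPN 3000 filterable-log layout from the thread
# (peer addresses kept redacted as in the original post).
SAMPLE_LOG = """\
40 10/01/2003 15:09:42.610 SEV=4 IKE/119 RPT=1557 xx.46.135.193
Group [xxx.46.135.193]
PHASE 1 COMPLETED
46 10/01/2003 15:09:42.970 SEV=5 IKE/34 RPT=3268 xxx.46.135.193
Group [xxx.46.135.193]
Received local IP Proxy Subnet data in ID Payload:
Address 10.12.0.0, Mask 255.255.0.0, Protocol 0, Port 0
50 10/01/2003 15:09:42.970 SEV=4 IKE/0 RPT=163 xxx.46.135.193
Group [xx.46.135.193]
All IPSec SA proposals found unacceptable!
53 10/01/2003 15:09:42.980 SEV=4 AUTH/85 RPT=4
LAN-to-LAN tunnel to headend device xx.46.135.193 disconnected: duration: 0:00:0
"""

# Event header: "<n> <date> <time> SEV=<s> <class>/<id> RPT=<n> [peer]"
EVENT_HDR = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d) (\w+)/(\d+) RPT=\d+(?: (\S+))?$")


def parse_events(text):
    """Split the filterable log into events: one header line plus its detail lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_HDR.match(line)
        if m:
            events.append({"num": int(m.group(1)), "sev": int(m.group(3)),
                           "cls": m.group(4), "id": int(m.group(5)), "text": []})
        elif line and events:
            events[-1]["text"].append(line)
    return events


def diagnose(text):
    """Classify where the L2L negotiation stopped, from the message text of each event."""
    bodies = [" ".join(ev["text"]) for ev in parse_events(text)]
    findings = []
    findings.append("phase1-ok" if any("PHASE 1 COMPLETED" in b for b in bodies)
                    else "phase1-incomplete")
    if any("Configured LAN-to-LAN proposal differs" in b for b in bodies):
        findings.append("l2l-network-lists-mismatch")
    if any("All IPSec SA proposals found unacceptable" in b for b in bodies):
        findings.append("phase2-proposal-rejected")
    if any("disconnected" in b for b in bodies):
        findings.append("tunnel-torn-down")
    return findings


# IOS transform-set keywords mapped to simplified cipher/auth labels for the
# concentrator's L2L entry (assumed labels for this example).
CIPHER = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES"}
AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA"}


def compare_phase2(router, concentrator):
    """Return the Phase 2 mismatches between a router crypto map and an L2L entry.

    router: {"transform": [...], "pfs_group": int|None, "acl_src": cidr, "acl_dst": cidr}
    concentrator: {"cipher": str, "auth": str, "pfs_group": int|None,
                   "local": cidr, "remote": cidr}
    """
    problems = []
    r_cipher = next((CIPHER[t] for t in router["transform"] if t in CIPHER), None)
    r_auth = next((AUTH[t] for t in router["transform"] if t in AUTH), None)
    if r_cipher != concentrator["cipher"]:
        problems.append(f"cipher: router {r_cipher} vs concentrator {concentrator['cipher']}")
    if r_auth != concentrator["auth"]:
        problems.append(f"auth: router {r_auth} vs concentrator {concentrator['auth']}")
    if router["pfs_group"] != concentrator["pfs_group"]:
        problems.append(f"pfs: router {router['pfs_group']} vs concentrator {concentrator['pfs_group']}")
    # The crypto ACL is written from the router's side, so its source must be the
    # concentrator's *remote* network and its destination the concentrator's *local* one.
    net = ipaddress.ip_network
    if net(router["acl_src"]) != net(concentrator["remote"]):
        problems.append(f"network: ACL source {router['acl_src']} != L2L remote {concentrator['remote']}")
    if net(router["acl_dst"]) != net(concentrator["local"]):
        problems.append(f"network: ACL destination {router['acl_dst']} != L2L local {concentrator['local']}")
    return problems


# Constructed settings mirroring the thread's outcome: everything matches except PFS.
ROUTER = {"transform": ["esp-3des", "esp-sha-hmac"], "pfs_group": None,
          "acl_src": "192.0.2.88/29", "acl_dst": "10.12.0.0/16"}
CONC = {"cipher": "3DES", "auth": "SHA", "pfs_group": 2,
        "local": "10.12.0.0/16", "remote": "192.0.2.88/29"}

if __name__ == "__main__":
    print("log findings:", diagnose(SAMPLE_LOG))
    for p in compare_phase2(ROUTER, CONC):
        print("mismatch ->", p)
```

Run as-is it reports `phase1-ok`, `phase2-proposal-rejected` and `tunnel-torn-down` for the sample log, and a single `pfs` mismatch for the settings, which is the combination the thread ended on; swapping the ACL networks or changing one transform keyword produces the corresponding extra line instead.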
