New Member

PIX 515 L2L VPN problems after upgrade

After upgrading our PIX 515 firewall from 6.3(1) to 7.2(1), I've had problems with dynamic L2L VPNs. All VPNs that are defined with a static peer IP in the crypto map, and the VPN client configuration, are working fine, but all previously working dynamic-map entries fail because of a phase 2 mismatch:

[IKEv1]: Group = DefaultL2LGroup, IP = 87.227.58.8, IKE Remote Peer configured for crypto map: DYNMAP

[IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 87.227.58.8, processing IPSec SA payload

[IKEv1]: Group = DefaultL2LGroup, IP = 80.227.58.8, All IPSec SA proposals found unacceptable!

It looks like the match address statement in the dynamic-map configuration doesn't work, but the access-lists are configured correctly.

Any ideas?

Thanks,

Marcus

access-list VPN-CLIENT extended permit ip any 10.0.0.0 255.255.255.0
access-list HOMEOFFICE01 extended permit ip 192.168.1.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list vpn-branch01 extended permit ip 192.168.1.0 255.255.255.0 192.168.110.0 255.255.255.0
no sysopt connection permit-vpn
crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES256 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNMAP 1 set transform-set DES
crypto dynamic-map DYNMAP 2 set transform-set 3DES
crypto dynamic-map DYNMAP 4 match address HOMEOFFICE01
crypto dynamic-map DYNMAP 4 set transform-set 3DES
crypto dynamic-map DYNMAP 5 match address VPN-CLIENT
crypto dynamic-map DYNMAP 5 set transform-set 3DES-SHA
crypto dynamic-map DYNMAP 6 match address vpn-branch01
crypto dynamic-map DYNMAP 6 set transform-set 3DES-SHA
crypto map MAP 10 match address AT
crypto map MAP 10 set peer 212.189.71.3
crypto map MAP 10 set transform-set 3DES
crypto map MAP 20 match address IGLS
crypto map MAP 20 set peer 215.121.71.226
crypto map MAP 20 set transform-set 3DES
crypto map MAP 65000 ipsec-isakmp dynamic DYNMAP
crypto map MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
...
crypto isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 5
tunnel-group ...

1 REPLY
Silver

Re: PIX 515 L2L VPN problems after upgrade

"All IPSec SA proposals found unacceptable": the error means that during the negotiation process, it is hunting down the list of available proposals and is unable to find one that matches what the remote end wants to do. This could be anything from a mismatched hash, mismatched encryption settings, or PFS not turned off (SHA instead of MD5, DES instead of 3DES, PFS enabled instead of disabled, ...). This could also be the result of the rules defining interesting traffic not mirroring the other end exactly.

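As an added illustration of the reply's point (this is example code, not from the thread or from Cisco): a simplified model of the phase 2 hunt over the poster's DYNMAP entries, given the proxy IDs and transform a peer proposes, which reports the first entry that accepts the proposal or the per-entry reason why none does. It assumes that each entry is tried in sequence order, that an entry with no match address accepts any proxy IDs, that proxy IDs must be the exact mirror of an ACL line, and that the transform-set must equal the proposal; the config excerpt is constructed from the one posted above, and the helper names (parse, hunt) are my own.

```python
import ipaddress

# Constructed excerpt of the posted config (VPN-CLIENT and the static map entries omitted).
CONFIG = """
access-list HOMEOFFICE01 extended permit ip 192.168.1.0 255.255.255.0 192.168.203.0 255.255.255.0
access-list vpn-branch01 extended permit ip 192.168.1.0 255.255.255.0 192.168.110.0 255.255.255.0
crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 1 set transform-set DES
crypto dynamic-map DYNMAP 2 set transform-set 3DES
crypto dynamic-map DYNMAP 4 match address HOMEOFFICE01
crypto dynamic-map DYNMAP 4 set transform-set 3DES
crypto dynamic-map DYNMAP 6 match address vpn-branch01
crypto dynamic-map DYNMAP 6 set transform-set 3DES-SHA
"""

def parse(config):
    """Collect ACL lines as (src, dst) networks, transform-sets and DYNMAP entries."""
    acls, tsets, dyn = {}, {}, {}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list" and f[3:5] == ["permit", "ip"]:
            pair = (ipaddress.ip_network(f"{f[5]}/{f[6]}"), ipaddress.ip_network(f"{f[7]}/{f[8]}"))
            acls.setdefault(f[1], []).append(pair)
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[f[3]] = frozenset(f[4:])  # e.g. {esp-3des, esp-md5-hmac}
        elif f[:2] == ["crypto", "dynamic-map"]:
            entry = dyn.setdefault(int(f[3]), {"acl": None, "tset": None})
            if f[4] == "match":            # ... SEQ match address ACL
                entry["acl"] = f[6]
            elif f[5] == "transform-set":  # ... SEQ set transform-set TS
                entry["tset"] = f[6]
    return acls, tsets, dyn

def hunt(config, peer_src, peer_dst, proposal):
    """Simplified model of the phase 2 hunt over DYNMAP entries in sequence order:
    an entry without 'match address' accepts any proxy IDs, otherwise the peer's
    proxy IDs must mirror an ACL line; the transform-set must equal the proposal."""
    acls, tsets, dyn = parse(config)
    mirrored = (ipaddress.ip_network(peer_dst), ipaddress.ip_network(peer_src))
    reasons = []
    for seq, e in sorted(dyn.items()):
        if e["acl"] is not None and mirrored not in acls.get(e["acl"], []):
            reasons.append(f"{seq}: proxy IDs not mirrored by ACL {e['acl']}")
        elif tsets[e["tset"]] != frozenset(proposal):
            reasons.append(f"{seq}: transform-set {e['tset']} != {sorted(proposal)}")
        else:
            return seq, "match"
    return None, "; ".join(reasons)  # the "All IPSec SA proposals found unacceptable" case
```

A proposal that no entry accepts comes back as None with the reason per entry, which is the situation the log line in the question reports. Note that in this model the catch-all entries 1 and 2 (no match address) are tried before the ACL-bound ones, so a 3DES/MD5 proposal is taken by entry 2 whatever proxy IDs the peer sends.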