
Site to Site VPN

rgrefalda
Level 1

Hello,

We are trying to configure a site-to-site VPN tunnel between our Cisco 3825 and our customer's Cisco 2621. Per our customer, their router is limited to transform set des/3des and sha/md5. We have configured all possible combinations but are still unable to get a successful connection. Phase 1 negotiates successfully but Phase 2 fails. Our router shows the following log:

614629: .Sep 20 14:09:53.578 CDT: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-md5-hmac }

614630: .Sep 20 14:09:53.578 CDT: ISAKMP:(0:1531:SW:1): IPSec policy invalidated proposal

614631: .Sep 20 14:09:53.578 CDT: ISAKMP:(0:1531:SW:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)

Thanks for the help!

1 Reply

ajagadee
Cisco Employee

Rowena,

Based upon the logs, it looks like the transform set received from the 2621 is not supported in the defined crypto map for the interface where the 2621 is trying to establish a crypto session.

Could you check the below configuration and make sure that it matches on both the 2621 and 3825 for the specific crypto map:

crypto ipsec transform-set XXXXXX esp-3des esp-md5-hmac

BTW, what version of code are you running on these routers?

I hope it helps.

Regards,

Arul
