Cisco Support Community

New Member

Site to Site VPN

Hello,

We are trying to configure a site-to-site VPN tunnel between our Cisco 3825 and our customer's Cisco 2621. Per our customer, their router is limited to transform set des/3des and sha/md5. We have configured all possible combinations but are still unable to get a successful connection. Phase 1 negotiates successfully but Phase 2 fails. Our router shows the following log:

614629: .Sep 20 14:09:53.578 CDT: IPSEC(validate_transform_proposal): transform proposal not supported for identity:

{esp-3des esp-md5-hmac }

614630: .Sep 20 14:09:53.578 CDT: ISAKMP:(0:1531:SW:1): IPSec policy invalidated proposal

614631: .Sep 20 14:09:53.578 CDT: ISAKMP:(0:1531:SW:1): phase 2 SA policy not acceptable! (local x.x.x.x remote y.y.y.y)

Thanks for the help!

1 REPLY
Cisco Employee

Re: Site to Site VPN

Rowena,

Based upon the logs, it looks like the transform set received from the 2621 is not supported in the defined crypto map for the interface where the 2621 is trying to establish a crypto session.

Could you check the below configuration and make sure that it matches on both the 2621 and 3825 for the specific crypto map:

crypto ipsec transform-set XXXXXX esp-3des esp-md5-hmac

BTW, what version of code are you running on these routers?

I hope it helps.

Regards,

Arul
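
The check suggested in the reply, as an added example that is not part of the original thread: a Python sketch that reads both routers' configurations and reports which transform combinations the crypto map entries for this tunnel actually reference on both ends. The configurations, the names TS-AES, TS-3DES, CUST, CMAP and VPN, and the 192.0.2.x addresses are constructed; tunnel mode and PFS settings are not compared.

```python
import re

# Constructed sample configs (not from the thread); all names and addresses are hypothetical.
LOCAL_3825 = """\
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
crypto ipsec transform-set TS-3DES esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address 101
"""
REMOTE_2621 = """\
crypto ipsec transform-set CUST esp-3des esp-md5-hmac
crypto map VPN 20 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set CUST
 match address 110
"""

def transform_sets(config):
    """Map transform-set name -> frozenset of transforms defined in the config."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = frozenset(m.group(2).split())
    return sets

def offered_for_peer(config, peer):
    """Transforms referenced by the crypto map entries that point at `peer`."""
    defined = transform_sets(config)
    offered = []
    # Each crypto map entry is a header line followed by indented sub-commands.
    for entry in re.finditer(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .*\n?)*)", config, re.M):
        body = entry.group(1)
        if not re.search(rf"^ set peer {re.escape(peer)}\s*$", body, re.M):
            continue
        for names in re.findall(r"^ set transform-set (.+)$", body, re.M):
            offered += [defined[n] for n in names.split() if n in defined]
    return offered

def common_transforms(local_cfg, local_peer, remote_cfg, remote_peer):
    """Transform combinations both ends reference for this tunnel."""
    return set(offered_for_peer(local_cfg, local_peer)) & set(offered_for_peer(remote_cfg, remote_peer))

if __name__ == "__main__":
    print(common_transforms(LOCAL_3825, "192.0.2.2", REMOTE_2621, "192.0.2.1") or "no common transform set")
```

In the sample, the 3825 defines a 3DES/MD5 transform set but its crypto map entry references only the AES one, so the result is empty even though a matching set exists in the configuration.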
