01-17-2008 12:00 PM - edited 02-21-2020 03:29 PM
Phase 1 is complete since I see this message in the debug output:
*Jan 17 19:41:04.618: ISAKMP:(2029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
The checking of the IPSec proposal fails because of "proxy identities not supported":
=[ BEGIN debug output ]====================================================================
*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4
*Jan 17 19:41:04.634: ISAKMP: transform 1, ESP_AES
*Jan 17 19:41:04.634: ISAKMP: attributes in transform:
*Jan 17 19:41:04.634: ISAKMP: authenticator is HMAC-SHA
*Jan 17 19:41:04.634: ISAKMP: key length is 128
*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)
*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds
*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.
*Jan 17 19:41:04.634: ISAKMP:(2029):Checking IPSec proposal 4
*Jan 17 19:41:04.634: ISAKMP:(2029):transform 1, IPPCP LZS
*Jan 17 19:41:04.634: ISAKMP: attributes in transform:
*Jan 17 19:41:04.634: ISAKMP: encaps is 1 (Tunnel)
*Jan 17 19:41:04.634: ISAKMP: SA life type in seconds
*Jan 17 19:41:04.634: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 17 19:41:04.634: ISAKMP:(2029):atts are acceptable.
*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1
*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #2
*Jan 17 19:41:04.638: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= comp-lzs (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
*Jan 17 19:41:04.638: ISAKMP:(2029): IPSec policy invalidated proposal with error 32
=[ END debug output ]======================================================================
I see that "local_proxy= 0.0.0.0/0.0.0.0/0/0", but it should have the IP address of the router internal interface.
01-18-2008 11:59 AM
Well, finally a colleague found the cause of the problem: I had added a "match address" command to the "crypto dynamic-map" for the RemoteAccess VPN.
The "match address" command must be used only with VPN L2L.
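Added example, not part of the original posts: a small Python parser that pairs each "proxy identities not supported" rejection in IOS `debug crypto` output with the proxy identities proposed just before it, so the selectors the router refused are visible at a glance. The function name `find_proxy_rejections` and the `host_to_any` flag are hypothetical, and the sample input is abridged from the debug output quoted above.

```python
import re

# Constructed sample: abridged from the debug output quoted in the thread.
SAMPLE = """\
*Jan 17 19:41:04.634: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 200.40.164.178, remote= 200.40.164.177,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 192.168.101.22/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
*Jan 17 19:41:04.638: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported
*Jan 17 19:41:04.638: ISAKMP:(2029): IPSec policy invalidated proposal with error 32
"""

PEERS = re.compile(r"local=\s*([\d.]+),\s*remote=\s*([\d.]+)")
PROXY = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")
REJECT = "proxy identities not supported"


def find_proxy_rejections(log):
    """Return one record per rejection with the proxies proposed just before it."""
    current, hits = {}, []
    for line in log.splitlines():
        if "validate_proposal_request" in line:
            current = {}  # new proposal part: drop the previous one's fields
        peers = PEERS.search(line)
        if peers:
            current["local"], current["remote"] = peers.groups()
        proxy = PROXY.search(line)
        if proxy:
            side, addr, mask = proxy.groups()
            current[side + "_proxy"] = addr + "/" + mask
        if REJECT in line:
            record = dict(current)
            # Heuristic (assumption): any-network local proxy plus a single-host
            # remote proxy is the shape seen in this thread's remote-access case.
            record["host_to_any"] = (
                record.get("local_proxy") == "0.0.0.0/0.0.0.0"
                and record.get("remote_proxy", "").endswith("/255.255.255.255")
            )
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_proxy_rejections(SAMPLE):
        print(hit)
```

A record with `host_to_any` set is a prompt to check whether the dynamic map serving remote-access clients carries a "match address" entry, which is the cause reported in this thread.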