Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

VPN problem

Hi I'm doing a ponint to point pre-shared key VPN and I've got this error on phase 2.

*Sep 3 08:33:50.876: IPSEC(crypto_ipsec_process_proposal): proxy identities not supported

*Sep 3 08:33:50.876: ISAKMP:(5058): IPSec policy invalidated proposal with error 32

*Sep 3 08:33:50.876: ISAKMP:(5058): phase 2 SA policy not acceptable! (local 192.168.3.11 remote 170.252.72.46)

*Sep 3 08:33:50.880: ISAKMP:(5058):deleting node -1434383868 error TRUE reason "QM rejected"

8 REPLIES

Re: VPN problem

I think "proxy identities not supported" usually means your ACLs don't match at both ends. Perhaps a subnet mask is different?

Re: VPN problem

New Member

Re: VPN problem

I double checked each point and everthing on the ACL's seems to be ok. Do you have any more ideas ?Thanks-

Re: VPN problem

double check the phase 2 encryption and hash nat both ends, there is a proposal error.

Also check the no-nat ACL and the interesting traffic acl.

HTH>

New Member

Re: VPN problem

What you mean with the no-nat acl and the interesting traffic acl ? 've got only 1 acl.

Re: VPN problem

You can use 1 acl - I personally choose to use 2, helps with troubleshooting cases....like this. I normally use something like:-

access-list no-nat extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

x.x.x.x = src ip sbunet

y.y.y.y = src subnet mask

w.w.w.w = dst ip subnet

z.z.z.z = dst subnet mask

then:-

access-list vpn-remote-branch-1 extended permit ip x.x.x.x y.y.y.y w.w.w.w z.z.z.z

The my nat looks like:-

nat (inside) 0 access-list no-nat

and my crypto looks like:-

crypto map remote-branch 10 match address vpn-remote-branch-1

HTH>

New Member

Re: VPN problem

I double checked each point and everthing on the ACL's seems to be ok. Do you have any more ideas ?Thanks-

Re: VPN problem

OK, post the configs.

400
Views
0
Helpful
8
Replies
CreatePlease to create content