Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
13086
Views
5
Helpful
0
Comments

L2L VPN TroubleShooting :"IPSec policy invalidated proposal with error 8"

mulatif
Cisco Employee
Cisco Employee

on ‎12-12-2010 02:41 PM

Objective:

Configuring IPSec VPN between IOS Router and any Remote VPN Peer

Symptom:

Phase 1 Completes but Phase 2 is failing with the below error

*Dec  9 19:43:49.931: IPSEC(ipsec_process_proposal): invalid local address 172.31.1.3

*Dec  9 19:43:49.931: ISAKMP:(1008): IPSec policy invalidated proposal with error 8

*Dec  9 19:43:49.931: ISAKMP:(1008): phase 2 SA policy not acceptable! (local 172.31.1.3 remote 172.31.1.100)

Topology:

L2L-Error8.PNG

Current Crypto Configuration:

Some parts of Relevant Crypto Config on Router C, which is the HSRP Active Router.

RouterA is configured to peer with the HSRP VIP 172.31.1.3.

Router C:

crypto map outside-map 1 ipsec-isakmp

set peer 172.31.1.100

set transform-set 3des-sha

match address 102


interface Ethernet0/0

ip address 172.31.1.2 255.255.255.0

standby 1 ip 172.31.1.3

crypto map outside-map

Failed Debugs:

Below is snipped output from "debug crypto isakmp" and "debug crypto ipsec" from "Router C".

<SNIP>

*Dec 12 23:27:59.107: IPSEC(ipsec_process_proposal): invalid local address 172.31.1.3

*Dec 12 23:27:59.107: ISAKMP:(1004): IPSec policy invalidated proposal with error 8

*Dec 12 23:27:59.107: ISAKMP:(1004): phase 2 SA policy not acceptable! (local 172.31.1.3 remote 172.31.1.100)

*Dec 12 23:27:59.107: ISAKMP: set new node 87369274 to QM_IDLE     

*Dec 12 23:27:59.107: ISAKMP:(1004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

       

Solution:

There can be more than one reason for this problem. The above configuration is one of the possible cases, where the remote router is configured to peer with HSRP VIP.

The problem with above config is that the Crypto Map is tied to the physical IP Address of the Interface and Not the HSRP VIP, which results in the Phase 2 failure. To fix this issue, you will need to make the below changes

interface Ethernet0/0

ip address 172.31.1.2 255.255.255.0

standby 1 ip 172.31.1.3

standby 1 name crypto-vip

crypto map outside-map redundancy crypto-vip

!

Other Possible Reason:

The below configuration will also result in the same error

Note: "Router A" is configured to peer with 172.31.31.31

Router C:

interface Ethernet0/0

ip address 172.31.1.2 255.255.255.0

crypto map outside-map


interface loopback0

ip address 172.31.31.31 255.255.255.255

In the above case the Crypto Map is applied to Ethernet0/0 but the Remote Router is configured to peer with the Loopback0 Address. This is a common configuration where a Loopback is used for Termination to provide redundancy

E.g. The loopback can be reachable through different WAN Interfaces

This issue can be fixed by adding the below configuration

crypto map outside-map local-address loopback0

References-------

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents