Cisco Support Community
New Member

ASR1002 - Juniper SRX80 IPsec LAN-to-LAN, phase 1: OK ..... phase 2 not OK.

Hello guys.

While trying to set up my LAN-to-LAN IPsec connection, I found these error messages:

*Aug 27 01:14:57.314: IPSEC(ipsec_process_proposal): proxy identities not supported
*Aug 27 01:14:57.314: ISAKMP:(22017): IPSec policy invalidated proposal with error 32
*Aug 27 01:14:57.314: ISAKMP:(22017): phase 2 SA policy not acceptable! (local YY.YY.YY.YY remote XX.XX.XX.XX)
*Aug 27 01:14:57.314: crypto_engine: Generate IKE hash
*Aug 27 01:14:57.314: crypto_engine: Encrypt IKE packet
*Aug 27 01:14:57.315: ISAKMP:(22017):deleting node -541658126 error TRUE reason "QM rejected"
*Aug 27 01:15:57.369: crypto_engine: Decrypt IKE packet
*Aug 27 01:15:57.369: crypto_engine: Generate IKE hash
*Aug 27 01:15:57.370: IPSEC(validate_proposal_request): proposal part #1
*Aug 27 01:15:57.370: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local=, remote= XX.XX.XX.XX,
    local_proxy= (type=4),
    remote_proxy= (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

I know I succeeded on phase 1:

asr1002#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
        K - No IKE
ivrf = (none)
           Peer     I/F        Username          Group/Phase1_id   Uptime Status
Gi0/1/1                              xx.xx.xx.xx                   UI

Phase 2 fails due to a non-matching transform set or access list.

So my question is: how do I know where the mistake is (transform set or access list)?

Also, is there any key setting a Cisco-Juniper IPsec link?

I will try a little more; if I don't succeed I will post the whole config for both devices.
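
An added example, not part of the original post: one way to tell the two candidate causes apart is to pair each "phase 2 SA policy not acceptable" rejection with the IPSEC reason logged just before it. The function name `diagnose`, the `CAUSES` table and the last two sample lines are assumptions made for illustration; the message-to-cause mapping follows the commonly documented meaning of these Cisco IOS debug strings.

```python
import re

# Debug substrings (lower-cased) mapped to the phase 2 setting that most
# likely differs between the two peers. Mapping is an assumption based on
# the commonly documented meaning of these IOS messages.
CAUSES = [
    ("proxy identities not supported",
     "crypto ACL: proxy identities do not mirror the peer's traffic selectors"),
    ("transform proposal not supported",
     "transform set: ESP/AH algorithms or mode differ from the peer's proposal"),
]

REJECT = re.compile(r"ISAKMP:\((\d+)\):\s*phase 2 SA policy not acceptable! "
                    r"\(local ([^\s)]+) remote ([^\s)]+)\)")

# Lines copied from the post above.
POST_LINES = (
    "*Aug 27 01:14:57.314: IPSEC(ipsec_process_proposal): proxy identities not supported\n"
    "*Aug 27 01:14:57.314: ISAKMP:(22017): IPSec policy invalidated proposal with error 32\n"
    "*Aug 27 01:14:57.314: ISAKMP:(22017): phase 2 SA policy not acceptable! "
    "(local YY.YY.YY.YY remote XX.XX.XX.XX)\n"
)
# Constructed lines (not from the post) showing the transform-set case.
CONSTRUCTED_LINES = (
    "*Aug 27 01:20:00.000: IPSEC(validate_transform_proposal): "
    "transform proposal not supported for identity:\n"
    "*Aug 27 01:20:00.000: ISAKMP:(22018): phase 2 SA policy not acceptable! "
    "(local YY.YY.YY.YY remote XX.XX.XX.XX)\n"
)


def diagnose(debug_text):
    """Return one finding per rejected quick-mode exchange."""
    findings, pending = [], None
    for line in debug_text.splitlines():
        lowered = line.lower()
        for needle, cause in CAUSES:
            if needle in lowered:
                pending = cause          # remember the reason until the rejection line
        match = REJECT.search(line)
        if match:
            findings.append({"sa": match.group(1), "local": match.group(2),
                             "remote": match.group(3),
                             "cause": pending or "no IPSEC reason logged before rejection"})
            pending = None               # a reason belongs to one rejection only
    return findings


if __name__ == "__main__":
    for finding in diagnose(POST_LINES + CONSTRUCTED_LINES):
        print(finding)
```
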


