Cisco Support Community

New Member

IPSEC between PC and router

Hello, I am looking forward to encrypting management traffic between my router and PC. The PC is Windows XP, and I created an IPSec policy with the secpol.msc utility. I set up a policy, and it works great between two XP PCs.

Everything is pretty much a mirror between the two PCs, and that's why I am able to get ESP encapsulated traffic.

So, I thought I would try creating another transport mode IPSec, this time adding the router. I set up everything the same as on the PC, including the pre-shared key, lifetimes, the transform set, and the access list states the same thing "all tcp traffic between these hosts", along with a mirrored acl. Anyway, I cannot get isakmp to complete, as noted by these debug lines from the router:

(this is not the full output, but lines of interest)

ISAKMP (0:6): deleting node -378831385 error TRUE reason "quick mode rejected"

ISAKMP (0:5): IPSec policy invalidated proposal

ISAKMP (0:5): phase 2 SA policy not acceptable! (local 1.2.3.1 remote 1.2.3.2)

ISAKMP (0:5): deleting node -1511991460 error TRUE reason "quick mode rejected"

ALSO, there was this output:

ISAKMP (0:6): peer matches *none* of the profiles

Which makes no sense. I'm certain I set up everything the same.

Anyone have experience with these errors, and what typically leads to them?

Keep in mind, this IPSec policy is to affect traffic local to and from the router, not passed between its interfaces.

3 REPLIES
New Member

Re: IPSEC between PC and router

I made some changes, but I am now receiving this message...

*Mar 1 21:43:37.123: IPSEC(validate_transform_proposal): invalid local address 1.2.3.1

*Mar 1 21:43:37.131: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.2.3.2

I read that this could be caused by the crypto map not being applied to an interface, so I did the command

crypto isakmp map MYMAP local-address ethernet 0/1

but the problem still re-occurs.
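As an added illustration (not code from the original post or from any reply), the following Python script classifies the two debug extracts quoted in this thread (the ISAKMP phase 2 lines in the question and the IPSEC/%CRYPTO lines in the first reply) into tagged findings, each with a checklist item of what to verify first. The sample input is constructed from those quoted lines, and the rule table and the checks attached to each rule are my own assumptions about the usual causes, not text from Cisco documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the debug lines quoted in this thread, joined into one
# extract (not a real capture beyond those lines; 1.2.3.1/1.2.3.2 are the
# thread's own addresses).
SAMPLE_DEBUG = """\
ISAKMP (0:6): deleting node -378831385 error TRUE reason "quick mode rejected"
ISAKMP (0:5): IPSec policy invalidated proposal
ISAKMP (0:5): phase 2 SA policy not acceptable! (local 1.2.3.1 remote 1.2.3.2)
ISAKMP (0:5): deleting node -1511991460 error TRUE reason "quick mode rejected"
ISAKMP (0:6): peer matches *none* of the profiles
*Mar 1 21:43:37.123: IPSEC(validate_transform_proposal): invalid local address 1.2.3.1
*Mar 1 21:43:37.131: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.2.3.2
"""

# Rule table (assumed, my own): (pattern, finding kind, first thing to check).
# The first matching rule wins for a given line.
RULES = [
    (re.compile(r'reason "quick mode rejected"'),
     "quick_mode_rejected",
     "consequence of a phase 2 mismatch; look at the policy/proposal lines before it"),
    (re.compile(r"phase 2 SA policy not acceptable!"),
     "phase2_policy_mismatch",
     "transform set, mode (transport vs tunnel) or proxy ACL does not mirror the peer"),
    (re.compile(r"IPSec policy invalidated proposal"),
     "proposal_invalidated",
     "no crypto map entry accepted the peer's proposal"),
    (re.compile(r"peer matches \*none\* of the profiles"),
     "no_isakmp_profile_match",
     "ISAKMP profile match identity does not cover this peer"),
    (re.compile(r"invalid local address (\S+)"),
     "invalid_local_address",
     "crypto map not applied to the interface that owns this address, or local-address mismatch"),
    (re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed"),
     "quick_mode_failure",
     "phase 2 failed; correlate with the validate_transform_proposal line"),
]

SA_RE = re.compile(r"ISAKMP \((\d+:\d+)\)")          # ISAKMP SA id such as 0:5
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # IPv4 literals on the line


@dataclass
class Finding:
    line_no: int
    sa: Optional[str]        # ISAKMP SA id when the line carries one, else None
    kind: str
    check: str
    addresses: Tuple[str, ...]


def triage(debug_text: str) -> List[Finding]:
    """Map each recognised debug line to a Finding; unrecognised lines are skipped."""
    findings: List[Finding] = []
    for n, line in enumerate(debug_text.splitlines(), 1):
        for pattern, kind, check in RULES:
            if pattern.search(line):
                sa = SA_RE.search(line)
                findings.append(Finding(n, sa.group(1) if sa else None, kind,
                                        check, tuple(IP_RE.findall(line))))
                break
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per kind and collect every address the lines mention."""
    counts: dict = {}
    peers = set()
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
        peers.update(f.addresses)
    return {"counts": counts, "peers": sorted(peers)}


if __name__ == "__main__":
    results = triage(SAMPLE_DEBUG)
    for f in results:
        print(f"line {f.line_no:>2} sa={f.sa or '-':<4} {f.kind:<26} check: {f.check}")
    print(summarize(results))
```

Run it as a script to get one line per finding; the point of the `sa` field is that the question's extract interleaves two ISAKMP SAs (0:5 and 0:6), and grouping by SA separates the phase 2 policy rejection from the "matches none of the profiles" message, which belongs to a different negotiation.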

New Member

Re: IPSEC between PC and router

For anyone who does this, make sure to not only make your interface level firewall, but also make sure you apply the crypto map to the interface, like so:

crypto map MYMAP local-address Ethernet0/0

interface Ethernet0/0

crypto map MYMAP

New Member

Re: IPSEC between PC and router

http://206.248.189.204/documents/mgmtIPSEC/

Here is a corresponding document I have written for securing traffic between a router and management PC.
