Simple VPN lab not working

Hi,

I have a PIX and a Cisco router. I am trying to create a simple VPN between the 2. The outside interfaces of both simply go into a VLAN on a 3650. I'm using a loopback on the router for the LAN and my laptop is plugged into the inside of the firewall.

If I ping 172.16.1.1 from my laptop I can see the VPN come up, but on for a few seconds, and have noticed these errors on both devices. Can you see from the configs and errors what I am missing?

errors from pix:

Feb 16 21:06:14 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, Removing peer from correlator table failed, no match!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, QM FSM error (P2 struct &0x3626740, mess id 0xc5d75b17)!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Feb 16 21:08:17 [IKEv1]: Group = 10.10.10.2, IP = 10.10.10.2, Removing peer from correlator table failed, no match!

From VPN router:

C2621MX#debug crypto ipsec err
C2621MX#debug crypto ipsec error
Crypto IPSEC Error debugging is on
C2621MX#
Feb 16 21:10:50.791: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Feb 16 21:10:50.791: ISAKMP (0:1): atts are not acceptable. Next payload is 3
Feb 16 21:10:50.791: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Feb 16 21:10:50.795: ISAKMP (0:1): atts are not acceptable. Next payload is 3
C2621MX#
Feb 16 21:10:52.835: IPSEC(validate_transform_proposal): invalid local address 10.10.10.2
Feb 16 21:10:52.835: ISAKMP (0:1): IPSec policy invalidated proposal
Feb 16 21:10:52.835: ISAKMP (0:1): phase 2 SA policy not acceptable! (local 10.10.10.2 remote 10.10.10.1)
Feb 16 21:10:52.839: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -637052705: state = IKE_QM_READY
C2621MX#
Feb 16 21:10:52.839: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.10.10.1
C2621MX#

1 REPLY

Re: Simple VPN lab not working

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map andymap 1 ipsec-isakmp
set peer 10.10.10.1
set security-association lifetime seconds 86400
set pfs group5
match address 123
!
In crypto map, I did not see "set transform-set myset"
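
The check the reply performs by eye can be scripted. The following is an added example, not code from the thread or from Cisco: a small Python audit that flags `ipsec-isakmp` crypto map entries with no `set transform-set`, and goes slightly beyond the reply by also flagging a missing `set peer` or `match address` and a reference to an undefined transform set. The function name `audit_crypto_maps` is hypothetical, and the sample input is the config fragment quoted in the reply.

```python
import re

# Constructed sample: the router crypto lines quoted in the reply above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
!
crypto map andymap 1 ipsec-isakmp
set peer 10.10.10.1
set security-association lifetime seconds 86400
set pfs group5
match address 123
!
"""

# Sub-commands an ipsec-isakmp crypto map entry needs before it can negotiate.
REQUIRED = {
    "set peer": "no 'set peer'",
    "set transform-set": "no 'set transform-set', so no IPsec proposal can match",
    "match address": "no 'match address' ACL for interesting traffic",
}

def audit_crypto_maps(config):
    """Return a list of findings for ipsec-isakmp crypto map entries."""
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if header:
            current = f"crypto map {header.group(1)} {header.group(2)}"
            entries[current] = []
        elif current and line.startswith(("set ", "match ")):
            entries[current].append(line)  # works for indented or flattened pastes
        else:
            current = None  # "!" or any other command ends the entry
    findings = []
    for entry, body in entries.items():
        for prefix, problem in REQUIRED.items():
            if not any(cmd.startswith(prefix) for cmd in body):
                findings.append(f"{entry}: {problem}")
        for cmd in body:
            if cmd.startswith("set transform-set "):
                for name in cmd.split()[2:]:
                    if name not in defined:
                        findings.append(f"{entry}: transform-set '{name}' is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_crypto_maps(SAMPLE_CONFIG)) or "no findings")
```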
