Site to Site Ipsec VPN Phase 2 fails error 32

ragulsiva15
Level 1

I am trying to create a site-to-site IPsec VPN between a Cisco 861W and a Cisco RV120W. It looks like Phase 2 negotiation fails as shown below; please help me to resolve this. It looks like an issue with the ACL, but I couldn't find it. The Cisco 861 config is attached; the RV120W config was done via the web interface. Thanks in advance.

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

62.133.24.x    89.25.24.x    QM_IDLE           2005 ACTIVE

ISAKMP debug

Feb  2 16:25:49.283: ISAKMP:   attributes in transform:

Feb  2 16:25:49.283: ISAKMP:      SA life type in seconds

Feb  2 16:25:49.283: ISAKMP:      SA life duration (basic) of 3600

Feb  2 16:25:49.287: ISAKMP:      encaps is 1 (Tunnel)

Feb  2 16:25:49.287: ISAKMP:      key length is 128

Feb  2 16:25:49.287: ISAKMP:      authenticator is HMAC-MD5

Feb  2 16:25:49.287: ISAKMP:      group is 2

Feb  2 16:25:49.287: ISAKMP:(2005):atts are acceptable.

Feb  2 16:25:49.287: ISAKMP:(2005): IPSec policy invalidated proposal with error 32

Feb  2 16:25:49.287: ISAKMP:(2005): phase 2 SA policy not acceptable! (local 62.133.24.x remote 89.25.24.x)

Feb  2 16:25:49.287: ISAKMP: set new node -963071206 to QM_IDLE

Feb  2 16:25:49.287: ISAKMP:(2005):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 2229587080, message ID = 3331896090

Feb  2 16:25:49.287: ISAKMP:(2005): sending packet to 89.25.24.x my_port 500 peer_port 500 (R) QM_IDLE

Feb  2 16:25:49.287: ISAKMP:(2005):Sending an IKE IPv4 Packet.

Feb  2 16:25:49.287: ISAKMP:(2005):purging node -963071206

Feb  2 16:25:49.287: ISAKMP:(2005):deleting node -1938770933 error TRUE reason "QM rejected"

Feb  2 16:25:49.287: ISAKMP:(2005):Node 2356196363, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Feb  2 16:25:49.287: ISAKMP:(2005):Old State = IKE_QM_READY  New State = IKE_QM_READY

IPsec debug

Feb  2 15:48:34.417: map_db_find_best did not find matching map

Feb  2 15:48:34.417: IPSEC(ipsec_process_proposal): proxy identities not supported

Feb  2 15:49:24.510: IPSEC(validate_proposal_request): proposal part #1

Feb  2 15:49:24.510: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 62.133.24.x:0, remote= 89.25.24.x:0,

    local_proxy= 192.168.15.0/255.255.255.0/256/0,

    remote_proxy= 192.168.63.0/255.255.255.0/256/0,

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Feb  2 15:49:24.510: Crypto mapdb : proxy_match

        src addr     : 192.168.15.0

        dst addr     : 192.168.63.0

        protocol     : 0

        src port     : 0

        dst port     : 0

Feb  2 15:49:24.510: Crypto mapdb : proxy_match

        src addr     : 192.168.15.0

        dst addr     : 192.168.63.0

        protocol     : 0

        src port     : 0

        dst port     : 0
