Terminating and IPSec/L2TP on a Cisco 1721 with ADSL

philip_allnone
Level 1

Hi guys,

Thanks for taking the time to read this.

***********************************

A bit of history

***********************************

A mobile network provider in Ireland, allows XDA 2's to connect via their GPRS network to a server. The provider exits their network and terminates on a secure tunnel in our building. The server the XDAs are trying to get to, is in our building. In order for the provider to get into us, they require a secure tunnel. This tunnel is terminated on a Cisco 1721 with ADSL. There is a 4 mb up and down pipe in it. The network provider has provided a template as to the configuration of the router however, as they've never terminated on an ADSL router before they can't offer setup / support advice on it. We got the network provider to confirm with Cisco directly that the tunnel should be 100% compatible and work on this equipment and setup. Failing getting the config right, I'm here hoping to get some help.

Before the inevitable RTFM comments arrive, please let me know which FM's to read. I've been through all the setup, sample configs and general net resources on this subject, so we're up to over 90 manuals already read.

Standard things like copying and pasting key words and failure lines into Google is not returning useful results, despite reading just about every link they generate.

***********************************

So what happens

***********************************

Tunnel establishes

Tunnel terminates.

***********************************

Problem

***********************************

Why is it not terminating properly and how do I get it to work?

What is and why are we getting reason "quick mode rejected"??

***********************************

Cisco 1721 Major Config

***********************************

System image file is "flash:c1700-k9o3sy7-mz[1].123-17b.bin"

cisco 1721 (MPC860P) processor (revision 0x200) with 57447K/8089K bytes of memory.

Processor board ID FOC07380G84 (1951967244), with hardware revision 0000

MPC860P processor: part number 5, mask 2

Bridging software.

X.25 software, Version 3.0.0.

1 FastEthernet/IEEE 802.3 interface(s)

1 ATM network interface(s)

32K bytes of non-volatile configuration memory.

32768K bytes of processor board System flash (Read/Write)

***********************************

Debug logs

***********************************

X.X.X.X = Our static IP

Y.Y.Y.Y = Static IP of Network Provider

Z.Z.Z.Z = Backup Static IP of Network Provider

***********************************

Attached

***********************************

Cisco 1721 + ADSL Config

***********************************

Attached

Thank you in advance for any help you can give.

Best regards

Phil

2 Replies

Vikas Saxena
Cisco Employee

Hello Phil,

I hope you will not mind if I tell you a bit about the debug which you have attached.

>>>ISAKMP (0:1): received packet from Y.Y.Y.Y dport 500 sport 500 Global (R) QM_IDLE

Signifies we are the responder and they are the initiator. Impact, they will propose and we will accept or reject the proposals (we can not propose if we are the responder).

>>>ISAKMP (0:1): atts are acceptable. >>>> ike OK-phase 1 done (Main Mode) going on to the Quick Mode (IPSEC negotiation)

>>> "IMPORTANT"

5d13h: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= X.X.X.X, remote= Y.Y.Y.Y,

local_proxy= X.X.X.X/255.255.255.255/17/1701 (type=1),

remote_proxy= Y.Y.Y.Y/255.255.255.255/17/1701 (type=1),

===Local_proxy is our subnet and Remote_proxy is theirs. They are sending UDP/1701

protocol= ESP, transform= esp-des esp-md5-hmac (Transport), ====TRANSFORM SET

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

5d13h: IPSEC(validate_transform_proposal): proxy identities not supported >>>>>>>>>>HERE IS THE ERROR

5d13h: ISAKMP (0:1): IPSec policy invalidated proposal >>>>>>>Our IPSEC policy rejected the proposal. Hence quick mode failed with the peer.

Remedial actions:

Please ask the other party if they can share their crypto ACL. The crypto ACL should be a mirror image otherwise we will keep failing QM.

I hope this will give some directions.

Also, I do not think you require a crypto map on dialer 0 int.

Vikas
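A small checker, added here as an illustration of the reply above (it is not Phil's, Vikas's or Cisco's code): it reads the proxy identities out of the quoted IPSEC(validate_proposal_request) lines, renders the ACE our crypto ACL needs for that proposal and the mirror-image ACE the peer's crypto ACL must state, and reports whether a configured ACL already carries it. The debug text and the ACL are constructed samples; the X/Y placeholders are the poster's.

```python
import re

# Constructed sample of the debug lines quoted in the reply above; the
# X.X.X.X / Y.Y.Y.Y placeholders are the original poster's, not real hosts.
DEBUG = """\
5d13h: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= X.X.X.X, remote= Y.Y.Y.Y,
    local_proxy= X.X.X.X/255.255.255.255/17/1701 (type=1),
    remote_proxy= Y.Y.Y.Y/255.255.255.255/17/1701 (type=1),
5d13h: IPSEC(validate_transform_proposal): proxy identities not supported
"""

# Constructed crypto ACL that would NOT match: it covers all IP traffic between
# the peers, while the peer proposes only UDP/1701 (L2TP) host-to-host.
BAD_ACL = "access-list 101 permit ip host X.X.X.X host Y.Y.Y.Y"

PROXY_RE = re.compile(r"(local|remote)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")
PROTO = {0: "ip", 1: "icmp", 6: "tcp", 17: "udp"}

def parse_proxies(debug):
    """Return {side: (addr, mask, proto, port)} from the proxy lines of the dump."""
    return {m[1]: (m[2], m[3], int(m[4]), int(m[5])) for m in PROXY_RE.finditer(debug)}

def _endpoint(addr, mask, port):
    """Render one endpoint in IOS extended-ACL syntax (host keyword or wildcard mask)."""
    if mask == "255.255.255.255":
        spec = f"host {addr}"
    else:  # IOS ACLs take a wildcard mask, i.e. the inverted subnet mask
        spec = addr + " " + ".".join(str(255 - int(o)) for o in mask.split("."))
    return spec + (f" eq {port}" if port else "")

def _ace(src, dst):
    proto = PROTO.get(src[2], str(src[2]))
    return f"permit {proto} {_endpoint(src[0], src[1], src[3])} {_endpoint(dst[0], dst[1], dst[3])}"

def required_local_ace(debug):
    """ACE our crypto ACL must carry: local_proxy as source, remote_proxy as destination."""
    p = parse_proxies(debug)
    return _ace(p["local"], p["remote"])

def peer_mirror_ace(debug):
    """Same flow as the peer's crypto ACL must state it: the mirror image of ours."""
    p = parse_proxies(debug)
    return _ace(p["remote"], p["local"])

def acl_has_ace(acl_text, ace):
    """True when some line of the configured ACL ends with exactly this ACE."""
    norm = lambda s: " ".join(s.split())
    return any(norm(line).endswith(norm(ace)) for line in acl_text.splitlines())

if __name__ == "__main__":
    need = required_local_ace(DEBUG)
    print("our crypto ACL needs :", need)
    print("peer crypto ACL needs:", peer_mirror_ace(DEBUG))
    print("present in BAD_ACL   :", acl_has_ace(BAD_ACL, need))
```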

Thanks Vikas,

Going to try that, and thank you for taking the time to explain exactly what was happening. I think I have a much better grasp of what needs fixing.

I'm going to give their initiator a prod and see if I can get a look at their crypto setup.

Thanks again.

Phil