VPN OK on 1812 - not on 2811 !!!

Hi,

I'm losing my mind... I configured a remote IPSec VPN client access on 2 routers 1812. It works like a charm.

I take the same config and apply it on a 2811, it doesn't work... Error during IPsec phase 2.

I re-re-re-re-rechecked the config, it's perfectly matching the config done on the 1812. (and I use same template for 876, 1841,....)

I tried 4 different IOS 12.2.24T3 Adventerprise, 12.2.15T13 adventerprise and Advipservices, and also 12.2.25c adventerprise. Nothing changes.... still the same error...

I've applied this config on another 2811, same issue. Is there anything wrong with this model concerning IPsec VPN client config? Or should I use a specific IOS?

Thanks for sharing your experience,

Regards,

Olivier

Config is:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauth local
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp client configuration group mmrouter008
 key xxxxxxxxxxxxxxxx
 domain xxxxxxx.com
 pool POOL_VPN
 acl 134
!
crypto isakmp profile mmrouter008
 match identity group mmrouter008
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto ipsec transform-set vpnuser_trans esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 10
 set transform-set vpnuser_trans
 set isakmp-profile mmrouter008
 reverse-route
!
crypto map MAPPP 100 ipsec-isakmp dynamic mydynamicmap
!
int fa0/0
 crypto map MAPPP
!
ip local pool POOL_VPN 10.50.10.1 10.50.10.254
!
access-list 134 permit ip 192.168.71.0 0.0.0.255 10.50.10.0 0.0.0.255

1 ACCEPTED SOLUTION

Re: VPN OK on 1812 - not on 2811 !!!

Olivier,

Should work as you said.

What is the error specifically that you get regarding phase 2?

Federico.

4 REPLIES


Re: VPN OK on 1812 - not on 2811 !!!

Hi Federico,

Here is the log of the VPN connection. (debug cryp isakmp)

The error I can see is:

ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 195.243.171.112 remote 195.243.171.97)
ISAKMP: set new node -1712530148 to QM_IDLE
ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

To be precise, 195.243.171.112 is the VPN router.

It's just strange. I have used this config many times and it's the first time I have had such a problem.

Olivier

Re: VPN OK on 1812 - not on 2811 !!!

wwooooo OK I found out the issue.

I have HSRP on the interface where the crypto map is applied.

The router replies with the physical IP address and not with the virtual IP address. Then IPSec phase 2 fails !

Does anyone know how to make both work together?

Thanks in advance

Olivier

Re: VPN OK on 1812 - not on 2811 !!!

OK, I finally fixed this HSRP+IPsec dynamic map config.

Now it works. I'm gonna test all of this when I configure the second HSRP router.

Thanks again for your help ;-)

++

Olivier
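
The thread does not record what change fixed the HSRP problem. As an added example (not taken from any of the posts), this is the IOS mechanism for tying a crypto map to an HSRP group so that IKE and IPsec use the virtual address as the local endpoint. The 192.0.2.x addresses, the group number and the group name VPNHA are assumptions; MAPPP and fa0/0 come from the posted config.

```cisco
! Constructed example: addresses, HSRP group number and the name VPNHA are placeholders.
!
! Before: crypto map bound to the interface only. IKE/IPsec is sourced from the
! physical address (192.0.2.2), even when clients connect to the HSRP address,
! which matches the symptom described in the thread.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 crypto map MAPPP
!
! After: the HSRP group is named and the crypto map is bound to that name.
! The router now uses the virtual address (192.0.2.1) as its local IKE/IPsec
! endpoint, and only the active HSRP router terminates tunnels.
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name VPNHA
 crypto map MAPPP redundancy VPNHA
```

Remote clients must use the virtual address as their VPN gateway, and the second HSRP router needs the same crypto configuration and the same standby group name.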
