vpn phase 2 error - IPSEC(ipsec_process_proposal): invalid local address

mulhollandm (Level 1)

Folks,

I have two 1941 routers running 15.2 and I'm trying to set up a site-to-site VPN with digital signatures.

I can get to a phase 2 proposal (phase 1 gets to QM_IDLE), but the phase 2 proposal is rejected with the above error message.

Has anyone any good sample configs of a site-to-site VPN using 15.2?

My config is below.

It's mirrored on the remote end.

Can anyone help me out?

!
crypto isakmp policy 10
 encr aes
 group 5
 lifetime 82800
!
!
crypto ipsec transform-set T-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile T-PROFILE
 set transform-set T-TRANSFORM
 set pfs group5
!
Accepted Solution

nkarthikeyan (Level 7)

Hi,

Can you check your encryption domain, i.e. the local LAN subnet you have used for the site-to-site VPN?

Here is a sample for site-to-site:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

You can also refer to the sample config here:

 

hostname RTR1
!
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL
!
crypto ikev2 keyring VPN-KEYS
 peer ASA1
  address 10.0.0.2
  pre-shared-key local MyKey1
  pre-shared-key remote MyKey1
!
crypto ikev2 profile ASA1
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map RTR1-ASA1 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA1
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 speed auto
 duplex auto
 crypto map RTR1-ASA1
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255

Regards,
Karthik

4 Replies


Karthik,

Many thanks for your help.

I found the issue: I had misconfigured the tunnel and was using the wrong interface as the source.

Thanks again.

Check the local-address command.

IPSEC(ipsec_process_proposal): invalid local address

Wrong interface set on the command below:

crypto map myMAP local-address Dialer0

My gawd man! Been having the same issue all day; as soon as I read this note, I checked and I was using the wrong interface as the source! Thanks!!
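Both fixes in this thread come down to two consistency checks on the running-config: the accepted answer asks whether the encryption domain (the crypto ACL) is mirrored on both ends, and the later replies point at `crypto map ... local-address` naming an interface that does not carry the address the peer expects. The script below is an added example, not code from the thread or from Cisco: it parses two constructed IOS-style configs (site A with the local-address mistake from the last replies, plus a corrected copy, and site B as the peer; the interface names, map name, ACL name and the 203.0.113.0/30, 198.51.100.0/30, 192.168.1.0/24 and 192.168.5.0/24 addresses are all assumptions) and reports whether the local-address interface actually has an IPv4 address, whether each side's `set peer` matches the address the other side will use as its local address, and whether the two crypto ACLs are exact mirrors.

```python
import re
from typing import List, Optional

# Constructed sample configs for this example (not from the thread). Site A
# reproduces the mistake in the last replies: the crypto map is applied on
# GigabitEthernet0/0 but local-address names Dialer0, which has no address.
SITE_A_BROKEN = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map VPN-MAP
interface Dialer0
 no ip address
crypto map VPN-MAP local-address Dialer0
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SITE_A_FIXED = SITE_A_BROKEN.replace("local-address Dialer0", "local-address GigabitEthernet0/0")
SITE_B = """\
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-MAP
crypto map VPN-MAP local-address GigabitEthernet0/0
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 match address VPN-TRAFFIC
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
"""

def parse(cfg: str) -> dict:
    """Pull interfaces, crypto map entries and crypto ACLs out of IOS config text."""
    site = {"interfaces": {}, "local_address": {}, "maps": {}, "acls": {}}
    kind = key = None  # block that the indented lines currently belong to
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        item = line.strip()
        if not line.startswith(" "):  # top-level line starts a new block
            kind = key = None
            if m := re.match(r"interface (\S+)", item):
                kind, key = "interface", m[1]
                site["interfaces"][key] = {"ip": None, "map": None}
            elif m := re.match(r"crypto map (\S+) local-address (\S+)", item):
                site["local_address"][m[1]] = m[2]
            elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", item):
                kind, key = "map", (m[1], int(m[2]))
                site["maps"].setdefault(m[1], {})[key[1]] = {"peer": None, "acl": None}
            elif m := re.match(r"ip access-list extended (\S+)", item):
                kind, key = "acl", m[1]
                site["acls"][key] = []
        elif kind == "interface":
            if m := re.match(r"ip address (\S+) \S+", item):  # 'no ip address' does not match
                site["interfaces"][key]["ip"] = m[1]
            elif m := re.match(r"crypto map (\S+)", item):
                site["interfaces"][key]["map"] = m[1]
        elif kind == "map":
            if m := re.match(r"set peer (\S+)", item):
                site["maps"][key[0]][key[1]]["peer"] = m[1]
            elif m := re.match(r"match address (\S+)", item):
                site["maps"][key[0]][key[1]]["acl"] = m[1]
        elif kind == "acl":
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", item):
                site["acls"][key].append(m.groups())
    return site

def local_ip(site: dict, map_name: str) -> Optional[str]:
    """Address used as the IPsec local address: the local-address interface if set,
    otherwise the interface the crypto map is applied to."""
    iface = site["local_address"].get(map_name) or next(
        (n for n, d in site["interfaces"].items() if d["map"] == map_name), None)
    return site["interfaces"].get(iface, {}).get("ip")

def check_site(site: dict) -> List[str]:
    """Per-router check behind 'invalid local address': the local-address
    interface must exist and actually carry an IPv4 address."""
    out = []
    for map_name, iface in site["local_address"].items():
        if site["interfaces"].get(iface, {"ip": None})["ip"] is None:
            out.append(f"{map_name}: local-address {iface} is missing or has no IPv4 address")
    return out

def check_pair(a: dict, b: dict, map_name: str) -> List[str]:
    """Cross-site checks: each side's set peer is the other's local address and
    the crypto ACLs (the encryption domains) are exact mirrors of each other."""
    out = []
    for x, y, tag in ((a, b, "A"), (b, a, "B")):
        for seq, ex in x["maps"].get(map_name, {}).items():
            ey = y["maps"].get(map_name, {}).get(seq, {"acl": None})
            want = local_ip(y, map_name)
            if ex["peer"] != want:
                out.append(f"{tag} seq {seq}: set peer {ex['peer']} but remote local address is {want}")
            mirror = {(d, dm, s, sm) for s, sm, d, dm in y["acls"].get(ey["acl"], [])}
            if set(x["acls"].get(ex["acl"], [])) != mirror:
                out.append(f"{tag} seq {seq}: ACL {ex['acl']} does not mirror remote ACL {ey['acl']}")
    return out

def audit(cfg_a: str, cfg_b: str, map_name: str = "VPN-MAP") -> List[str]:
    """All findings for a pair of site configs; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check_site(a) + check_site(b) + check_pair(a, b, map_name)
```

Running `audit(SITE_A_BROKEN, SITE_B)` reports that `local-address Dialer0` has no IPv4 address and that site B's `set peer 203.0.113.1` does not match what site A will present as its local address; `audit(SITE_A_FIXED, SITE_B)` returns no findings. The parser only understands the handful of lines these checks need, so feed it `show running-config` output from both ends and treat anything it flags as the first thing to fix before going back to the phase 2 debugs.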