There was a VPN set up recently using a Cisco router to connect to a Check Point firewall. It seemed a simple task, but “IPSec policy invalidated proposal with error 32” made me go through all the troubleshooting steps shown below.
Other examples of troubleshooting IPSec VPN issues:
- Troubleshooting Cisco IPSec Site to Site VPN – “reason: Unknown delete reason!” after Phase 1 Completed
- Troubleshooting Cisco IPSec Site to Site VPN – “IPSec policy invalidated proposal with error 32”
The topology is quite simple:
The remote site uses a Check Point firewall as its VPN gateway, and it has been used for all kinds of VPN connections.
Here is my original VPN configuration.
interface GigabitEthernet0/0
ip address 19.24.11.142 255.255.255.0
duplex auto
speed auto
crypto map vpn
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco123 address 19.9.17.1
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN-Set ah-sha-hmac esp-3des
!
crypto map vpn 10 ipsec-isakmp
description VPN VPN
set peer 198.96.178.1
set transform-set VPN-Set
set pfs group2
match address VPN-VPN
ip access-list extended VPN-VPN
permit ip host 19.24.11.53 host 19.9.17.41
permit ip host 19.24.11.245 host 19.9.17.41
The Check Point firewall is at the remote site and I am not managing it. From the collected information, here is what the Check Point configuration looks like:
- Center gateways: the object representing the Check Point enforcement point
- Satellite gateways: the object representing the Cisco router – CiscoVPN
- Encryption:
  - Encryption Method: IKEv1 Only
  - Encryption Suite: Custom with the following properties
    - IKE (Phase 1) Properties
      - Perform key exchange encryption with: 3Des
      - Perform data integrity with: SHA-1
    - IPSec (Phase 2) Properties
      - Perform IPSec data encryption with: 3Des
      - Perform data integrity with: SHA-1
- Tunnel Management: VPN Tunnel sharing: One VPN tunnel per subnet pair
- Advanced settings
  - VPN Routing: To center only
  - Shared Secret: Use only Shared Secret for all external members, then add the shared secret to CiscoVPN
  - Advanced VPN Properties: IKE (Phase 1): Use Diffie-Hellman Group: Group 2
It looks quite straightforward and should not hold any surprises.
Unfortunately the tunnel did not come up as expected. I got the following debug messages:
000421: Apr 26 21:40:20.568 EDT: ISAKMP (0): received packet from 19.9.17.1 dport 500 sport 500 Global (N) NEW SA
000422: Apr 26 21:40:20.568 EDT: ISAKMP: Created a peer struct for 19.9.17.1, peer port 500
000423: Apr 26 21:40:20.568 EDT: ISAKMP: New peer created peer = 0x2B149B28 peer_handle = 0x8000000D
000424: Apr 26 21:40:20.568 EDT: ISAKMP: Locking peer struct 0x2B149B28, refcount 1 for crypto_isakmp_process_block
000425: Apr 26 21:40:20.568 EDT: ISAKMP: local port 500, remote port 500
000426: Apr 26 21:40:20.568 EDT: ISAKMP:(0):insert sa successfully sa = 2A25BEAC
000427: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000428: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000429: Apr 26 21:40:20.568 EDT: ISAKMP:(0): processing SA payload. message ID = 0
000430: Apr 26 21:40:20.568 EDT: ISAKMP:(0): processing vendor id payload
000431: Apr 26 21:40:20.568 EDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
000432: Apr 26 21:40:20.568 EDT: ISAKMP:(0): processing vendor id payload
000433: Apr 26 21:40:20.568 EDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
000434: Apr 26 21:40:20.568 EDT: ISAKMP:(0):found peer pre-shared key matching 19.9.17.1
000435: Apr 26 21:40:20.568 EDT: ISAKMP:(0): local preshared key found
000436: Apr 26 21:40:20.568 EDT: ISAKMP : Scanning profiles for xauth …
000437: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
000438: Apr 26 21:40:20.568 EDT: ISAKMP: encryption 3DES-CBC
000439: Apr 26 21:40:20.568 EDT: ISAKMP: hash SHA
000440: Apr 26 21:40:20.568 EDT: ISAKMP: auth pre-share
000441: Apr 26 21:40:20.568 EDT: ISAKMP: default group 2
000442: Apr 26 21:40:20.568 EDT: ISAKMP: life type in seconds
000443: Apr 26 21:40:20.568 EDT: ISAKMP: life duration (VPI) of 0x0 0x0 0xE 0x10
000444: Apr 26 21:40:20.568 EDT: ISAKMP:(0):atts are acceptable. Next payload is 0
000445: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Acceptable atts:actual life: 0
000446: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Acceptable atts:life: 0
000447: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Fill atts in sa vpi_length:4
000448: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Fill atts in sa life_in_seconds:3600
000449: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Returning Actual lifetime: 3600
000450: Apr 26 21:40:20.568 EDT: ISAKMP:(0)::Started lifetime timer: 3600.
000451: Apr 26 21:40:20.588 EDT: ISAKMP:(0): processing vendor id payload
000452: Apr 26 21:40:20.588 EDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch
000453: Apr 26 21:40:20.588 EDT: ISAKMP:(0): processing vendor id payload
000454: Apr 26 21:40:20.588 EDT: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
000455: Apr 26 21:40:20.588 EDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000456: Apr 26 21:40:20.588 EDT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
000457: Apr 26 21:40:20.588 EDT: ISAKMP:(0): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
000458: Apr 26 21:40:20.588 EDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
000459: Apr 26 21:40:20.588 EDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000460: Apr 26 21:40:20.588 EDT: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
000461: Apr 26 21:40:20.616 EDT: ISAKMP (0): received packet from 19.9.17.1 dport 500 sport 500 Global (R) MM_SA_SETUP
000462: Apr 26 21:40:20.616 EDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000463: Apr 26 21:40:20.616 EDT: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
000464: Apr 26 21:40:20.620 EDT: ISAKMP:(0): processing KE payload. message ID = 0
000465: Apr 26 21:40:20.644 EDT: ISAKMP:(0): processing NONCE payload. message ID = 0
000466: Apr 26 21:40:20.644 EDT: ISAKMP:(0):found peer pre-shared key matching 19.9.17.1
000467: Apr 26 21:40:20.644 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000468: Apr 26 21:40:20.644 EDT: ISAKMP:(1006):Old State = IKE_R_MM3 New State = IKE_R_MM3
000469: Apr 26 21:40:20.644 EDT: ISAKMP:(1006): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000470: Apr 26 21:40:20.644 EDT: ISAKMP:(1006):Sending an IKE IPv4 Packet.
000471: Apr 26 21:40:20.648 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000472: Apr 26 21:40:20.648 EDT: ISAKMP:(1006):Old State = IKE_R_MM3 New State = IKE_R_MM4
000473: Apr 26 21:40:20.676 EDT: ISAKMP (1006): received packet from 19.9.17.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
000474: Apr 26 21:40:20.676 EDT: ISAKMP:(1006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000475: Apr 26 21:40:20.676 EDT: ISAKMP:(1006):Old State = IKE_R_MM4 New State = IKE_R_MM5
000476: Apr 26 21:40:20.680 EDT: ISAKMP:(1006): processing ID payload. message ID = 0
000477: Apr 26 21:40:20.680 EDT: ISAKMP (1006): ID payload
next-payload : 8
type : 1
address : 19.9.17.1
protocol : 0
port : 0
length : 12
000478: Apr 26 21:40:20.680 EDT: ISAKMP:(0):: peer matches *none* of the profiles
000479: Apr 26 21:40:20.680 EDT: ISAKMP:(1006): processing HASH payload. message ID = 0
000480: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):SA authentication status:
authenticated
000481: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):SA has been authenticated with 19.9.17.1
000482: Apr 26 21:40:20.680 EDT: ISAKMP: Trying to insert a peer 19.24.11.142/19.9.17.1/500/, and inserted successfully 2B149B28.
000483: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000484: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Old State = IKE_R_MM5 New State = IKE_R_MM5
000485: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000486: Apr 26 21:40:20.680 EDT: ISAKMP (1006): ID payload
next-payload : 8
type : 1
address : 19.24.11.142
protocol : 17
port : 500
length : 12
000487: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Total payload length: 12
000488: Apr 26 21:40:20.680 EDT: ISAKMP:(1006): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000489: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Sending an IKE IPv4 Packet.
000490: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000491: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
000492: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000493: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
000494: Apr 26 21:40:20.708 EDT: ISAKMP (1006): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
000495: Apr 26 21:40:20.708 EDT: ISAKMP: set new node 565784744 to QM_IDLE
000496: Apr 26 21:40:20.708 EDT: ISAKMP:(1006): processing HASH payload. message ID = 565784744
000497: Apr 26 21:40:20.708 EDT: ISAKMP:(1006): processing SA payload. message ID = 565784744
000498: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):Checking IPSec proposal 1
000499: Apr 26 21:40:20.708 EDT: ISAKMP: transform 1, ESP_3DES
000500: Apr 26 21:40:20.708 EDT: ISAKMP: attributes in transform:
000501: Apr 26 21:40:20.708 EDT: ISAKMP: group is 2
000502: Apr 26 21:40:20.708 EDT: ISAKMP: SA life type in seconds
000503: Apr 26 21:40:20.708 EDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
000504: Apr 26 21:40:20.708 EDT: ISAKMP: authenticator is HMAC-SHA
000505: Apr 26 21:40:20.708 EDT: ISAKMP: encaps is 1 (Tunnel)
000506: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):atts are acceptable.
000507: Apr 26 21:40:20.708 EDT: ISAKMP:(1006): IPSec policy invalidated proposal with error 32
000508: Apr 26 21:40:20.708 EDT: ISAKMP:(1006): phase 2 SA policy not acceptable! (local 19.24.11.142 remote 19.9.17.1)
000509: Apr 26 21:40:20.708 EDT: ISAKMP: set new node -1495049782 to QM_IDLE
000510: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 820964128, message ID = 2799917514
000511: Apr 26 21:40:20.708 EDT: ISAKMP:(1006): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) QM_IDLE
000512: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):Sending an IKE IPv4 Packet.
000513: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):purging node -1495049782
000514: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):deleting node 565784744 error TRUE reason “QM rejected”
000515: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):Node 565784744, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
000516: Apr 26 21:40:20.708 EDT: ISAKMP:(1006):Old State = IKE_QM_READY New State = IKE_QM_READY
R-IPSEC1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
19.24.11.142 19.9.17.1 QM_IDLE 1006 ACTIVE
There is “IPSec policy invalidated proposal with error 32”. It does not give enough detail for me to conclude the cause, and the situation described in L2L VPN TroubleShooting: “IPSec policy invalidated proposal with error 32” does not apply to me.
On second thought, I suspected it might relate to the access-lists not being mirrored on both ends, since that is a common issue between Check Point and Cisco. The remote site's VPN may use a wider encryption domain, such as a /24 network, while I am using /32 instead. So I changed my access-list to the following:
R-IPSEC1(config-ext-nacl)#do sh access-list VPN-VPN
Extended IP access list VPN-VPN
50 permit ip host 19.24.11.245 19.9.17.0 0.0.0.255
60 permit ip host 19.24.11.53 19.9.17.0 0.0.0.255
I got a slightly better result, but still similar messages.
001319: Apr 26 22:26:41.310 EDT: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001320: Apr 26 22:26:41.310 EDT: ISAKMP:(1010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001321: Apr 26 22:26:41.362 EDT: ISAKMP (1010): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001322: Apr 26 22:26:41.362 EDT: ISAKMP: set new node 1351243089 to QM_IDLE
001323: Apr 26 22:26:41.362 EDT: ISAKMP:(1010): processing HASH payload. message ID = 1351243089
001324: Apr 26 22:26:41.362 EDT: ISAKMP:(1010): processing SA payload. message ID = 1351243089
001325: Apr 26 22:26:41.362 EDT: ISAKMP:(1010):Checking IPSec proposal 1
001326: Apr 26 22:26:41.362 EDT: ISAKMP: transform 1, ESP_3DES
001327: Apr 26 22:26:41.362 EDT: ISAKMP: attributes in transform:
001328: Apr 26 22:26:41.362 EDT: ISAKMP: group is 2
001329: Apr 26 22:26:41.362 EDT: ISAKMP: SA life type in seconds
001330: Apr 26 22:26:41.362 EDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
001331: Apr 26 22:26:41.362 EDT: ISAKMP: authenticator is HMAC-SHA
001332: Apr 26 22:26:41.362 EDT: ISAKMP: encaps is 1 (Tunnel)
001333: Apr 26 22:26:41.362 EDT: ISAKMP:(1010):atts are acceptable.
001334: Apr 26 22:26:41.366 EDT: IPSEC(validate_proposal_request): proposal part #1
001335: Apr 26 22:26:41.366 EDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 19.24.11.142:0, remote= 19.9.17.1:0,
local_proxy= 19.24.11.245/255.255.255.255/0/0 (type=1),
remote_proxy= 198.96.176.41/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001336: Apr 26 22:26:41.366 EDT: IPSEC(ipsec_process_proposal): proxy identities not supported
001337: Apr 26 22:26:41.366 EDT: ISAKMP:(1010): IPSec policy invalidated proposal with error 32
001338: Apr 26 22:26:41.366 EDT: ISAKMP:(1010): phase 2 SA policy not acceptable! (local 19.24.11.142 remote 19.9.17.1)
001339: Apr 26 22:26:41.366 EDT: ISAKMP: set new node 1666670311 to QM_IDLE
001340: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 820964128, message ID = 1666670311
001341: Apr 26 22:26:41.366 EDT: ISAKMP:(1010): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) QM_IDLE
001342: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):Sending an IKE IPv4 Packet.
001343: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):purging node 1666670311
001344: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):deleting node 1351243089 error TRUE reason “QM rejected”
001345: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):Node 1351243089, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001346: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):Old State = IKE_QM_READY New State = IKE_QM_READY
On third thought, and after discussing with the remote firewall administrator, I changed my access-list again to include both, since his encryption domain includes both the specific IPs and the whole network.
R-IPSEC1(config-ext-nacl)#do show access-list VPN-VPN
Extended IP access list VPN-VPN
110 permit ip host 19.24.11.53 host 19.9.17.41
120 permit ip host 19.24.11.245 host 19.9.17.41
130 permit ip host 19.24.11.53 19.9.17.0 0.0.0.255
140 permit ip host 19.24.11.245 19.9.17.0 0.0.0.255
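As an added example (not part of the original post), here is a small Python check that models what the debug output above shows: IOS compared the peer's proposed proxy identities against the crypto ACL and accepted only an exact mirror match, so a /32 proposal was rejected by a /24 entry. The three access-lists and the peer encryption domain below are constructed from the values in the post; `parse_crypto_acl`, `unmatched_proposals`, `report` and the `Pair` type are names chosen for this example.

```python
import ipaddress
from typing import List, Tuple

# A proxy-identity pair as seen from this router: (local network, remote network).
Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def pair(local: str, remote: str) -> Pair:
    """Build a (local, remote) proxy pair from two CIDR strings."""
    return (ipaddress.ip_network(local, strict=False),
            ipaddress.ip_network(remote, strict=False))


def parse_crypto_acl(acl_text: str) -> List[Pair]:
    """Parse the 'permit ip' entries of a Cisco extended ACL into proxy pairs.

    Accepts both 'show access-list' output (with sequence numbers and match
    counters) and raw configuration lines. Handles 'host A.B.C.D' and
    'NETWORK WILDCARD' operands; 'any' is deliberately not handled, since it
    has no place in a site-to-site crypto ACL.
    """
    pairs: List[Pair] = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 1:]
        if not rest or rest[0] != "ip":
            continue
        rest = rest[1:]
        nets: List[ipaddress.IPv4Network] = []
        while rest and len(nets) < 2:
            if rest[0] == "host":
                nets.append(ipaddress.ip_network(rest[1] + "/32"))
            else:
                # Cisco wildcard masks are inverted netmasks.
                wildcard = int(ipaddress.ip_address(rest[1]))
                netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
                nets.append(ipaddress.ip_network(f"{rest[0]}/{netmask}", strict=False))
            rest = rest[2:]
        if len(nets) == 2:
            pairs.append((nets[0], nets[1]))
    return pairs


def unmatched_proposals(local_acl: List[Pair], peer_domain: List[Pair]) -> List[Pair]:
    """Return the peer's proposed pairs that have no exact mirror in our ACL.

    peer_domain is written from the peer's point of view, (peer_local,
    peer_remote); its mirror image on our side is (peer_remote, peer_local).
    Only an exact match counts: a /32 proposal is not covered by a /24 entry,
    which is what produced 'proxy identities not supported' in the post.
    """
    ours = set(local_acl)
    return [p for p in peer_domain if (p[1], p[0]) not in ours]


# Constructed sample data: the three access-lists from the post and the peer
# encryption domain the remote administrator described (both the specific
# hosts and the whole /24), written from the Check Point side.
ACL_V1 = """\
permit ip host 19.24.11.53 host 19.9.17.41
permit ip host 19.24.11.245 host 19.9.17.41
"""
ACL_V2 = """\
50 permit ip host 19.24.11.245 19.9.17.0 0.0.0.255
60 permit ip host 19.24.11.53 19.9.17.0 0.0.0.255
"""
ACL_V3 = ACL_V1 + ACL_V2
PEER_DOMAIN = [
    pair("19.9.17.41/32", "19.24.11.245/32"),
    pair("19.9.17.41/32", "19.24.11.53/32"),
    pair("19.9.17.0/24", "19.24.11.245/32"),
    pair("19.9.17.0/24", "19.24.11.53/32"),
]


def report(name: str, acl_text: str) -> int:
    """Print the proposals a given ACL would reject and return how many there are."""
    missing = unmatched_proposals(parse_crypto_acl(acl_text), PEER_DOMAIN)
    print(f"{name}: {len(missing)} peer proposal(s) would be rejected")
    for peer_local, peer_remote in missing:
        print(f"  needs ACE: permit ip {peer_remote} -> {peer_local}")
    return len(missing)


if __name__ == "__main__":
    for name, acl in (("host-only ACL", ACL_V1), ("/24-only ACL", ACL_V2), ("both", ACL_V3)):
        report(name, acl)
```

Run against the three access-lists, the host-only and /24-only versions each leave two of the peer's four proposals without a mirror entry, and only the combined list accepts all of them, which is the sequence of results the post went through.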
The debug output shows much more detail this time:
001565: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
001566: Apr 26 22:40:20.200 EDT: ISAKMP (1012): ID payload
next-payload : 8
type : 1
address : 19.24.11.142
protocol : 17
port : 500
length : 12
001567: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Total payload length: 12
001568: Apr 26 22:40:20.200 EDT: ISAKMP:(1012): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001569: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Sending an IKE IPv4 Packet.
001570: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001571: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
001572: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001573: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001574: Apr 26 22:40:20.264 EDT: ISAKMP (1012): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001575: Apr 26 22:40:20.264 EDT: ISAKMP: set new node -1828063596 to QM_IDLE
001576: Apr 26 22:40:20.264 EDT: ISAKMP:(1012): processing HASH payload. message ID = 2466903700
001577: Apr 26 22:40:20.264 EDT: ISAKMP:(1012): processing SA payload. message ID = 2466903700
001578: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):Checking IPSec proposal 1
001579: Apr 26 22:40:20.264 EDT: ISAKMP: transform 1, ESP_3DES
001580: Apr 26 22:40:20.264 EDT: ISAKMP: attributes in transform:
001581: Apr 26 22:40:20.264 EDT: ISAKMP: group is 2
001582: Apr 26 22:40:20.264 EDT: ISAKMP: SA life type in seconds
001583: Apr 26 22:40:20.264 EDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
001584: Apr 26 22:40:20.264 EDT: ISAKMP: authenticator is HMAC-SHA
001585: Apr 26 22:40:20.264 EDT: ISAKMP: encaps is 1 (Tunnel)
001586: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):atts are acceptable.
001587: Apr 26 22:40:20.264 EDT: IPSEC(validate_proposal_request): proposal part #1
001588: Apr 26 22:40:20.264 EDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 19.24.11.142:0, remote= 19.9.17.1:0,
local_proxy= 19.24.11.245/255.255.255.255/0/0 (type=1),
remote_proxy= 19.9.17.41/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001589: Apr 26 22:40:20.264 EDT: Crypto mapdb : proxy_match
src addr : 19.24.11.245
dst addr : 19.9.17.41
protocol : 0
src port : 0
dst port : 0
001590: Apr 26 22:40:20.264 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
001591: Apr 26 22:40:20.264 EDT: ISAKMP:(1012): IPSec policy invalidated proposal with error 256
001592: Apr 26 22:40:20.264 EDT: ISAKMP:(1012): phase 2 SA policy not acceptable! (local 19.24.11.142 remote 19.9.17.1)
001593: Apr 26 22:40:20.264 EDT: ISAKMP: set new node -760845603 to QM_IDLE
001594: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 820964128, message ID = 3534121693
001595: Apr 26 22:40:20.264 EDT: ISAKMP:(1012): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) QM_IDLE
001596: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):Sending an IKE IPv4 Packet.
001597: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):purging node -760845603
001598: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):deleting node -1828063596 error TRUE reason “QM rejected”
001599: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):Node 2466903700, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
R-IPSEC1#debu
001600: Apr 26 22:40:20.264 EDT: ISAKMP:(1012):Old State = IKE_QM_READY New State = IKE_QM_READY
R-IPSEC1#
001601: Apr 26 22:41:10.264 EDT: ISAKMP:(1012):purging node -1828063596
“IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }” shows that I used the wrong transform set: I was using ah-sha-hmac. The peer proposed ESP with HMAC-SHA integrity (transform ESP_3DES, authenticator HMAC-SHA in the debug above), while my transform set required AH for integrity on top of ESP, so no proposal could ever match.
I quickly changed it to esp-sha-hmac:
crypto ipsec transform-set VPN-Set esp-3des esp-sha-hmac
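The two rejection messages seen in this post (error 32 with “proxy identities not supported”, and error 256 with “transform proposal not supported for identity”) can be told apart mechanically. The following Python is an added example, not code from the post: it classifies an excerpt of `debug crypto isakmp`/`debug crypto ipsec` output, rebuilds the transform the peer proposed from the attribute lines, and diffs it against the local `crypto ipsec transform-set` line, old and new. The debug excerpts are abbreviated copies of the lines above with sequence numbers and timestamps removed; the function names and the ESP attribute mapping tables are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Set

# Attribute names printed by "debug crypto isakmp" mapped to the keywords used
# in "crypto ipsec transform-set". Only ESP transforms are mapped here; anything
# else is passed through lower-cased so a mismatch still shows up in the diff.
ENC_NAMES = {"ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_AES": "esp-aes"}
AUTH_NAMES = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}

ERROR_RE = re.compile(r"IPSec policy invalidated proposal with error (\d+)")


def parse_transform_set(config_line: str) -> Set[str]:
    """Return the transforms named on a 'crypto ipsec transform-set NAME ...' line."""
    tokens = config_line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a transform-set configuration line")
    return set(tokens[4:])


def parse_peer_transform(debug: str) -> Set[str]:
    """Rebuild the transform the peer proposed from the ISAKMP attribute lines."""
    proposed: Set[str] = set()
    for line in debug.splitlines():
        m = re.search(r"\btransform \d+, (\S+)", line)
        if m:
            proposed.add(ENC_NAMES.get(m.group(1), m.group(1).lower()))
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            proposed.add(AUTH_NAMES.get(m.group(1), m.group(1).lower()))
    return proposed


def classify_phase2(debug: str) -> Dict[str, Optional[object]]:
    """Map one quick-mode attempt in the debug output to its likely root cause."""
    m = ERROR_RE.search(debug)
    error = int(m.group(1)) if m else None
    if error is None:
        cause = ("phase 2 completed" if "IKE_QM_PHASE2_COMPLETE" in debug
                 else "no phase 2 verdict in this excerpt")
    elif error == 32 and "proxy identities not supported" in debug:
        cause = "crypto ACL / encryption domain mismatch"
    elif error == 32:
        cause = "phase 2 policy rejected; enable 'debug crypto ipsec' to see the proxy identities"
    elif error == 256 and "transform proposal not supported" in debug:
        cause = "transform-set mismatch"
    else:
        cause = "unrecognised phase 2 rejection"
    return {"error": error, "cause": cause}


def transform_gap(local: Set[str], peer: Set[str]) -> Dict[str, Set[str]]:
    """Transforms our set requires but the peer did not offer, and the reverse."""
    return {"required_locally_not_offered": local - peer,
            "offered_by_peer_not_configured": peer - local}


# Constructed samples: abbreviated copies of the debug lines in the post, with
# sequence numbers and timestamps stripped.
DEBUG_ERROR_32 = """\
ISAKMP:(1010):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 19.24.11.142:0, remote= 19.9.17.1:0,
local_proxy= 19.24.11.245/255.255.255.255/0/0 (type=1),
remote_proxy= 198.96.176.41/255.255.255.255/0/0 (type=1),
IPSEC(ipsec_process_proposal): proxy identities not supported
ISAKMP:(1010): IPSec policy invalidated proposal with error 32
"""
DEBUG_ERROR_256 = """\
ISAKMP:(1012):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: group is 2
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1 (Tunnel)
ISAKMP:(1012):atts are acceptable.
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
ISAKMP:(1012): IPSec policy invalidated proposal with error 256
"""
DEBUG_OK = "ISAKMP:(1013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE\n"

OLD_SET = "crypto ipsec transform-set VPN-Set ah-sha-hmac esp-3des"
NEW_SET = "crypto ipsec transform-set VPN-Set esp-3des esp-sha-hmac"


if __name__ == "__main__":
    for name, excerpt in (("attempt 2", DEBUG_ERROR_32), ("attempt 3", DEBUG_ERROR_256), ("after fix", DEBUG_OK)):
        print(name, classify_phase2(excerpt))
    peer = parse_peer_transform(DEBUG_ERROR_256)
    for label, cfg in (("old", OLD_SET), ("new", NEW_SET)):
        print(label, transform_gap(parse_transform_set(cfg), peer))
```

With the old transform set the diff reports ah-sha-hmac as required locally but never offered, and esp-sha-hmac as offered by the peer but not configured; with the corrected line both sides of the diff are empty, which is why phase 2 completes in the next capture.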
This time the VPN tunnel finally came fully up in both phase 1 and phase 2. In the output of “show crypto ipsec sa”, the encrypt and decrypt counters increase when I test it.
001701: Apr 26 22:46:39.512 EDT: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001702: Apr 26 22:46:39.512 EDT: ISAKMP:(1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001703: Apr 26 22:46:39.560 EDT: ISAKMP (1013): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001704: Apr 26 22:46:39.560 EDT: ISAKMP: set new node -963038103 to QM_IDLE
001705: Apr 26 22:46:39.560 EDT: ISAKMP:(1013): processing HASH payload. message ID = 3331929193
001706: Apr 26 22:46:39.560 EDT: ISAKMP:(1013): processing SA payload. message ID = 3331929193
001707: Apr 26 22:46:39.560 EDT: ISAKMP:(1013):Checking IPSec proposal 1
001708: Apr 26 22:46:39.560 EDT: ISAKMP: transform 1, ESP_3DES
001709: Apr 26 22:46:39.560 EDT: ISAKMP: attributes in transform:
001710: Apr 26 22:46:39.560 EDT: ISAKMP: group is 2
001711: Apr 26 22:46:39.560 EDT: ISAKMP: SA life type in seconds
001712: Apr 26 22:46:39.560 EDT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
001713: Apr 26 22:46:39.560 EDT: ISAKMP: authenticator is HMAC-SHA
001714: Apr 26 22:46:39.560 EDT: ISAKMP: encaps is 1 (Tunnel)
001715: Apr 26 22:46:39.560 EDT: ISAKMP:(1013):atts are acceptable.
001716: Apr 26 22:46:39.560 EDT: IPSEC(validate_proposal_request): proposal part #1
001717: Apr 26 22:46:39.560 EDT: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 19.24.11.142:0, remote= 19.9.17.1:0,
local_proxy= 19.24.11.245/255.255.255.255/0/0 (type=1),
remote_proxy= 198.96.176.41/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
001718: Apr 26 22:46:39.560 EDT: Crypto mapdb : proxy_match
src addr : 19.24.11.245
dst addr : 198.96.176.41
protocol : 0
src port : 0
dst port : 0
001719: Apr 26 22:46:39.580 EDT: ISAKMP:(1013): processing NONCE payload. message ID = 3331929193
001720: Apr 26 22:46:39.580 EDT: ISAKMP:(1013): processing KE payload. message ID = 3331929193
001721: Apr 26 22:46:39.608 EDT: ISAKMP:(1013): processing ID payload. message ID = 3331929193
001722: Apr 26 22:46:39.608 EDT: ISAKMP:(1013): processing ID payload. message ID = 3331929193
001723: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):QM Responder gets spi
001724: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):Node 3331929193, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001725: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
001726: Apr 26 22:46:39.608 EDT: ISAKMP:(1013): Creating IPSec SAs
001727: Apr 26 22:46:39.608 EDT: inbound SA from 19.9.17.1 to 19.24.11.142 (f/i) 0/ 0
(proxy 198.96.176.41 to 19.24.11.245)
001728: Apr 26 22:46:39.608 EDT: has spi 0x4F77DACA and conn_id 0
001729: Apr 26 22:46:39.608 EDT: lifetime of 3600 seconds
001730: Apr 26 22:46:39.608 EDT: outbound SA from 19.24.11.142 to 19.9.17.1 (f/i) 0/0
(proxy 19.24.11.245 to 198.96.176.41)
001731: Apr 26 22:46:39.608 EDT: has spi 0x990B6255 and conn_id 0
001732: Apr 26 22:46:39.608 EDT: lifetime of 3600 seconds
001733: Apr 26 22:46:39.608 EDT: ISAKMP:(1013): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) QM_IDLE
001734: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):Sending an IKE IPv4 Packet.
001735: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):Node 3331929193, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
001736: Apr 26 22:46:39.608 EDT: ISAKMP:(1013):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
001737: Apr 26 22:46:39.608 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001738: Apr 26 22:46:39.608 EDT: Crypto mapdb : proxy_match
src addr : 19.24.11.245
dst addr : 198.96.176.41
protocol : 0
src port : 0
dst port : 0
001739: Apr 26 22:46:39.612 EDT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 19.9.17.1
001740: Apr 26 22:46:39.612 EDT: IPSEC(policy_db_add_ident): src 19.24.11.245, dest 198.96.176.41, dest_port 0
001741: Apr 26 22:46:39.612 EDT: IPSEC(create_sa): sa created,
(sa) sa_dest= 19.24.11.142, sa_proto= 50,
sa_spi= 0x4F77DACA(1333254858),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4586756/3600)
001742: Apr 26 22:46:39.612 EDT: IPSEC(create_sa): sa created,
(sa) sa_dest= 19.9.17.1, sa_proto= 50,
sa_spi= 0x990B6255(2567660117),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4586756/3600)
001743: Apr 26 22:46:39.656 EDT: ISAKMP (1013): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001744: Apr 26 22:46:39.656 EDT: ISAKMP:(1013):deleting node -963038103 error FALSE reason “QM done (await)”
001745: Apr 26 22:46:39.656 EDT: ISAKMP:(1013):Node 3331929193, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
001746: Apr 26 22:46:39.656 EDT: ISAKMP:(1013):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
001747: Apr 26 22:46:39.656 EDT: IPSEC(key_engine): got a queue event with 1 KMI message(s)
001748: Apr 26 22:46:39.656 EDT: IPSEC(key_engine_enable_outbound): rec’d enable notify from ISAKMP
001749: Apr 26 22:46:39.656 EDT: IPSEC(key_engine_enable_outbound): enable SA with spi 2567660117/50
001750: Apr 26 22:46:39.656 EDT: IPSEC(update_current_outbound_sa): get enable SA peer 19.9.17.1 current outbound sa to SPI 990B6255
001751: Apr 26 22:46:39.656 EDT: IPSEC(update_current_outbound_sa): updated peer 19.9.17.1 current outbound sa to SPI 990B6255
001752: Apr 26 22:46:39.696 EDT: %AAA-3-BADSERVERTYPEERROR: Cannot process accounting server type tacacs+ (UNKNOWN)
001753: Apr 26 22:46:39.756 EDT: ISAKMP (1013): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001754: Apr 26 22:46:39.756 EDT: ISAKMP:(1013): phase 2 packet is a duplicate of a previous packet.
001755: Apr 26 22:46:39.756 EDT: ISAKMP:(1013): retransmitting due to retransmit phase 2
001756: Apr 26 22:46:39.756 EDT: ISAKMP:(1013): ignoring retransmission,because phase2 node marked dead -963038103
001757: Apr 26 22:46:39.856 EDT: ISAKMP (1013): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001758: Apr 26 22:46:39.856 EDT: ISAKMP:(1013): phase 2 packet is a duplicate of a previous packet.
[confirm]
001759: Apr 26 22:46:39.856 EDT: ISAKMP:(1013): retransmitting due to retransmit phase 2
001760: Apr 26 22:46:39.856 EDT: ISAKMP:(1013): ignoring retransmission,because phase2 node marked dead -963038103
[confirm]
Debugging Command:
- debug crypto engine—Displays debug messages about crypto engines, which perform encryption and decryption.
- debug crypto isakmp—Displays messages about IKE events.
- debug crypto ipsec—Displays IPSec events.
- clear crypto isakmp—Clears all active IKE connections.
- clear crypto sa—Clears all IPSec SAs.
- show crypto isakmp sa—Displays the active IKE SAs with their connection ids:
IPSEC1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
19.24.11.142 19.9.17.1 QM_IDLE 1014 ACTIVE
19.24.11.142 19.9.17.1 QM_IDLE 1013 ACTIVE
- clear crypto isakmp 1013—Clears only the SA with connection id 1013.
Reference:
- 1. L2L VPN TroubleShooting: “IPSec policy invalidated proposal with error 32”
- 2. Configuring an IPSec Tunnel Between a Cisco Router and a Checkpoint NG
- 3. IPSec Troubleshooting: Problem Scenarios Part 1
Related Post
Cisco ipsec policy invalidated proposal with error 32
I cannot establish a Site-to-Site connection between a Cisco 2900 (C2900-UNIVERSALK9-M), Version 15.4(3)M6a, RELEASE SOFTWARE (fc1) and Microsoft Forefront TMG 2010 (Version: 7.0.9193.500). The TMG is behind NAT on a C2951 (Version 15.0(1r)M13, RELEASE SOFTWARE (fc1)).
(10.72.0.0/16) С2900 (х.х.37.29) —Internet— (x.x.199.5) С2951 NAT (192.168.11.1) — (192.168.11.3) TMG2010 (172.16.0.0/24)
The first phase of the connection completes normally:
355510: Jan 25 09:21:42.063 YEKT: ISAKMP:(6300):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
CR02#sh cry is sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
x.x.37.29 x.x.199.5 QM_IDLE 6300 ACTIVE
But the second phase does not establish. It does try, but fails, and with a different result every other time! Log:
==== Attempt 1!
355511: Jan 25 09:21:42.119 YEKT: ISAKMP (6300): received packet from x.x.199.5 dport 4500 sport 4500 Global (R) QM_IDLE
355512: Jan 25 09:21:42.119 YEKT: ISAKMP: set new node 1 to QM_IDLE
355513: Jan 25 09:21:42.119 YEKT: ISAKMP:(6300): processing HASH payload. message >355514: Jan 25 09:21:42.119 YEKT: ISAKMP:(6300): processing SA payload. message >355515: Jan 25 09:21:42.119 YEKT: ISAKMP:(6300):Checking IPSec proposal 1
355516: Jan 25 09:21:42.119 YEKT: ISAKMP: transform 1, ESP_3DES
355517: Jan 25 09:21:42.119 YEKT: ISAKMP: attributes in transform:
355518: Jan 25 09:21:42.119 YEKT: ISAKMP: encaps is 3 (Tunnel-UDP)
355519: Jan 25 09:21:42.119 YEKT: ISAKMP: authenticator is HMAC-SHA
355520: Jan 25 09:21:42.119 YEKT: ISAKMP: group is 2
355521: Jan 25 09:21:42.119 YEKT: ISAKMP: SA life type in seconds
355522: Jan 25 09:21:42.119 YEKT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
355523: Jan 25 09:21:42.119 YEKT: ISAKMP: SA life type in kilobytes
355524: Jan 25 09:21:42.119 YEKT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
355525: Jan 25 09:21:42.119 YEKT: ISAKMP:(6300):atts are acceptable.
==== Attempt 1. One error!
355526: Jan 25 09:21:42.119 YEKT: IPSEC(ipsec_process_proposal): proxy identities not supported
355527: Jan 25 09:21:42.119 YEKT: ISAKMP:(6300): IPSec policy invalidated proposal with error 32
355528: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300): phase 2 SA policy not acceptable! (local х.х.37.29 remote х.х.199.5)
355529: Jan 25 09:21:42.123 YEKT: ISAKMP: set new node -54067319 to QM_IDLE
355530: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 568588472, message >355531: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300): sending packet to х.х.199.5my_port 4500 peer_port 4500 (R) QM_IDLE
355532: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355533: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):purging node -54067319
355534: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):deleting node 1 error TRUE reason «QM rejected»
355535: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
355536: Jan 25 09:21:42.123 YEKT: ISAKMP:(6300):Old State = IKE_QM_READY New State = IKE_QM_READY
==== Attempt 2!
355537: Jan 25 09:21:44.395 YEKT: ISAKMP (6300): received packet from х.х.199.5 dport 4500 sport 4500 Global (R) QM_IDLE
355538: Jan 25 09:21:44.395 YEKT: ISAKMP: set new node 2 to QM_IDLE
355539: Jan 25 09:21:44.395 YEKT: ISAKMP:(6300): processing HASH payload. message >355540: Jan 25 09:21:44.395 YEKT: ISAKMP:(6300): processing SA payload. message >355541: Jan 25 09:21:44.395 YEKT: ISAKMP:(6300):Checking IPSec proposal 1
355542: Jan 25 09:21:44.395 YEKT: ISAKMP: transform 1, ESP_3DES
355543: Jan 25 09:21:44.395 YEKT: ISAKMP: attributes in transform:
355544: Jan 25 09:21:44.395 YEKT: ISAKMP: encaps is 3 (Tunnel-UDP)
355545: Jan 25 09:21:44.395 YEKT: ISAKMP: authenticator is HMAC-SHA
355546: Jan 25 09:21:44.395 YEKT: ISAKMP: group is 2
355547: Jan 25 09:21:44.395 YEKT: ISAKMP: SA life type in seconds
355548: Jan 25 09:21:44.395 YEKT: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
355549: Jan 25 09:21:44.395 YEKT: ISAKMP: SA life type in kilobytes
355550: Jan 25 09:21:44.395 YEKT: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
355551: Jan 25 09:21:44.395 YEKT: ISAKMP:(6300):atts are acceptable.
355552: Jan 25 09:21:44.419 YEKT: ISAKMP:(6300): processing KE payload. message >355553: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300): processing NONCE payload. message >355554: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300): processing ID payload. message >355555: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300): processing ID payload. message >355556: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300):QM Responder gets spi
355557: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300):Node 2, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
355558: Jan 25 09:21:44.443 YEKT: ISAKMP:(6300):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
355559: Jan 25 09:21:44.447 YEKT: ISAKMP:(6300):Node 2, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
355560: Jan 25 09:21:44.447 YEKT: ISAKMP:(6300):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
355561: Jan 25 09:21:44.447 YEKT: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer х.х.199.5
355562: Jan 25 09:21:44.447 YEKT: IPSEC(create_sa): sa created,
(sa) sa_dest= х.х.37.29, sa_proto= 50,
sa_spi= 0x67F55285(1744130693),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5125
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= х.х.37.29:0, remote= х.х.199.5:0,
local_proxy= 10.72.0.0/255.255.0.0/256/0,
remote_proxy= 172.16.0.0/255.255.0.0/256/0
355563: Jan 25 09:21:44.447 YEKT: IPSEC(create_sa): sa created,
(sa) sa_dest= х.х.199.5, sa_proto= 50,
sa_spi= 0xAB691798(2875791256),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5126
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= х.х.37.29:0, remote= х.х.199.5:0,
local_proxy= 10.72.0.0/255.255.0.0/256/0,
remote_proxy= 172.16.0.0/255.255.0.0/256/0
355564: Jan 25 09:21:44.447 YEKT: ISAKMP:(6300):Received IPSec Install callback. proceeding with the negotiation
355565: Jan 25 09:21:44.447 YEKT: ISAKMP:(6300):Successfully installed IPSEC SA (SPI:0x67F55285) on Port-channel1.82
355566: Jan 25 09:21:44.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355567: Jan 25 09:21:44.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355568: Jan 25 09:21:44.455 YEKT: ISAKMP:(6300):Node 2, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
355569: Jan 25 09:21:44.455 YEKT: ISAKMP:(6300):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
==== Attempt 2. The error is different!
355570: Jan 25 09:21:54.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355571: Jan 25 09:21:54.455 YEKT: ISAKMP (6300): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
355572: Jan 25 09:21:54.455 YEKT: ISAKMP:(6300): retransmitting phase 2 2 QM_IDLE
355573: Jan 25 09:21:54.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355574: Jan 25 09:21:54.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355575: Jan 25 09:22:04.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355576: Jan 25 09:22:04.455 YEKT: ISAKMP (6300): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
355577: Jan 25 09:22:04.455 YEKT: ISAKMP:(6300): retransmitting phase 2 2 QM_IDLE
355578: Jan 25 09:22:04.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355579: Jan 25 09:22:04.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355581: Jan 25 09:22:09.703 YEKT: IPSEC(ipsec_process_proposal): proxy identities not supported
355582: Jan 25 09:22:14.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355583: Jan 25 09:22:14.455 YEKT: ISAKMP (6300): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
355584: Jan 25 09:22:14.455 YEKT: ISAKMP:(6300): retransmitting phase 2 2 QM_IDLE
355585: Jan 25 09:22:14.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355586: Jan 25 09:22:14.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355587: Jan 25 09:22:24.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355588: Jan 25 09:22:24.455 YEKT: ISAKMP (6300): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
355589: Jan 25 09:22:24.455 YEKT: ISAKMP:(6300): retransmitting phase 2 2 QM_IDLE
355590: Jan 25 09:22:24.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355591: Jan 25 09:22:24.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355592: Jan 25 09:22:32.123 YEKT: ISAKMP:(6300):purging node 1
355593: Jan 25 09:22:34.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355594: Jan 25 09:22:34.455 YEKT: ISAKMP (6300): incrementing error counter on node, attempt 5 of 5: retransmit phase 2
355595: Jan 25 09:22:34.455 YEKT: ISAKMP:(6300): retransmitting phase 2 2 QM_IDLE
355596: Jan 25 09:22:34.455 YEKT: ISAKMP:(6300): sending packet to х.х.199.5 my_port 4500 peer_port 4500 (R) QM_IDLE
355597: Jan 25 09:22:34.455 YEKT: ISAKMP:(6300):Sending an IKE IPv4 Packet.
355598: Jan 25 09:22:39.703 YEKT: IPSEC(ipsec_process_proposal): proxy identities not supported
355599: Jan 25 09:22:44.455 YEKT: ISAKMP:(6300): retransmitting phase 2 QM_IDLE 2 .
355600: Jan 25 09:22:44.455 YEKT: ISAKMP:(6300):deleting node 2 error TRUE reason "Phase 2 err count exceeded"
355601: Jan 25 09:22:44.455 YEKT: ISAKMP:(6300):peer does not do paranoid keepalives.
355602: Jan 25 09:22:44.455 YEKT: ISAKMP:(6300):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0xAB691798)
355603: Jan 25 09:22:44.455 YEKT: ISAKMP:(6300): QM node retransmission timeout, deleting all the IKE and IPSec SA
355604: Jan 25 09:22:44.455 YEKT: IPSEC: delete incomplete sa: 0x40020890
355605: Jan 25 09:22:44.455 YEKT: IPSEC(key_engine_delete_sas): delete SA with spi 0xAB691798 proto 50 for х.х.199.5
355606: Jan 25 09:22:44.455 YEKT: IPSEC(update_current_outbound_sa): updated peer х.х.199.5 current outbound sa to SPI 0
355607: Jan 25 09:22:44.455 YEKT: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
More precisely, the error is always the same, IPSEC(ipsec_process_proposal): proxy identities not supported, but for some reason it occurs at different stages.
Please help me solve this problem. I await your questions/suggestions. I really need this.
1. "IPSEC between Cisco Router and MS Forefront TMG"
Message from msanlimit on 25-Jan-17, 11:39 (in reply to #0)
Take a look at this example:
2. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #1)
According to that guide, the crypto isakmp key and the crypto map specify the internal address behind NAT, i.e. in my case 192.168.11.3 in both blocks. I did that. With those settings not even phase 1 completes: "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE. It does not find a single matching condition, i.e. the router only sees the external IP, not the internal one! Should I change the pre-shared key to the external address, or is there something else that needs to be configured?
3. "IPSEC between Cisco Router and MS Forefront TMG"
Message from msanlimit on 25-Jan-17, 15:11 (in reply to #2)
Not quite. In the example the isakmp key specifies the peer's external address, and crypto map set peer also specifies the external address:
crypto isakmp key cisco123 address 95.95.95.2
In the ACL for the crypto map you specify the interesting traffic:
access-list 115 permit ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
And in the ACL for the route-map you deny the interesting traffic for NAT and permit the traffic that should be sent through NAT:
access-list 110 deny ip 10.103.1.0 0.0.0.255 10.50.50.0 0.0.0.255
4. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #3)
But for router A, the address 95.95.95.20 is my INTERNAL address of router B (ISA) before NAT. My EXTERNAL one is 9.9.9.1 per the diagram. And on router A there is NO NAT, i.e. only the interesting traffic is configured (and it is).
5. "IPSEC between Cisco Router and MS Forefront TMG"
Message from msanlimit on 25-Jan-17, 17:33 (in reply to #4)
Look at the configs below, based on your diagram. My tunnel works:
crypto isakmp policy 1
!
crypto isakmp policy 1
6. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #5)
TMG2010 is a Windows machine running Microsoft TMG 2010, a proxy server. But thanks, a bit later, once I restore the topology, I will compare the settings on the NAT and on the router. At the moment I have brought the Internet link directly to the TMG2010 proxy. The result is the same even without NAT. ((
7. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #6)
Here is what I get in the second phase:
420540: Jan 25 20:33:49.754 YEKT: ISAKMP (6433): received packet from х.х.199.5 dport 500 sport 500 Global (R) QM_IDLE
8. "IPSEC between Cisco Router and MS Forefront TMG"
Message from crash on 25-Jan-17, 18:50 (in reply to #7)
This message appears in the debug output when the IPSec traffic access lists do not match.
1d00h: IPSec(validate_transform_proposal): proxy identities not supported
The access lists on each node must be mirror images of each other (every entry must be a mirror image of the other side). This is shown in the following example.
Peer A
9. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #8)
That is understood. But how do you implement that on a Windows proxy server?! The rule there is:
Allow access All outbound traffic from 172.16.0.0/22 to 10.72.0.0/24 All users
On the router the rule is:
10. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon (in reply to #5)
I restored the network configuration with NAT and did everything as in the config given, except for Windows of course. Same result, same error (( I think the problem is an interoperability issue between Cisco and the third-party vendor while bringing up the tunnel ( I really don't know. I will keep digging.
11. "IPSEC between Cisco Router and MS Forefront TMG"
Message from Dev_Dimon
I MANAGED TO SOLVE THE PROBLEM! The whole problem was that the IPSec settings had a different session timeout value in seconds for phase 2. I set the value configured on the router and phase 2 came up!
Re: Cisco ipsec dlink dsr-1000
Lomax wrote:
Make a proper crypto map:
crypto map WGMap 10
set transform-set WGTS
match address WGCLUBNET
and the first permit in the ACL is unnecessary
ip access-list extended WGCLUBNET
permit ip host x.x.30.214 host x.x.54.66
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
I removed the dynamic map and did it through a regular one
Code:
crypto keyring wgsecret
pre-shared-key address x.x.54.66 255.255.255.252 key DEVopengl1982
!
crypto isakmp policy 10
authentication pre-share
group 2
crypto isakmp profile WGprofile
keyring wgsecret
match identity address x.x.54.66 255.255.255.252
!
!
crypto ipsec transform-set WGTS esp-des esp-sha-hmac
mode tunnel
!
!
!
!
!
!
crypto map WGMAp 10 ipsec-isakmp
! Incomplete
set transform-set WGTS
set isakmp-profile WGprofile
match address WGCLUBNET
reverse-route
!
ip access-list extended WGCLUBNET
permit ip 192.168.11.0 0.0.0.255 172.22.32.0 0.0.1.255
Here is the result in the logs. The connection did not go through.
Code:
*Oct 10 07:52:36.557: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (N) NEW SA
*Oct 10 07:52:36.557: ISAKMP: Created a peer struct for x.x.54.66, peer port 500
*Oct 10 07:52:36.557: ISAKMP: New peer created peer = 0x8B88D9E8 peer_handle = 0x8000000D
*Oct 10 07:52:36.557: ISAKMP: Locking peer struct 0x8B88D9E8, refcount 1 for crypto_isakmp_process_block
*Oct 10 07:52:36.557: ISAKMP: local port 500, remote port 500
*Oct 10 07:52:36.557: ISAKMP:(0):insert sa successfully sa = 8E0E6128
*Oct 10 07:52:36.557: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.557: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 10 07:52:36.557: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 10 07:52:36.557: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.557: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.557: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.557: ISAKMP:(0): local preshared key found
*Oct 10 07:52:36.557: ISAKMP : Scanning profiles for xauth … WGprofile
*Oct 10 07:52:36.557: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Oct 10 07:52:36.557: ISAKMP: life type in seconds
*Oct 10 07:52:36.557: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Oct 10 07:52:36.557: ISAKMP: encryption DES-CBC
*Oct 10 07:52:36.557: ISAKMP: auth pre-share
*Oct 10 07:52:36.557: ISAKMP: hash SHA
*Oct 10 07:52:36.557: ISAKMP: default group 2
*Oct 10 07:52:36.557: ISAKMP:(0):atts are acceptable. Next payload is 0
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 10 07:52:36.557: ISAKMP:(0):Acceptable atts:life: 0
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 10 07:52:36.557: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Oct 10 07:52:36.557: ISAKMP:(0):Returning Actual lifetime: 86400
*Oct 10 07:52:36.557: ISAKMP:(0)::Started lifetime timer: 86400.
*Oct 10 07:52:36.561: ISAKMP:(0): processing vendor id payload
*Oct 10 07:52:36.561: ISAKMP:(0): vendor ID is DPD
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 10 07:52:36.561: ISAKMP:(0): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 10 07:52:36.561: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.561: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.561: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 10 07:52:36.809: ISAKMP (0): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 10 07:52:36.809: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:36.809: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 10 07:52:36.809: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 10 07:52:36.829: ISAKMP:(0):found peer pre-shared key matching x.x.54.66
*Oct 10 07:52:36.829: ISAKMP:(2004): processing vendor id payload
*Oct 10 07:52:36.829: ISAKMP:(2004): vendor ID seems Unity/DPD but major 139 mismatch
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 10 07:52:36.833: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:36.833: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:36.833: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:36.833: ISAKMP:(2004):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 10 07:52:37.497: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 10 07:52:37.501: ISAKMP:(2004): processing ID payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
next-payload : 8
type : 1
address : x.x.54.66
protocol : 17
port : 500
length : 12
*Oct 10 07:52:37.501: ISAKMP:(0):: peer matches WGprofile profile
*Oct 10 07:52:37.501: ISAKMP:(2004):Found ADDRESS key in keyring wgsecret
*Oct 10 07:52:37.501: ISAKMP:(2004): processing HASH payload. message ID = 0
*Oct 10 07:52:37.501: ISAKMP:(2004):SA authentication status:
authenticated
*Oct 10 07:52:37.501: ISAKMP:(2004):SA has been authenticated with x.x.54.66
*Oct 10 07:52:37.501: ISAKMP: Trying to insert a peer x.x.30.214/x.x.54.66/500/, and inserted successfully 8B88D9E8.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 10 07:52:37.501: ISAKMP:(2004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 10 07:52:37.501: ISAKMP (2004): ID payload
next-payload : 8
type : 1
address : 188.168.30.214
protocol : 17
port : 500
length : 12
*Oct 10 07:52:37.501: ISAKMP:(2004):Total payload length: 12
*Oct 10 07:52:37.501: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 10 07:52:37.501: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 10 07:52:37.501: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.521: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:37.521: ISAKMP: set new node -328894163 to QM_IDLE
*Oct 10 07:52:37.521: ISAKMP:(2004): processing HASH payload. message ID = 3966073133
*Oct 10 07:52:37.521: ISAKMP:(2004): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 3966073133, sa = 0x8E0E6128
*Oct 10 07:52:37.521: ISAKMP:(2004):SA authentication status:
authenticated
*Oct 10 07:52:37.521: ISAKMP:(2004): Process initial contact,
bring down existing phase 1 and 2 SA's with local x.x.30.214 remote x.x.54.66 remote port 500
cisco-gw#
*Oct 10 07:52:37.521: ISAKMP:(2004):deleting node -328894163 error FALSE reason "Informational (in) state 1"
*Oct 10 07:52:37.521: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 10 07:52:37.521: ISAKMP:(2004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 10 07:52:37.521: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 10 07:52:38.537: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:52:38.537: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:52:38.537: ISAKMP: transform 1, ESP_DES
*Oct 10 07:52:38.537: ISAKMP: attributes in transform:
*Oct 10 07:52:38.537: ISAKMP: SA life type in seconds
*Oct 10 07:52:38.537: ISAKMP: SA life duration (basic) of 3600
*Oct 10 07:52:38.537: ISAKMP: encaps is 1 (Tunnel)
*Oct 10 07:52:38.537: ISAKMP: authenticator is HMAC-SHA
*Oct 10 07:52:38.537: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:52:38.537: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:52:38.537: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:52:38.537: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:52:38.537: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:52:38.537: ISAKMP: set new node 1494915460 to QM_IDLE
cisco-gw#
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2371042928, message ID = 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:52:38.537: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:52:38.537: ISAKMP:(2004):purging node 1494915460
*Oct 10 07:52:38.537: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:52:38.537: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:52:38.537: ISAKMP:(2004):Old State = IKE_QM_READY New State = IKE_QM_READY
cisco-gw#
*Oct 10 07:52:48.557: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:48.557: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:48.557: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:48.557: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:52:58.573: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:52:58.573: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:52:58.573: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:52:58.573: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:08.585: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:08.585: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:08.585: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:08.585: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:18.601: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:18.601: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:18.601: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:18.601: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
cisco-gw#
*Oct 10 07:53:27.521: ISAKMP:(2004):purging node -328894163
cisco-gw#
*Oct 10 07:53:28.537: ISAKMP:(2004):purging node -1813039523
*Oct 10 07:53:28.977: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP: set new node -1813039523 to QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004): processing HASH payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004): processing SA payload. message ID = 2481927773
*Oct 10 07:53:28.977: ISAKMP:(2004):Checking IPSec proposal 1
*Oct 10 07:53:28.977: ISAKMP: transform 1, ESP_DES
*Oct 10 07:53:28.977: ISAKMP: attributes in transform:
*Oct 10 07:53:28.977: ISAKMP: SA life type in seconds
*Oct 10 07:53:28.977: ISAKMP: SA life duration (basic) of 3600
*Oct 10 07:53:28.977: ISAKMP: encaps is 1 (Tunnel)
*Oct 10 07:53:28.977: ISAKMP: authenticator is HMAC-SHA
*Oct 10 07:53:28.977: ISAKMP:(2004):atts are acceptable.
*Oct 10 07:53:28.977: IPSEC(validate_proposal_request): proposal part #1
*Oct 10 07:53:28.977: IPSEC(initialize_sas): invalid IPv4 proxy IDs
*Oct 10 07:53:28.977: ISAKMP:(2004): IPSec policy invalidated proposal with error 32
*Oct 10 07:53:28.977: ISAKMP:(2004): phase 2 SA policy not acceptable! (local x.x.30.214 remote x.x.54.66)
*Oct 10 07:53:28.977: ISAKMP: set new node 23007779 to QM_IDLE
cisco-gw#
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2371042928, message ID = 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004): sending packet to x.x.54.66 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 10 07:53:28.977: ISAKMP:(2004):Sending an IKE IPv4 Packet.
*Oct 10 07:53:28.977: ISAKMP:(2004):purging node 23007779
*Oct 10 07:53:28.977: ISAKMP:(2004):deleting node -1813039523 error TRUE reason "QM rejected"
*Oct 10 07:53:28.977: ISAKMP:(2004):Node 2481927773, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 10 07:53:28.977: ISAKMP:(2004):Old State = IKE_QM_READY New State = IKE_QM_READY
cisco-gw#
*Oct 10 07:53:37.997: ISAKMP (2004): received packet from x.x.54.66 dport 500 sport 500 Global (R) QM_IDLE
*Oct 10 07:53:37.997: ISAKMP:(2004): phase 2 packet is a duplicate of a previous packet.
*Oct 10 07:53:37.997: ISAKMP:(2004): retransmitting due to retransmit phase 2
*Oct 10 07:53:37.997: ISAKMP:(2004): Quick Mode is being processed. Ignoring retransmission
Here is the log from the D-Link
Code:
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: accept a request to establish IKE-SA: x.x.30.214
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Beginning Identity Protection mode.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Configuration found for x.x.30.214.
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 1 negotiation: x.x.54.66[500]<=>x.x.30.214[500]
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received unknown Vendor ID
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: CISCO-UNITY
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: DPD
Mon Oct 10 08:19:11 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: ISAKMP-SA established for x.x.54.66[500]-x.x.30.214[500] with spi:7a71f16e02d182e4:c7b75d7981d40948
Mon Oct 10 08:19:12 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Sending Informational Exchange: notify payload[INITIAL-CONTACT]
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:19:13 2016 (GMT +0000): [DSR-1000] [IKE] INFO: Initiating new phase 2 negotiation: x.x.54.66[500]<=>x.x.30.214[0]
Mon Oct 10 08:20:04 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Unknown notify message from x.x.30.214[500].No phase2 handle found.
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] ERROR: Phase 2 negotiation failed due to time up. 7a71f16e02d182e4:c7b75d7981d40948:93ef365d
Mon Oct 10 08:21:03 2016 (GMT +0000): [DSR-1000] [IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
Hello,
I've been going up and down this issue trying to create a VPN tunnel from our Cisco 1111 to a remote SonicWall that keeps failing phase 2 with an error:
ISAKMP-ERROR: (1097):IPSec policy invalidated proposal with error 32
ISAKMP-ERROR: (1097):phase 2 SA policy not acceptable!
It seems to point to somewhere in the ACL, but I've gone through the statements and I'm not coming up with anything.
The internal networks set to traverse the VPN are
Cisco 1111
Network: 10.2.1.46/27
SonicWall:
The internal network on the Cisco is on a separate and is the only network that needs access. For the config on my end I have:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PASSWORD address X.X.X.X
crypto isakmp profile SAGEVPN
match identity address 10.0.0.100 255.255.255.255
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map SAGE 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address SAGE-VPN
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description OUTSIDE
ip address X.X.X.X 255.255.255.224
ip nat outside
negotiation auto
crypto map SAGE
!
!
!
!
!
!
interface Vlan14
ip address 10.2.1.46 255.255.255.240
ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
!
ip access-list extended SAGE-VPN
permit ip 10.2.1.32 0.0.0.15 10.0.0.0 0.0.0.255
!
access-list 1 permit 10.2.1.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
access-list 1 permit 10.2.3.0 0.0.0.255
access-list 1 permit 10.2.4.0 0.0.0.255
access-list 1 permit 10.14.251.0 0.0.0.255
access-list 1 permit 10.14.253.0 0.0.0.255
access-list 100 deny ip 10.2.1.0 0.0.0.240 10.0.0.0 0.0.0.255
access-list 100 deny ip 10.2.1.14 0.0.0.240 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.2.1.0 0.0.0.255 any
!
The remote site is set up on a SonicWall; they can see the port 500 traffic, but they just receive "policy not accepted".
The only other error I can see is a note on whitespace in the password under sho crypto tech.
I would just like to know if I may have missed anything on my end. Any advice would be greatly appreciated.
by Cyrus Lok on Friday, March 5, 2010 at 9:28pm
The problem is with my crypto access list… darn…
When I did an extended ping from R0 and R2, found that:
R2#
*Mar 5 22:11:49.403: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:11:49.407: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:11:49.415: ISAKMP:(1001):deleting node 1673201950 error TRUE reason “QM rejected”
R2#
*Mar 5 22:12:17.387: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:12:17.391: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:12:17.403: ISAKMP:(1001):deleting node 928163075 error TRUE reason “QM rejected”
R2#sh crypto session
Crypto session current status
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 172.16.0.1 port 500
IKE SA: local 172.16.0.2/500 remote 172.16.0.1/500 Active
IPSEC FLOW: permit ip 192.168.127.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
R0#sh crypto session
Crypto session current status
Interface: FastEthernet1/1
Session status: UP-ACTIVE
Peer: 172.16.0.2 port 500
IKE SA: local 172.16.0.1/500 remote 172.16.0.2/500 Active
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.127.0/255.255.255.0
Active SAs: 2, origin: crypto map
IKE phase 1 and phase 2 both have no problem; the problem lies with the crypto access-list.
For R0 I changed the access list destination to a network instead of a specific host.
I did the same for R2.
R0 access list:
ip access-list extended PROTECT_TRAFFIC
permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255
R2 access list:
ip access-list extended PROTECT_TRAFFIC
permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255
Published September 9, 2010
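Both the R0/R2 post above and crash's reply in the TMG thread come down to the same rule: the crypto ACLs on the two peers must be exact mirror images, and msanlimit's reply adds that the NAT ACL must deny the interesting traffic before it permits anything. The following Python script is an added example, not code from any of the posts, that mechanises those two checks. It parses the `permit`/`deny ip` entries of named or numbered Cisco ACLs (the `access-list` and `ip access-list` forms on this page), flags every crypto entry with no exact mirror on the peer and says whether a partially overlapping entry exists (the host-versus-network case R0 had), and checks whether a NAT ACL would translate a protected flow. The ACL text it runs on is constructed for the example, modelled on the R0/R2 lists.

```python
"""Mirror and NAT-exemption checks for Cisco crypto ACLs (added example)."""
import ipaddress


def wildcard_is_contiguous(wildcard):
    """Cisco wildcards used as proxy IDs must be 2**k - 1 (all low bits set)."""
    wc = int(ipaddress.ip_address(wildcard))
    return wc & (wc + 1) == 0


def wildcard_to_network(addr, wildcard):
    """`addr wildcard` (inverse mask) -> ip_network, e.g. 0.0.1.255 -> /23."""
    if not wildcard_is_contiguous(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard} for {addr}")
    prefixlen = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network((addr, prefixlen), strict=False)


def _parse_endpoint(tokens):
    """Consume one address spec (`any`, `host A` or `A WILDCARD`)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return (action, src, dst) for each `permit|deny ip ...` entry, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] == ["access-list"]:  # numbered form: drop `access-list N`
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # ACL header, remarks, other protocols
        src, rest = _parse_endpoint(tokens[2:])
        dst, _ = _parse_endpoint(rest)
        entries.append((tokens[0], src, dst))
    return entries


def crypto_flows(text):
    """Only the permit entries of a crypto ACL define proxy identities."""
    return [(s, d) for a, s, d in parse_acl(text) if a == "permit"]


def mirror_check(local_acl, remote_acl):
    """One finding per entry that has no exact mirror on the other peer."""
    local = crypto_flows(local_acl)
    remote = [(d, s) for s, d in crypto_flows(remote_acl)]  # peer view -> our view
    findings = []
    for side, mine, theirs in (("ours", local, remote), ("peer", remote, local)):
        for src, dst in mine:
            if (src, dst) in theirs:
                continue
            near = [c for c in theirs if src.overlaps(c[0]) and dst.overlaps(c[1])]
            hint = f" (overlaps {near[0][0]} -> {near[0][1]})" if near else ""
            findings.append(f"{side}: {src} -> {dst} has no exact mirror{hint}")
    return findings


def nat_exempt_check(crypto_acl, nat_acl):
    """Protected flows whose first matching NAT ACL entry is a permit (i.e. NATed).

    Entries are evaluated in order like IOS does; a flow matched by nothing
    falls to the implicit deny and is therefore not translated.
    """
    nat = parse_acl(nat_acl)
    leaked = []
    for src, dst in crypto_flows(crypto_acl):
        verdict = "no match"
        for action, nsrc, ndst in nat:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                verdict = action
                break
        if verdict == "permit":
            leaked.append(f"{src} -> {dst} is NATed by the first matching entry")
    return leaked


# Constructed sample ACLs (not the posters' real configs). R0 first protected a
# single host while R2 protected the whole /24; NAT_BAD lacks the deny line.
R0_BEFORE = "ip access-list extended PROTECT_TRAFFIC\n permit ip 10.0.0.0 0.0.0.255 host 192.168.127.10\n"
R0_AFTER = "ip access-list extended PROTECT_TRAFFIC\n permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255\n"
R2_ACL = "ip access-list extended PROTECT_TRAFFIC\n permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255\n"
NAT_GOOD = ("access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255\n"
            "access-list 110 permit ip 10.0.0.0 0.0.0.255 any\n")
NAT_BAD = "access-list 110 permit ip 10.0.0.0 0.0.0.255 any\n"

if __name__ == "__main__":
    for finding in mirror_check(R0_BEFORE, R2_ACL):
        print(finding)
    print("after fix:", mirror_check(R0_AFTER, R2_ACL) or "mirrored")
    print("NAT leak:", nat_exempt_check(R0_AFTER, NAT_BAD))
```

The wildcard check matters on this page: an entry such as `10.2.1.0 0.0.0.240` (as in the SonicWall post's NAT ACL) is not a contiguous mask and cannot be expressed as a proxy ID, so the parser rejects it rather than silently guessing a prefix.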
(If you need to terminate all customers (or users, or any other remote parties) on only one WAN (outside) interface, for example when terminating IPsec VPN on an Internet-facing interface, see also VRF aware IPSEC with NAT using only one WAN (outside) interface.)
If multiple IPsec connections from multiple customers must terminate on the same router and the customer address spaces overlap, one solution is VRF-aware IPsec together with VRF-aware NAT using the newer ip nat enable syntax.
Each customer is connected to the central site over its own private link, which arrives via 802.1q on a separate subinterface of the central router's WAN interface, dedicated to that customer.
In this example both customer sites reach the central site using the same IP address from their LAN: 192.168.10.1.
This IP address is NATed to 10.10.101.1 for customer A and to 10.10.102.1 for customer B.
This allows the central site to differentiate packets sent from different customers with the same source IP address and to route the return packets correctly.
There are many parts of this setup that can be done wrong. Some of the possible errors are:
proxy identities not supported
IPSec policy invalidated proposal with error 32
phase 2 SA policy not acceptable
Jun 17 13:24:57.739: IPSEC(ipsec_process_proposal): proxy identities not supported
Jun 17 13:24:57.739: ISAKMP:(1009): IPSec policy invalidated proposal with error 32
Jun 17 13:24:57.739: ISAKMP:(1009): phase 2 SA policy not acceptable! (local 192.168.1.2 remote 192.168.1.1)
Profile discarded due to VRF mismatch
peer matches *none* of the profiles
Jun 18 09:24:55.763: ISAKMP:(0):: Profile User_A_ISAKMP_PROFILE discarded due to VRF mismatch * * *
Jun 18 09:24:55.763: ISAKMP:(0):: Have you put proper FVRF in "match id ip-address" command?
Jun 18 09:24:55.763: ISAKMP:(0):: peer matches *none* of the profiles
unroutable in debug ip packet output
Jun 18 13:03:31.107: IP: s=192.168.10.1 (GigabitEthernet0/1.102), d=10.10.2.1, len 100, unroutable
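The error strings listed above are what the router prints, but the debug output also carries the peer's actual Quick Mode proposal, and the TMG thread earlier on this page was only solved once the phase-2 lifetimes on both sides were compared. The following Python script is an added example, not code from this article or from any of the posts, that parses `debug crypto isakmp` lines: it decodes the `SA life duration (VPI)` byte string (a big-endian integer, so `0x0 0x0 0x70 0x80` is 28800 seconds and `0x0 0x46 0x50 0x0` is 4608000 kilobytes, matching the `sa_lifetime(k/sec)` values in the first log), compares the proposed attributes with a locally expected policy, and maps the error strings catalogued above to the configuration area to check first. The debug sample and the local policy are constructed for the example, and the hint table is this example's own mapping of the messages quoted on the page.

```python
"""Triage helper for `debug crypto isakmp` output (added example)."""
import re
from dataclasses import dataclass, field

# Debug strings quoted on this page and the configuration area to check first.
KNOWN_ERRORS = [
    ("proxy identities not supported", "crypto ACL / proxy IDs not mirrored on the peer"),
    ("invalid IPv4 proxy IDs", "crypto ACL / proxy IDs not mirrored on the peer"),
    ("IPSec policy invalidated proposal with error 32",
     "phase 2 proposal rejected: proxy IDs or transform set"),
    ("phase 2 SA policy not acceptable",
     "phase 2 proposal rejected: proxy IDs or transform set"),
    ("discarded due to VRF mismatch", "FVRF missing in `match identity address` / keyring"),
    ("peer matches *none* of the profiles", "no ISAKMP profile matched the peer identity"),
    ("unroutable", "no route for the destination in that VRF"),
    ("Phase 2 err count exceeded",
     "peer never completed Quick Mode; compare phase 2 lifetime and proxy IDs on the peer"),
]

VPI_RE = re.compile(r"SA life duration \(VPI\) of ((?:0x[0-9a-fA-F]+\s*)+)")
BASIC_RE = re.compile(r"SA life duration \(basic\) of (\d+)")
TYPE_RE = re.compile(r"SA life type in (seconds|kilobytes)")
TRANSFORM_RE = re.compile(r"transform \d+, (\S+)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
ENCAPS_RE = re.compile(r"encaps is \d+ \((\w+)\)")


def decode_vpi(hex_bytes):
    """'0x0 0x0 0x70 0x80' -> 28800: variable-length big-endian integer."""
    value = 0
    for token in hex_bytes.split():
        value = (value << 8) | int(token, 16)
    return value


@dataclass
class Proposal:
    transform: str = None
    authenticator: str = None
    encaps: str = None
    life_seconds: int = None
    life_kilobytes: int = None
    errors: list = field(default_factory=list)


def parse_debug(lines):
    """Walk the debug lines once, collecting proposal attributes and errors."""
    prop = Proposal()
    pending_type = None  # `SA life type` precedes the matching `SA life duration`
    for line in lines:
        m = TYPE_RE.search(line)
        if m:
            pending_type = m.group(1)
            continue
        value = None
        m = VPI_RE.search(line)
        if m:
            value = decode_vpi(m.group(1))
        else:
            m = BASIC_RE.search(line)
            if m:
                value = int(m.group(1))
        if value is not None:
            if pending_type == "kilobytes":
                prop.life_kilobytes = value
            else:
                prop.life_seconds = value
            pending_type = None
            continue
        for regex, attr in ((TRANSFORM_RE, "transform"), (AUTH_RE, "authenticator"),
                            (ENCAPS_RE, "encaps")):
            m = regex.search(line)
            if m:
                setattr(prop, attr, m.group(1))
        for needle, hint in KNOWN_ERRORS:
            if needle in line and hint not in prop.errors:
                prop.errors.append(hint)
    return prop


def compare_with_local(prop, local):
    """Attributes where the peer's proposal differs from our expected policy."""
    mismatches = {}
    for key in ("transform", "authenticator", "encaps", "life_seconds", "life_kilobytes"):
        if key in local and getattr(prop, key) != local[key]:
            mismatches[key] = (getattr(prop, key), local[key])
    return mismatches


# Constructed sample modelled on the debug excerpts on this page (not a real capture).
SAMPLE = """\
ISAKMP:(6300):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP:(6300):atts are acceptable.
IPSEC(ipsec_process_proposal): proxy identities not supported
ISAKMP:(6300): IPSec policy invalidated proposal with error 32
""".splitlines()

# Assumed local phase 2 policy: 3600 s lifetime, as in the router config at the top.
LOCAL_POLICY = {"transform": "ESP_3DES", "authenticator": "HMAC-SHA",
                "encaps": "Tunnel", "life_seconds": 3600, "life_kilobytes": 4608000}

if __name__ == "__main__":
    proposal = parse_debug(SAMPLE)
    print(proposal)
    print("mismatches:", compare_with_local(proposal, LOCAL_POLICY))
```

On the sample the only mismatch is the phase-2 lifetime (peer 28800 s, local 3600 s) alongside the proxy-identity error, which is the combination the TMG thread ran into. Note that a lifetime difference alone does not make IOS reject a proposal (it accepts the shorter of the two), so the comparison is there to make the peer's settings visible, not to declare them the cause.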
The important parts to make this all work are (shown in bold in the central site router configuration below):
- Add vrf <vrf name> after the crypto keyring commands.
- Add the vrf name after match identity address in the crypto isakmp profiles.
- Put the front-end outside interfaces in the FVRF using ip vrf forwarding commands.
- We have found 15.0-1.M7 to be more stable with this setup, but it is possible that newer releases in 15.1 and 15.2 are also fine.
- Use two routes for each customer: one in the central VRF (with the addresses NATed to how the customer addresses are seen at the central site) and one in the customer VRF (with the original, non-NATed customer addresses; since we are using VRFs and NAT, these addresses can overlap, and in this example they do).
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
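To check a central-site configuration against the first three points above before bringing the tunnels up, here is an added Python example (my own, not code from the original post) that parses an IOS configuration excerpt and flags every isakmp profile whose keyring, match identity or crypto-map interface is not bound to that profile's FVRF. The excerpt is constructed: Customer A is wired correctly, Customer B deliberately misses all three bindings.

```python
# Constructed IOS excerpt (hypothetical, not the page's full configuration): Customer A
# follows the three VRF points; Customer B's keyring, match identity and WAN subinterface
# all lack the FVRF binding that the "VRF mismatch" debug lines above point at.
SAMPLE_CONFIG = """\
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
crypto keyring Customer_B_CRYPTO_KEYRING
crypto isakmp profile Customer_A_ISAKMP_PROFILE
 vrf Customer_A_VRF
 keyring Customer_A_CRYPTO_KEYRING
 match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
 vrf Customer_B_VRF
 keyring Customer_B_CRYPTO_KEYRING
 match identity address 192.168.1.1 255.255.255.255
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp
 set isakmp-profile Customer_B_ISAKMP_PROFILE
interface GigabitEthernet0/1.102
 crypto map Customer_B_CRYPTO_MAP
"""

def check_fvrf(config):
    """One finding per keyring / match identity / crypto-map interface not bound to its profile's FVRF."""
    blocks, head = {}, None
    for line in config.splitlines():  # group into {header: [split indented sub-lines]}
        if line and line[0] != " ":
            head = line.strip(); blocks[head] = []
        elif line.strip() and head:
            blocks[head].append(line.split())
    keyring_vrf, prof, cmap_prof, if_vrf, if_cmap, findings = {}, {}, {}, {}, {}, []
    for head, body in blocks.items():
        w = head.split()
        if w[:2] == ["crypto", "keyring"]:  # "crypto keyring NAME [vrf FVRF]"
            keyring_vrf[w[2]] = w[4] if len(w) > 4 and w[3] == "vrf" else None
        elif w[:3] == ["crypto", "isakmp", "profile"]:  # key sub-lines by their first word
            prof[w[3]] = {s[0]: s[1:] for s in body}
        elif w[:2] == ["crypto", "map"]:
            cmap_prof[w[2]] = next((s[2] for s in body if s[:2] == ["set", "isakmp-profile"]), None)
        elif w[0] == "interface":
            for s in body:
                if s[:3] == ["ip", "vrf", "forwarding"]: if_vrf[w[1]] = s[3]
                if s[:2] == ["crypto", "map"]: if_cmap[w[1]] = s[2]
    for name, p in prof.items():
        fvrf = p.get("vrf", [None])[0]  # the profile's own FVRF
        if keyring_vrf.get(p.get("keyring", [None])[0]) != fvrf:
            findings.append(f"{name}: keyring not bound to vrf {fvrf}")
        if len(p.get("match", [])) < 5 or p["match"][4] != fvrf:
            findings.append(f"{name}: match identity address lacks FVRF {fvrf}")
        for ifname, cm in if_cmap.items():  # interfaces carrying a map that uses this profile
            if cmap_prof.get(cm) == name and if_vrf.get(ifname) != fvrf:
                findings.append(f"{name}: {ifname} carries {cm} outside vrf {fvrf}")
    return findings
```

Running check_fvrf on the sample returns three findings, all for Customer_B_ISAKMP_PROFILE, and none for Customer A; feed it the output of show running-config to review a real box.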
Here are the working configurations:
Central site router:
ip vrf Central_site_VRF
rd 100:100
!
ip vrf Customer_A_VRF
rd 100:101
!
ip vrf Customer_B_VRF
rd 100:102
!
crypto keyring Customer_A_CRYPTO_KEYRING vrf Customer_A_VRF
pre-shared-key address 192.168.1.1 key abc123
crypto keyring Customer_B_CRYPTO_KEYRING vrf Customer_B_VRF
pre-shared-key address 192.168.1.1 key abc123
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile Customer_A_ISAKMP_PROFILE
vrf Customer_A_VRF
keyring Customer_A_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_A_VRF
crypto isakmp profile Customer_B_ISAKMP_PROFILE
vrf Customer_B_VRF
keyring Customer_B_CRYPTO_KEYRING
match identity address 192.168.1.1 255.255.255.255 Customer_B_VRF
!
crypto ipsec transform-set Customer_A_TRANSFORM_SET esp-aes 256 esp-sha-hmac
crypto ipsec transform-set Customer_B_TRANSFORM_SET esp-aes 256 esp-sha-hmac
!
crypto map Customer_A_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_A_TRANSFORM_SET
set isakmp-profile Customer_A_ISAKMP_PROFILE
match address Customer_A_CRYPTO_ACL
!
crypto map Customer_B_CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.1
set transform-set Customer_B_TRANSFORM_SET
set isakmp-profile Customer_B_ISAKMP_PROFILE
match address Customer_B_CRYPTO_ACL
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN Interface
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.101
description To_Customer_A
encapsulation dot1Q 101
ip vrf forwarding Customer_A_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_A_CRYPTO_MAP
!
interface GigabitEthernet0/1.102
description To_Customer_B
encapsulation dot1Q 102
ip vrf forwarding Customer_B_VRF
ip address 192.168.1.2 255.255.255.0
ip nat enable
crypto map Customer_B_CRYPTO_MAP
!
interface GigabitEthernet0/2
description To_Central_site_LAN
ip vrf forwarding Central_site_VRF
ip address 10.10.1.1 255.255.255.0
ip nat enable
duplex auto
speed auto
!
ip forward-protocol nd
!
ip nat source static 192.168.10.1 10.10.101.1 vrf Customer_A_VRF
ip nat source static 192.168.10.1 10.10.102.1 vrf Customer_B_VRF
ip route vrf Central_site_VRF 10.10.2.1 255.255.255.255 10.10.1.2
ip route vrf Central_site_VRF 10.10.101.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Central_site_VRF 10.10.102.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
ip route vrf Customer_A_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_A_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.101 192.168.1.1
ip route vrf Customer_B_VRF 10.10.2.1 255.255.255.255 GigabitEthernet0/2 10.10.1.2
ip route vrf Customer_B_VRF 192.168.10.1 255.255.255.255 GigabitEthernet0/1.102 192.168.1.1
!
ip access-list extended Customer_A_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended Customer_B_CRYPTO_ACL
permit ip 10.10.2.0 0.0.0.255 192.168.10.0 0.0.0.255
Customer A:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255
Customer B (the same as Customer A, to cover the overlapping-addresses case. It is of course possible to have different configurations, even different router or firewall vendors, at the customer sites):
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key abc123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ts esp-aes 256 esp-sha-hmac
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
set peer 192.168.1.2
set transform-set ts
match address CRYPTO_ACL
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Loopback1
ip address 192.168.10.3 255.255.255.255
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.252
speed auto
crypto map CRYPTO_MAP
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
!
ip access-list extended CRYPTO_ACL
permit ip 192.168.10.0 0.0.0.255 10.10.2.0 0.0.0.255