7200emu.hacki.at Dynamips, Dynagen and all that stuff
liaksey
Joined: 31 Mar 2010 Posts: 2 Location: Belarus, Minsk
Posted: Wed Mar 31, 2010 4:32 pm    Post subject: IPSec problem with Dynamips
Hello anyone.
I've tried to implement a Site-to-Site IPSec VPN. It doesn't work; this is the output of the debug crypto isakmp command:
...
ISAKMP:(0:1:SW:1):atts are acceptable.
*Mar 31 17:57:16.987: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Mar 31 17:57:16.991: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 170.10.20.1 remote 170.10.20.6)
*Mar 31 17:57:16.995: ISAKMP: set new node -283484586 to QM_IDLE
*Mar 31 17:57:17.003: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1701542520, message ID = -283484586
...
Here is the relevant part of the configs from both routers:
R2
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key first address 170.10.20.6 255.255.255.252
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN-TEST esp-3des esp-sha-hmac
!
crypto map VPN-TEST 10 ipsec-isakmp
set peer 170.10.20.6
set transform-set VPN-TEST
match address 101
interface Serial2/0
ip address 170.10.20.1 255.255.255.252
serial restart-delay 0
crypto map VPN-TEST
access-list 101 permit tcp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
access-list 101 deny ip any any log
R4
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
lifetime 120
crypto isakmp key first address 170.10.20.1 255.255.255.252
!
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set VPN-TEST esp-3des esp-sha-hmac
!
crypto map VPN-TEST 10 ipsec-isakmp
set peer 170.10.20.1
set transform-set VPN-TEST
match address 199
interface Serial1/0
ip address 170.10.20.6 255.255.255.252
serial restart-delay 0
no fair-queue
crypto map VPN-TEST
access-list 199 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
access-list 199 deny ip any any log
I've tried with two IOS images (c7200-jk9s-mz.124-13b.bin and c7200-ik9s-mz.123-17b.bin) and any combination of encryption, hash, authentication and group in the crypto isakmp policy part of the config, in tunnel and transport modes. All without success.
Could anyone help me solve this problem? Maybe it's a known bug? Has anybody ever faced a similar problem?
If interested, please find attached the full configs from both routers and the full output of the debug crypto isakmp command, also from both routers.
Thanks in advance
Attachments:
R2&R4deb_isakmp.txt (outputs of debug crypto isakmp command from both routers)
R4.txt
R2.txt
BR. Liaksey
liaksey
Posted: Wed Apr 14, 2010 4:43 pm
Hi everyone.
I've found time to come back to my topology, and I've found the mistake. It was simple: I had made a mistake in the ACL. Here is the correct ACL on R2:
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
and, of course, the mirrored ACL on R4.
This way IPSec works perfectly.
The ticket can be closed ))
BR. Liaksey
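The failure in the first post and the fix in the second come down to one rule: in IKE phase 2 (quick mode) the initiator sends its crypto ACL entry as a pair of proxy IDs, and the responder accepts it only if its own crypto ACL contains the exact reverse of that entry, ports included. The original pair matched destination port telnet on both routers, so R2's entry (5.0/24 any -> 3.0/24 port 23) reversed is (3.0/24 port 23 -> 5.0/24 any), which R4's ACL (3.0/24 any -> 5.0/24 port 23) does not contain; hence "IPSec policy invalidated proposal" and "phase 2 SA policy not acceptable". The following script is an added example, not code from the post or from Cisco: it parses the permit entries of both crypto ACLs (only the ACL syntax used in this thread), reverses each one and looks it up in the peer's list, reporting any entry without a mirror. The broken pair from the post, the `permit ip` fix, and a port-specific alternative in which R4 matches source port 23 instead (an assumed variant, not in the post) are embedded as constructed sample input; `parse_acl`, `unmirrored` and `check` are my own helper names.

```python
"""Mirror check for Cisco IOS crypto ACLs (added example, not from the post).

IKE quick mode accepts a proposal only if the responder's crypto ACL holds the
exact reverse of the initiator's entry. This script reproduces that check for
the ACL subset used in the thread:
  access-list N permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [log]
where <src>/<dst> is "any", "host A" or "A WILDCARD".
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Port keywords that IOS accepts in place of numbers (subset; assumed mapping).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80}


@dataclass(frozen=True)
class Entry:
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def mirrored(self) -> "Entry":
        """The entry the peer must have: addresses and ports swapped."""
        return Entry(self.proto, self.dst, self.dport, self.src, self.sport)


def _net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def _addr(tok: List[str], i: int):
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    return _net(tok[i], tok[i + 1]), i + 2


def _port(tok: List[str], i: int):
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return PORT_NAMES.get(name) or int(name), i + 2
    return None, i


def parse_acl(text: str, number: int) -> List[Entry]:
    """Permit entries of access-list <number>; deny lines only mean 'do not encrypt'."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:2] != ["access-list", str(number)] or tok[2] != "permit":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        entries.append(Entry(tok[3], src, sport, dst, dport))
    return entries


def unmirrored(local: List[Entry], remote: List[Entry]) -> List[Entry]:
    """Entries of `local` whose exact reverse is missing from `remote`."""
    remote_set = set(remote)
    return [e for e in local if e.mirrored() not in remote_set]


def check(r2_text: str, r4_text: str) -> List[Entry]:
    """All entries, from either side, that the peer would reject in quick mode."""
    r2, r4 = parse_acl(r2_text, 101), parse_acl(r4_text, 199)
    return unmirrored(r2, r4) + unmirrored(r4, r2)


# Constructed sample input: the ACLs from the post, and two corrected pairs.
R2_BROKEN = """access-list 101 permit tcp 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255 eq telnet
access-list 101 deny ip any any log"""
R4_BROKEN = """access-list 199 permit tcp 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255 eq telnet
access-list 199 deny ip any any log"""
R2_FIXED = "access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255"
R4_FIXED = "access-list 199 permit ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255"
# Assumed alternative: protect only telnet, so R4 must match SOURCE port 23.
R4_TELNET_MIRROR = "access-list 199 permit tcp 192.168.3.0 0.0.0.255 eq telnet 192.168.5.0 0.0.0.255"

if __name__ == "__main__":
    for label, a, b in [("original", R2_BROKEN, R4_BROKEN),
                        ("permit ip", R2_FIXED, R4_FIXED),
                        ("telnet mirror", R2_BROKEN, R4_TELNET_MIRROR)]:
        bad = check(a, b)
        print(label, "OK" if not bad else "no mirror for: %s" % bad)
```

The `deny ip any any log` lines are irrelevant to the match: a crypto ACL deny just sends traffic in the clear, and IOS does not send deny entries as proxy IDs. Note that `permit ip` works because it is symmetric; the port-specific variant shows that a narrower policy is possible, but only if the port lands on the opposite side of the entry on each peer.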