[c-nsp] Static Virtual Tunnel Interface: No phase 2 proposal

Nick Cutting ncutting at edgetg.com
Fri Oct 7 08:58:38 EDT 2016


Can you post the relevant configurations? 
Phase 1 / phase 2 / tunnel configs
With omitted sensitive information
Thank you

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of eyeballi77
Sent: Friday, October 7, 2016 4:02 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Static Virtual Tunnel Interface: No phase 2 proposal

hello all...

Hoping I can get some input on an issue I am having with the above.

I have an ASR1002X as a PE on which I am also trying to terminate a small number of internet-based VTIs from C867vae CPE routers on VDSL/PPPoE links.

As these are SVTI the encryption domain is always 0.0.0.0/0.0.0.0

CPE running c860vae-advsecurityk9-mz.155-3.M.bin
ASR running asr1002x-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin


End-to-end ping is OK. Phase 1 completes fine, but I continue to get a Phase 2 failure:


Oct  6 17:27:52.540 BST: IPSEC(ipsec_process_proposal): invalid local address xx.xxx.139.169

Oct  6 17:27:52.540 BST: ISAKMP:(1167): IPSec policy invalidated proposal with error 8

Oct  6 17:27:52.543 BST: ISAKMP:(1167):Checking IPSec proposal 2

Oct  6 17:27:52.543 BST: ISAKMP: transform 1, ESP_AES

Oct  6 17:27:52.543 BST: ISAKMP:   attributes in transform:

Oct  6 17:27:52.543 BST: ISAKMP:      encaps is 1 (Tunnel)

Oct  6 17:27:52.543 BST: ISAKMP:      SA life type in seconds

Oct  6 17:27:52.543 BST: ISAKMP:      SA life duration (basic) of 3600

Oct  6 17:27:52.543 BST: ISAKMP:      SA life type in kilobytes

Oct  6 17:27:52.543 BST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

Oct  6 17:27:52.543 BST: ISAKMP:      authenticator is HMAC-SHA256

Oct  6 17:27:52.543 BST: ISAKMP:      key length is 128

Oct  6 17:27:52.543 BST: ISAKMP:(1167):atts are acceptable.

Oct  6 17:27:52.543 BST: IPSEC(validate_proposal_request): proposal part #1



I had used the following links as the basis for the config and tested it out in a lab environment (albeit with different software/hardware):


http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-sec-for-vpns-w-ipsec-xe-16-book/sec-ipsec-virt-tunnl.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-key-exch-ipsec.html#GUID-E3B3DAA7-282B-44D6-BA11-BEECE495D5F4


http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1082268


Thanks.

Neil