[c-nsp] Static Virtual Tunnel Interface: No phase 2 proposal
Nick Cutting
ncutting at edgetg.com
Fri Oct 7 08:58:38 EDT 2016
Can you post the relevant configurations?
Phase 1 / phase 2 / tunnel configs
With omitted sensitive information
Thank you
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of eyeballi77
Sent: Friday, October 7, 2016 4:02 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Static Virtual Tunnel Interface: No phase 2 proposal
Hello all...
Hoping I can get some input on an issue I am having with the above.
I have an ASR1002X as a PE on which I am also trying to terminate a small number of Internet-based VTIs from C867vae CPE routers on VDSL/PPPoE links.
As these are SVTI, the encryption domain is always 0.0.0.0/0.0.0.0.
CPE running c860vae-advsecurityk9-mz.155-3.M.bin
ASR running asr1002x-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin
End-to-end ping is OK. Phase 1 completes fine, but I continue to get a Phase 2 failure:
Oct 6 17:27:52.540 BST: IPSEC(ipsec_process_proposal): invalid local address xx.xxx.139.169
Oct 6 17:27:52.540 BST: ISAKMP:(1167): IPSec policy invalidated proposal with error 8
Oct 6 17:27:52.543 BST: ISAKMP:(1167):Checking IPSec proposal 2
Oct 6 17:27:52.543 BST: ISAKMP: transform 1, ESP_AES
Oct 6 17:27:52.543 BST: ISAKMP: attributes in transform:
Oct 6 17:27:52.543 BST: ISAKMP: encaps is 1 (Tunnel)
Oct 6 17:27:52.543 BST: ISAKMP: SA life type in seconds
Oct 6 17:27:52.543 BST: ISAKMP: SA life duration (basic) of 3600
Oct 6 17:27:52.543 BST: ISAKMP: SA life type in kilobytes
Oct 6 17:27:52.543 BST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Oct 6 17:27:52.543 BST: ISAKMP: authenticator is HMAC-SHA256
Oct 6 17:27:52.543 BST: ISAKMP: key length is 128
Oct 6 17:27:52.543 BST: ISAKMP:(1167):atts are acceptable.
Oct 6 17:27:52.543 BST: IPSEC(validate_proposal_request): proposal part #1
I had used the following links as the basis for the config and tested it out in a lab environment (albeit with different software/hardware):
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-sec-for-vpns-w-ipsec-xe-16-book/sec-ipsec-virt-tunnl.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-key-exch-ipsec.html#GUID-E3B3DAA7-282B-44D6-BA11-BEECE495D5F4
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1082268
Thanks.
Neil
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/