[c-nsp] Static Virtual Tunnel Interface: No phase 2 proposal
eyeballi77
eyeballi77 at gmail.com
Mon Oct 10 11:26:53 EDT 2016
Sorry Nick...
I omitted to include you on the reply.
Thanks again.
On 7 October 2016 at 09:01, eyeballi77 <eyeballi77 at gmail.com> wrote:
> Hello all...
>
> Hoping I can get some input on an issue I am having with the above.
>
> I have an ASR1002X as a PE on which I am also trying to terminate a small
> number of internet-based VTIs from C867vae CPE routers on VDSL/PPPoE links.
>
> As these are SVTI, the encryption domain is always 0.0.0.0/0.0.0.0
>
> CPE running c860vae-advsecurityk9-mz.155-3.M.bin
> ASR running asr1002x-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin
>
>
> End-to-end ping is OK. Phase 1 completes fine, but I continue to get a
> Phase 2 failure:
>
>
> Oct 6 17:27:52.540 BST: IPSEC(ipsec_process_proposal): invalid local address xx.xxx.139.169
> Oct 6 17:27:52.540 BST: ISAKMP:(1167): IPSec policy invalidated proposal with error 8
> Oct 6 17:27:52.543 BST: ISAKMP:(1167):Checking IPSec proposal 2
> Oct 6 17:27:52.543 BST: ISAKMP: transform 1, ESP_AES
> Oct 6 17:27:52.543 BST: ISAKMP: attributes in transform:
> Oct 6 17:27:52.543 BST: ISAKMP: encaps is 1 (Tunnel)
> Oct 6 17:27:52.543 BST: ISAKMP: SA life type in seconds
> Oct 6 17:27:52.543 BST: ISAKMP: SA life duration (basic) of 3600
> Oct 6 17:27:52.543 BST: ISAKMP: SA life type in kilobytes
> Oct 6 17:27:52.543 BST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> Oct 6 17:27:52.543 BST: ISAKMP: authenticator is HMAC-SHA256
> Oct 6 17:27:52.543 BST: ISAKMP: key length is 128
> Oct 6 17:27:52.543 BST: ISAKMP:(1167):atts are acceptable.
> Oct 6 17:27:52.543 BST: IPSEC(validate_proposal_request): proposal part #1
>
>
> I had used the following links as the basis for the config and tested it
> out in a lab environment (albeit with different software/hardware).
>
>
> http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16/sec-sec-for-vpns-w-ipsec-xe-16-book/sec-ipsec-virt-tunnl.html?referring_site=RE&pos=3&page=http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16/sec-ike-for-ipsec-vpns-xe-16-book/sec-key-exch-ipsec.html#GUID-E3B3DAA7-282B-44D6-BA11-BEECE495D5F4
>
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1082268
>
>
> Thanks.
>
> Neil
>
>
>