Site-to-site vpn configuration: Why ipsec-isakmp tunnel is down? SOLVED

by Cyrus Lok on Friday, March 5, 2010 at 9:28pm
The problem is with my crypto access list… darn…

When I did an extended ping from R0 and R2, found that:

R2#
*Mar 5 22:11:49.403: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:11:49.407: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:11:49.415: ISAKMP:(1001):deleting node 1673201950 error TRUE reason "QM rejected"
R2#
*Mar 5 22:12:17.387: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:12:17.391: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:12:17.403: ISAKMP:(1001):deleting node 928163075 error TRUE reason "QM rejected"

R2#sh crypto session
Crypto session current status

Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 172.16.0.1 port 500
IKE SA: local 172.16.0.2/500 remote 172.16.0.1/500 Active
IPSEC FLOW: permit ip 192.168.127.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map

R0#sh crypto session
Crypto session current status

Interface: FastEthernet1/1
Session status: UP-ACTIVE
Peer: 172.16.0.2 port 500
IKE SA: local 172.16.0.1/500 remote 172.16.0.2/500 Active
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.127.0/255.255.255.0
Active SAs: 2, origin: crypto map

IKE phase 1 and phase 2 both have no problem; the problem lies with the crypto access-list.

For R0 I changed the access list destination to a network instead of a specific host.

I did the same for R2.

R0 access list:

ip access-list extended PROTECT_TRAFFIC <cr>

permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255 <cr>

R2 access list:

ip access-list extended PROTECT_TRAFFIC <cr>

permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255 <cr>
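To check the mirror-image requirement mechanically, here is an added Python example (not from the post or from Cisco) that parses `permit ip` crypto ACL entries, converts Cisco wildcard masks to prefixes, and reports whether two peers' entries are exact mirrors. It uses the corrected entries quoted above plus a constructed host-based entry standing in for R0's original mistake; the host address 192.168.127.10 is a placeholder, since the post does not give it.

```python
import ipaddress

# Constructed sample input: the corrected entries quoted in the post, plus an
# assumed host-based entry standing in for R0's original mistake (the post
# does not give the host address, so 192.168.127.10 is a placeholder).
R0_ACE = "permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255"
R2_ACE = "permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255"
R0_ACE_HOST = "permit ip 10.0.0.0 0.0.0.255 host 192.168.127.10"


def _parse_endpoint(tokens):
    """Consume one address spec (any | host A | A WILDCARD), return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    # A Cisco wildcard is the bitwise inverse of the subnet mask; ip_network
    # raises ValueError if the wildcard was not contiguous.
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def parse_crypto_ace(line):
    """Return (src_network, dst_network) for a 'permit ip' crypto ACL entry."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"not a 'permit ip' entry: {line}")
    rest = tokens[2:]
    src = _parse_endpoint(rest)
    dst = _parse_endpoint(rest)
    return src, dst


def check_mirror(local_ace, peer_ace):
    """Return (ok, message). ok is True only when the peer's src/dst are exactly
    the local dst/src, the safe configuration for phase 2 proxy-ID matching."""
    lsrc, ldst = parse_crypto_ace(local_ace)
    psrc, pdst = parse_crypto_ace(peer_ace)
    if lsrc == pdst and ldst == psrc:
        return True, f"mirrored: {lsrc} <-> {ldst}"
    return False, (f"mismatch: local proposes {lsrc} -> {ldst}, "
                   f"peer expects {pdst} -> {psrc} (phase 2 will be rejected)")


if __name__ == "__main__":
    for local in (R0_ACE, R0_ACE_HOST):
        print(check_mirror(local, R2_ACE)[1])
```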
