Site-to-site vpn configuration: Why ipsec-isakmp tunnel is down? SOLVED
When I did an extended ping from R0 and R2, I found that:
R2#
*Mar 5 22:11:49.403: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:11:49.407: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:11:49.415: ISAKMP:(1001):deleting node 1673201950 error TRUE reason "QM rejected"
R2#
*Mar 5 22:12:17.387: ISAKMP:(1001): IPSec policy invalidated proposal with error 32
*Mar 5 22:12:17.391: ISAKMP:(1001): phase 2 SA policy not acceptable! (local 172.16.0.2 remote 172.16.0.1)
*Mar 5 22:12:17.403: ISAKMP:(1001):deleting node 928163075 error TRUE reason "QM rejected"
R2#sh crypto session
Crypto session current status
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 172.16.0.1 port 500
IKE SA: local 172.16.0.2/500 remote 172.16.0.1/500 Active
IPSEC FLOW: permit ip 192.168.127.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
R0#sh crypto session
Crypto session current status
Interface: FastEthernet1/1
Session status: UP-ACTIVE
Peer: 172.16.0.2 port 500
IKE SA: local 172.16.0.1/500 remote 172.16.0.2/500 Active
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 192.168.127.0/255.255.255.0
Active SAs: 2, origin: crypto map
IKE phase 1 and phase 2 both have no problem; the problem lies with the crypto access-list.
For R0 I changed the access list destination to a network instead of a specific host.
I did the same for R2.
R0 access list:
ip access-list extended PROTECT_TRAFFIC
permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255
R2 access list:
ip access-list extended PROTECT_TRAFFIC
permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255
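The "phase 2 SA policy not acceptable" messages above are what Quick Mode reports when the proxy IDs derived from one peer's crypto ACL are not the exact mirror of the other's. The following is an added checker, not part of the original post, that parses IOS "permit ip" lines (any, host, and address/wildcard forms) and lists every local flow whose mirror is missing on the peer; the host address 192.168.127.10 is a constructed placeholder for R0's old host entry, which the post does not quote.

```python
import ipaddress


def _wildcard_to_network(addr, wildcard):
    """IOS 'ADDR WILDCARD' -> network. Wildcard bits are the inverse of the netmask;
    a non-contiguous wildcard raises ValueError (IPsec proxy IDs cannot carry one anyway)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_operand(tokens, i):
    """Consume one address operand (any | host A | A WILDCARD); return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return the set of (src, dst) networks from the 'permit ip' lines of an IOS extended ACL."""
    flows = set()
    for line in text.splitlines():
        tokens = line.replace("<cr>", " ").split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue  # the 'ip access-list' header, remarks and deny lines select no traffic
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        flows.add((src, dst))
    return flows


def mirror_mismatches(local_acl, peer_acl):
    """Local flows with no exact (dst, src) mirror on the peer. Each one is a proxy-ID
    pair the peer will reject in Quick Mode ('phase 2 SA policy not acceptable')."""
    peer = parse_crypto_acl(peer_acl)
    return sorted((f for f in parse_crypto_acl(local_acl) if (f[1], f[0]) not in peer), key=str)


# Constructed ACLs modelled on the thread. The original host entry is not quoted in the
# post, so 192.168.127.10 is a placeholder standing in for R0's old host destination.
R0_BEFORE = "permit ip 10.0.0.0 0.0.0.255 host 192.168.127.10"
R0_AFTER = "permit ip 10.0.0.0 0.0.0.255 192.168.127.0 0.0.0.255"
R2_ACL = "permit ip 192.168.127.0 0.0.0.255 10.0.0.0 0.0.0.255"

if __name__ == "__main__":
    for label, acl in (("before fix", R0_BEFORE), ("after fix", R0_AFTER)):
        bad = mirror_mismatches(acl, R2_ACL)
        print(label, "->", "OK, mirrored" if not bad else f"unmirrored: {bad}")
```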