Cisco IPSEC VPN fail Stage 2

Tags: cisco, ipsec, vpn

The HUB is managed at a data center with external IP 200.200.200.200.
There are 10 remote offices.

Office 9                                    HUB
10.1.9.0 - 100.100.100.100 ->>  VPN   <<- 200.200.200.200 - 10.1.1.0

In office 9 only, after upgrading from ADSL to EFM and replacing the Cisco 887 with a Cisco 1812 (both running IOS 12.4), I copied the config and replaced the internet connection details.

Not sure if relevant, but there is also a router in bridge mode, installed by the EFM provider, that the 1812 connects through.

Now the ISAKMP is connected:

MYCISCO#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state          conn-id slot status
100.100.100.100  200.200.200.200  MM_NO_STATE       2262    0 ACTIVE (deleted)

But the Phase 2 IPSEC SA will not come up. The logs produce these errors:

  • transform proposal not supported for identity
  • IPSec policy invalidated proposal with error 256
  • phase 2 SA policy not acceptable!

From show log:

*Apr  2 21:44:09.198: ISAKMP:(2125):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Apr  2 21:44:12.246: ISAKMP (0:2125): received packet from 200.200.200.200 dport 500 sport 500 Global (I) QM_IDLE
*Apr  2 21:44:12.246: ISAKMP: set new node -505694825 to QM_IDLE
*Apr  2 21:44:12.246: crypto_engine: Decrypt IKE packet
*Apr  2 21:44:12.246: crypto_engine: Generate IKE hash
*Apr  2 21:44:12.246: ISAKMP:(2125): processing HASH payload. message ID = -505694825
*Apr  2 21:44:12.246: ISAKMP:(2125): processing SA payload. message ID = -505694825
*Apr  2 21:44:12.246: ISAKMP:(2125):Checking IPSec proposal 0
*Apr  2 21:44:12.246: ISAKMP: transform 0, ESP_AES
*Apr  2 21:44:12.246: ISAKMP:   attributes in transform:
*Apr  2 21:44:12.246: ISAKMP:      group is 5
*Apr  2 21:44:12.246: ISAKMP:      encaps is 1 (Tunnel)
*Apr  2 21:44:12.246: ISAKMP:      SA life type in seconds
*Apr  2 21:44:12.246: ISAKMP:      SA life duration (basic) of 28800
*Apr  2 21:44:12.246: ISAKMP:      authenticator is HMAC-SHA
*Apr  2 21:44:12.246: ISAKMP:      key length is 128
*Apr  2 21:44:12.246: CryptoEngine0: validate proposal
*Apr  2 21:44:12.246: ISAKMP:(2125):atts are acceptable.
*Apr  2 21:44:12.246: IPSEC(validate_proposal_request): proposal part #1
*Apr  2 21:44:12.246: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 100.100.100.100, remote= 200.200.200.200,
    local_proxy= 10.1.9.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr  2 21:44:12.246: Crypto mapdb : proxy_match
        src addr     : 10.1.9.0
        dst addr     : 10.1.1.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Apr  2 21:44:12.246: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes esp-sha-hmac }
*Apr  2 21:44:12.246: ISAKMP:(2125): IPSec policy invalidated proposal with error 256
*Apr  2 21:44:12.246: ISAKMP:(2125): phase 2 SA policy not acceptable! (local 100.100.100.100 remote 200.200.200.200)

My Configuration:

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MYCISCO
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone AEST 10
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.9.1 10.1.9.99
!
ip dhcp pool VLAN1
   import all
   network 10.1.9.0 255.255.255.0
   default-router 10.1.9.254
   domain-name MYDOMAIN.COM
   dns-server 8.8.8.8
!
!
ip tcp path-mtu-discovery
no ip bootp server
no ip domain lookup
ip domain name MYDOMAIN.COM
ip name-server 8.8.8.8
!
password encryption aes
crypto pki token default removal timeout 0
!
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username ADMINUSERNAME password 0 ADMINPASSWORD
archive
 log config
  hidekeys
!
!
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key PRESHAREDKEY address 200.200.200.200 no-xauth
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset3 esp-aes 256
crypto ipsec transform-set myset4 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set myset5 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer 200.200.200.200
 set security-association lifetime seconds 28800
 set transform-set myset myset1 myset2 myset3 myset4 myset5
 match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no shutdown
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description Internal Network
 ip address 10.1.9.254 255.255.255.0
 ip verify unicast reverse-path
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 30
!

 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in

interface Dialer0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp chap hostname CHAP@HOST.COM
 ppp chap password 0 CHAPPASSWORD
 ppp pap sent-username PAP@HOST.COM password 0 PAPPASSWORD
 ppp ipcp dns request accept
 crypto map clientmap
!

!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark IP Addresses Permitted to login via ssh and telnet
access-list 1 permit 200.200.200.200
access-list 1 permit 10.1.9.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny   any
access-list 3 remark NTP Server addresses
access-list 3 permit X.X.X.X
access-list 4 remark Deny All
access-list 4 deny   any
access-list 102 remark NAT
access-list 102 deny   ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.9.0 0.0.0.255 any

access-list 110 remark VPN 
access-list 110 permit ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
 password CONPASSWORD
line aux 0
 access-class 4 in
line vty 0 4
 access-class 1 in
 exec-timeout 500 0
 privilege level 3
 password VTYPASSWORD
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp access-group peer 3
ntp access-group serve 4
ntp master
ntp server X.X.X.X
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

I'm suspecting the Access List settings, but again this is identical to 9 other offices, and the network support team who are providing the HUB end have taken a look and the settings are all correct.

Thanks for your comments!

Best Answer

Access lists aren't a problem here.

The output from show crypto isakmp sa tells you that the key negotiation is failing (MM_NO_STATE).

The log entry says that the hub wants to use a transform set (esp-aes, esp-sha-hmac) that you don't support. None of the transform sets on your router include esp-aes, esp-sha-hmac.

I suggest you add that to your list of transforms. While you're at it, unless you really need the others (myset1-5), you might as well take them out.

Your new set will be:

crypto ipsec transform-set mynewset esp-aes esp-sha-hmac
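To make the mismatch the answer points at checkable rather than eyeballed, here is an added Python example (not from the question or the answer) that turns the peer's proposal from the debug output and the router's transform-set lines into the same shape and reports which local sets would accept it. It assumes the `debug crypto isakmp` line formats shown on the page; the input strings are constructed from the poster's output and config, and `FIX` is the answer's new set.

```python
import re
# Constructed input: lines copied from the poster's debug output and config as shown on the page.
DEBUG_LOG = """\
*Apr  2 21:44:12.246: ISAKMP: transform 0, ESP_AES
*Apr  2 21:44:12.246: ISAKMP:      encaps is 1 (Tunnel)
*Apr  2 21:44:12.246: ISAKMP:      authenticator is HMAC-SHA
*Apr  2 21:44:12.246: ISAKMP:      key length is 128
"""
CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset4 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set myset5 esp-3des esp-sha-hmac
 mode transport
"""
FIX = "crypto ipsec transform-set mynewset esp-aes esp-sha-hmac\n"  # the accepted answer's new set
NAMES = {"ESP_AES": "esp-aes", "ESP_3DES": "esp-3des", "ESP_DES": "esp-des",
         "HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}
def parse_proposal(log):
    """Express the peer's phase 2 proposal (debug crypto isakmp output) in IOS transform-set terms."""
    p = {"enc": None, "bits": None, "auth": None, "mode": "tunnel"}
    for line in log.splitlines():
        if m := re.search(r"transform \d+, (ESP_\w+)", line):
            p["enc"] = NAMES.get(m.group(1), m.group(1).lower())
        elif m := re.search(r"key length is (\d+)", line):
            p["bits"] = int(m.group(1))
        elif m := re.search(r"authenticator is (HMAC-\w+)", line):
            p["auth"] = NAMES.get(m.group(1), m.group(1).lower())
        elif "encaps is 2" in line:  # IOS prints 'encaps is 1 (Tunnel)' or '2 (Transport)'
            p["mode"] = "transport"
    return p
def parse_transform_sets(config):
    """Map each 'crypto ipsec transform-set' name to the same dict shape parse_proposal() returns."""
    sets, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cur = sets[m.group(1)] = {"enc": None, "bits": None, "auth": None, "mode": "tunnel"}
            for tok in m.group(2).split():
                if tok.endswith("-hmac"):
                    cur["auth"] = tok
                elif tok.isdigit():  # key size suffix, e.g. 'esp-aes 256'
                    cur["bits"] = int(tok)
                else:  # cipher; a bare 'esp-aes' means 128-bit
                    cur["enc"], cur["bits"] = tok, (128 if tok == "esp-aes" else None)
        elif cur and line.strip() == "mode transport":  # indented sub-line of the set above
            cur["mode"] = "transport"
    return sets
def matching_sets(proposal, sets):
    """Local transform sets that would accept the proposal; an empty list is the 'error 256' case."""
    return [name for name, s in sets.items() if s == proposal]
```

Run against the poster's config the match list is empty, which is exactly the "transform proposal not supported for identity" condition; appending the answer's `mynewset` line makes it match.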