Shahid,

The proxy information is exchanged during Phase 2 IPsec negotiation. As what it received didn't match its own proxy configuration, the SA negotiation failed. The debug is showing you the problem.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

Join our free online support and peer group communities: http://www.IPexpert.com/communities

IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage Lab Certifications.


From: [email protected] [mailto:[email protected]] On Behalf Of shahid rox
Sent: Saturday, August 01, 2009 2:31 AM
To: [email protected]
Subject: [OSL | CCIE_Security] Crypto acls confusion !!

Hi all,

I am really confused: when IPsec SA negotiation takes place, is the crypto ACL also sent as part of it?

Please consider my following scenario, a very basic site-to-site VPN. R1 is connected to R2. R1's IP is 10.0.0.1/8 and R2's is 10.0.0.2/8.

R1 crypto config is:

  crypto isakmp key 0 cisco123 address 10.0.0.2
  crypto isakmp policy 1
   authentication pre-share
   encryption des
   group 2
   hash md5
   lifetime 60
  crypto ipsec transform-set set esp-des
  access-list 111 permit ip 1.1.0.0 0.0.255.255 3.3.3.0 0.0.0.255
  crypto map my 10 ipsec-isakmp
   match address 111
   set peer 10.0.0.2
   set transform-set set

(1.1.1.1/8 is on R1 loopback 0 and 3.3.3.3/8 is on R2 loopback 0)

R2 crypto config is:

  crypto isakmp key 0 cisco123 address 10.0.0.1
  crypto isakmp policy 1
   authentication pre-share
   encryption des
   group 2
   hash md5
   lifetime 60
  crypto ipsec transform-set set esp-des
  access-list 111 permit ip 2.2.0.0 0.0.255.255 6.6.6.0 0.0.0.255
  crypto map my 10 ipsec-isakmp
   match address 111
   set peer 10.0.0.1
   set transform-set set

As you can see there is a clear mismatch in both routers' ACLs.

Now when I do debug crypto ipsec on R2, this is the result I got:

  R2#
  *Mar 1 00:09:19.867: %SYS-5-CONFIG_I: Configured from console by console
  R2#
  *Mar 1 00:09:47.247: IPSEC(key_engine): got a queue event with 1 kei messages
  *Mar 1 00:09:47.479: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 10.0.0.2, remote= 10.0.0.1,
      local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4),
      remote_proxy= 1.1.0.0/255.255.0.0/0/0 (type=4),
      protocol= ESP, transform= esp-des (Tunnel),
      lifedur= 0s and 0kb,
      spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
  *Mar 1 00:09:47.491: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.0.2
  R2#
  *Mar 1 00:09:47.503: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 10.0.0.1

See!! How come R2 got the crypto ACL (with the correct masks)? Does it mean that at the time of SA exchange, ACLs or proxies are also exchanged?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
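As an added example (not part of the thread and not IOS code), the Python below pulls the local_proxy/remote_proxy pair out of the R2 debug line Shahid posted and checks whether it is the exact mirror image of a given crypto ACL entry, which is the test R2 is effectively applying in Quick Mode. The ACL parser assumes a single `permit ip SRC WILDCARD DST WILDCARD` entry (no `host`/`any` keywords); the debug line is the one from the thread, joined onto one line.

```python
import ipaddress
import re

# Constructed sample: the R2 debug line quoted in the thread, joined onto one line.
DEBUG_LINE = (
    "IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND "
    "local= 10.0.0.2, remote= 10.0.0.1, local_proxy= 3.3.3.0/255.255.255.0/0/0 (type=4), "
    "remote_proxy= 1.1.0.0/255.255.0.0/0/0 (type=4), protocol= ESP, transform= esp-des (Tunnel)"
)

# IOS prints proxy IDs as addr/netmask/protocol/port; crypto ACL entries use wildcard masks.
PROXY_RE = re.compile(r"(local|remote)_proxy= (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+")
ACL_RE = re.compile(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)$")

def proxies_from_debug(line):
    """Extract the peer's proposed local/remote proxy networks from a validate_proposal_request line."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for side, addr, mask in PROXY_RE.findall(line)}

def wildcard_to_network(addr, wildcard):
    """Convert a Cisco wildcard (0 bits must match) to a network; a non-contiguous wildcard has no proxy ID."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def acl_to_proxies(acl_line):
    """Map one 'permit ip SRC WC DST WC' crypto ACL entry to the proxy pair it announces (source = local)."""
    m = ACL_RE.match(acl_line.strip())
    if not m:
        raise ValueError(f"unsupported crypto ACL entry: {acl_line!r}")
    src, src_wc, dst, dst_wc = m.groups()
    return {"local": wildcard_to_network(src, src_wc), "remote": wildcard_to_network(dst, dst_wc)}

def proposal_matches_acl(debug_line, acl_line):
    """True only when the peer's proxies are exactly the mirror image of this router's crypto ACL."""
    return proxies_from_debug(debug_line) == acl_to_proxies(acl_line)

if __name__ == "__main__":
    r2_as_posted = "access-list 111 permit ip 2.2.0.0 0.0.255.255 6.6.6.0 0.0.0.255"
    r2_mirror_of_r1 = "access-list 111 permit ip 3.3.3.0 0.0.0.255 1.1.0.0 0.0.255.255"
    print("R2 ACL as posted matches proposal:", proposal_matches_acl(DEBUG_LINE, r2_as_posted))  # False
    print("mirrored ACL matches proposal:", proposal_matches_acl(DEBUG_LINE, r2_mirror_of_r1))  # True
```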
