Sorry Piotr, but that's the config
R1
interface Tunnel100
ip address 1.1.1.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 136.1.122.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_prof
R2
interface Virtual-Template2 type tunnel
ip address 1.1.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_prof
Router 2
*show cry isa sa*
dst src state conn-id slot status
136.1.122.2 136.1.121.1 QM_IDLE 1003 0 ACTIVE
*show cry isa sa det*
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1003 136.1.122.2 136.1.121.1 ACTIVE 3des md5 rsig 2 23:59:40
Router1
*show cry ips sa*
Rack1R1(config)#do cry2
interface: Tunnel100
Crypto map tag: Tunnel100-head-0, local addr 136.1.121.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 136.1.122.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Running EIGRP on both Routers
router eigrp 1
network 1.1.1.0 0.0.0.255
Still the same issue
Mar 2 08:45:02.331: IPSEC(ipsec_process_proposal): invalid local address 136.1.122.2
Mar 2 08:45:02.335: ISAKMP:(1003): IPSec policy invalidated proposal with error 8
Mar 2 08:45:02.339: ISAKMP:(1003): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
Mar 2 08:45:02.343: ISAKMP: set new node -1211542580 to QM_IDLE
Mar 2 08:45:02.347: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 1690522144, message ID = -1211542580
Mar 2 08:45:02.355: ISAKMP:(1003): sending packet to 136.1.121.1 my_port 500 peer_port 500 (R) QM_IDLE
Rack1R2(config-if)#
Mar 2 08:45:02.355: ISAKMP:(1003):Sending an IKE IPv4 Packet.
Mar 2 08:45:02.359: ISAKMP:(1003):purging node -1211542580
Mar 2 08:45:02.363: ISAKMP:(1003):deleting node 729790222 error TRUE reason "QM rejected"
As I said, as soon as I configure "tunnel destination 136.1.121.1" pointing
to R1, it works. I did not configure any isakmp profile on R2 to attach the
virtual-template because I don't think it would be the solution.
Rack1R2(config-if)#*tunnel destination 136.1.121.1*
Mar 2 08:49:11.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template2, changed state to up
Mar 2 08:49:12.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1 (Virtual-Template2) is up: new adjacency
On Sat, Mar 5, 2011 at 1:56 PM, Piotr Matusiak <[email protected]> wrote:
> interface Virtual-Template2 type tunnel
> tunnel protection ipsec profile ipsec_prof
>
>
>
> 2011/3/5 Bruno <[email protected]>
>
>> Hey guys,
>>
>> I've been trying to get this stuff working for a while with no luck. I am
>> thinking it's not possible but would like some insights.
>>
>> R1 <> ASA <> R2
>>
>> R1
>> interface Tunnel100
>> ip address 1.1.1.1 255.255.255.0
>> tunnel source FastEthernet0/0
>> tunnel destination 136.1.122.2
>> tunnel mode ipsec ipv4
>> tunnel protection ipsec profile ipsec_prof
>>
>> R2 initially had the same config and it worked just fine. Then I changed
>> the configuration on R2 to DVTI
>> interface Virtual-Template2 type tunnel
>> ip address 1.1.1.2 255.255.255.0
>> tunnel source FastEthernet0/0
>> tunnel mode ipsec ipv4
>>
>> The interesting thing is that as soon as I configured *"tunnel destination"*
>> pointing to R1, it works. But that's exactly what I do not want to do;
>> supposing R1 had a dynamic IP, it should work without a destination address.
>>
>> The log is:
>> IPSec policy invalidated proposal with error 8
>> Mar 2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
>> Mar 2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
>> Mar 2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>>
>> Any idea is welcome.
>>
>> Cisco DOC for VTI
>>
>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>>
>> --
>> Bruno Fagioli (by Jaunty Jackalope)
>> Cisco Security Professional
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
--
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
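Added example (editor's, not a configuration from the thread): a DVTI responder configuration for R2 in which a crypto isakmp profile selects Virtual-Template2 for the matching peer, so that a Virtual-Access interface is cloned for the session without a static tunnel destination; the IKE parameters mirror the "show cry isa sa det" output above (3des, md5, rsig, DH group 2). The profile name DVTI_PROF, the transform-set name TS and the wildcard identity match are assumptions.

```cisco
! R2 (DVTI responder) - constructed example, not the thread's own config
! Phase 1 parameters as shown in "show cry isa sa det": 3des / md5 / rsig / group 2
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication rsa-sig
 group 2
!
! DVTI_PROF (assumed name): the profile is what ties an incoming IKE session
! to the virtual-template; without it no VTI owns the proposal arriving on
! FastEthernet0/0. The wildcard match is an assumption: with rsa-sig the IKE
! identity type in use (address, hostname or DN) decides which match form fits.
crypto isakmp profile DVTI_PROF
 match identity address 0.0.0.0
 virtual-template 2
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile ipsec_prof
 set transform-set TS
 set isakmp-profile DVTI_PROF
!
! No "tunnel destination": the peer address comes from the IKE session, which
! is what lets R1 sit behind a dynamic address.
interface Virtual-Template2 type tunnel
 ip address 1.1.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_prof
!
router eigrp 1
 network 1.1.1.0 0.0.0.255
```

After the session comes up, "show crypto session detail" and "show ip interface brief" should list a Virtual-Access interface cloned from Virtual-Template2 for the R1 peer.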