Hello Bruno,

If you configure a dynamic virtual tunnel interface, make sure you use an ISAKMP profile as well.
So on R2:

crypto isakmp profile dvty1
 virtual-template 2

HTH

PJ

On 5 Mar 2011, at 17:03, Bruno wrote:

> Hey guys,
>
> I've been trying to get this stuff working for a while and no luck. I am thinking
> it's not possible but would like some insights.
>
> R1 <> ASA <> R2
>
> R1
> interface Tunnel100
>  ip address 1.1.1.1 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel destination 136.1.122.2
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile ipsec_prof
>
> R2 initially had the same config and it worked just fine. Then I changed the
> configuration on R2 to DVTI
> interface Virtual-Template2 type tunnel
>  ip address 1.1.1.2 255.255.255.0
>  tunnel source FastEthernet0/0
>  tunnel mode ipsec ipv4
>
> The interesting thing is that as soon as I configured "tunnel destination" pointing
> to R1 it works. But that's exactly what I do not want to do; supposing R1 had
> a dynamic IP, it should work without a destination address.
>
> The log is:
> IPSec policy invalidated proposal with error 8
> Mar 2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable! (local
> 136.1.122.2 remote 136.1.121.1)
> Mar 2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
> Mar 2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN
> protocol 3
>
> Any idea is welcome.
>
> Cisco DOC for VTI
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands

Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
Web: http://www.nefkensadvies.nl/
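The ISAKMP profile suggested in the reply, written out as a fuller R2 configuration. This is an added example, not configuration posted by anyone in the thread. It assumes pre-shared-key authentication; the keyring name DVTI_KEYS, the transform-set name TSET and the key placeholder are hypothetical, while dvty1, ipsec_prof and Virtual-Template2 are the names used in the posts.

```cisco
! Added example for R2 (the DVTI side); not configuration from the thread.
! Assumed: pre-shared-key authentication, keyring DVTI_KEYS, transform-set TSET.
! The existing ISAKMP policy that worked with the static VTI is left unchanged.
!
crypto keyring DVTI_KEYS
 ! Wildcard entry because the peer address is not known in advance.
 ! Any peer holding this key is accepted, so use a long random key
 ! (or switch to certificates) when the initiator address is dynamic.
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PRESHARED_KEY_PLACEHOLDER>
!
crypto isakmp profile dvty1
 keyring DVTI_KEYS
 ! Match any initiator address, then clone Virtual-Template2 for that peer.
 match identity address 0.0.0.0
 virtual-template 2
!
! Transform set must agree with what R1 proposes in phase 2 (values assumed).
crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
!
crypto ipsec profile ipsec_prof
 set transform-set TSET
!
interface Virtual-Template2 type tunnel
 ! Address as posted in the thread.
 ip address 1.1.1.2 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode ipsec ipv4
 ! No "tunnel destination": the peer is learned from the IKE negotiation.
 tunnel protection ipsec profile ipsec_prof
```

After a peer connects, `show crypto isakmp sa` and `show crypto ipsec sa` on R2 show whether both phases completed and which Virtual-Access interface was cloned from the template.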
