What do you want to achieve? You must have EasyVPN client configured to use DVTI. SVTI configuration is not EasyVPN.

2011/3/5 Bruno <[email protected]>

> Sorry Piotr, but that's the config
>
> R1
> interface Tunnel100
> ip address 1.1.1.1 255.255.255.0
> tunnel source FastEthernet0/0
> tunnel destination 136.1.122.2
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile ipsec_prof
>
> R2
> interface Virtual-Template2 type tunnel
> ip address 1.1.1.2 255.255.255.0
> tunnel source FastEthernet0/0
> tunnel mode ipsec ipv4
> tunnel protection ipsec profile ipsec_prof
>
> Router 2
> *show cry isa sa*
> dst src state conn-id slot status
> 136.1.122.2 136.1.121.1 QM_IDLE 1003 0 ACTIVE
>
> *show cry isa sa det*
> C-id Local Remote I-VRF Status Encr Hash Auth DH
> Lifetime Cap.
>
> 1003 136.1.122.2 136.1.121.1 ACTIVE 3des md5 rsig 2
> 23:59:40
>
> Router1
> *show cry ips sa*
> Rack1R1(config)#do cry2
>
> interface: Tunnel100
> Crypto map tag: Tunnel100-head-0, local addr 136.1.121.1
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
> current_peer 136.1.122.2 port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>
> Running EIGRP on both Routers
> router eigrp 1
> network 1.1.1.0 0.0.0.255
>
> Still same issue
> Mar 2 08:45:02.331: IPSEC(ipsec_process_proposal): invalid local address
> 136.1.122.2
> Mar 2 08:45:02.335: ISAKMP:(1003): IPSec policy invalidated proposal with
> error 8
> Mar 2 08:45:02.339: ISAKMP:(1003): phase 2 SA policy not acceptable!
> (local 136.1.122.2 remote 136.1.121.1)
> Mar 2 08:45:02.343: ISAKMP: set new node -1211542580 to QM_IDLE
> Mar 2 08:45:02.347: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN
> protocol 3
> spi 1690522144, message ID = -1211542580
> Mar 2 08:45:02.355: ISAKMP:(1003): sending packet to 136.1.121.1 my_port
> 500 peer_port 500 (R) QM_IDLE
> Rack1R2(config-if)#
> Mar 2 08:45:02.355: ISAKMP:(1003):Sending an IKE IPv4 Packet.
> Mar 2 08:45:02.359: ISAKMP:(1003):purging node -1211542580
> Mar 2 08:45:02.363: ISAKMP:(1003):deleting node 729790222 error TRUE
> reason "QM rejected"
>
> As I said, as soon as I configure "tunnel destination 136.1.121.1" pointing
> to R1, it works. I did not configure any isakmp profile on R2 to attach
> virtual-template because I don't think it would be the solution
>
> Rack1R2(config-if)#*tunnel destination 136.1.121.1*
> Mar 2 08:49:11.675: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> Virtual-Template2, changed state to up
> Mar 2 08:49:12.443: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 1.1.1.1
> (Virtual-Template2) is up: new adjacency
>
> On Sat, Mar 5, 2011 at 1:56 PM, Piotr Matusiak <[email protected]> wrote:
>
>> interface Virtual-Template2 type tunnel
>> tunnel protection ipsec profile ipsec_prof
>>
>> 2011/3/5 Bruno <[email protected]>
>>
>>> Hey guys,
>>>
>>> I've been trying to get this stuff working for a while and no luck. I am
>>> thinking it's not possible but would like some insights
>>>
>>> R1 <> ASA <> R2
>>>
>>> R1
>>> interface Tunnel100
>>> ip address 1.1.1.1 255.255.255.0
>>> tunnel source FastEthernet0/0
>>> tunnel destination 136.1.122.2
>>> tunnel mode ipsec ipv4
>>> tunnel protection ipsec profile ipsec_prof
>>>
>>> R2 initially had the same config and it worked just fine. Then I changed
>>> the configuration on R2 to DVTI
>>> interface Virtual-Template2 type tunnel
>>> ip address 1.1.1.2 255.255.255.0
>>> tunnel source FastEthernet0/0
>>> tunnel mode ipsec ipv4
>>>
>>> The interesting thing is that as soon as I configured *"tunnel destination"*
>>> pointing to R1 it works. But that's exactly what I do not want to do,
>>> supposing R1 had dynamic ip, it should work without destination address.
>>>
>>> The log is:
>>> IPSec policy invalidated proposal with error 8
>>> Mar 2 07:20:35.303: ISAKMP:(1013): phase 2 SA policy not acceptable!
>>> (local 136.1.122.2 remote 136.1.121.1)
>>> Mar 2 07:20:35.303: ISAKMP: set new node 1645030739 to QM_IDLE
>>> Mar 2 07:20:35.311: ISAKMP:(1013):Sending NOTIFY PROPOSAL_NOT_CHOSEN
>>> protocol 3
>>>
>>> Any idea is welcome.
>>>
>>> Cisco DOC for VTI
>>>
>>> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>>>
>>> --
>>> Bruno Fagioli (by Jaunty Jackalope)
>>> Cisco Security Professional
>>>
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
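
Added example, not part of the thread or written by its participants: a small Python triage over the debug output quoted above. It groups events by ISAKMP SA id and reports each SA where the phase 2 proposal was rejected, including whether IPsec logged the same local address as invalid. The function names are hypothetical; the sample lines are copied from the thread with the e-mail line wraps undone.

```python
import re
from collections import defaultdict

# Constructed sample: debug lines from the thread, e-mail line wraps undone.
SAMPLE_LOG = """\
Mar 2 08:45:02.331: IPSEC(ipsec_process_proposal): invalid local address 136.1.122.2
Mar 2 08:45:02.335: ISAKMP:(1003): IPSec policy invalidated proposal with error 8
Mar 2 08:45:02.339: ISAKMP:(1003): phase 2 SA policy not acceptable! (local 136.1.122.2 remote 136.1.121.1)
Mar 2 08:45:02.347: ISAKMP:(1003):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Mar 2 08:45:02.363: ISAKMP:(1003):deleting node 729790222 error TRUE reason "QM rejected"
"""

SA_ID = re.compile(r"ISAKMP:\((\d+)\):")
INVALID_LOCAL = re.compile(r"IPSEC\(ipsec_process_proposal\): invalid local address (\S+)")
PATTERNS = {
    "policy_invalidated": re.compile(r"IPSec policy invalidated proposal with error (\d+)"),
    "phase2_rejected": re.compile(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)"),
    "notify_sent": re.compile(r"Sending NOTIFY (\S+) protocol (\d+)"),
    "qm_deleted": re.compile(r'deleting node -?\d+ error TRUE reason "([^"]+)"'),
}

def triage(log_text):
    """Return ({sa_id: {event: captured groups}}, [addresses IPsec called invalid])."""
    per_sa, invalid_local = defaultdict(dict), []
    for line in log_text.splitlines():
        m = INVALID_LOCAL.search(line)
        if m:  # IPSEC lines carry no SA id, so collect them separately
            invalid_local.append(m.group(1))
            continue
        sa = SA_ID.search(line)
        for name, pat in PATTERNS.items():
            hit = pat.search(line)
            if sa and hit:
                per_sa[sa.group(1)][name] = hit.groups()
    return dict(per_sa), invalid_local

def phase2_failures(log_text):
    """List the SAs whose quick mode (phase 2) proposal was rejected."""
    per_sa, invalid_local = triage(log_text)
    out = []
    for sa_id, ev in per_sa.items():
        if "phase2_rejected" not in ev:
            continue
        local, remote = ev["phase2_rejected"]
        out.append({"sa": sa_id, "local": local, "remote": remote,
                    "notify": ev.get("notify_sent", (None,))[0],
                    "error": ev.get("policy_invalidated", (None,))[0],
                    "local_addr_rejected": local in invalid_local})
    return out

if __name__ == "__main__":
    print(phase2_failures(SAMPLE_LOG))
```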
