[Vpn-help] Phase 2 failing while connection to Cisco 2800 Router

Tamas Pinter tpinter71 at yahoo.com
Fri Oct 16 12:11:53 CDT 2009


I had the same problem, IOS rejects the phase2 SA if split tunneling is being used.
If you can change the configuration in the router to default to the tunnel it will work; it is controlled by an acl and it should match all traffic.
There can be other problems in the phase2 proposal parameters, be sure to check these too.

IOS expects the phase2 SA in this form:

    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),

where x.x.x.x is the assigned address of the client.
It is working when the tunnel is the default route.
When in split tunneling mode the Shrew client tries to negotiate an SA for each destination it has a route for:

    local_proxy= d.d.d.d/255.255.255.255/0/0 (type=1),
    remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1)

where d.d.d.d is a destination in the acl and x.x.x.x is the assigned address of the client,

but these negotiations fail in IOS with these errors:

map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
IPSec policy invalidated proposal with error 32
ISAKMP:(1355): phase 2 SA policy not acceptable!
ISAKMP:(1355):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

The Cisco VPN client always uses 0.0.0.0 as the local_proxy even if split tunneling is being used.
I think the Shrew behavior is more correct, but IOS cannot handle this.
It would be nice to have an option in the client to use 0.0.0.0 as proxy in phase2 SA and use the routes received.

-pinter
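To make the mismatch described in the post concrete, here is an added model of the phase 2 proxy identity exchange. It is not code from the Shrew Soft client or from Cisco IOS: it parses the `addr/mask/proto/port (type=N)` form quoted from the IOS debug output, builds the selector pairs a client would propose with and without split tunneling, and runs them through an assumed acceptance rule (`ios_accepts`) that paraphrases the post rather than reproducing the real IOS crypto map lookup. The sample client address and ACL destinations are constructed values. The model also accepts split-tunnel prefixes wider than the `/32` the post describes, which is a generalisation beyond the post.

```python
"""Model of the phase 2 proxy identity (traffic selector) mismatch described
in the post. Added example for illustration; it is not code from the Shrew
Soft client or Cisco IOS, and the acceptance rule in ios_accepts() is an
assumption that paraphrases the post, not the real IOS crypto map lookup."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# ISAKMP identification types (RFC 2407, section 4.6.2.1), shown as the
# "(type=N)" suffix of the IOS debug lines quoted in the post.
ID_IPV4_ADDR = 1         # single host address
ID_IPV4_ADDR_SUBNET = 4  # address plus netmask

_PROXY_RE = re.compile(
    r"\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s*\(type=(\d+)\)\s*,?\s*"
)


@dataclass(frozen=True)
class ProxyId:
    """One side of a phase 2 SA: network, IP protocol, port and ISAKMP ID type."""
    network: IPv4Network
    protocol: int
    port: int
    id_type: int

    @classmethod
    def parse(cls, text: str) -> "ProxyId":
        """Parse the 'addr/mask/proto/port (type=N)' form printed by IOS."""
        m = _PROXY_RE.fullmatch(text)
        if not m:
            raise ValueError(f"unrecognised proxy identity: {text!r}")
        addr, mask, proto, port, id_type = m.groups()
        return cls(IPv4Network(f"{addr}/{mask}", strict=False),
                   int(proto), int(port), int(id_type))

    def __str__(self) -> str:
        n = self.network
        return (f"{n.network_address}/{n.netmask}/{self.protocol}/{self.port}"
                f" (type={self.id_type})")


def client_proposals(assigned: str,
                     split_routes: Optional[List[str]]) -> List[Tuple[ProxyId, ProxyId]]:
    """Proxy ID pairs the client side would negotiate, written in the
    router's (local_proxy, remote_proxy) orientation as in the debug output.
    Without split tunnelling one pair covers all traffic. With split routes
    the post describes one pair per d.d.d.d/32 destination; this model also
    accepts wider prefixes from the ACL (a generalisation, not from the post)."""
    client = ProxyId(IPv4Network(f"{assigned}/32"), 0, 0, ID_IPV4_ADDR)
    if not split_routes:
        everything = ProxyId(IPv4Network("0.0.0.0/0"), 0, 0, ID_IPV4_ADDR_SUBNET)
        return [(everything, client)]
    pairs = []
    for route in split_routes:
        net = IPv4Network(route, strict=False)
        id_type = ID_IPV4_ADDR if net.prefixlen == 32 else ID_IPV4_ADDR_SUBNET
        pairs.append((ProxyId(net, 0, 0, id_type), client))
    return pairs


def ios_accepts(local: ProxyId, remote: ProxyId, assigned: str) -> Tuple[bool, str]:
    """Assumed acceptance rule paraphrasing the post: the router accepts the
    phase 2 SA only when local_proxy is 0.0.0.0/0.0.0.0 (type=4) and
    remote_proxy is the client's assigned /32 (type=1). Anything narrower on
    the local side is reported the way the post's debug lines do."""
    if remote.network != IPv4Network(f"{assigned}/32") or remote.id_type != ID_IPV4_ADDR:
        return False, "remote_proxy is not the client's assigned address"
    if local.network.prefixlen != 0 or local.id_type != ID_IPV4_ADDR_SUBNET:
        return False, ("IPSEC(ipsec_process_proposal): proxy identities not supported"
                       " (IPSec policy invalidated proposal with error 32)")
    return True, "phase 2 SA accepted"


def negotiate(assigned: str,
              split_routes: Optional[List[str]]) -> List[Tuple[str, str, bool, str]]:
    """Run every proposal the client would send through the modelled rule."""
    results = []
    for local, remote in client_proposals(assigned, split_routes):
        ok, reason = ios_accepts(local, remote, assigned)
        results.append((str(local), str(remote), ok, reason))
    return results


if __name__ == "__main__":
    # Constructed sample values: an assigned client address and two
    # split-tunnel ACL destinations.
    assigned_addr = "10.8.0.5"
    for label, routes in (("default route", None),
                          ("split tunnel", ["192.168.10.0/24", "172.16.5.1/32"])):
        print(f"== {label} ==")
        for local, remote, ok, reason in negotiate(assigned_addr, routes):
            print(f"local_proxy= {local}, remote_proxy= {remote} -> {reason}")
```

Running it prints one accepted pair for the default-route case and one rejected pair per split-tunnel destination, which is the pattern the post reports: the per-destination selectors never match a `0.0.0.0/0.0.0.0` local proxy, so the router has no crypto map entry to match them against.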
