[Vpn-help] Phase 2 failing while connection to Cisco 2800 Router
Matthew Grooms
mgrooms at shrew.net
Sun Oct 18 17:29:26 CDT 2009
Edwards Stephen wrote:
> I've just tried all the PFS groups and each one fails.
>
> It's a possibility that the gateway is IPsec over TCP but surely if that
> were the case then the Phase 1 part would also fail? Also would that
> not be indicated in the Cisco Log file?
>
Your assumption sounds reasonable but I'm not that familiar with IPsec
over TCP. Maybe it negotiates with IKE over UDP and then uses TCP for
the transport? I'm not really sure to be honest.

The bottom line is that the phase2 proposal is being rejected for some
reason. It could be your network identifiers ( SRC -> DST ) or it could
be a parameter in the phase2 proposal tab. It's hard to tell without
knowing how the gateway is configured. Do you have any output from the
'debug crypto isakmp'?

-Matthew