[Vpn-help] Phase 2 failing while connecting to Cisco 2800 Router
Matthew Grooms
mgrooms at shrew.net
Sun Oct 18 18:15:26 CDT 2009
Tamas Pinter wrote:
> I had the same problem, IOS rejects the phase2 SA if split tunneling is being used.
> If you can change the configuration in the router to default to the tunnel it will work; it is controlled by an ACL and it should match all traffic.
> There can be other problems in the phase2 proposal parameters, be sure to check these too.
>
> IOS expects the phase2 SA in this form:
>
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
>
> where x.x.x.x is the assigned address of the client.
> It is working when the tunnel is the default route.
> When in split tunneling mode the Shrew client tries to negotiate an SA for each destination it has a route to:
>
> local_proxy= d.d.d.d/255.255.255.255/0/0 (type=1),
> remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1)
>
> where d.d.d.d is a destination in the acl
> where x.x.x.x is the assigned address of the client.
>
> but these negotiations fail in IOS with these errors:
>
> map_db_find_best did not find matching map
> IPSEC(ipsec_process_proposal): proxy identities not supported
> IPSec policy invalidated proposal with error 32
> ISAKMP:(1355): phase 2 SA policy not acceptable!
> ISAKMP:(1355):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>
> The Cisco VPN client always uses 0.0.0.0 as the local_proxy even if split tunneling is being used.
> I think Shrew's behavior is more correct but IOS cannot handle this.
> It would be nice to have an option in the client to use 0.0.0.0 as proxy in phase2 SA and use the routes received.
>
Hi Pinter,
This is very good information. Thanks for sharing!
We have known that the Cisco client only negotiates a single IPsec SA
even when split tunneling. It has been our intent to introduce a new
mode of operation that works in a similar fashion but we haven't had a
chance to yet. This could very well be the reason so many people have
been experiencing issues with IOS based Cisco devices.
-Matthew
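The two quick-mode selector patterns described in the quoted message, as an added example that is not part of the original thread and is not Shrew or Cisco code. It encodes IKEv1 Identification payload bodies in the RFC 2407 form (ID type 1 = ID_IPV4_ADDR, type 4 = ID_IPV4_ADDR_SUBNET, then protocol and port), prints them in the same `addr/mask/proto/port (type=N)` form as the IOS debug output above, and runs both client behaviours through a deliberately simplified model of the acceptance rule the message reports. The `ios_policy_accepts` function is an assumption derived from that report, not IOS's real crypto-map matching logic, and the client address and split-tunnel routes are constructed sample values.

```python
import ipaddress
import struct

# IKEv1 identification types, RFC 2407 section 4.6.2.1
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4

ANY = "0.0.0.0/0"


def encode_proxy_id(network, proto=0, port=0):
    """Encode one quick-mode Identification payload body (RFC 2407 4.6.2).

    A single host is sent as ID_IPV4_ADDR (type 1) carrying just the address;
    a wider prefix as ID_IPV4_ADDR_SUBNET (type 4) carrying address and mask.
    proto/port of 0 mean 'any', the '/0/0' seen in the IOS debug lines.
    """
    net = ipaddress.IPv4Network(network, strict=False)
    if net.prefixlen == 32:
        id_type, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        id_type = ID_IPV4_ADDR_SUBNET
        data = net.network_address.packed + net.netmask.packed
    return struct.pack("!BBH", id_type, proto, port) + data


def decode_proxy_id(body):
    """Inverse of encode_proxy_id, rendered IOS-style: addr/mask/proto/port (type=N)."""
    id_type, proto, port = struct.unpack("!BBH", body[:4])
    addr = ipaddress.IPv4Address(body[4:8])
    if id_type == ID_IPV4_ADDR:
        mask = ipaddress.IPv4Address("255.255.255.255")
    elif id_type == ID_IPV4_ADDR_SUBNET:
        mask = ipaddress.IPv4Address(body[8:12])
    else:
        raise ValueError(f"unsupported ID type {id_type}")
    return f"{addr}/{mask}/{proto}/{port} (type={id_type})"


def cisco_style_sas(client_addr, split_routes):
    """Cisco VPN client behaviour as described in the thread: a single SA whose
    gateway-side (local) proxy is 0.0.0.0/0 regardless of split-tunnel routes.
    Traffic selection for the split routes is then left to the client's routing table."""
    return [(ANY, f"{client_addr}/32")]


def per_route_sas(client_addr, split_routes):
    """Shrew split-tunnel behaviour as described in the thread: one SA per
    destination received in the split-tunnel ACL."""
    return [(route, f"{client_addr}/32") for route in split_routes]


def ios_policy_accepts(local_proxy, remote_proxy, client_addr):
    """ASSUMPTION: a simplified model of the acceptance rule reported on the page
    (local proxy must be 0.0.0.0/0, remote proxy the assigned client /32).
    This is not IOS's actual crypto-map / ACL matching code."""
    local_ok = ipaddress.IPv4Network(local_proxy, strict=False) == ipaddress.IPv4Network(ANY)
    remote_ok = (ipaddress.IPv4Network(remote_proxy, strict=False)
                 == ipaddress.IPv4Network(f"{client_addr}/32"))
    return local_ok and remote_ok


def negotiate(client_addr, split_routes, build):
    """Encode each proposed (local, remote) selector pair, decode it back into the
    IOS debug form, and record whether the modelled policy accepts it."""
    results = []
    for local, remote in build(client_addr, split_routes):
        local_str = decode_proxy_id(encode_proxy_id(local))
        remote_str = decode_proxy_id(encode_proxy_id(remote))
        results.append((local_str, remote_str, ios_policy_accepts(local, remote, client_addr)))
    return results


if __name__ == "__main__":
    # Constructed sample values: an assigned client address and two split-tunnel destinations
    client = "10.10.10.5"
    routes = ["192.168.1.0/24", "172.16.5.7/32"]
    for name, build in (("cisco-style", cisco_style_sas), ("per-route", per_route_sas)):
        print(name)
        for local, remote, ok in negotiate(client, routes, build):
            verdict = "accepted" if ok else "PROPOSAL_NOT_CHOSEN"
            print(f"  local_proxy={local}, remote_proxy={remote} -> {verdict}")
```

Run stand-alone it prints one accepted SA for the Cisco-style builder and one rejected proposal per split route for the per-route builder, which is the pattern the quoted debug lines show. The security trade-off worth noting is that the single 0.0.0.0/0 selector makes the gateway's IPsec policy accept any destination from the client; what the client actually sends through the tunnel is then decided by its routing table rather than by the negotiated traffic selectors.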