[Vpn-help] Phase 2 failing while connecting to Cisco 2800 Router

Matthew Grooms mgrooms at shrew.net
Sun Oct 18 18:15:26 CDT 2009


Tamas Pinter wrote:
> I had the same problem; IOS rejects the phase2 SA if split tunneling is being used.
> If you can change the configuration in the router to default to the tunnel it will work; it is controlled by an ACL and it should match all traffic.
> There can be other problems in the phase2 proposal parameters, be sure to check these too.
> 
> IOS expects the phase2 SA in this form:
> 
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
> 
> where x.x.x.x is the assigned address of the client.
> It is working when the tunnel is the default route.
> When in split tunneling mode the Shrew client tries to negotiate an SA for each destination it has a route for:
> 
> local_proxy= d.d.d.d/255.255.255.255/0/0 (type=1),
> remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1)
> 
> where d.d.d.d is a destination in the ACL,
> and x.x.x.x is the assigned address of the client.
> 
> but these negotiations fail in IOS with these errors:
> 
> map_db_find_best did not find matching map
> IPSEC(ipsec_process_proposal): proxy identities not supported
> IPSec policy invalidated proposal with error 32
> ISAKMP:(1355): phase 2 SA policy not acceptable!
> ISAKMP:(1355):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
> 
> The Cisco VPN client always uses 0.0.0.0 as the local_proxy even if split tunneling is being used.
> I think Shrew's behavior is more correct but IOS cannot handle this.
> It would be nice to have an option in the client to use 0.0.0.0 as proxy in phase2 SA and use the routes received.
> 

Hi Pinter,

This is very good information. Thanks for sharing!

We have known that the Cisco client only negotiates a single IPsec SA 
even when split tunneling. It has been our intent to introduce a new 
mode of operation that works in a similar fashion but we haven't had a 
chance to yet. This could very well be the reason so many people have 
been experiencing issues with IOS based Cisco devices.

-Matthew
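To make the proxy-identity mismatch concrete, here is a small model of the quick-mode proposal matching described in the thread. It is an added example, not Shrew Soft or Cisco code. The gateway-side acceptance rule in ios_accepts() is an assumption distilled from Tamas's description (local proxy must be 0.0.0.0/0.0.0.0, remote proxy must be the client's assigned /32); the client address and the split-tunnel ACL are constructed sample values. It prints each proposal in the same local_proxy/remote_proxy form as the IOS debug output, for the single-SA (Cisco client) behaviour, for the per-route behaviour, and for the full-tunnel ACL case that the post reports as working.

```python
"""Model of IKEv1 phase-2 (quick mode) proxy-ID matching as described in the thread.

Constructed example, not Shrew Soft or Cisco code. The rule in ios_accepts() is an
assumption distilled from the post: the gateway accepts a proposal only when its
local proxy is 0.0.0.0/0.0.0.0 (type=4) and the remote proxy is the client's
assigned address as a /32 (type=1).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ID_IPV4_ADDR = 1          # IKEv1 identification type for a single host
ID_IPV4_ADDR_SUBNET = 4   # IKEv1 identification type for a network


@dataclass(frozen=True)
class ProxyId:
    """One side of a phase-2 identity: address/mask/protocol/port (0 = any)."""
    network: ipaddress.IPv4Network
    protocol: int = 0
    port: int = 0

    @property
    def id_type(self) -> int:
        return ID_IPV4_ADDR if self.network.prefixlen == 32 else ID_IPV4_ADDR_SUBNET

    def __str__(self) -> str:
        # Same layout as the IOS debug line: addr/mask/proto/port (type=N)
        n = self.network
        return f"{n.network_address}/{n.netmask}/{self.protocol}/{self.port} (type={self.id_type})"


ANY = ProxyId(ipaddress.IPv4Network("0.0.0.0/0"))   # "all traffic" proxy, type=4


def host(addr: str) -> ProxyId:
    """A single-host proxy identity (type=1)."""
    return ProxyId(ipaddress.IPv4Network(f"{addr}/32"))


def single_sa_proposals(client_addr: str) -> List[Tuple[ProxyId, ProxyId]]:
    """Cisco-client style: one SA for all traffic, whatever the split-tunnel list says.
    Tuples are (local_proxy, remote_proxy) from the gateway's point of view."""
    return [(ANY, host(client_addr))]


def per_route_proposals(client_addr: str, split_acl: List[str]) -> List[Tuple[ProxyId, ProxyId]]:
    """Per-destination style: one SA per network the client received a route for."""
    remote = host(client_addr)
    return [(ProxyId(ipaddress.IPv4Network(dst)), remote) for dst in split_acl]


def ios_accepts(local: ProxyId, remote: ProxyId, client_addr: str) -> bool:
    """Assumed gateway policy from the post: local must be 0.0.0.0/0, remote the client /32."""
    return local == ANY and remote == host(client_addr)


def evaluate(proposals: List[Tuple[ProxyId, ProxyId]], client_addr: str) -> List[Tuple[str, str, bool]]:
    """Return (local_proxy, remote_proxy, accepted) for each proposal."""
    return [(str(l), str(r), ios_accepts(l, r, client_addr)) for l, r in proposals]


if __name__ == "__main__":
    client = "192.0.2.10"                                   # constructed: mode-config assigned address
    split_acl = ["10.1.2.3/32", "10.1.2.4/32", "10.2.0.0/16"]  # constructed split-tunnel ACL
    cases = (
        ("single SA   ", single_sa_proposals(client)),
        ("per-route   ", per_route_proposals(client, split_acl)),
        ("full tunnel ", per_route_proposals(client, ["0.0.0.0/0"])),   # ACL matches all traffic
    )
    for name, props in cases:
        for local, remote, ok in evaluate(props, client):
            verdict = "accepted" if ok else "PROPOSAL_NOT_CHOSEN"
            print(f"{name} local_proxy= {local}, remote_proxy= {remote} -> {verdict}")
```

The per-route case reproduces the rejected d.d.d.d/255.255.255.255 identities from the debug log, while a split-tunnel ACL that matches all traffic collapses to the single accepted proposal, which is the router-side workaround the post suggests.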