[Vpn-help] Phase 2 failing while connection to Cisco 2800 Router

philippe brangier philippe.brangier at ilex.fr
Fri Oct 30 03:32:03 CDT 2009


Tamas Pinter wrote:
> I had the same problem, IOS rejects the phase 2 SA if split tunneling is being used.
> If you can change the configuration in the router to default to the tunnel it will work; it is controlled by an ACL and it should match all traffic.
> There can be other problems in the phase 2 proposal parameters, be sure to check these too.
>
> IOS expects the phase2 SA in this form:
>
> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
> remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1),
>
> where x.x.x.x is the assigned address of the client.
> It is working when the tunnel is the default route.
> When in split tunneling mode, the Shrew client tries to negotiate an SA for each destination it has a route to:
>
>     local_proxy= d.d.d.d/255.255.255.255/0/0 (type=1),
>     remote_proxy= x.x.x.x/255.255.255.255/0/0 (type=1)
>
> where d.d.d.d is a destination in the ACL
> and x.x.x.x is the assigned address of the client.
>
> but these negotiations fail in IOS with these errors:
>
> map_db_find_best did not find matching map
> IPSEC(ipsec_process_proposal): proxy identities not supported
> IPSec policy invalidated proposal with error 32
> ISAKMP:(1355): phase 2 SA policy not acceptable!
> ISAKMP:(1355):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>
> The Cisco VPN client always uses 0.0.0.0 as the local_proxy even if split tunneling is being used.
> I think Shrew's behavior is more correct but IOS cannot handle this.
> It would be nice to have an option in the client to use 0.0.0.0 as the proxy in the phase 2 SA and use the routes received.
>
> -pinter

Hello,

I am trying to use Shrew VPN with our Cisco router. I have a working Cisco
VPN client configuration but I can't get it to work with Shrew VPN.
I followed your indication, because we use split tunneling, but it's not
enough.

Can you please share your working IOS configuration with us?

Thanks

Philippe Brangier
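The mismatch Tamas describes, as an added example that is not part of the thread or of the Shrew or Cisco software: it parses the `local_proxy`/`remote_proxy` lines from IOS debug output in the form quoted above, checks them against the form the thread says IOS expects, and builds the per-destination proposals a split-tunnel client sends. The client address 192.0.2.10, the destinations, and the type 4 used for subnet destinations are assumptions.

```python
import ipaddress
import re

# ISAKMP identification types (RFC 2407): 1 = ID_IPV4_ADDR, 4 = ID_IPV4_ADDR_SUBNET
ID_IPV4_ADDR, ID_IPV4_ADDR_SUBNET = 1, 4

# Matches the proxy identity lines in the IOS debug output quoted in the thread,
# e.g. "local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),"
PROXY_RE = re.compile(r"(local|remote)_proxy=\s*([\d.]+)/([\d.]+)/(\d+)/(\d+)\s*\(type=(\d+)\)")
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def parse_proxies(debug_text):
    """Return {'local': (network, proto, port, id_type), 'remote': (...)} from debug lines."""
    found = {}
    for side, addr, mask, proto, port, id_type in PROXY_RE.findall(debug_text):
        found[side] = (ipaddress.IPv4Network((addr, mask)), int(proto), int(port), int(id_type))
    return found


def ios_accepts(debug_text, client_addr):
    """Check a phase 2 proposal against the form the thread says IOS expects:
    local_proxy 0.0.0.0/0.0.0.0 (type 4) and remote_proxy <client>/32 (type 1)."""
    proxies = parse_proxies(debug_text)
    if set(proxies) != {"local", "remote"}:
        return False, "incomplete proposal"
    local_net, _, _, local_type = proxies["local"]
    remote_net, _, _, remote_type = proxies["remote"]
    if local_net != ANY or local_type != ID_IPV4_ADDR_SUBNET:
        return False, f"proxy identities not supported: local_proxy {local_net} is not 0.0.0.0/0"
    if remote_net != ipaddress.IPv4Network(f"{client_addr}/32") or remote_type != ID_IPV4_ADDR:
        return False, f"remote_proxy {remote_net} is not the assigned client address"
    return True, "matches crypto map"


def split_tunnel_proposals(client_addr, destinations):
    """Proxy IDs a client that negotiates one SA per split-tunnel destination sends,
    in the form the thread shows (hosts as type 1; type 4 for subnets is an assumption)."""
    proposals = []
    for dest in destinations:
        net = ipaddress.IPv4Network(dest)
        id_type = ID_IPV4_ADDR if net.prefixlen == 32 else ID_IPV4_ADDR_SUBNET
        proposals.append(f"local_proxy= {net.network_address}/{net.netmask}/0/0 (type={id_type}),\n"
                         f"remote_proxy= {client_addr}/255.255.255.255/0/0 (type={ID_IPV4_ADDR})")
    return proposals


# Constructed samples: the full-tunnel form from the thread, then a split-tunnel one
WORKING = "local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),\nremote_proxy= 192.0.2.10/255.255.255.255/0/0 (type=1),"
SPLIT = "local_proxy= 203.0.113.7/255.255.255.255/0/0 (type=1),\nremote_proxy= 192.0.2.10/255.255.255.255/0/0 (type=1)"
print(ios_accepts(WORKING, "192.0.2.10"), ios_accepts(SPLIT, "192.0.2.10"))  # accepted, then rejected
```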


