…about Linux, electronics, digital photography, whatever…
  • Fixing ‘IPSEC(initialize_sas): Invalid Proxy IDs’ with dynamic VPNs

    Posted on 9 December 2008 by leucos, no comments

    Dynamic VPNs are a Cisco IOS feature that lets a central (headend) router accept VPN establishment without a statically configured peer or a crypto ACL describing the SA.

    The configuration is very simple (even simpler than normal, statically specified tunnels), so when the tunnel doesn't come up, it is quite frustrating.

    And when you get 'IPSEC(initialize_sas): Invalid Proxy IDs', meaning the SA ACLs don't match on both sides, you start pulling your hair out: how can they fail to match when they are not even needed on the headend side??

    Well, it turns out that the headend still checks the SA specification (the Proxy IDs) proposed by the remote peer, and bails out of the ISAKMP quick mode exchange when something is wrong with it. A dynamic map only relaxes where the peer and the traffic selectors come from; it does not relax the validation of what the remote proposes.

    Consider this log, captured on a router sitting at 172.22.1.130/27 with

     debug crypto ipsec

    and

     debug crypto isakmp

    enabled:
    *Mar  1 00:45:39.227: ISAKMP: set new node 909606036 to QM_IDLE
    *Mar  1 00:45:39.227: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 909606036
    *Mar  1 00:45:39.227: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 909606036
    *Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
    *Mar  1 00:45:39.231: ISAKMP: transform 1, ESP_3DES
    *Mar  1 00:45:39.231: ISAKMP:   attributes in transform:
    *Mar  1 00:45:39.231: ISAKMP:      encaps is 1 (Tunnel)
    *Mar  1 00:45:39.231: ISAKMP:      SA life type in seconds
    *Mar  1 00:45:39.231: ISAKMP:      SA life duration (basic) of 3600
    *Mar  1 00:45:39.231: ISAKMP:      SA life type in kilobytes
    *Mar  1 00:45:39.231: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
    *Mar  1 00:45:39.231: ISAKMP:      authenticator is HMAC-SHA
    *Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1):atts are acceptable.
    *Mar  1 00:45:39.231: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 172.22.1.130, remote= 172.22.80.129,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
    *Mar  1 00:45:39.231: IPSEC(initialize_sas): invalid proxy IDs
    *Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
    *Mar  1 00:45:39.231: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable! (local 172.22.1.130 remote 172.22.80.129)

    See it?

    remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),

    The subnet mask 255.255.255.193 comes from a wrong ACL specification in the remote peer's crypto ACL:

    permit ip 172.22.80.128 0.0.0.62 192.168.1.0 0.0.0.255

    instead of

    permit ip 172.22.80.128 0.0.0.63 192.168.1.0 0.0.0.255

    The wildcard 0.0.0.62 is 00111110 in binary, so inverting it gives 11000001, i.e. 255.255.255.193: a discontiguous mask, which is not exactly a common thing to see :)
    A quick sanity check when writing crypto ACLs: a wildcard that describes a real subnet is always 2^n - 1 when read as a number (63 = 2^6 - 1 is fine, 62 is not).
    That's why the tunnel is not coming up, and how you lost the last hour.
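    The following is an added example, not code from the original post: a small Python lint that turns Cisco wildcards into the mask IOS derives from them, flags masks that are not a contiguous prefix, and scans 'debug crypto ipsec' output for proxy IDs carrying such a mask. The sample ACL lines and proxy lines embedded at the bottom are constructed from the two entries and the two proxy lines quoted above; the function and variable names are my own.

```python
"""Lint Cisco crypto-ACL wildcards and the proxy IDs reported by
'debug crypto ipsec', flagging discontiguous masks like 255.255.255.193.
Added example; not part of the original post."""
import ipaddress
import re

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_to_mask(wildcard: str) -> str:
    """Invert a Cisco wildcard (0.0.0.63) into the subnet mask IOS derives (255.255.255.192)."""
    return _to_dotted(_to_int(wildcard) ^ ALL_ONES)


def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of 1 bits followed by a run of 0 bits (a real prefix).
    The host part h = ~mask is then 2**n - 1, which holds exactly when h & (h + 1) == 0."""
    h = _to_int(mask) ^ ALL_ONES
    return (h & (h + 1)) == 0


def mask_to_prefix_len(mask: str) -> int:
    """Prefix length of a contiguous mask; raises for a discontiguous one."""
    if not mask_is_contiguous(mask):
        raise ValueError(f"{mask} is not a contiguous mask")
    return bin(_to_int(mask)).count("1")


def check_acl_entry(entry: str) -> list:
    """Parse 'permit ip SRC SRC_WC DST DST_WC' and describe both selectors.
    Returns [(network, derived_mask, is_contiguous)] for source, then destination."""
    m = re.match(r"\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", entry)
    if not m:
        raise ValueError(f"unsupported ACL entry: {entry!r}")
    result = []
    for net, wc in ((m.group(1), m.group(2)), (m.group(3), m.group(4))):
        mask = wildcard_to_mask(wc)
        result.append((net, mask, mask_is_contiguous(mask)))
    return result


# Matches 'local_proxy= A.B.C.D/MASK/' and 'remote_proxy= A.B.C.D/MASK/' in the debug output.
PROXY_RE = re.compile(
    r"(local_proxy|remote_proxy)=\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/"
)


def bad_proxies_in_debug(log: str) -> list:
    """Scan 'debug crypto ipsec' output for proxy IDs whose mask is not a valid prefix.
    Returns [(side, network, mask)] for each offender, in order of appearance."""
    return [
        (side, net, mask)
        for side, net, mask in PROXY_RE.findall(log)
        if not mask_is_contiguous(mask)
    ]


# Constructed samples: the two ACL entries and the two proxy lines quoted in the post.
WRONG_ACL = "permit ip 172.22.80.128 0.0.0.62 192.168.1.0 0.0.0.255"
RIGHT_ACL = "permit ip 172.22.80.128 0.0.0.63 192.168.1.0 0.0.0.255"
SAMPLE_DEBUG = """\
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.22.80.128/255.255.255.193/0/0 (type=4),
"""

if __name__ == "__main__":
    for acl in (WRONG_ACL, RIGHT_ACL):
        print(acl)
        for net, mask, ok in check_acl_entry(acl):
            print(f"  {net}/{mask}", "ok" if ok else "DISCONTIGUOUS MASK")
    for side, net, mask in bad_proxies_in_debug(SAMPLE_DEBUG):
        print(f"bad proxy ID: {side} {net}/{mask}")
```

    Run stand-alone it prints both ACL entries with the mask each wildcard yields, marks the 0.0.0.62 selector as discontiguous, and reports the remote_proxy line from the debug as a bad proxy ID. The contiguity test relies on the fact that inverting a valid mask gives 2^n - 1, whose bit pattern is all ones below some position, so ANDing it with its successor is zero; any stray zero bit inside the run breaks that.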