[CISCO871] IPSEC: "invalid local address" on VPN connection


  • JasperE
  • Registered: December 2003
  • Last online: 14-12 10:21
I am trying to set up a VPN connection between a CISCO871 (61.12.10.233 - 192.168.20.0/24) and a Fortigate 50B (80.54.202.93 - 192.168.0.0/24)

On the CISCO, however, I get the error below when I try to bring up the VPN connection from the Fortigate 50B:

code:
.Nov 18 17:13:44.511: IPSEC(validate_proposal_request): proposal part #1
.Nov 18 17:13:44.511: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 61.12.10.233, remote= 80.54.202.93,
    local_proxy= 192.168.20.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
.Nov 18 17:13:44.511: IPSEC(ipsec_process_proposal): invalid local address 61.12.10.233
.Nov 18 17:13:44.511: ISAKMP:(2003): IPSec policy invalidated proposal with error 8
.Nov 18 17:13:44.511: ISAKMP:(2003): phase 2 SA policy not acceptable! (local 61.12.10.233 remote 80.54.202.93)


Strange, because the internet address of the CISCO871 really is 61.12.10.233, and I have also added the configuration line below (following this cisco article)
code:
crypto map outside-map local-address Loopback1


Apparently I am still doing something wrong. I have been googling all day now but cannot find the solution. Can anyone help me with this problem?

Below is the Cisco config:
code:
!
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname C871
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable password ********
!
aaa new-model
!
!
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 1
clock summer-time CET recurring
!
crypto pki trustpoint TP-self-signed-656636748
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-656636748
 revocation-check none
 rsakeypair TP-self-signed-656636748
!
!
crypto pki certificate chain TP-self-signed-656636748
 certificate self-signed 01
-snip-
        quit
dot11 syslog
ip cef
!
!
no ip domain lookup
ip domain name hoofdvestiging.com
ip name-server 213.75.63.70
ip name-server 213.75.63.36
!
!
!
username jasper privilege 15 password 0 ********
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ******** address 80.54.202.93
!
!
crypto ipsec transform-set cm-transformset-1 esp-3des esp-md5-hmac
!
crypto map vestiging2VPN 10 ipsec-isakmp
 set peer 80.54.202.93
 set transform-set cm-transformset-1
 match address vestiging2IP
!
crypto map outside-map local-address Loopback1
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Loopback1
 description Loopback interface for main public IP (always up)
 ip address 61.12.10.233 255.255.255.248
!
interface FastEthernet0
 switchport access vlan 2
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 no cdp enable
!
interface FastEthernet4
 description Link to EVPN CPE
 no ip address
 load-interval 30
 speed 100
 full-duplex
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 description VLan for public IP address pool
 ip unnumbered Loopback1
 ip access-group 99 out
 ip verify unicast reverse-path
 ip tcp adjust-mss 1452
 load-interval 30
!
interface Vlan2
 description VLan for local IP address pool 192.168.20.0/24
 ip address 192.168.20.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto map vestiging2VPN
!
interface Dialer1
 description Customer Traffic PPPoE Connection
 mtu 1492
 ip unnumbered Loopback1
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly max-reassemblies 64
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username KPN password 0 KPN
 ppp ipcp mask request
 ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NATPOOL 61.12.10.233 61.12.10.233 netmask 255.255.255.248
ip nat inside source list 100 pool NATPOOL overload
ip nat inside source static tcp 192.168.20.244 25 61.12.10.233 25 extendable
!
ip access-list extended vestiging2IP
 permit ip 192.198.20.0 0.0.0.255 192.198.0.0 0.0.0.255
!
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 98 deny   any
access-list 99 deny   10.0.0.0 0.255.255.255
access-list 99 deny   172.16.0.0 0.15.255.255
access-list 99 deny   192.168.0.0 0.0.255.255
access-list 99 permit any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO 23
no cdp run
!
!
!
control-plane
!
banner login ^C
Authorized access only!
^C
!
line con 0
 exec-timeout 30 0
 password ********
 no modem enable
 notify
line aux 0
 transport output none
line vty 0 4
 access-class 98 in
 exec-timeout 20 0
 privilege level 15
 password ********
 notify
 transport input telnet
 transport output none
!
scheduler max-task-time 5000
ntp clock-period 17177606
ntp server 131.155.2.3
end


*(The IPs in this thread have been changed from the real IPs with "replace all")

  • JasperE
  • Registered: December 2003
  • Last online: 14-12 10:21
The problem has since been solved: the crypto map was assigned to the wrong interface (it had to go on Dialer1) and there was a typo in the vestiging2IP access-list |:(
After that I still had to exclude the VPN traffic from NAT, and then everything worked.

So this topic can be closed! :*)

[ Edited 3% by JasperE on 19-11-2011 12:12 ]
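The three changes described in the closing post, written out as an added example for this page. This is not the poster's final configuration (which the thread does not show); it is a corrected fragment derived from the config in the first post, and everything not listed in it is assumed to stay as posted. Three things are taken from the page itself: the debug output shows the phase-2 proxy IDs as 192.168.20.0/24 and 192.168.0.0/24 while the posted vestiging2IP access-list says 192.198.x.x; the posted `local-address` line names a crypto map called outside-map that is not defined anywhere in the config, while the map that is actually applied is vestiging2VPN; and the map sits on Vlan2 (the NAT-inside LAN VLAN) rather than on Dialer1, the interface that carries the public address 61.12.10.233 through `ip unnumbered Loopback1` and that the peer at 80.54.202.93 reaches. The exact form of the NAT exemption (a deny entry in access-list 100) and the `show` commands at the end are the standard IOS way to do and check this, not something the post specifies.

```cisco
! Added example: corrected fragment for the C871 config from the first post.
! Lines not shown here are assumed unchanged from that config.

! 1. Phase-2 proxy IDs. The access-list the crypto map matches on must name the
!    192.168.x.x networks that appear as local_proxy/remote_proxy in the debug,
!    not the 192.198.x.x typo from the posted config.
ip access-list extended vestiging2IP
 no permit ip 192.198.20.0 0.0.0.255 192.198.0.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
!
! 2. Crypto map placement. The local-address binding is per map name, so the
!    posted line for the undefined map "outside-map" did nothing for
!    vestiging2VPN; bind Loopback1 to the map that is in use, take the map off
!    the LAN VLAN and put it on Dialer1, where the peer's ESP/IKE packets arrive.
no crypto map outside-map local-address Loopback1
crypto map vestiging2VPN local-address Loopback1
!
interface Vlan2
 no crypto map vestiging2VPN
!
interface Dialer1
 crypto map vestiging2VPN
!
! 3. NAT exemption. On IOS, inside-to-outside NAT runs before the crypto map is
!    evaluated, so site-to-site traffic must be denied in the NAT access-list
!    before the catch-all permit; otherwise its source becomes 61.12.10.233 and
!    it never matches the vestiging2IP proxy IDs.
no access-list 100
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
! Verification (exec mode), standard IOS commands:
!   show crypto map           -> "Interfaces using crypto map vestiging2VPN: Dialer1"
!   show crypto isakmp sa     -> the peer 80.54.202.93 in state QM_IDLE
!   show crypto ipsec sa      -> encaps/decaps counters increasing for the
!                                192.168.20.0/24 <-> 192.168.0.0/24 pair
!   show ip nat translations  -> no entries for 192.168.0.0/24 destinations
```

The order of the three steps matters for reading the debug: as long as the map is not on the interface that owns 61.12.10.233, IOS rejects the peer's proposal with "invalid local address" before the access-list or NAT are even consulted, so fixing the access-list first would not have changed the log lines in the first post. The IKE and IPsec algorithms from the posted policy (3DES, MD5, DH group 2) are left alone here because they must match the Fortigate side, but both ends should be moved to AES and SHA-2 with a stronger DH group once the tunnel is up.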