Problem: IOS VPN (c1812), simultaneous site-to-site VPN + remote VPN client
#1
Hi, I've been busting my head for quite some time now trying to set up simultaneous site-to-site VPNs (with split tunneling over NAT), remote software Cisco VPN clients and an IOS EZVPN client connection (to my workplace) on my home router (C1812).
So far I've managed to set up and get working site-to-site VPN tunnels using crypto maps and the IOS EZVPN client, but I'm having problems trying to connect remotely using IPsec VPN clients (Cisco VPN client v3.6 and 5.0, and the Nokia mobile VPN client) using a dynamic crypto map: the connection successfully finishes PHASE 1 (including MODE config; IPs are assigned etc.), but then PHASE 2 gets rejected for some reason... Here is the relevant part of the debug from the server (I can post the whole debug log if you think this part is not enough):
Code:
*Jan 21 09:34:16: ISAKMP:(2242):IKE_DPD is enabled, initializing timers
*Jan 21 09:34:16: ISAKMP:(2242):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 21 09:34:16: ISAKMP (2242): received packet from xx.xxx.xxx.xx dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 21 09:34:16: ISAKMP: set new node 1388603735 to QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242): processing HASH payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242): processing SA payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP: transform 1, ESP_AES
*Jan 21 09:34:16: ISAKMP: attributes in transform:
*Jan 21 09:34:16: ISAKMP: authenticator is HMAC-MD5
*Jan 21 09:34:16: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP: key length is 256
*Jan 21 09:34:16: ISAKMP: SA life type in seconds
*Jan 21 09:34:16: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP:(2242):transform 1, IPPCP LZS
*Jan 21 09:34:16: ISAKMP: attributes in transform:
*Jan 21 09:34:16: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP: SA life type in seconds
*Jan 21 09:34:16: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xxx.230.37,
local_proxy= xx.xxx.59.12/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xxx.230.37,
local_proxy= xx.xxx.59.12/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 21 09:34:16: ISAKMP:(2242): IPSec policy invalidated proposal with error 32
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 2
...
more proposals...(each with "ISAKMP:(2242):atts are acceptable." - ?!?
at the end I get this:
...
*Jan 21 09:34:16: ISAKMP:(2242): phase 2 SA policy not acceptable! (local xx.xxx.59.12 remote xx.xxx.230.37)
*Jan 21 09:34:16: ISAKMP: set new node -1062817036 to QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2233179104, message ID = -1062817036
*Jan 21 09:34:16: ISAKMP:(2242): sending packet to xx.xxx.230.37 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242):Sending an IKE IPv4 Packet.
*Jan 21 09:34:16: ISAKMP:(2242):purging node -1062817036
*Jan 21 09:34:16: ISAKMP:(2242):deleting node 1388603735 error TRUE reason "QM rejected"
*Jan 21 09:34:16: ISAKMP:(2242):Node 1388603735, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jan 21 09:34:16: ISAKMP:(2210):purging node -579202533
*Jan 21 09:34:20: ISAKMP:(2241):purging node 1499311114
The complete config is attached... I would be grateful for any hint.... Thanks!
Jure
Last edited by putimir; 21st January 2010 at 13:29. Reason: Attached router config
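The router config this post refers to is attached to the forum post and not reproduced on the page, so what follows is an added reference layout (my own example, not the poster's configuration and not a claimed fix for it) showing how a static site-to-site entry and a dynamic entry for Cisco VPN clients share one crypto map on IOS. The debug above shows the transform attributes being accepted (`atts are acceptable`) and the rejection happening only when IOS walks the crypto map looking for an entry that can take the client's proxy identities (`map_db_check_isakmp_profile profile did not match`, `map_db_find_best did not find matching map`, `proxy identities not supported`). A crypto map entry bound to an ISAKMP profile with `set isakmp-profile` is considered only for IKE SAs that were negotiated under that same profile, so in this layout the profile selected by the client's group name and the profile on the dynamic map entry are one and the same. All names, interface names, addresses (RFC 5737 / RFC 1918 ranges) and the `<...>` key placeholders are hypothetical and must be replaced with real values before use; the EZVPN client part of the poster's setup is omitted.

```cisco
! --- AAA lists used by the remote-access ISAKMP profile (hypothetical names) ---
aaa new-model
aaa authentication login RA-AUTHEN local
aaa authorization network RA-AUTHOR local
username vpnuser secret <user-password>
!
! --- IKE phase 1 policy shared by site-to-site peers and VPN clients ---
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key for the site-to-site peer (example address)
crypto isakmp key <site-psk> address 203.0.113.10
!
! Remote-access group: the group name and key are the only things the
! Cisco VPN client is configured with; mode-config hands out the pool address
crypto isakmp client configuration group REMOTE-USERS
 key <group-psk>
 pool RA-POOL
 acl SPLIT-RA
 dns 192.168.1.1
!
ip local pool RA-POOL 192.168.10.100 192.168.10.200
!
! Profile selected for IKE SAs whose identity is the group name above.
! The dynamic map entry further down is bound to this same profile.
crypto isakmp profile RA-PROFILE
 match identity group REMOTE-USERS
 client authentication list RA-AUTHEN
 isakmp authorization list RA-AUTHOR
 client configuration address respond
!
! Transform sets: the client in the debug proposes ESP-AES-256 / HMAC-MD5 in
! Tunnel-UDP (NAT-T) encapsulation, so the dynamic entry must offer a matching set
crypto ipsec transform-set RA-TS esp-aes 256 esp-md5-hmac
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
!
! Dynamic entry: no "match address"; the client's proxy IDs (its assigned
! address /32) are accepted as sent, and reverse-route injects a host route for it
crypto dynamic-map DYN-RA 10
 set transform-set RA-TS
 set isakmp-profile RA-PROFILE
 reverse-route
!
! One crypto map: static site-to-site entries first (low sequence numbers),
! the dynamic entry last (highest sequence number) so it is the fallback
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set S2S-TS
 match address S2S-TO-BRANCH
crypto map VPN 65535 ipsec-isakmp dynamic DYN-RA
!
! "Interesting traffic" for the static entry, and the split-tunnel list pushed to clients
ip access-list extended S2S-TO-BRANCH
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SPLIT-RA
 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT exemption: LAN traffic to the branch and to the client pool must not be translated,
! otherwise it never matches the IPsec proxy identities
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
!
interface Vlan1
 ip nat inside
!
interface FastEthernet0
 ip nat outside
 crypto map VPN
```

`show crypto isakmp sa detail` shows which ISAKMP profile (if any) an IKE SA was negotiated under, which is the first thing to compare against the `set isakmp-profile` on the dynamic entry when `profile did not match` appears in the debug. If the site-to-site peers are also matched by an ISAKMP profile (for example via `match identity address`), their static entries need their own `set isakmp-profile` binding as well, since the profile check is done per crypto map entry. The dynamic entry deliberately has no `match address`: the client's mode-config address (192.168.10.47/32 in the debug) arrives as the remote proxy identity, and it is `reverse-route` that makes it reachable from the LAN.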
#2
Your debug is telling you that your VPN client is not configured correctly and there isn't a match for Phase 2 profiles. The relevant debug lines are these:
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
Make sure your profile on the client matches what is configured on the firewall.
__________________
Scott Pickles, Systems Engineer, VPN Systems, Inc., www.vpnsystems.com
CCNA - CCDA - BCMSN
#3
Hi, thanks for replying, but first: there is nothing to be configured on the Cisco VPN client regarding transform sets, only the group name and group pre-shared key, and additionally, as far as I understand, the attributes ARE acceptable (ISAKMP
...?
#4
Right, sorry, that is the line of thinking for my remote clients on the Netscreen firewall (we use both Netscreen and PIX/ASA). Refer to this post and see if it helps you:
http://www.petri.co.il/forums/showthread.php?t=34350
Make sure your ACL is properly defining the 'interesting traffic' for this connection.
__________________
Scott Pickles, Systems Engineer, VPN Systems, Inc., www.vpnsystems.com
CCNA - CCDA - BCMSN