A VPN was set up recently between a Cisco router and a Check Point firewall. It seemed like a simple task, but "IPSec policy invalidated proposal with error 32" made me go through all of the troubleshooting steps shown below.
Other examples of troubleshooting IPSec VPN issues:
- Troubleshooting Cisco IPSec Site to Site VPN – “reason: Unknown delete reason!” after Phase 1 Completed
- Troubleshooting Cisco IPSec Site to Site VPN – “IPSec policy invalidated proposal with error 32”
Topology is quite simple:
The remote site uses a Check Point firewall as its VPN gateway, and it has been used for all kinds of VPN connections.
Here is my original VPN configuration:
interface GigabitEthernet0/0
 ip address 19.24.11.142 255.255.255.0
 duplex auto
 speed auto
 crypto map vpn
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco123 address 19.9.17.1
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VPN-Set ah-sha-hmac esp-3des
!
crypto map vpn 10 ipsec-isakmp
 description VPN VPN
 set peer 198.96.178.1
 set transform-set VPN-Set
 set pfs group2
 match address VPN-VPN
ip access-list extended VPN-VPN
The Check Point firewall is at the remote site and I am not managing it. From the information collected, here is what the Check Point configuration looks like:
- Center gateways: the object representing the Check Point enforcement point
- Satellite gateways: the object representing the Cisco router (CiscoVPN)
- Encryption:
  - Encryption Method: IKEv1 Only
  - Encryption Suite: Custom with the following properties
    - IKE (Phase 1) Properties
      - Perform key exchange encryption with: 3DES
      - Perform data integrity with: SHA-1
    - IPSec (Phase 2) Properties
      - Perform IPSec data encryption with: 3DES
      - Perform data integrity with: SHA-1
- Tunnel Management: VPN Tunnel sharing: One VPN tunnel per subnet pair
- Advanced settings
  - VPN Routing: To center only
  - Shared Secret: Use only Shared Secret for all external members, then add the shared secret to CiscoVPN
  - Advanced VPN Properties: IKE (Phase 1): Use Diffie-Hellman Group: Group 2
This looks quite straightforward and should not hold any surprises.
Unfortunately the tunnel did not come up as expected. I got the following debug messages:
000421: Apr 26 21:40:20.568 EDT: ISAKMP (0): received packet from 19.9.17.1 dport 500 sport 500 Global (N) NEW SA
000422: Apr 26 21:40:20.568 EDT: ISAKMP: Created a peer struct for 19.9.17.1, peer port 500
000423: Apr 26 21:40:20.568 EDT: ISAKMP: New peer created peer = 0x2B149B28 peer_handle = 0x8000000D
000424: Apr 26 21:40:20.568 EDT: ISAKMP: Locking peer struct 0x2B149B28, refcount 1 for crypto_isakmp_process_block
000425: Apr 26 21:40:20.568 EDT: ISAKMP: local port 500, remote port 500
000426: Apr 26 21:40:20.568 EDT: ISAKMP:(0):insert sa successfully sa = 2A25BEAC
000427: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000428: Apr 26 21:40:20.568 EDT: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
000429: Apr 26 21:40:20.568 EDT: ISAKMP:(0): processing SA payload. message ID = 0
000451: Apr 26 21:40:20.588 EDT: ISAKMP:(0): processing vendor id payload
000457: Apr 26 21:40:20.588 EDT: ISAKMP:(0): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
000461: Apr 26 21:40:20.616 EDT: ISAKMP (0): received packet from 19.9.17.1 dport 500 sport 500 Global (R) MM_SA_SETUP
000464: Apr 26 21:40:20.620 EDT: ISAKMP:(0): processing KE payload. message ID = 0
000469: Apr 26 21:40:20.644 EDT: ISAKMP:(1006): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
000473: Apr 26 21:40:20.676 EDT: ISAKMP (1006): received packet from 19.9.17.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
000476: Apr 26 21:40:20.680 EDT: ISAKMP:(1006): processing ID payload. message ID = 0
000485: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
000492: Apr 26 21:40:20.680 EDT: ISAKMP:(1006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
000494: Apr 26 21:40:20.708 EDT: ISAKMP (1006): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
R-IPSEC1#show crypto isakmp sa
The debug shows "IPSec policy invalidated proposal with error 32", which does not give enough detail to conclude the cause. The situation described in L2L VPN TroubleShooting: "IPSec policy invalidated proposal with error 32" does not apply to me.
On second thought, I suspected it might relate to the access-lists not being mirrored on both ends, since that is a common issue between Check Point and Cisco. The remote site's VPN may use a wider encryption domain, such as a /24 network, while I was using /32. So I changed my access-list to the following:
R-IPSEC1(config-ext-nacl)#do sh access-list VPN-VPN
Extended IP access list VPN-VPN
    50 permit ip host 19.24.11.245 19.9.17.0 0.0.0.255
    60 permit ip host 19.24.11.53 19.9.17.0 0.0.0.255
This got a slightly better result, but still similar messages:
001319: Apr 26 22:26:41.310 EDT: ISAKMP:(1010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001320: Apr 26 22:26:41.310 EDT: ISAKMP:(1010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001321: Apr 26 22:26:41.362 EDT: ISAKMP (1010): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001343: Apr 26 22:26:41.366 EDT: ISAKMP:(1010):purging node 1666670311
On third thought, after discussing with the remote firewall administrator, I changed my access-list again to include everything, since his encryption domain includes both the specific IP and the whole network.
R-IPSEC1(config-ext-nacl)#do show access-list VPN-VPN
Extended IP access list VPN-VPN
    110 permit ip host 19.24.11.53 host 19.9.17.41
    120 permit ip host 19.24.11.245 host 19.9.17.41
    130 permit ip host 19.24.11.53 19.9.17.0 0.0.0.255
    140 permit ip host 19.24.11.245 19.9.17.0 0.0.0.255
The debug output shows much more detail this time:
001565: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
001566: Apr 26 22:40:20.200 EDT: ISAKMP (1012): ID payload next-payload : 8 type : 1 address : 19.24.11.142 protocol : 17 port : 500 length : 12
001567: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Total payload length: 12
001568: Apr 26 22:40:20.200 EDT: ISAKMP:(1012): sending packet to 19.9.17.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
001569: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Sending an IKE IPv4 Packet.
001570: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
001571: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
001572: Apr 26 22:40:20.200 EDT: ISAKMP:(1012):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001574: Apr 26 22:40:20.264 EDT: ISAKMP (1012): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
The message "IPSEC(ipsec_process_proposal): transform proposal not supported for identity: {esp-3des esp-sha-hmac }" shows that I used the wrong transform set: I was using ah-sha-hmac, while the peer proposes esp-sha-hmac.
Quickly changed to esp-sha-hmac:
crypto ipsec transform-set VPN-Set esp-3des esp-sha-hmac
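As an added example (not part of the original post), here is a small Python checker for the two mismatches this post walks through: an AH transform on the Cisco side against a Check Point peer that proposes ESP only, and a crypto ACL that is not the mirror image of the peer's encryption domain. The Check Point property spellings, the mapping table to IOS transform keywords, and the peer's encryption-domain entries are assumptions.

```python
import ipaddress

# Check Point Phase 2 property -> Cisco IOS transform keyword (assumed mapping).
# Check Point builds ESP proposals only, so an 'ah-*' transform on the Cisco
# side can never match its Phase 2 proposal.
CP_ENC_TO_IOS = {"3des": "esp-3des", "aes-128": "esp-aes"}
CP_INTEG_TO_IOS = {"sha-1": "esp-sha-hmac", "md5": "esp-md5-hmac"}

def check_transform_set(config_line, cp_encryption, cp_integrity):
    """Compare 'crypto ipsec transform-set NAME t1 t2' with the peer's Phase 2
    settings. Returns a list of findings; empty means the set should match."""
    words = config_line.split()
    name, transforms = words[3], words[4:]
    want = [CP_ENC_TO_IOS[cp_encryption.lower()], CP_INTEG_TO_IOS[cp_integrity.lower()]]
    findings = [f"{name}: '{t}' is AH, but the peer proposes ESP only"
                for t in transforms if t.startswith("ah-")]
    if sorted(transforms) != sorted(want):
        findings.append(f"{name}: have {transforms}, peer expects {want}")
    return findings

def _addr(tokens):
    """Consume one ACE address ('host A' or 'NET WILDCARD'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # ipaddress accepts a wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_acl(lines):
    """Turn 'permit ip <src> <dst>' ACEs (optional sequence number) into (src, dst) pairs."""
    pairs = set()
    for line in lines:
        tok = line.split()
        if tok and tok[0].isdigit():
            tok = tok[1:]
        if tok[:2] != ["permit", "ip"]:
            continue
        src, rest = _addr(tok[2:])
        dst, _ = _addr(rest)
        pairs.add((src, dst))
    return pairs

def unmirrored(local_pairs, peer_pairs):
    """Proxy-IDs on either side that have no exact mirror image on the other side."""
    peer_mirror = {(d, s) for s, d in peer_pairs}
    local_mirror = {(d, s) for s, d in local_pairs}
    return sorted(local_pairs - peer_mirror), sorted(peer_pairs - local_mirror)
```

Feeding the post's original transform-set line with the Check Point values 3DES and SHA-1 returns two findings (one for the AH transform, one for the overall mismatch), while the corrected line returns none; the /32-only ACL from the second attempt shows up in `unmirrored` against a peer domain that also carries the /24.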
This time the VPN tunnel finally came fully up in both phase 1 and phase 2. In the output of "show crypto ipsec sa", the encrypt and decrypt counters increase when testing.
001701: Apr 26 22:46:39.512 EDT: ISAKMP:(1013):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
001702: Apr 26 22:46:39.512 EDT: ISAKMP:(1013):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
001703: Apr 26 22:46:39.560 EDT: ISAKMP (1013): received packet from 19.9.17.1 dport 500 sport 500 Global (R) QM_IDLE
001741: Apr 26 22:46:39.612 EDT: IPSEC(create_sa): sa created,
Debugging Command:
- debug crypto engine—Displays debug messages about crypto engines, which perform encryption and decryption.
- debug crypto isakmp—Displays messages about IKE events.
- debug crypto ipsec—Displays IPSec events.
- clear crypto isakmp—Clears all active IKE connections.
- clear crypto sa—Clears all IPSec SAs.
- IPSEC1#show crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  19.24.11.142    19.9.17.1       QM_IDLE           1014 ACTIVE
  19.24.11.142    19.9.17.1       QM_IDLE           1013 ACTIVE
- clear crypto isakmp 1013—Clears the IKE SA with connection id 1013.
Reference:
1. L2L VPN TroubleShooting: "IPSec policy invalidated proposal with error 32"
2. Configuring an IPSec Tunnel Between a Cisco Router and a Checkpoint NG
3. IPSec Troubleshooting: Problem Scenarios Part 1