VPN IPSec VTI interface with Cisco router


Hi,

I currently have an established VyOS IPsec VPN with a VTI interface to our client (Cisco).
Then we route traffic by BGP peering.

My issue is that the link is established for a few hours, then IPsec phase 2 suddenly goes down.

From the Cisco log:

ISAKMP: (1084):Checking IPSec proposal 1
ISAKMP: (1084):transform 1, ESP_AES 
ISAKMP: (1084):   attributes in transform:
ISAKMP: (1084):      encaps is 1 (Tunnel)
ISAKMP: (1084):      SA life type in seconds
ISAKMP: (1084):      SA life duration (basic) of 3600
ISAKMP: (1084):      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 
ISAKMP: (1084):      authenticator is HMAC-SHA256
ISAKMP: (1084):      key length is 256
ISAKMP: (1084):      group is 2
ISAKMP: (1084):atts are acceptable.
ISAKMP-ERROR: (1084):IPSec policy invalidated proposal with error 32
ISAKMP-ERROR: (1084):phase 2 SA policy not acceptable! (local x.x.x.x remote x.x.x.x)

From the VyOS log:

 packet from x.x.x.x:500: Informational Exchange is for an unknown (expired?) SA
"peer-x.x.x.x-tunnel-vti" #14: responding to Quick Mode
"peer-x.x.x.x-tunnel-vti" #11: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"peer-x.x.x.x-tunnel-vti" #14: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #15: responding to Quick Mode
"peer-x.x.x.x-tunnel-vti" #11: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"peer-x.x.x.x-tunnel-vti" #14: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #15: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #15: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #14: max number of retransmissions (2) reached STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #15: max number of retransmissions (2) reached STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #10 {using isakmp#11}
"peer-x.x.x.x-tunnel-vti" #11: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"peer-x.x.x.x-tunnel-vti" #17: initiating Main Mode to replace #11
"peer-x.x.x.x-tunnel-vti" #17: received Vendor ID payload [RFC 3947]
"peer-x.x.x.x-tunnel-vti" #17: enabling possible NAT-traversal with method 3
"peer-x.x.x.x-tunnel-vti" #17: ignoring Vendor ID payload [Cisco-Unity]
"peer-x.x.x.x-tunnel-vti" #17: received Vendor ID payload [Dead Peer Detection]
"peer-x.x.x.x-tunnel-vti" #17: ignoring Vendor ID payload [3b175b4b775b1bd479626959ad0631e8]
"peer-x.x.x.x-tunnel-vti" #17: received Vendor ID payload [XAUTH]
"peer-x.x.x.x-tunnel-vti" #17: NAT-Traversal: Result using RFC 3947: no NAT detected
"peer-x.x.x.x-tunnel-vti" #17: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"peer-x.x.x.x-tunnel-vti" #17: Peer ID is ID_IPV4_ADDR: 'x.x.x.x'
"peer-x.x.x.x-tunnel-vti" #17: ISAKMP SA established
"peer-x.x.x.x-tunnel-vti" #16: max number of retransmissions (2) reached STATE_QUICK_I1
"peer-x.x.x.x-tunnel-vti" #10: IPsec SA expired (LATEST!)
"peer-x.x.x.x-tunnel-vti" #18: responding to Quick Mode
"peer-x.x.x.x-tunnel-vti" #17: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"peer-x.x.x.x-tunnel-vti" #18: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #18: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #19: responding to Quick Mode

After I do "restart vpn" on the VyOS router the IPsec phase 2 SA is up, but only for a few hours.
Please advise.
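The VyOS (pluto) log above shows phase 1 completing while every Quick Mode exchange is answered with NO_PROPOSAL_CHOSEN or times out. As an added example (not part of the original post), this small script groups such log lines by connection and SA state number and turns the counters into a verdict that separates a phase 2 proposal rejection from a phase 2 timeout; the sample lines are constructed after the ones in the post and the verdict strings are my own labels.

```python
import re
from collections import Counter

# Constructed sample, modelled on the VyOS/pluto lines quoted in the post above.
VYOS_LOG = """\
"peer-x.x.x.x-tunnel-vti" #14: responding to Quick Mode
"peer-x.x.x.x-tunnel-vti" #11: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"peer-x.x.x.x-tunnel-vti" #14: discarding duplicate packet; already STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #14: max number of retransmissions (2) reached STATE_QUICK_R1
"peer-x.x.x.x-tunnel-vti" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #10 {using isakmp#11}
"peer-x.x.x.x-tunnel-vti" #17: ISAKMP SA established
"peer-x.x.x.x-tunnel-vti" #10: IPsec SA expired (LATEST!)
"""

# pluto prefixes every per-SA message with the connection name and a state number "#N:"
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')


def analyse_pluto_log(text):
    """Count phase 1 / phase 2 events per connection name; returns {conn: Counter}."""
    summary = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without a state number ("packet from ...") carry no SA context
        s = summary.setdefault(m["conn"], Counter())
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            s["phase1_ok"] += 1                 # main mode finished
        elif "Quick Mode" in msg:
            s["phase2_attempts"] += 1           # "responding to" or "initiating" Quick Mode
        elif "NO_PROPOSAL_CHOSEN" in msg:
            s["proposal_rejected"] += 1         # peer rejected our phase 2 proposal
        elif "max number of retransmissions" in msg and "STATE_QUICK" in msg:
            s["phase2_timeouts"] += 1           # Quick Mode never completed
        elif "IPsec SA expired" in msg:
            s["child_sa_expired"] += 1          # old child SA gone, tunnel is now dark
    return summary


def diagnose(s):
    """One-line verdict for one connection's counters (labels are this example's own)."""
    if s["proposal_rejected"]:
        return "phase2-proposal-rejected"   # phase 1 fine, peer refuses the ESP/PFS/lifetime proposal
    if s["phase2_timeouts"]:
        return "phase2-no-response"         # proposals sent but nothing comes back
    if s["child_sa_expired"] and not s["phase2_attempts"]:
        return "no-rekey-attempted"
    return "healthy"
```

Run over a longer capture, a verdict of "phase2-proposal-rejected" on every rekey cycle points at the peer-side phase 2 policy (transforms, PFS group, lifetimes, or a policy in front of the peer) rather than at IKE phase 1.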

Hi @zakwan ,
Try changing the IKE lifetime.
If that doesn’t help, attach your Cisco and VyOS configs and we’ll see.

Hi Nikolay,

Our client found the issue in their firewall policy. The issue is now resolved.

Thank you.
