02-25-2010 08:37 AM
This is an information post I wanted to share since I looked all over the net for days to get this VPN sorted out. The issue was setting up a VPN on an IOS router that used a VTI rather than a crypto map. The main issue I had was that the 5gt was rejecting the Phase 1 messaging, claiming an invalid peer gateway. The solution was that I had to enable the proxy ID and set local and remote to 0.0.0.0/0. Once I did that, the VPN came right up. It was odd that a Phase 2 setting needed to be enabled for Phase 1 to pass.
Relevant config excerpts:
Cisco 857w: c850-advsecurityk9-mz.124-6.T5.bin
crypto isakmp policy 10
crypto isakmp key $KEY address XXX.XXX.XXX.XXX
crypto isakmp keepalive 10
crypto ipsec transform-set RTRtun esp-3des esp-sha-hmac
crypto ipsec profile VTI
set transform-set RTRtun
ip address 10.10.10.2 255.255.255.248
ip mtu 1400
tunnel source Dialer1
tunnel destination XXX.XXX.XXX.XXX
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
Netscreen 5gt: 6.2r1.0
set interface "tunnel.2" zone "Trust"
set interface tunnel.2 ip 10.10.10.1/29
set interface tunnel.2 mtu 1400
set ike gateway "home" address $HOSTNAME Aggr outgoing-interface "trust" preshare "fV4RTVKXN/lCSssS+nCQGFIjv9nRQLhgkA==" sec-level compatible
set vpn "home-VPN" gateway "home" no-replay tunnel idletime 0 sec-level compatible
set vpn "home-VPN" monitor rekey
set vpn "home-VPN" id 0x2 bind interface tunnel.2
set vpn "home-VPN" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
set route 192.168.16.0/24 interface tunnel.2
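As an added illustration (not part of the original post), a small Python check over ScreenOS `set vpn` lines that flags a route-based VPN bound to a tunnel interface without the any/any proxy-id the post describes; the sample reuses the posted "home-VPN" lines, while the "branch-VPN" entry is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's working ScreenOS excerpt plus a second,
# hypothetical VPN ("branch-VPN") bound to a tunnel interface without a proxy-id.
SAMPLE_CONFIG = """
set interface tunnel.2 ip 10.10.10.1/29
set vpn "home-VPN" gateway "home" no-replay tunnel idletime 0 sec-level compatible
set vpn "home-VPN" monitor rekey
set vpn "home-VPN" id 0x2 bind interface tunnel.2
set vpn "home-VPN" proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 "ANY"
set vpn "branch-VPN" gateway "branch" no-replay tunnel idletime 0 sec-level compatible
set vpn "branch-VPN" id 0x3 bind interface tunnel.3
"""

VPN_LINE = re.compile(r'^set vpn "(?P<name>[^"]+)" (?P<rest>.*)$')
BIND_RE = re.compile(r'bind interface (\S+)')
PROXY_RE = re.compile(r'proxy-id local-ip (\S+) remote-ip (\S+) "(?P<svc>[^"]+)"')

def parse_vpns(config: str) -> dict:
    """Return {vpn_name: {"bind": iface_or_None, "proxy": (local, remote, svc) or None}}."""
    vpns = defaultdict(lambda: {"bind": None, "proxy": None})
    for line in config.splitlines():
        m = VPN_LINE.match(line.strip())
        if not m:
            continue  # not a "set vpn" line
        entry = vpns[m["name"]]
        rest = m["rest"]
        if b := BIND_RE.search(rest):
            entry["bind"] = b.group(1)
        if p := PROXY_RE.search(rest):
            entry["proxy"] = (p.group(1), p.group(2), p["svc"])
    return dict(vpns)

def check_route_based_vpns(config: str) -> list:
    """Flag VPNs bound to a tunnel.N interface that lack the
    0.0.0.0/0 <-> 0.0.0.0/0 ANY proxy-id a Cisco IOS VTI peer negotiates."""
    findings = []
    for name, e in parse_vpns(config).items():
        if not (e["bind"] and e["bind"].startswith("tunnel.")):
            continue  # not bound to a tunnel interface; out of scope here
        if e["proxy"] is None:
            findings.append(f'{name}: bound to {e["bind"]} but no proxy-id set')
        elif e["proxy"] != ("0.0.0.0/0", "0.0.0.0/0", "ANY"):
            findings.append(f'{name}: proxy-id {e["proxy"]} is narrower than the any/any a VTI peer sends')
    return findings
```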
11-02-2010 06:06 PM
I have been pulling my hair out on this Cisco VTI issue until I came across your post. Thanks for telling us the Proxy-ID needed to be set Local-ID 0.0.0.0/0, Remote-ID 0.0.0.0/0, Service "ANY." Count this as a "solved" point.