Tunnel Establishment Fails at Phase II

After Phase I is established, the two peers negotiate with each other to create the IPsec SA. If the Phase II (quick mode) negotiation fails, no IPsec SA is established. The following steps help you troubleshoot a Phase II failure:

Step 1.
Check for IPsec transform set mismatches between peers.

If the IPsec transform sets configured on the two peers do not match, quick mode negotiation fails. Verify the IPsec SA negotiation with the show crypto ipsec sa command. Example 6-14 shows the output of debug crypto isakmp on the initiator router, which fails in quick mode because of a transform set mismatch; the mismatch produces the "SA not acceptable" message.
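As an added illustration that is not part of the book's Example 6-14, the following constructed configuration shows the condition this step looks for: Peer A proposes one transform set, Peer B is configured with a different one (so quick mode fails with "SA not acceptable"), and then Peer B is corrected so the algorithms and mode match. The set names, peer addresses and ACL number are assumed.

```cisco
! --- Peer A (initiator), constructed example ---
! Proposes ESP with AES-256 encryption and SHA-1 integrity, tunnel mode.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address 101
!
! --- Peer B (responder), MISMATCH ---
! Only 3DES/MD5 is configured, so none of Peer A's proposals is
! acceptable and quick mode fails ("SA not acceptable" in debug).
crypto ipsec transform-set TS-3DES esp-3des esp-md5-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-3DES
 match address 101
!
! --- Peer B (responder), CORRECTED ---
! The set name does not have to match Peer A's; the ESP algorithms
! and the mode (tunnel/transport) do.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES
 match address 101
```

Compare the output of show crypto ipsec transform-set on both peers: a peer may list several sets in its crypto map entry, and quick mode succeeds as long as at least one set has the same algorithms and mode on both sides.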