I also had this error:
[detailed info] [error] MAIN_MODE exchange terminated - IPsec exchange error threshold exceeded
[detailed info] [error] QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed
[error] Failed to validate QUICK mode payloads
[error] policy mismatch
[remote proposal] protocol: ESP spi(4): |bdeb33cb| protocol: ESP, version: 1, encryption: AES:256, integ: SHA1, ESN: OFF, encapsulation: TUNNEL
[local policy] protocol: ESP, zone: 1, options: [ESN], version: 1, encryption: AES:256, integ: SHA1, ESN: ON, encapsulation: TUNNEL
(The difference in the outputs is bolded and underlined)
I believe ESN means "Extended sequence numbers". On the McAfee firewall this is ON and I believe there is a way to turn it off via the GUI. You could also try turning it ON via the Cisco side and the tunnel should connect.
OK, I turned it off, and now I have this error:
[detailed info] [error] QUICK_MODE exchange processing failed [error] invalid request for QUICK_MODE exchange, no IKE SA exists which matches request
Thanks for all the help
"Quick Mode" is for phase 2. The error "invalid request for QUICK_MODE exchange, no IKE SA exists which matches request" means that there is no phase 1 Security Association (IKE SA) for this phase 2 packet. This means the other side of the tunnel has a phase 1 SA already and is trying to do phase 2. Restart the tunnel on the far side and they should start the IPsec process over.
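Both failures diagnosed in this thread (the ESN mismatch between the remote proposal and the local policy, and the Quick Mode request arriving with no matching IKE SA) can be picked out of the McAfee IKE log mechanically. The Python below is an added example, not code from the thread or from McAfee: it parses the "[remote proposal]" and "[local policy]" lines quoted above into key/value attributes, reports every attribute where the peer's proposal differs from the local policy, and flags the missing-phase-1 case. The sample log lines are copied from the posts above; the function names (parse_attrs, find_policy_mismatches, diagnose) are the example's own.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Log lines copied from the thread above: the policy-mismatch failure
# as seen on the McAfee side before ESN was changed.
SAMPLE_LOG_MISMATCH = [
    "[detailed info] [error] MAIN_MODE exchange terminated - IPsec exchange error threshold exceeded",
    "[detailed info] [error] QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed",
    "[error] Failed to validate QUICK mode payloads",
    "[error] policy mismatch",
    "[remote proposal] protocol: ESP spi(4): |bdeb33cb| protocol: ESP, version: 1, "
    "encryption: AES:256, integ: SHA1, ESN: OFF, encapsulation: TUNNEL",
    "[local policy] protocol: ESP, zone: 1, options: [ESN], version: 1, "
    "encryption: AES:256, integ: SHA1, ESN: ON, encapsulation: TUNNEL",
]

# The second error from the thread, after ESN was turned off.
SAMPLE_LOG_NO_IKE_SA = [
    "[detailed info] [error] QUICK_MODE exchange processing failed [error] invalid request "
    "for QUICK_MODE exchange, no IKE SA exists which matches request",
]

# "key: value" pairs; the key has no spaces, the value runs to the next space.
# Values such as AES:256 contain a colon but no ": " so they stay intact.
ATTR_RE = re.compile(r"(\S+?): (\S+)")


def parse_attrs(line: str) -> Dict[str, str]:
    """Turn a 'key: value, key: value' log line into a dict (trailing commas stripped)."""
    return {key: value.rstrip(",") for key, value in ATTR_RE.findall(line)}


def find_policy_mismatches(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {attribute: (remote_value, local_value)} for attributes that both
    sides state but disagree on. Attributes only one side lists (spi, zone,
    options) are not comparable and are ignored."""
    remote = local = None
    for line in lines:
        if line.startswith("[remote proposal]"):
            remote = parse_attrs(line)
        elif line.startswith("[local policy]"):
            local = parse_attrs(line)
    if remote is None or local is None:
        return {}
    return {
        key: (remote[key], local[key])
        for key in remote
        if key in local and remote[key] != local[key]
    }


def diagnose(lines: Iterable[str]) -> List[str]:
    """Produce human-readable hints for the two failure modes from the thread."""
    lines = list(lines)
    text = "\n".join(lines)
    hints: List[str] = []
    if "policy mismatch" in text:
        for key, (remote_v, local_v) in sorted(find_policy_mismatches(lines).items()):
            hints.append(
                f"phase 2 policy mismatch on {key}: peer proposes {remote_v}, "
                f"local policy requires {local_v}; align the setting on one side"
            )
    if "no IKE SA exists which matches request" in text:
        hints.append(
            "phase 2 (Quick Mode) request arrived with no matching phase 1 (IKE) SA: "
            "restart the tunnel on the peer so it redoes Main Mode first"
        )
    return hints


if __name__ == "__main__":
    for hint in diagnose(SAMPLE_LOG_MISMATCH) + diagnose(SAMPLE_LOG_NO_IKE_SA):
        print(hint)
```

Because the comparison is over every attribute present on both sides rather than ESN alone, the same function will surface an encryption, integrity or encapsulation-mode disagreement printed in this log format.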
I restarted my MFE and it works, thanks.