Solved

VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi,

We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.

We are getting the errors below. Can someone help us resolve this?


Number:                         3232715
Date:                              19Aug2010
Time:                              16:10:22
Product:                         VPN-1 Power/UTM
VPN Feature:                  IKE
Interface:                        daemon
Origin:                            core1260a
Type:                              Log
Action:                            Key Install
Source:                          core1260a (192.x.x.x)
Destination:                   Partygaming-Devel (203.x.x.x)
Encryption Scheme:      IKE
VPN Peer Gateway:       Partner-Devel (203.x.x.x)
IKE Initiator Cookie:       1cf3a97ebdae0396
Information:                   IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct:                   VPN



and

Number:                         3245614
Date:                              19Aug2010
Time:                              16:14:13
Product:                         VPN-1 Power/UTM
VPN Feature:                  IKE
Interface:                        daemon
Origin:                            core1260a
Type:                              Log
Action:                            Reject
Source:                          Partygaming-Devel (203.x.x.x)
Destination:                   core1260a (192.x.x.x)
Encryption Scheme:      IKE
VPN Peer Gateway:       Partner-Devel (203.x.x.x)
Information:                   IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason:              IKE failure
Subproduct:                   VPN


ASA Debug Logs

Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

SENDING PACKET to 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 360
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 248
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 236
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 6
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 02 58
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 6d 60
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 a8 c0
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00    |  ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c    |  ....u......(....
00 00 00 00 01 00 00 0e                            |  ........

 RECV PACKET from 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 7587D3CF
  Length: 40
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    DOI: Isakmp
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 0
    Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed

Question by:amitabhg
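The 40-byte "IKE Recv RAW packet dump" in the question is the whole answer the peer sent: an ISAKMP header with a zero responder cookie, followed by a single Notification payload. The decoder below is an added example, not code from the original thread or from either vendor. The byte string is transcribed from that dump, the field layouts follow RFC 2408, and the name tables carry only a handful of the registered values. It also shows why the ASA logged "Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping": the notify is not protected by any ISAKMP SA, so it can only be treated as a hint.

```python
"""Decode the raw ISAKMP (IKEv1) datagram that the ASA logged above.

Added example, not code from the original thread.  The byte string is
transcribed from the "IKE Recv RAW packet dump" in the question; field
layouts follow RFC 2408 (fixed header, generic payload header, Notification).
"""
import struct

# Transcribed from the question's raw dump: 28-byte header + 12-byte Notification payload
RAW_NOTIFY = bytes.fromhex(
    "1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00 "
    "0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c "
    "00 00 00 00 01 00 00 0e"
)

PAYLOAD_NONE, PAYLOAD_NOTIFY = 0, 11
PAYLOAD_NAMES = {1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID", 8: "HASH",
                 10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VENDOR"}
EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
# Subset of the RFC 2408 section 3.14.1 error notify types
NOTIFY_NAMES = {1: "INVALID_PAYLOAD_TYPE", 4: "INVALID_COOKIE", 14: "NO_PROPOSAL_CHOSEN",
                16: "PAYLOAD_MALFORMED", 18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}
FLAG_ENCRYPTION = 0x01  # bit 0 of Flags: set once the ISAKMP SA protects the exchange


def parse_notify(body: bytes) -> dict:
    """Notification body: DOI(4) Protocol-ID(1) SPI size(1) Notify type(2) SPI(n) data."""
    if len(body) < 8:
        raise ValueError("truncated Notification payload")
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if 8 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    return {"doi": doi, "protocol_id": proto, "spi": body[8:8 + spi_size].hex(),
            "notify_type": ntype, "notify_name": NOTIFY_NAMES.get(ntype, f"type {ntype}")}


def parse_isakmp(raw: bytes) -> dict:
    """Parse the fixed header, then walk the payload chain checking every length field."""
    if len(raw) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header length {length} != datagram length {len(raw)}")
    header = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_NAMES.get(exch, f"type {exch}"),
        "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid, "length": length,
    }
    payloads, offset = [], 28
    while nxt != PAYLOAD_NONE:
        if offset + 4 > len(raw):
            raise ValueError("truncated generic payload header")
        nxt_next, _reserved, plen = struct.unpack("!BBH", raw[offset:offset + 4])
        if plen < 4 or offset + plen > len(raw):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = raw[offset + 4:offset + plen]
        entry = {"type": PAYLOAD_NAMES.get(nxt, f"type {nxt}")}
        if nxt == PAYLOAD_NOTIFY:
            entry.update(parse_notify(body))
        payloads.append(entry)
        offset, nxt = offset + plen, nxt_next
    if offset != len(raw):
        raise ValueError("trailing bytes after last payload")
    return {"header": header, "payloads": payloads}


def notify_is_authenticated(msg: dict) -> bool:
    """True only if the notify arrived under an established, encrypted ISAKMP SA.

    A cleartext notify with a zero responder cookie, which is what the ASA received
    here, is unauthenticated: anyone who saw the initiator cookie on the wire could
    have sent it, so a peer should log it but not tear down state on its strength.
    """
    hdr = msg["header"]
    return hdr["encrypted"] and hdr["responder_cookie"] != "00" * 8


if __name__ == "__main__":
    decoded = parse_isakmp(RAW_NOTIFY)
    print(decoded["header"])
    for payload in decoded["payloads"]:
        print(payload)
    print("authenticated:", notify_is_authenticated(decoded))
```

Run it and the payload line reads type NOTIFY, protocol_id 1 (PROTO_ISAKMP), notify_type 14 (NO_PROPOSAL_CHOSEN), matching the ASA's own decode; the header shows exchange type 5 (Informational), message ID 0x7587d3cf and an empty Flags byte, so `notify_is_authenticated` returns False.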
11 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33476433
It is right there in the error message:

"NO_PROPOSAL_CHOSEN"
"No matching dh groups between peers"

Ensure the correct group is configured on both ends, typically Group 2.
As far as the proposal, ensure that Phase 1 and Phase 2 proposals are matched between both peers: typically, 3DES SHA1 with a preshared key.

If you want more assistance, please post the configs from both ends.

Billy
0
 

Author Comment

by:amitabhg
ID: 33476534
Hi, thanks for your quick reply.

I don't have any control over the Nokia device at the other end.

At present no one is available at that end; when I asked the people there, they said they had done the same configuration on their side too.

Config on the ASA

My Phase 1 config:

 authentication pre-share
 encryption aes-256
 hash sha
 DH group 5
 lifetime 86400

Phase 2:

 encryption aes-256
 hash sha
 DH group 5
 lifetime 3600

0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 400 total points
ID: 33476535
From the error it seems your Phase 1 is not negotiating properly.

Just cross-check that your Phase 1 values match each other:

authentication method
encryption
md5 group
hash algorithm

preshared key

Also disable PFS on the ASA and try.
0
 

Author Comment

by:amitabhg
ID: 33476703
Thanks Anoop.

PFS is not enabled on our ASA. I will ask the people at the other end to recheck the Phase 1 values.

Once I get something I will paste it.

Thank you
0
 
LVL 24

Accepted Solution

by:rfc1180
rfc1180 earned 1600 total points
ID: 33476878
Based on what you are using (Group 5), my assumption is that the other side is not using Group 5 but possibly Group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated at the beginning of the thread, ensure that both ends (P1 and P2) match.

Billy
0
 

Author Comment

by:amitabhg
ID: 33477024
I changed to Group 2 but no luck.

I am still getting the message below:

Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE MM Initiator FSM error history (struct &0xd3f28a90)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE SA MM:72100df4 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, sending delete/delete with reason message
Aug 19 21:44:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.239.185.11  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing ISAKMP SA payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 02 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 03 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver RFC payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing Fragmentation VID + extended capabilities payload
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 33477271
It was just something you could try until you can get the other side on the horn. You will need to wait to compare configs.

Billy
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33477330
Can you add the command below on the ASA and try?

crypto isakmp identity address
0
 

Author Comment

by:amitabhg
ID: 33482663
Hi Anoop,

NAT-T is already enabled on my ASA. Is the above command still required?
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33483431
The above command is not for NAT-T.
0
 

Author Comment

by:amitabhg
ID: 33498479
Hi Anoop/rfc1180,

This problem has been solved: on the remote end device they forgot to enable DH5 in the VPN general settings.

Thanks for your inputs.
0
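The fix reported above (DH group 5 enabled on the remote gateway) lines up with the two log lines: the Check Point answered "No matching dh groups" and the ASA saw NO_PROPOSAL_CHOSEN. The model below is an added example, not code from the thread or from either vendor. The six offered transforms are transcribed from the ASA's "Payload Security Association" decode; the responder policies are assumptions. It shows that in that offer AES-256 is paired only with group 5, so a peer configured for AES-256/SHA1 with group 5 disabled has nothing it can choose, and it flags the transforms in the offer a responder could legitimately pick that would land on DES or a sub-2048-bit MODP group.

```python
"""Model responder-side IKEv1 Phase 1 transform selection.

Added example, not code from the original thread.  ASA_OFFER is transcribed
from the ASA debug above; the ResponderPolicy values used to exercise it are
assumptions about the remote gateway before and after DH5 was enabled.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Transform:
    number: int
    dh_group: int
    encryption: str   # algorithm plus key length where the transform carried one
    hash_alg: str
    auth: str
    lifetime_s: int


# Transcribed from the six "Payload Transform" entries the ASA sent in message 1
ASA_OFFER: List[Transform] = [
    Transform(1, 2, "DES-CBC", "SHA1", "PSK", 600),
    Transform(2, 2, "3DES-CBC", "SHA1", "PSK", 28000),
    Transform(3, 5, "AES-CBC-128", "SHA1", "PSK", 43200),
    Transform(4, 2, "AES-CBC-128", "SHA1", "PSK", 28800),
    Transform(5, 5, "AES-CBC-256", "SHA1", "PSK", 86400),
    Transform(6, 2, "3DES-CBC", "SHA1", "PSK", 86400),
]


@dataclass(frozen=True)
class ResponderPolicy:
    """One Phase 1 policy on the responder plus the DH groups it will agree to."""
    encryption: str
    hash_alg: str
    auth: str
    dh_groups: FrozenSet[int]


def _algs_match(t: Transform, policy: ResponderPolicy) -> bool:
    return (t.encryption, t.hash_alg, t.auth) == (policy.encryption, policy.hash_alg, policy.auth)


def select_transform(offer: List[Transform], policy: ResponderPolicy) -> Optional[Transform]:
    """Return the first offered transform acceptable under policy, else None.

    The initiator's order is its preference order, so the responder walks it
    top to bottom.  Lifetime is deliberately not a match criterion: an IKEv1
    responder normally accepts an offered lifetime no longer than its own.
    """
    for t in offer:
        if _algs_match(t, policy) and t.dh_group in policy.dh_groups:
            return t
    return None


def explain_rejection(offer: List[Transform], policy: ResponderPolicy) -> Optional[str]:
    """Responder-side reason, in the style of the Check Point log lines quoted above."""
    if select_transform(offer, policy) is not None:
        return None
    if any(_algs_match(t, policy) for t in offer):
        return "No matching dh groups between myself and the peer"
    return "No matching encryption/hash/authentication in any offered transform"


def weak_transforms(offer: List[Transform]) -> List[int]:
    """Numbers of offered transforms that use 56-bit DES or DH groups 1/2/5 (MODP under 2048 bits)."""
    return [t.number for t in offer if t.encryption == "DES-CBC" or t.dh_group < 14]


if __name__ == "__main__":
    # Assumed remote policies: AES-256/SHA1/PSK with DH5 disabled, then enabled
    without_dh5 = ResponderPolicy("AES-CBC-256", "SHA1", "PSK", frozenset({2}))
    with_dh5 = ResponderPolicy("AES-CBC-256", "SHA1", "PSK", frozenset({2, 5}))
    for label, pol in (("DH5 disabled", without_dh5), ("DH5 enabled", with_dh5)):
        chosen = select_transform(ASA_OFFER, pol)
        print(f"{label}: chose transform {chosen.number}" if chosen
              else f"{label}: {explain_rejection(ASA_OFFER, pol)}")
    print("transforms a responder could pick that downgrade to DES or a small group:",
          weak_transforms(ASA_OFFER))
```

Two points fall out of running it. First, with group 5 disabled the only AES-256 transform (number 5) fails on its group, so the responder reports a DH-group mismatch rather than an algorithm mismatch, exactly the split between the two Check Point messages. Second, every transform in this offer sits on group 2 or 5, and transform 1 is single DES: because the responder picks, the initiator's full list is its real security floor, so unused default policies should be removed from the ASA rather than left in the offer.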

Question has a verified solution.
