  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1759

VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Hi,
We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.

We are getting the errors below; can someone help us resolve this?


Number: 3232715
Date: 19Aug2010
Time: 16:10:22
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Key Install
Source: core1260a (192.x.x.x)
Destination: Partygaming-Devel (203.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
IKE Initiator Cookie: 1cf3a97ebdae0396
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct: VPN



and

Number: 3245614
Date: 19Aug2010
Time: 16:14:13
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Reject
Source: Partygaming-Devel (203.x.x.x)
Destination: core1260a (192.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
Information: IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason: IKE failure
Subproduct: VPN


ASA Debug Logs

Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

SENDING PACKET to 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 360
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 248
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 236
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 6
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 02 58
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 6d 60
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 a8 c0
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00    |  ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c    |  ....u......(....
00 00 00 00 01 00 00 0e                            |  ........

 RECV PACKET from 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 7587D3CF
  Length: 40
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    DOI: Isakmp
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 0
    Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed

Asked by: amitabhg

2 Solutions
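An added example, not part of the original post and not code from either vendor: a small Python decoder for the 40-byte packet shown under "IKE Recv RAW packet dump" above (the hex in `RAW_NOTIFY_HEX` is that dump with the ASCII gutter removed; the function and constant names are my own). It recovers what the ASA's own decode printed (Informational exchange, message ID 7587D3CF, one Notification payload of type NO_PROPOSAL_CHOSEN) and adds the check that matters for triage: the encryption flag in the header is clear and the responder cookie is still all zeros, so the notify arrived outside any authenticated ISAKMP SA. That is why the ASA logs "Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping" and keeps retransmitting MSG1 until it times out instead of acting on it. A cleartext notify is a hint about the peer's policy, not something a gateway should trust.

```python
import struct

# Constructed test input: the 40 bytes from the "IKE Recv RAW packet dump" in the post
# above, copied from the hex column with the ASCII gutter removed.
RAW_NOTIFY_HEX = (
    "1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00 "
    "0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c "
    "00 00 00 00 01 00 00 0e"
)

ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1, 28 bytes
GENERIC_PAYLOAD = struct.Struct("!BBH")         # next payload, reserved, payload length
NOTIFY_FIXED = struct.Struct("!IBBH")           # DOI, protocol-id, SPI size, notify type

FLAG_ENCRYPTION = 0x01                          # header flags bit: payloads are encrypted
PAYLOAD_NOTIFY = 11
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
NOTIFY_TYPES = {1: "INVALID_PAYLOAD_TYPE", 14: "NO_PROPOSAL_CHOSEN",
                18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}


def parse_isakmp(raw: bytes) -> dict:
    """Decode the ISAKMP header and walk the payload chain. Notification payloads are
    decoded fully; any other payload type is recorded by type and length only."""
    if len(raw) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_payload, version, exch, flags, msgid, length = \
        ISAKMP_HEADER.unpack_from(raw)
    if length != len(raw):
        raise ValueError(f"header length {length} does not match {len(raw)} bytes received")
    header = {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"type {exch}"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
    }
    payloads, offset, ptype = [], ISAKMP_HEADER.size, next_payload
    while ptype != 0:                           # next-payload 0 (NONE) ends the chain
        if offset + GENERIC_PAYLOAD.size > length:
            raise ValueError("payload chain runs past the end of the message")
        nxt, _reserved, plen = GENERIC_PAYLOAD.unpack_from(raw, offset)
        if plen < GENERIC_PAYLOAD.size or offset + plen > length:
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = raw[offset + GENERIC_PAYLOAD.size:offset + plen]
        payload = {"type": ptype, "length": plen}
        if ptype == PAYLOAD_NOTIFY:
            if len(body) < NOTIFY_FIXED.size:
                raise ValueError("truncated notification payload")
            doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
            payload.update(doi=doi, protocol_id=proto, spi_size=spi_size,
                           notify_type=ntype,
                           notify_name=NOTIFY_TYPES.get(ntype, f"type {ntype}"))
        payloads.append(payload)
        offset, ptype = offset + plen, nxt
    return {"header": header, "payloads": payloads}


def notify_verdict(msg: dict) -> str:
    """How an initiator should treat a notify. Only one carried inside the established
    ISAKMP SA (encryption flag set) is authenticated; a cleartext one can be forged by
    anyone who observed MSG1 and its initiator cookie, so it is diagnostic data only."""
    names = [p["notify_name"] for p in msg["payloads"] if p["type"] == PAYLOAD_NOTIFY]
    if not names:
        return "no notify payload"
    if msg["header"]["encrypted"]:
        return "authenticated notify: " + ", ".join(names)
    return "unauthenticated notify (log it, do not act on it): " + ", ".join(names)


if __name__ == "__main__":
    decoded = parse_isakmp(bytes.fromhex(RAW_NOTIFY_HEX))
    for key, value in decoded["header"].items():
        print(f"{key:>17}: {value}")
    for payload in decoded["payloads"]:
        print("payload:", payload)
    print(notify_verdict(decoded))
```

The decoder walks the payload chain by the generic payload header, so a Main Mode MSG2 carrying SA and VENDOR payloads parses as well; only the notification body is decoded, which is the one you need when the peer answers with an error instead of a proposal.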
 
rfc1180 commented:
It is right there in the error message:

"NO_PROPOSAL_CHOSEN"
"No matching dh groups between peers"

Ensure the correct group is configured on both ends, typically Group 2.
As far as the proposal, ensure that Phase 1 and Phase 2 proposals are matched between both peers: typically, 3DES SHA1 with a preshared key.

If you want more assistance, please post the configs from both ends.

Billy
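An added example, not from the thread and not vendor code: a Python model of the responder's Phase 1 proposal selection that rfc1180 is describing, fed with the six transforms the ASA actually sent in the "SENDING PACKET" dump above. The two peer policies are assumptions (the thread only says the peer ran "the same configuration" and later that DH group 5 had not been enabled on it); every name in the block is mine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transform:
    """One IKE transform as carried in the initiator's SA payload (RFC 2409 Appendix A)."""
    number: int
    enc: str        # DES, 3DES, AES-128, AES-256
    hash: str       # SHA1, MD5
    auth: str       # PSK, RSA-SIG
    group: int      # Diffie-Hellman group: 1, 2, 5, 14, ...
    lifetime: int   # seconds


# The six transforms from the ASA's MSG1 dump in the post, in the order sent.
ASA_MSG1 = [
    Transform(1, "DES",     "SHA1", "PSK", 2, 0x0258),   # 600 s
    Transform(2, "3DES",    "SHA1", "PSK", 2, 0x6D60),   # 28000 s
    Transform(3, "AES-128", "SHA1", "PSK", 5, 0xA8C0),   # 43200 s
    Transform(4, "AES-128", "SHA1", "PSK", 2, 0x7080),   # 28800 s
    Transform(5, "AES-256", "SHA1", "PSK", 5, 0x15180),  # 86400 s, the asker's policy
    Transform(6, "3DES",    "SHA1", "PSK", 2, 0x15180),  # 86400 s
]


@dataclass(frozen=True)
class ResponderPolicy:
    """What the responder accepts; groups is the set of DH groups enabled for it."""
    enc: str
    hash: str
    auth: str
    groups: frozenset


# Assumed peer configurations (not stated in the thread beyond "same settings" and
# "forgot to enable DH5"): AES-256/SHA1/PSK with and without DH group 5 enabled.
PEER_WITHOUT_DH5 = [ResponderPolicy("AES-256", "SHA1", "PSK", frozenset({2}))]
PEER_WITH_DH5 = [ResponderPolicy("AES-256", "SHA1", "PSK", frozenset({2, 5}))]


def select_transform(offered, policies) -> Optional[Transform]:
    """Responder half of Main Mode MSG1 -> MSG2: walk the initiator's transforms in
    order (RFC 2408: listed in the initiator's order of preference) and return the
    first one some local policy accepts. None means the responder replies
    NO_PROPOSAL_CHOSEN. Lifetime is deliberately not compared: the ASA and most IKEv1
    responders negotiate it down to the shorter value rather than rejecting (a
    modelling assumption here)."""
    for t in offered:
        if any(t.enc == p.enc and t.hash == p.hash and t.auth == p.auth
               and t.group in p.groups for p in policies):
            return t
    return None


def mismatch_reasons(offered, policies) -> dict:
    """Per transform, the first attribute that ruled it out. This is the detail the
    Check Point log in the post reports ('No matching dh groups between myself and the
    peer'); the ASA, as initiator, only ever receives the bare NO_PROPOSAL_CHOSEN."""
    reasons = {}
    for t in offered:
        if select_transform([t], policies) is not None:
            reasons[t.number] = "ok"
        elif any((t.enc, t.hash, t.auth) == (p.enc, p.hash, p.auth) for p in policies):
            reasons[t.number] = f"dh group {t.group} not enabled on responder"
        elif not any(t.enc == p.enc for p in policies):
            reasons[t.number] = f"encryption {t.enc} not accepted"
        elif not any(t.hash == p.hash for p in policies):
            reasons[t.number] = f"hash {t.hash} not accepted"
        else:
            reasons[t.number] = f"authentication {t.auth} not accepted"
    return reasons


if __name__ == "__main__":
    for label, peer in (("peer without DH5", PEER_WITHOUT_DH5),
                        ("peer with DH5", PEER_WITH_DH5)):
        chosen = select_transform(ASA_MSG1, peer)
        outcome = ("NO_PROPOSAL_CHOSEN" if chosen is None else
                   f"transform {chosen.number} ({chosen.enc}/{chosen.hash}/group {chosen.group})")
        print(f"{label}: {outcome}")
        for number, reason in mismatch_reasons(ASA_MSG1, peer).items():
            print(f"  transform {number}: {reason}")
```

Run stand-alone it prints, for each assumed peer policy, what the responder would pick and why every other transform was ruled out. Transform 5 is the asker's AES-256/SHA/PSK/group 5 policy, and under these assumptions it is the only transform the peer could accept once DH group 5 was enabled. The asymmetry is the practical lesson: the initiator gets nothing but NO_PROPOSAL_CHOSEN, while the responder's log names the attribute, so when you control only one end the other end's IKE log is where the answer is.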

amitabhg (Author) commented:
Hi, thanks for your quick reply.

I don't have any control over the Nokia device at the other end.

At present no one is available at that end; when I asked the people there, they said they have the same configuration on their side.

Config in ASA

My Phase 1 config

 authentication pre-share
 encryption aes-256
 hash sha
 DH group 5
 lifetime 86400

Phase 2

 encryption aes-256
 hash sha
 DH group 5
 lifetime 3600


anoopkmr commented:
From the error it seems your Phase 1 is not negotiating properly.

Just cross-check that your Phase 1 values match each other:

authentication method
encryption
md5 group
hash algorithm

preshared key

Also disable PFS on the ASA and try.
 
amitabhg (Author) commented:
Thanks Anoop.

PFS is not enabled on our ASA. I will ask the people at the other end to recheck the Phase 1 values.

Once I get something I will paste it.

Thanks

rfc1180 commented:
Based on what you are using (Group 5), my assumption is that the other side is not using group 5, but possibly group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated at the beginning of the thread, ensure that both ends (P1 and P2) match.

Billy

amitabhg (Author) commented:
I changed to Group 2 but no luck.

I am still getting the message below:

Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE MM Initiator FSM error history (struct &0xd3f28a90)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE SA MM:72100df4 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, sending delete/delete with reason message
Aug 19 21:44:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.239.185.11  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing ISAKMP SA payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 02 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 03 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver RFC payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing Fragmentation VID + extended capabilities payload
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

rfc1180 commented:
It was just something you can try until you can get the other side on the horn. You will need to wait to compare configs.

Billy

anoopkmr commented:
Can you add the command below on the ASA and try:

crypto isakmp identity address

amitabhg (Author) commented:
Hi Anoop,

I already have NAT-T enabled on my ASA; is the above command still required?

anoopkmr commented:
The above command is not for NAT-T.

amitabhg (Author) commented:
Hi Anoop/rfc1180,

This problem has been solved. On the remote end device they forgot to enable DH5 in the VPN general settings.

Thanks for your inputs.