Solved

VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi

We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.

We are getting the below error; can someone help us resolve this?


Number: 3232715
Date: 19Aug2010
Time: 16:10:22
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Key Install
Source: core1260a (192.x.x.x)
Destination: Partygaming-Devel (203.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
IKE Initiator Cookie: 1cf3a97ebdae0396
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct: VPN



and

Number: 3245614
Date: 19Aug2010
Time: 16:14:13
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Reject
Source: Partygaming-Devel (203.x.x.x)
Destination: core1260a (192.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
Information: IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason: IKE failure
Subproduct: VPN


ASA Debug Logs

Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

SENDING PACKET to 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 360
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 248
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 236
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 6
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 02 58
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 6d 60
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 a8 c0
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00    |  ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c    |  ....u......(....
00 00 00 00 01 00 00 0e                            |  ........

 RECV PACKET from 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 7587D3CF
  Length: 40
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    DOI: Isakmp
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 0
    Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed
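To make the "IKE Recv RAW packet dump" above readable, here is an added example (not code from the question or from either vendor) that decodes the 40-byte Informational packet the ASA received: the bytes are copied from the dump, and the function names parse_isakmp and explain are this example's own.

```python
import struct
# Bytes copied from the "IKE Recv RAW packet dump" in the question above.
RAW_DUMP = bytes.fromhex(
    "1fe6547596dec9a6" "0000000000000000"   # initiator / responder cookies
    "0b100500" "7587d3cf" "00000028"        # next=NOTIFY, ver 1.0, exch 5, flags 0, msgid, len 40
    "0000000c" "00000000" "01" "00" "000e"  # NOTIFY: len 12, DOI 0, PROTO_ISAKMP, spi size 0, type 14
)

EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational"}
PAYLOAD = {0: "NONE", 1: "SA", 11: "NOTIFY", 13: "VENDOR"}
NOTIFY = {1: "INVALID_PAYLOAD_TYPE", 7: "INVALID_EXCHANGE_TYPE", 14: "NO_PROPOSAL_CHOSEN",
          16: "PAYLOAD_MALFORMED", 18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}

def parse_isakmp(data: bytes) -> dict:
    """Parse the 28-byte ISAKMP header (RFC 2408) and walk the payload chain."""
    if len(data) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, got {len(data)}")
    msg = {
        "initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(exch, str(exch)),
        "encrypted": bool(flags & 0x01), "msgid": msgid, "payloads": [],
    }
    off = 28
    while nxt != 0:  # next-payload 0 (NONE) ends the chain
        nxt_after, _rsvd, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(nxt, str(nxt))}
        if nxt == 11:  # Notification payload: DOI, protocol id, SPI size, notify type
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            entry.update(doi=doi, protocol_id=proto, spi=body[8:8 + spi_size].hex(),
                         notify=NOTIFY.get(ntype, str(ntype)))
        msg["payloads"].append(entry)
        off, nxt = off + plen, nxt_after
    return msg

def explain(msg: dict) -> str:
    """One-line reading of the message, e.g. why the ASA dropped it."""
    notifies = [p["notify"] for p in msg["payloads"] if p["type"] == "NOTIFY"]
    enc = "encrypted" if msg["encrypted"] else "unencrypted"
    return f"{msg['exchange']} exchange, {enc}, notify {', '.join(notifies) or 'none'}"

if __name__ == "__main__":
    print(explain(parse_isakmp(RAW_DUMP)))
```

The flags byte is 0, which is why the ASA log reports an un-encrypted NO_PROPOSAL_CHOSEN notify and drops it; the rejection itself is still the useful signal.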

Question by: amitabhg

11 Comments
LVL 24

Expert Comment

by:rfc1180
It is right there in the error message:

"NO_PROPOSAL_CHOSEN"
"No matching dh groups between peers"

Ensure the correct group is configured on both ends, typically Group 2.
As far as the proposal, ensure that Phase 1 and Phase 2 proposals are matched between both peers: typically, 3DES SHA1 with a preshared key.

If you want more assistance, please post the configs from both ends.

Billy

Author Comment

by:amitabhg
Hi, thanks for your quick reply.

I don't have any control over the Nokia device at the other end.

At present nobody is available at that end; when I asked the guys there, they said they did the same configuration on their end as well.

Config in ASA

My Phase 1 config

authentication pre-share
encryption aes-256
hash sha
DH group 5
lifetime 86400

Phase 2

encryption aes-256
hash sha
DH group 5
lifetime 3600

LVL 14

Assisted Solution

by: anoopkmr
anoopkmr earned 100 total points
From the error it seems your phase 1 is not negotiating properly.

Just cross-check that your phase 1 values match each other:

authentication method
encryption
md5 group
hash algorithm

preshared key

Also disable PFS on the ASA and try.

Author Comment

by:amitabhg
Thanks Anoop.

PFS is not enabled in our ASA. I will ask the guys at the other end to recheck the Phase 1 values again.

Once I get something I will paste it.

Thank you
LVL 24

Accepted Solution

by: rfc1180
rfc1180 earned 400 total points
Based on what you are using (Group 5), my assumption is that the other side is not using group 5, but possibly group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated at the beginning of the thread, ensure that both ends (P1 and P2) match.

Billy

Author Comment

by:amitabhg
I changed to Group 2 but no luck.

I am still getting the below message:

Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE MM Initiator FSM error history (struct &0xd3f28a90)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE SA MM:72100df4 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, sending delete/delete with reason message
Aug 19 21:44:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.239.185.11  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing ISAKMP SA payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 02 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 03 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver RFC payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing Fragmentation VID + extended capabilities payload
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
LVL 24

Expert Comment

by:rfc1180
It was just something you can try until you can get the other side on the horn. You will need to wait to compare configs.

Billy
LVL 14

Expert Comment

by:anoopkmr
Can you add the below command on the ASA and try?

crypto isakmp identity address

Author Comment

by:amitabhg
Hi Anoop,

In my ASA I have already enabled NAT-T; is the above command still required?
LVL 14

Expert Comment

by:anoopkmr
The above command is not for NAT-T.

Author Comment

by:amitabhg
Hi Anoop/rfc1180,

This problem has been solved: on the remote end device they forgot to enable DH5 in the VPN general settings.

Thanks for your inputs.
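The accepted solution's point (both ends must match on every Phase 1 attribute at once) and the final outcome (DH group 5 not enabled at the remote end) can be replayed against the six transforms the ASA actually sent. This is an added example, not code from the thread or from Cisco or Check Point; the responder policy it assumes (AES-256/SHA1/PSK, matching the poster's Phase 1 config, with a configurable DH group list) is a constructed assumption, not the Nokia/Check Point's real matching logic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transform:
    number: int
    group: int  # Diffie-Hellman group
    enc: str
    hash: str
    auth: str

# The six Phase 1 transforms the ASA sent in Main Mode message 1 (from the debug log above).
ASA_OFFER = [
    Transform(1, 2, "DES", "SHA1", "psk"),
    Transform(2, 2, "3DES", "SHA1", "psk"),
    Transform(3, 5, "AES-128", "SHA1", "psk"),
    Transform(4, 2, "AES-128", "SHA1", "psk"),
    Transform(5, 5, "AES-256", "SHA1", "psk"),
    Transform(6, 2, "3DES", "SHA1", "psk"),
]

def select_transform(offer, encs, hashes, auths, groups):
    """Return (chosen, reasons): the first transform the responder accepts, or None.
    IKEv1 matches a transform as a unit, so every attribute must be acceptable: a
    policy that allows AES-256 but not DH group 5 still rejects an AES-256/group-5
    transform. Lifetime is left out; it is normally negotiated down, not rejected."""
    reasons = []
    for t in offer:
        checks = (("enc", t.enc, encs), ("hash", t.hash, hashes),
                  ("auth", t.auth, auths), ("DH group", t.group, groups))
        misses = [f"{name} {val}" for name, val, allowed in checks if val not in allowed]
        if not misses:
            return t, reasons
        reasons.append(f"transform {t.number} rejected: " + ", ".join(misses))
    return None, reasons

# Constructed responder policy (an assumption, not the Check Point's real matcher):
# AES-256 / SHA1 / PSK as in the poster's Phase 1 config; only the DH group list changes.
def before_fix():
    return select_transform(ASA_OFFER, {"AES-256"}, {"SHA1"}, {"psk"}, {2})

def after_fix():
    return select_transform(ASA_OFFER, {"AES-256"}, {"SHA1"}, {"psk"}, {2, 5})

if __name__ == "__main__":
    for label, (chosen, why) in (("before", before_fix()), ("after", after_fix())):
        print(label, "->", f"transform {chosen.number}" if chosen else "NO_PROPOSAL_CHOSEN")
        for line in why:
            print("   ", line)
```

Before the fix every transform fails on some attribute (the only AES-256 transform fails solely on DH group 5, which is the "no matching dh groups" the Check Point logged); after group 5 is enabled, transform 5 is the first full match.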