Solved

VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Posted on 2010-08-19
Last Modified: 2012-05-10
Hi,

We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 (HA).

We are getting the error below. Can someone help us resolve this?


Number:               3232715
Date:                 19Aug2010
Time:                 16:10:22
Product:              VPN-1 Power/UTM
VPN Feature:          IKE
Interface:            daemon
Origin:               core1260a
Type:                 Log
Action:               Key Install
Source:               core1260a (192.x.x.x)
Destination:          Partygaming-Devel (203.x.x.x)
Encryption Scheme:    IKE
VPN Peer Gateway:     Partner-Devel (203.x.x.x)
IKE Initiator Cookie: 1cf3a97ebdae0396
Information:          IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct:           VPN



and

Number:               3245614
Date:                 19Aug2010
Time:                 16:14:13
Product:              VPN-1 Power/UTM
VPN Feature:          IKE
Interface:            daemon
Origin:               core1260a
Type:                 Log
Action:               Reject
Source:               Partygaming-Devel (203.x.x.x)
Destination:          core1260a (192.x.x.x)
Encryption Scheme:    IKE
VPN Peer Gateway:     Partner-Devel (203.x.x.x)
Information:          IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason:        IKE failure
Subproduct:           VPN


ASA Debug Logs

Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

SENDING PACKET to 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 360
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 248
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 236
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 6
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 02 58
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 6d 60
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 a8 c0
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00    |  ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c    |  ....u......(....
00 00 00 00 01 00 00 0e                            |  ........

 RECV PACKET from 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 7587D3CF
  Length: 40
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    DOI: Isakmp
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 0
    Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed

Question by:amitabhg
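The "IKE Recv RAW packet dump" in the question is the whole responder reply: a 28-byte ISAKMP header followed by one Notification payload. The following decoder is an added example, not code from the original post or from either vendor; it walks the RFC 2408 layout over those 40 bytes (transcribed here as constructed input) and shows why the ASA logged the result as an unencrypted NO_PROPOSAL_CHOSEN notify. The ASA's choice to drop it rather than act on it is the safe one: with the encryption flag clear, nothing authenticates the notify, so any on-path host that saw the initiator cookie could have forged it.

```python
"""Decode the ISAKMP message logged as "IKE Recv RAW packet dump" (RFC 2408 layout)."""
import struct

# Constructed input: the 40 bytes transcribed from the raw dump in the post above.
RAW_DUMP = bytes.fromhex(
    "1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00 "
    "0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c "
    "00 00 00 00 01 00 00 0e"
)

# Fixed header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (28 bytes).
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
GENERIC_PAYLOAD = struct.Struct("!BBH")   # next payload, reserved, payload length
NOTIFY_FIXED = struct.Struct("!IBBH")     # DOI, protocol ID, SPI size, notify type
FLAG_ENCRYPTION = 0x01                    # E bit: payloads after the header are encrypted

PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "PROPOSAL", 3: "TRANSFORM", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "NOTIFY",
                 12: "DELETE", 13: "VENDOR"}
EXCHANGE_TYPES = {2: "Identity Protection (Main Mode)", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 16: "PAYLOAD_MALFORMED",
                18: "INVALID_ID_INFORMATION", 24: "AUTHENTICATION_FAILED"}


def parse_isakmp(data):
    """Return (header dict, list of payload dicts); length fields are checked, not trusted."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("short ISAKMP header")
    i_cookie, r_cookie, nxt, version, exchange, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError(f"header claims {length} bytes, {len(data)} on the wire")
    header = {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": exchange,
        "exchange": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }
    payloads = []
    offset, ptype = ISAKMP_HEADER.size, nxt
    while ptype != 0:                       # payload chain ends at "next payload = NONE"
        if offset + GENERIC_PAYLOAD.size > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = GENERIC_PAYLOAD.unpack_from(data, offset)
        if plen < GENERIC_PAYLOAD.size or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        body = data[offset + GENERIC_PAYLOAD.size:offset + plen]
        entry = {"type": PAYLOAD_TYPES.get(ptype, ptype), "length": plen}
        if ptype == 11:                     # Notification payload
            if len(body) < NOTIFY_FIXED.size:
                raise ValueError("short notify payload")
            doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
            entry.update(doi=doi, protocol_id=proto, spi_size=spi_size,
                         notify_type=ntype, notify=NOTIFY_TYPES.get(ntype, ntype))
        payloads.append(entry)
        offset, ptype = offset + plen, next_type
    return header, payloads


def summarize(data):
    """One-line-per-fact summary in the spirit of the ASA's own IKE_DECODE output."""
    header, payloads = parse_isakmp(data)
    lines = [f"{header['exchange']} msgid={header['message_id']:08x} "
             f"encrypted={header['encrypted']} length={header['length']}"]
    for p in payloads:
        if p["type"] == "NOTIFY":
            lines.append(f"  NOTIFY {p['notify']} (type {p['notify_type']}, proto {p['protocol_id']})")
            if not header["encrypted"]:
                lines.append("  warning: unauthenticated notify; anyone who saw the cookies could have sent it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(RAW_DUMP))
```

The same parser applies to the SENDING PACKET above it (exchange type 2, a chain of SA and VENDOR payloads); only the Notification body is decoded here because that is the payload the thread turns on.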
11 Comments
 
LVL 24

Expert Comment

by:rfc1180
ID: 33476433
It is right there in the error message:

"NO_PROPOSAL_CHOSEN"
"No matching dh groups between peers"

Ensure the correct group is configured on both ends, typically Group 2.
As far as the proposal, ensure that Phase 1 and Phase 2 proposals are matched between both peers: typically, 3DES SHA1 with a preshared key.

If you want more assistance, please post the configs from both ends.

Billy
 

Author Comment

by:amitabhg
ID: 33476534
Hi, thanks for your quick reply.

I don't have any control over the Nokia device at the other end.

At present no one is available at that end; when I asked the people there, they said they have the same configuration on their side.

Config in ASA

My Phase 1 config

 authentication pre-share
 encryption aes-256
 hash sha
 DH group 5
 lifetime 86400

Phase 2

 encryption aes-256
 hash sha
 DH group 5
 lifetime 3600

 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 400 total points
ID: 33476535
From the error it seems your Phase 1 is not negotiating properly.

Just cross-check that your Phase 1 values match each other:

authentication method
encryption
md5 group
hash algorithm

preshared key

Also disable PFS on the ASA and try.
 

Author Comment

by:amitabhg
ID: 33476703
Thanks Anoop.

PFS is not enabled in our ASA. I will ask the people at the other end to recheck the Phase 1 values again.

Once I get something I will paste it.

Thank you
 
LVL 24

Accepted Solution

by:
rfc1180 earned 1600 total points
ID: 33476878
Based on what you are using (Group 5), my assumption is that the other side is not using Group 5 but possibly Group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated at the beginning of the thread, ensure that both ends (P1 and P2) match.

Billy
 

Author Comment

by:amitabhg
ID: 33477024
I changed to Group 2 but no luck.

I am still getting the message below:

Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE MM Initiator FSM error history (struct &0xd3f28a90)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, IKE SA MM:72100df4 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 21:44:06 [IKEv1 DEBUG]: IP = 194.239.185.11, sending delete/delete with reason message
Aug 19 21:44:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.239.185.11  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing ISAKMP SA payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 02 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver 03 payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing NAT-Traversal VID ver RFC payload
Aug 19 21:44:08 [IKEv1 DEBUG]: IP = 194.239.185.11, constructing Fragmentation VID + extended capabilities payload
Aug 19 21:44:08 [IKEv1]: IP = 194.239.185.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
 
LVL 24

Expert Comment

by:rfc1180
ID: 33477271
It was just something you could try until you can get the other side on the horn. You will need to wait to compare configs.

Billy
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33477330
Can you add the command below on the ASA and try:

crypto isakmp identity address
 

Author Comment

by:amitabhg
ID: 33482663
Hi Anoop,

I have already enabled NAT-T on my ASA. Is the above command still required?
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33483431
The above command is not for NAT-T.
 

Author Comment

by:amitabhg
ID: 33498479
Hi Anoop/rfc1180,

This problem has been solved: on the remote end device they had forgotten to enable DH5 in the VPN general settings.

Thanks for your inputs.
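The resolution above fits the packet capture in the question: the ASA offered AES-256/SHA1/PSK only together with DH group 5 (transform 5), so a responder configured for AES-256/SHA1/PSK with group 5 not enabled has no full match, and the only transforms that match on group 2 use DES, 3DES or AES-128, which the responder was not configured for. The Check Point message "No matching dh groups" is exactly that situation. The simulation below is an added example, not code from the original post or from either vendor: it models a Main Mode responder that accepts a transform only when encryption, key length, hash, authentication method and DH group all match one of its enabled policies (an assumption; SA lifetime is ignored, which is how most IKEv1 responders treat it), using the six transforms transcribed from the SA payload in the ASA debug. It also flags transforms a reviewer would not want offered at all. Note that the SA payload carries one transform per configured ISAKMP policy, so six transforms means the ASA had six policies, including a single-DES policy with a 600-second lifetime that the author's posted Phase 1 config does not mention; the full `crypto isakmp policy` list in the running configuration is worth checking and pruning.

```python
"""Model a Main Mode responder choosing from the six transforms the ASA offered.

Assumed responder behaviour (a simplification, not Check Point's or Cisco's code):
a transform is accepted only if encryption, key length, hash, authentication
method and DH group all match one of the responder's enabled policies; the SA
lifetime is not part of the decision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    number: int
    encryption: str
    key_length: int       # 0 when the cipher has a fixed key size (DES, 3DES)
    hash_alg: str
    auth: str
    group: int            # Diffie-Hellman group
    lifetime: int         # seconds; carried but not compared


# Constructed from "Payload Security Association" in the ASA debug above.
OFFERED = [
    Transform(1, "DES-CBC", 0, "SHA1", "PSK", 2, 0x258),
    Transform(2, "3DES-CBC", 0, "SHA1", "PSK", 2, 0x6D60),
    Transform(3, "AES-CBC", 128, "SHA1", "PSK", 5, 0xA8C0),
    Transform(4, "AES-CBC", 128, "SHA1", "PSK", 2, 0x7080),
    Transform(5, "AES-CBC", 256, "SHA1", "PSK", 5, 0x15180),
    Transform(6, "3DES-CBC", 0, "SHA1", "PSK", 2, 0x15180),
]


@dataclass(frozen=True)
class ResponderPolicy:
    encryption: str
    key_length: int
    hash_alg: str
    auth: str
    groups: frozenset     # DH groups enabled on the gateway (the "VPN general settings" knob)


def algorithms_match(t, p):
    """Everything except the DH group."""
    return (t.encryption, t.key_length, t.hash_alg, t.auth) == \
           (p.encryption, p.key_length, p.hash_alg, p.auth)


def select_transform(offered, policies):
    """Return (chosen Transform or None, reason), scanning in the initiator's order."""
    group_only_misses = []
    for t in offered:
        for p in policies:
            if algorithms_match(t, p):
                if t.group in p.groups:
                    return t, f"chosen transform {t.number}"
                group_only_misses.append(t.number)
    if group_only_misses:
        return None, (f"NO_PROPOSAL_CHOSEN: no matching DH group "
                      f"(transforms {group_only_misses} match on algorithms only)")
    return None, "NO_PROPOSAL_CHOSEN: no transform matches encryption/hash/auth"


def weak_transforms(offered):
    """Map transform number -> reasons it should not be offered at all."""
    findings = {}
    for t in offered:
        reasons = []
        if t.encryption == "DES-CBC":
            reasons.append("single DES (56-bit key)")
        if t.group <= 2:
            reasons.append(f"DH group {t.group} (1024-bit MODP or smaller)")
        if reasons:
            findings[t.number] = reasons
    return findings


if __name__ == "__main__":
    # Before the fix: AES-256/SHA1/PSK configured, only group 2 enabled globally.
    before = [ResponderPolicy("AES-CBC", 256, "SHA1", "PSK", frozenset({2}))]
    # After the fix: the remote admin enables DH group 5 as well.
    after = [ResponderPolicy("AES-CBC", 256, "SHA1", "PSK", frozenset({2, 5}))]
    print("before:", select_transform(OFFERED, before)[1])
    print("after: ", select_transform(OFFERED, after)[1])
    for num, reasons in weak_transforms(OFFERED).items():
        print(f"transform {num} offered with weak parameters: {', '.join(reasons)}")
```

The `weak_transforms` check reports four of the six offered transforms: transform 1 for single DES and transforms 1, 2, 4 and 6 for DH group 2. Because the responder picks the first acceptable transform in initiator order, a peer that happens to accept DES/SHA1/group 2 would negotiate that rather than the AES-256 policy the author intended, which is the practical reason to remove unused policies rather than leave them as fallbacks.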
