Solved

Host to host VPN issue

Posted on 2016-09-10
1
78 Views
Last Modified: 2016-09-10
Hi All

Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range

On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
 host 1.2.3.4
 
object network site-xx-subnet
 subnet 172.28.0.0 255.255.0.0
 
object network XX_lo1-petp-tavi-01
 host 91.202.238.241
object network XX_lo1-petp-tavi-02
 host 91.202.237.245
object network NATED_XX_IP_LND
 host 172.28.1.167
 
object-group network DM_INLINE_NETWORK_2
 network-object object XX_lo1-petp-tavi-01
 network-object object XX_lo1-petp-tavi-02
 
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet

object network inside_for_XX
 nat (any,any) dynamic NATED_XX_IP_LND
 
crypto ipsec ikev2 ipsec-proposal AES2562
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 1.2.3.4
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors

crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880

group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy3
tunnel-group 1.2.3.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

Open in new window


Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.

In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.

Appreciate any help anyone can give.
0
Comment
Question by:Ralph Pickering
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 4

Accepted Solution

by:
Ralph Pickering earned 0 total points
ID: 41792657
We solved it. It needed to be prf sha256 to match the supplier's end! Changed that and it sprang into life.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question