Solved

Host to host VPN issue

Posted on 2016-09-10
Last Modified: 2016-09-10
Hi all,

Hopefully an expert can help, as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range.

On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
 host 1.2.3.4
 
object network site-xx-subnet
 subnet 172.28.0.0 255.255.0.0
 
object network XX_lo1-petp-tavi-01
 host 91.202.238.241
object network XX_lo1-petp-tavi-02
 host 91.202.237.245
object network NATED_XX_IP_LND
 host 172.28.1.167
 
object-group network DM_INLINE_NETWORK_2
 network-object object XX_lo1-petp-tavi-01
 network-object object XX_lo1-petp-tavi-02
 
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet

object network inside_for_XX
 nat (any,any) dynamic NATED_XX_IP_LND
 
crypto ipsec ikev2 ipsec-proposal AES2562
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 1.2.3.4
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors

crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880

group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy3
tunnel-group 1.2.3.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.

In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.

Appreciate any help anyone can give.
Question by: Ralph Pickering
1 Comment
 
Accepted Solution

by: Ralph Pickering
ID: 41792657
We solved it. It needed to be prf sha256 to match the supplier's end! Changed that and it sprang into life.
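To make the "no proposal chosen" diagnosis repeatable, here is an added example (not code from the thread) that parses an ASA `crypto ikev2 policy` block and reports which IKEv2 transform types have no overlap with the peer's proposal. It assumes the ASA uses SHA-1 as the PRF when no `prf` line is configured, and the peer transforms are constructed to match the supplier's requirement stated in the answer.

```python
"""Compare an ASA 'crypto ikev2 policy' block against the peer's IKEv2 proposal.

IKEv2 SA negotiation fails with NO_PROPOSAL_CHOSEN when any of the four
transform types (encryption, integrity, PRF, DH group) has no common value.
The parser, the default-PRF assumption and the peer values are constructed
for illustration; they are not taken from a vendor reference.
"""
import re

# Constructed: the policy from the question, before the fix (no 'prf' line).
ASA_POLICY_BEFORE = """
crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880
"""

# Assumption: what the supplier's peer required (per the accepted answer, PRF SHA-256).
PEER_PROPOSAL = {
    "encryption": {"aes-256"},
    "integrity": {"sha256"},
    "prf": {"sha256"},
    "group": {"14"},
}

# Assumption: the ASA falls back to SHA-1 ("sha") for the PRF when none is set.
DEFAULT_PRF = "sha"

TRANSFORMS = ("encryption", "integrity", "prf", "group")


def parse_ikev2_policy(text):
    """Return {transform: set(values)} for one ASA ikev2 policy block.

    ASA allows several values on one line (e.g. 'integrity sha256 sha'),
    so every whitespace-separated token after the keyword is kept.
    """
    policy = {t: set() for t in TRANSFORMS}
    for line in text.splitlines():
        m = re.match(r"\s*(encryption|integrity|prf|group)\s+(.+?)\s*$", line)
        if m:
            policy[m.group(1)].update(m.group(2).split())
    if not policy["prf"]:
        policy["prf"].add(DEFAULT_PRF)  # implicit default, the trap in this thread
    return policy


def find_mismatches(local, peer):
    """List transform types with no shared value; an empty list means a match."""
    return [t for t in TRANSFORMS if not local[t] & peer[t]]


if __name__ == "__main__":
    print(find_mismatches(parse_ikev2_policy(ASA_POLICY_BEFORE), PEER_PROPOSAL))
```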
