troubleshooting Question

Host to host VPN issue

Avatar of Ralph Pickering
Ralph PickeringFlag for United Kingdom of Great Britain and Northern Ireland asked on
CiscoVPNHardware Firewalls
1 Comment1 Solution274 ViewsLast Modified:
Hi All

Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range

On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
object network site-xx-subnet
object network XX_lo1-petp-tavi-01
object network XX_lo1-petp-tavi-02
object network NATED_XX_IP_LND
object-group network DM_INLINE_NETWORK_2
 network-object object XX_lo1-petp-tavi-01
 network-object object XX_lo1-petp-tavi-02
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet

object network inside_for_XX
 nat (any,any) dynamic NATED_XX_IP_LND
crypto ipsec ikev2 ipsec-proposal AES2562
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors

crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880

group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev2

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy GroupPolicy3
tunnel-group ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.

In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.

Appreciate any help anyone can give.
Ralph Pickering
Infrastructure Consultant

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 1 Comment.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 1 Comment.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros