asked on
Host to host VPN issue
Hi All
Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range
On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.
In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.
Appreciate any help anyone can give.
Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range
On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
host 1.2.3.4
object network site-xx-subnet
subnet 172.28.0.0 255.255.0.0
object network XX_lo1-petp-tavi-01
host 91.202.238.241
object network XX_lo1-petp-tavi-02
host 91.202.237.245
object network NATED_XX_IP_LND
host 172.28.1.167
object-group network DM_INLINE_NETWORK_2
network-object object XX_lo1-petp-tavi-01
network-object object XX_lo1-petp-tavi-02
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet
object network inside_for_XX
nat (any,any) dynamic NATED_XX_IP_LND
crypto ipsec ikev2 ipsec-proposal AES2562
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 1.2.3.4
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors
crypto ikev2 policy 3
encryption aes-256
integrity sha256
group 14
lifetime seconds 28880
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
vpn-tunnel-protocol ikev2
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
default-group-policy GroupPolicy3
tunnel-group 1.2.3.4 ipsec-attributes
ikev2 remote-authentication pre-shared-key <PSK>
ikev2 local-authentication pre-shared-key <PSK>
Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.
In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.
Appreciate any help anyone can give.
CiscoVPNHardware Firewalls
Last Comment
Ralph Pickering