?
Solved

Host to host VPN issue

Posted on 2016-09-10
1
Medium Priority
?
84 Views
Last Modified: 2016-09-10
Hi All

Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range

On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
 host 1.2.3.4
 
object network site-xx-subnet
 subnet 172.28.0.0 255.255.0.0
 
object network XX_lo1-petp-tavi-01
 host 91.202.238.241
object network XX_lo1-petp-tavi-02
 host 91.202.237.245
object network NATED_XX_IP_LND
 host 172.28.1.167
 
object-group network DM_INLINE_NETWORK_2
 network-object object XX_lo1-petp-tavi-01
 network-object object XX_lo1-petp-tavi-02
 
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet

object network inside_for_XX
 nat (any,any) dynamic NATED_XX_IP_LND
 
crypto ipsec ikev2 ipsec-proposal AES2562
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 1.2.3.4
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors

crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880

group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy3
tunnel-group 1.2.3.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

Open in new window


Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.

In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.

Appreciate any help anyone can give.
0
Comment
Question by:Ralph Pickering
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 4

Accepted Solution

by:
Ralph Pickering earned 0 total points
ID: 41792657
We solved it. It needed to be prf sha256 to match the supplier's end! Changed that and it sprang into life.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question