• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 111
  • Last Modified:

Host to host VPN issue

Hi All

Hopefully an expert can help as I am running out of ideas. We have a supplier providing a trading platform that we need to connect to via VPN. They have provided us with a few IPs of hosts for the trading platform and their peer for the VPN. We don't have sufficient public IP addresses to allocate as a local peer, so they have allocated us a single RFC1918 address (172.28.x.x) to NAT our internal range to. Internally we use a 192.100.x.x range

On our end we have an ASA5505 and at their end, I believe it's a Juniper (although that shouldn't make a difference). The parts of our config that are relevant are:
object network site-xx-firewall
 host 1.2.3.4
 
object network site-xx-subnet
 subnet 172.28.0.0 255.255.0.0
 
object network XX_lo1-petp-tavi-01
 host 91.202.238.241
object network XX_lo1-petp-tavi-02
 host 91.202.237.245
object network NATED_XX_IP_LND
 host 172.28.1.167
 
object-group network DM_INLINE_NETWORK_2
 network-object object XX_lo1-petp-tavi-01
 network-object object XX_lo1-petp-tavi-02
 
access-list outside_cryptomap_4 extended permit ip object NATED_XX_IP_LND object-group DM_INLINE_NETWORK_2
nat (inside,outside) source dynamic NETWORK_OBJ_192.168.100.0_24 NATED_XX_IP_LND destination static site-XX-subnet site-XX-subnet

object network inside_for_XX
 nat (any,any) dynamic NATED_XX_IP_LND
 
crypto ipsec ikev2 ipsec-proposal AES2562
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 1.2.3.4
crypto map outside_map 5 set ikev2 ipsec-proposal AES2562
crypto map outside_map 5 set security-association lifetime seconds 3600
crypto map outside_map 5 set df-bit clear-df
crypto map outside_map 5 set validate-icmp-errors

crypto ikev2 policy 3
 encryption aes-256
 integrity sha256
 group 14
 lifetime seconds 28880

group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy3
tunnel-group 1.2.3.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

Open in new window


Packet tracer shows that the IP addresses are being NATted correctly, and it can tell that there is a VPN action, but the result is Subtype - Encrypt, Action - DROP.

In the logs we get:
ERROR: Received no proposal chosen notify.
IKEv2 was unsuccessful at bringing up a tunnel. Map Tag = outside_map. Map_Sequence_Number = 5.

Appreciate any help anyone can give.
0
Ralph Pickering
Asked:
Ralph Pickering
1 Solution
 
Ralph PickeringAuthor Commented:
We solved it. It needed to be prf sha256 to match the supplier's end! Changed that and it sprang into life.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now