06-03-2007 11:19 PM - edited 02-21-2020 01:33 AM
Hi all,
I am facing a problem trying to establish a tunnel with one of our suppliers.
Their side is terminated on an IOS router of currently unknown type and version (should be 12.2 - 12.4); my side is an ASA 7.2(2). Configurations are attached (at least the snippet of the IOS config I was sent).
Apparently Phase 1 completes correctly but P2 fails with "Received non-routine Notify message: No proposal chosen (14)". I also attach the debug from the ASA with "debug crypto isakmp 129" and "debug crypto ipsec 129".
I double checked transform sets and IKE policies.
BTW, I never had to use static NAT AND IPsec together as here (I was asked to do so by the other side). I have found a few config examples on that (to solve overlapping networks); I hope it is possible with the ASA OS too.
Many thanks in advance...
Ivano
06-04-2007 05:52 AM
Hi
In my experience IPsec phase 2 fails for one of two reasons:
1) Incorrect settings, i.e. the encryption algorithms, lifetimes etc.
2) The local and remote subnets as defined in the crypto map access-lists are different.
2) looks okay from the configs.
Could you
1) Get a debug output from the customer on their side, or alternatively get them to initiate the connection and send a debug.
2) Before doing that, could you explicitly set up PFS under phase 2 on both the ASA and the IOS. Each device is using its default setting for PFS and they may be different.
HTH
Jon
06-04-2007 08:13 AM
Hi Jon,
Too bad we are the "customer side", so I have close to no control over the IOS router config.
Anyway, I inserted explicit parameters for PFS and requested them to adapt and send back a debug output.
I will post results ASAP.
Thanks a lot
Ivano
06-25-2007 06:43 AM
Not an expert, but I just had a similar problem: in your ASA you have:
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
and in IOS you have:
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
(no encryption and no DH group)
Also, I couldn't work out what this refers to (may be a knowledge gap):
match address ip-isauto
I would have thought this should refer to an access list.
I don't know if any of this will help, but I hope you find the problem. Regards, Sean.
06-25-2007 07:42 AM
Hi Sean and thanks for replying,
Parameters that take default values don't show up in "show running-config", so that's why you can't find the DH group and encryption in the IOS ISAKMP policy; anyway, they matched.
BTW, exactly last Friday 22/06 we found what was blocking P2 from completing.
On the IOS router they had stated:
crypto map MAPNAME local-address Loopback0
which I understand uses the Loopback0 address as the identity in the IPsec SA; too bad that in some other place of the configuration, which they never showed me, they had put:
Interface Loopback0
no ip address
That, even without any experience, sounded very strange to me, so I asked them to remove the former statement (crypto map .... local-address) and voila', IPsec SA OK and VPN traffic flowing, of course using the physical interfaces' IP addresses as IPsec identities.
It remains a question why other (IOS-based) peers were working correctly (and still are!) with that router, totally disregarding the guilty piece of config....
Anyway, thanks to everybody who helped.
Greetings from Italy
Ivano
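The point made above, that a policy line absent from "show running-config" is not absent from the negotiation but silently at its platform default, is easy to get wrong when comparing two peers' configs by eye. The script below is an added example (not part of the thread and not Cisco code) that parses ISAKMP policy blocks from an IOS and an ASA config, fills in the omitted parameters from a defaults table, and reports which policy pairs would agree on encryption, hash, authentication and DH group. The default values in IOS_DEFAULTS and ASA_DEFAULTS are assumptions for the IOS 12.x / ASA 7.2 era and should be checked against "show crypto isakmp policy" on the real devices; the two configs are constructed for the demonstration, not the ones from the thread.

```python
"""Compare IKE phase 1 (ISAKMP) policies between an IOS and an ASA config.

Fills in parameters that 'show running-config' omits because they sit at the
platform default, then looks for policy pairs that would match on the wire.
"""
import re

# ASSUMPTION: defaults for an omitted "crypto isakmp policy" parameter on
# IOS 12.x and ASA 7.2. Verify with "show crypto isakmp policy" on the box.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}

# Parameters that must agree for a proposal to be accepted. Lifetime is left
# out on purpose: the peers settle on the shorter value instead of failing.
MUST_MATCH = ("encryption", "hash", "authentication", "group")

POLICY_RE = re.compile(r"^\s*(?:crypto )?isakmp policy (\d+)\s*$")
# "encr" is the abbreviated form newer IOS prints in the running config.
PARAM_RE = re.compile(r"^\s*(encr(?:yption)?|hash|authentication|group|lifetime)\s+(\S+)\s*$")


def parse_isakmp_policies(config, defaults):
    """Return {priority: {param: value}} with omitted params set to defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(defaults)
            continue
        m = PARAM_RE.match(line)
        if m and current is not None:
            key = "encryption" if m.group(1).startswith("encr") else m.group(1)
            policies[current][key] = m.group(2).lower()
            continue
        if line.strip() and not line[0].isspace():
            current = None  # an unrelated top-level command ends the block
    return policies


def find_matching_policies(local, remote):
    """List (local_prio, remote_prio, negotiated_lifetime) for agreeing pairs."""
    matches = []
    for lp, lpol in sorted(local.items()):
        for rp, rpol in sorted(remote.items()):
            if all(lpol[k] == rpol[k] for k in MUST_MATCH):
                lifetime = min(int(lpol["lifetime"]), int(rpol["lifetime"]))
                matches.append((lp, rp, lifetime))
    return matches


def explain_mismatch(lpol, rpol):
    """Return {param: (local, remote)} for every parameter that differs."""
    return {k: (lpol[k], rpol[k]) for k in MUST_MATCH if lpol[k] != rpol[k]}


# Constructed sample configs (not the thread's). Policy 1 on IOS and policy 40
# on the ASA rely on defaults for some parameters.
IOS_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key s3cret address 0.0.0.0 0.0.0.0
"""

ASA_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 group 2
"""

if __name__ == "__main__":
    asa = parse_isakmp_policies(ASA_CONFIG, ASA_DEFAULTS)
    ios = parse_isakmp_policies(IOS_CONFIG, IOS_DEFAULTS)
    for lp, rp, lt in find_matching_policies(asa, ios):
        print(f"ASA policy {lp} matches IOS policy {rp}, lifetime {lt}s")
    for lp, lpol in sorted(asa.items()):
        for rp, rpol in sorted(ios.items()):
            diff = explain_mismatch(lpol, rpol)
            if diff:
                print(f"ASA {lp} vs IOS {rp}: {diff}")
```

Run against the constructed configs, only ASA policy 40 and IOS policy 10 agree, and they do so only because the parser supplied "hash sha" and the 86400 s lifetime that neither running config shows. IOS policy 1 looks close to ASA policy 30 on paper (both md5, pre-share), but once the IOS defaults are applied it is DES with DH group 1 and cannot match anything on the ASA side.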
06-25-2007 07:53 AM
... me again, just wanted to add a little comment.
I wouldn't have been able to solve this if I hadn't finally been given the debug output of the IOS router, where the "local-address" error was clearly pinned down.
I then have to say that the debug on the ASA side lacks (or hides) a lot of important information compared with the IOS platform.
Am I the only one thinking that, or perhaps is that due to my always too limited knowledge?
Thanks again, c u
Ivano