IKE notify messages

Unanswered Question
Mar 26th, 2009

Hi Guys,

I have a question that I just can't seem to find an answer for in any of my usual libraries.

Can someone tell me what the the following debug message is trying to tell me?

processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1

Now, to me, it says this router has received a Notify message from the peer advising that a Proposal has not been chosen. But my question is who hasn't chosen it? And what do they mean by proposal not chosen? Did this device not send any proposal or did the receiving device ignore the proposals sent?

I'd love some help on this one. The RFC is doing my head in.

TIA

Cheers

Scott

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a.alekseev Thu, 03/26/2009 - 02:19

Both peers cannot choose a proposal.

The proposal must match in both peers.

Scott Cannon Thu, 03/26/2009 - 03:44

Thanks for the prompt reply Aleksey.

Can you refer me to documentation supporting this?

The reason I ask is that when 2 (cisco) devices share proposals you can see the assessment of the proposal. It goes something like this:

ISAKMP (0:134217729): received packet from 10.0.0.2 dport500 sport 500 Global (I) QM_IDLE

ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1587827672

ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1587827672

ISAKMP:(0:1:SW:1):Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES

ISAKMP: attributes in transform:

ISAKMP: encaps is 1 (Tunnel)

ISAKMP: SA life type in seconds

ISAKMP: SA life duration (basic) of 120

ISAKMP: SA life type in kilobytes

ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

ISAKMP: authenticator is HMAC-MD5

ISAKMP:(0:1:SW:1):atts are acceptable.

In the scenario I'm experiencing, I get as far as processing the hash payload, it never looks a the SA payload. See the following debug extract:

ISAKMP (0:116): received packet from 10.1.1.1dport 500 sport 500 Global (I) QM_IDLE

ISAKMP: set new node 1138554522 to QM_IDLE

ISAKMP (0:116): processing HASH payload. message ID = 1138554522

ISAKMP (0:116): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 1

So, as I read it, a hash is sent for keying for the quick mode uni-directial SAs, however no security paramaters are received. To me it sounds like information isn't being sent.... almost like there is no 'match transform-set' statement on the crypto map.

Would anyone care to comment on my assessment or the issue in general?

Rgds

Scott

Actions

This Discussion