09-16-2010 01:48 PM - edited 02-21-2020 04:51 PM
I am trying to set up an IPsec VPN tunnel between a Cisco 1711 and Netgear FVS318 router/firewall. Phase 1 is establishing but Phase 2 is not. Debug output is provided below.
Netgear Settings:
Encryption: 3DES SHA-1 with Pre-share key, DH Group 2(1024 Bit), SA Lifetime 86400sec
ESP Configuration: 3DES SHA-1
Cisco Configuration:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ciscotest address REMOTE_IP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer REMOTE_IP
set transform-set vpn
match address 110
reverse-route
!
interface FastEthernet0
crypto map vpn
!
access-list 110 permit ip 10.50.50.0 0.0.0.255 172.16.0.0 0.0.0.255
Cisco Debug:
ISAKMP (0:268435457): received packet from REMOTE_IP dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -425808973 to QM_IDLE
ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -425808973
ISAKMP:(0:1:HW:2): processing SA payload. message ID = -425808973
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= WAN_IP, remote= REMOTE_IP,
local_proxy= 10.50.50.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Crypto mapdb : proxy_match
src addr : 10.50.50.0
dst addr : 172.16.0.0
protocol : 0
src port : 0
dst port : 0
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
{esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
ISAKMP: set new node -2125033073 to QM_IDLE
ISAKMP:(0:1:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2215118544, message ID = -2125033073
ISAKMP:(0:1:HW:2): sending packet to REMOTE_IP my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(0:1:HW:2):purging node -2125033073
ISAKMP:(0:1:HW:2):deleting node -425808973 error TRUE reason "QM rejected"
ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -425808973: state = IKE_QM_READY
ISAKMP:(0:1:HW:2):Node -425808973, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 16 10:43:44 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at REMOTE_IP
ISAKMP:(0:1:HW:2):purging node -425808973
09-16-2010 02:06 PM
Phase 2 is not matching.
Make sure you use ESP instead of AH.
no crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
Please try again after clearing the SAs.
Federico.
09-16-2010 02:16 PM
I just took out AH as you mentioned; unfortunately it still does not work.
09-16-2010 03:14 PM
Are you getting the same mismatch error in phase 2 after the change?
Is the netgear using Perfect Forward Secrecy setting on phase 2?
Federico.
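As an added illustration of the Phase 2 check Federico describes, and not code from this thread or from Cisco: the script below takes the peer's proposal exactly as IOS printed it in the debug above and compares it with a local transform-set line the way IPSEC(validate_transform_proposal) does. The debug text is copied from the post; the regexes and the keyword tables are my own assumptions about the debug wording.

```python
import re

# Constructed input: the Netgear's Phase 2 proposal as printed in the debug above.
PEER_PROPOSAL_DEBUG = """\
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: authenticator is HMAC-SHA
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
"""

# Debug wording -> keyword used in 'crypto ipsec transform-set' (ESP only, as on this page).
ENCR = {"ESP_3DES": "esp-3des", "ESP_DES": "esp-des", "ESP_AES": "esp-aes"}
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}


def parse_peer_proposal(debug_text):
    """Collect the transform keywords the peer proposed, e.g. {'esp-3des', 'esp-sha-hmac'}."""
    proposed = set()
    for line in debug_text.splitlines():
        m = re.search(r"transform \d+, (\S+)", line)
        if m:
            proposed.add(ENCR[m.group(1)])      # unknown names raise KeyError on purpose
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            proposed.add(AUTH[m.group(1)])
    return proposed


def local_transforms(transform_set_line):
    """'crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac' -> its transforms."""
    words = transform_set_line.split()
    return set(words[words.index("transform-set") + 2:])


def proposal_accepted(transform_set_line, debug_text):
    """IOS accepts a proposal only when protocols and algorithms agree exactly, so a
    local AH transform the peer never offered is rejected with PROPOSAL_NOT_CHOSEN."""
    return local_transforms(transform_set_line) == parse_peer_proposal(debug_text)


def explain(transform_set_line, debug_text):
    """Human-readable reason, useful when reading a debug like the one in this thread."""
    local, peer = local_transforms(transform_set_line), parse_peer_proposal(debug_text)
    extra, missing = sorted(local - peer), sorted(peer - local)
    if not extra and not missing:
        return "match"
    return "mismatch: local-only %s, peer-only %s" % (extra, missing)
```

The PFS question in the last reply is a separate check that this script does not cover: a `set pfs` group in the crypto map has to agree with what the peer proposes, in addition to the transform match.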