IPsec VPN Problems Between Cisco 1711 & Netgear

shamimakhtar · ‎09-16-2010

I am trying to set up an IPsec VPN tunnel between a Cisco 1711 and Netgear FVS318 router/firewall. Phase1 is establishing but Phase2 is not. Debug output is provided below.

Netgear Settings:

Encryption: 3DES SHA-1 with Pre-share key, DH Group 2(1024 Bit), SA Lifetime 86400sec

ESP Configuration: 3DES SHA-1

Cisco Configuration:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ciscotest address REMOTE_IP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer REMOTE_IP
set transform-set vpn
match address 110
reverse-route
!
interface FastEthernet0
crypto map vpn
!
access-list 110 permit ip 10.50.50.0 0.0.0.255 172.16.0.0 0.0.0.255

Cisco Debug:

ISAKMP (0:268435457): received packet from REMOTE_IP dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -425808973 to QM_IDLE
ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -425808973
ISAKMP:(0:1:HW:2): processing SA payload. message ID = -425808973
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= WAN_IP, remote= REMOTE_IP,
    local_proxy= 10.50.50.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Crypto mapdb : proxy_match
        src addr     : 10.50.50.0
        dst addr     : 172.16.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
ISAKMP: set new node -2125033073 to QM_IDLE
ISAKMP:(0:1:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215118544, message ID = -2125033073
ISAKMP:(0:1:HW:2): sending packet to REMOTE_IP my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(0:1:HW:2):purging node -2125033073
ISAKMP:(0:1:HW:2):deleting node -425808973 error TRUE reason "QM rejected"
ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH: for node -425808973: state = IKE_QM_READY
ISAKMP:(0:1:HW:2):Node -425808973, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY New State = IKE_QM_READY
Sep 16 10:43:44 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at REMOTE_IP

ISAKMP:(0:1:HW:2):purging node -425808973

Federico Coto Fajardo · ‎09-16-2010

Phase 2 is not matching.

Make sure you use ESP instead of AH.

no crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

Please try again after clearing the SAs.

Federico.

shamimakhtar · ‎09-16-2010

i just took out AH as you mentioned, unfortunately it still does not work.

Federico Coto Fajardo · ‎09-16-2010

Are you getting the same mismatch error in phase 2 after the change?

Is the netgear using Perfect Forward Secrecy setting on phase 2?

Federico.