09-16-2010 06:25 PM
I am trying to connect 2 locations with a VPN tunnel, a Cisco 1941 and a Nortel 2700. I can't get them to connect. The Nortel rejects the connection with the error <no proposal chosen>. The 2700 is at the main location and the 1941 is at the remote location. I want the Cisco to be the initiator and nailed up. Here is a copy of my config.
license udi pid CISCO1941/K9 sn FTX1435808A
!
!
username admin privilege 15 secret 5 $1$57OK$Rpl8X77/lH4nl49WgU4fe.
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 1800
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 5
crypto isakmp key testrules address 1.2.3.4
!
!
crypto ipsec transform-set testset esp-aes esp-sha-hmac
!
crypto map aptmap 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set testset
match address 110
!
!
!
!
!
interface GigabitEthernet0/0
description GE 0/0
ip address 2.2.2.2 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map unitedmap
!
!
interface GigabitEthernet0/1
ip address 3.3.3.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool local 6.6.6.192 6.6.6.254 prefix-length 26
ip nat inside source route-map coke pool local
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 3.0.0.0 255.255.255.0 3.3.3.1
!
access-list 1 permit 3.0.0.0 0.255.255.255.0
access-list 110 permit ip 6.6.6.192 255.255.255.192 8.8.0.0 0.0.255.255
!
!
!
!
route-map local permit 10
match ip address 1
match interface GigabitEthernet0/0
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Thanks for any help with this.
09-16-2010 06:37 PM
The crypto map that has been created is named "aptmap", however, the crypto map assigned to the outside interface (g0/0) is "unitedmap".
Please also run debug on the 1941 router to see where it's failing, and if you can also share the corresponding Nortel configuration to see if it matches, that would be great.
Debug on 1941 to run:
debug cry isa
debug cry ipsec
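An added, constructed config-lint example (not the poster's config tooling or anything from Cisco): it scans a config excerpt for object names that are referenced but never defined, which is exactly the aptmap/unitedmap mismatch spotted above. The sample config is the poster's excerpt with the same masked addresses, and the regexes only cover the object kinds that excerpt uses.

```python
import re

# Constructed sample: the relevant lines of the poster's config, addresses
# left masked exactly as posted (indentation was lost in the paste, so the
# regexes below do not rely on it).
CONFIG = """\
crypto isakmp key testrules address 1.2.3.4
crypto ipsec transform-set testset esp-aes esp-sha-hmac
crypto map aptmap 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set testset
match address 110
interface GigabitEthernet0/0
ip nat outside
crypto map unitedmap
ip nat pool local 6.6.6.192 6.6.6.254 prefix-length 26
ip nat inside source route-map coke pool local
access-list 1 permit 3.0.0.0 0.255.255.255.0
access-list 110 permit ip 6.6.6.192 255.255.255.192 8.8.0.0 0.0.255.255
route-map local permit 10
match ip address 1
"""

# Per object kind: (regex that defines a name, regex that references one).
# Definition regexes are anchored with re.match, references use re.search.
RULES = {
    "crypto map":    (r"^crypto map (\S+) \d+",             r"^\s*crypto map (\S+)\s*$"),
    "transform-set": (r"^crypto ipsec transform-set (\S+)", r"^\s*set transform-set (\S+)"),
    "access-list":   (r"^(?:access-list (\d+)|ip access-list \S+ (\S+))",
                      r"^\s*match (?:address|ip address) (\S+)"),
    "route-map":     (r"^route-map (\S+)",                  r"\broute-map (\S+) pool\b"),
    "nat pool":      (r"^ip nat pool (\S+)",                r"\bpool (\S+)\s*$"),
}

def dangling_references(config):
    """Return {kind: sorted names that are referenced but never defined}."""
    report = {}
    for kind, (defn, ref) in RULES.items():
        defined, referenced = set(), set()
        for line in config.splitlines():
            m = re.match(defn, line)
            if m:
                defined.add(next(g for g in m.groups() if g))  # first non-empty group
            m = re.search(ref, line)
            if m:
                referenced.add(m.group(1))
        missing = sorted(referenced - defined)
        if missing:
            report[kind] = missing
    return report

if __name__ == "__main__":
    print(dangling_references(CONFIG))
```

Besides the crypto map name, the same scan shows the NAT statement pointing at route-map "coke" while the only route-map defined is "local".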
09-16-2010 06:43 PM
halijenn is right. Verify the name of the crypto map as well.
09-17-2010 08:58 AM
Thanks, I've corrected the crypto map and here is the debug of ipsec and isa.
*Sep 17 13:19:59.187: ISAKMP (0): received packet from
*Sep 17 13:19:59.187: ISAKMP: Created a peer struct for
*Sep 17 13:19:59.187: ISAKMP: New peer created peer = 0x311C5E60 peer_handle = 0x80000003
*Sep 17 13:19:59.187: ISAKMP: Locking peer struct 0x311C5E60, refcount 1 for crypto_isakmp_process_block
*Sep 17 13:19:59.187: ISAKMP: local port 500, remote port 500
*Sep 17 13:19:59.187: ISAKMP:(0):insert sa successfully sa = 26D047BC
*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Sep 17 13:19:59.187: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 17 13:19:59.187: ISAKMP:(0):found peer pre-shared key matching
*Sep 17 13:19:59.187: ISAKMP:(0): local preshared key found
*Sep 17 13:19:59.187: ISAKMP : Scanning profiles for xauth ...
*Sep 17 13:19:59.187: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 17 13:19:59.187: ISAKMP: encryption 3DES-CBC
*Sep 17 13:19:59.187: ISAKMP: hash SHA
*Sep 17 13:19:59.187: ISAKMP: auth pre-share
*Sep 17 13:19:59.187: ISAKMP: default group 2
*Sep 17 13:19:59.187: ISAKMP:(0):Lifetime type not found in proposal. Using configured lifetime instead.
*Sep 17 13:19:59.187: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 17 13:19:59.187: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 17 13:19:59.187: ISAKMP:(0):Acceptable atts:life: 1800
*Sep 17 13:19:59.187: ISAKMP:(0):Returning Actual lifetime: 1800
*Sep 17 13:19:59.187: ISAKMP:(0)::Started lifetime timer: 1800.
*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Sep 17 13:19:59.187: ISAKMP:(0): sending packet to
*Sep 17 13:19:59.187: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Sep 17 13:19:59.331: ISAKMP (0): received packet from
*Sep 17 13:19:59.331: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.331: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Sep 17 13:19:59.331: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 17 13:19:59.359: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 17 13:19:59.359: ISAKMP:(0):found peer pre-shared key matching
*Sep 17 13:19:59.359: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.359: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Sep 17 13:19:59.359: ISAKMP:(1002): sending packet to
*Sep 17 13:19:59.359: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.359: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.359: ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Sep 17 13:19:59.443: ISAKMP (1002): received packet from
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Sep 17 13:19:59.443: ISAKMP:(1002): processing ID payload. message ID = 0
*Sep 17 13:19:59.443: ISAKMP (1002): ID payload
next-payload : 8
type : 1
address :
protocol : 0
port : 0
length : 12
*Sep 17 13:19:59.443: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 17 13:19:59.443: ISAKMP:(1002): processing HASH payload. message ID = 0
*Sep 17 13:19:59.443: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 26D047BC
*Sep 17 13:19:59.443: ISAKMP:(1002):SA authentication status:
authenticated
*Sep 17 13:19:59.443: ISAKMP:(1002):SA has been authenticated with
*Sep 17 13:19:59.443: ISAKMP:(1002):SA authentication status:
authenticated
*Sep 17 13:19:59.443: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local
*Sep 17 13:19:59.443: ISAKMP: Trying to insert a peer
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Sep 17 13:19:59.443: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 17 13:19:59.443: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 17 13:19:59.443: ISAKMP (1002): ID payload
next-payload : 8
type : 1
address :
protocol : 17
port : 500
length : 12
*Sep 17 13:19:59.443: ISAKMP:(1002):Total payload length: 12
*Sep 17 13:19:59.443: ISAKMP:(1002): sending packet to
*Sep 17 13:19:59.443: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Sep 17 13:20:06.563: ISAKMP (1002): received packet from
*Sep 17 13:20:06.563: ISAKMP: set new node 988593670 to QM_IDLE
*Sep 17 13:20:06.563: ISAKMP:(1002): processing HASH payload. message ID = 988593670
*Sep 17 13:20:06.563: ISAKMP:(1002): processing SA payload. message ID = 988593670
*Sep 17 13:20:06.563: ISAKMP:(1002):Checking IPSec proposal 1
*Sep 17 13:20:06.563: ISAKMP: transform 1, ESP_3DES
*Sep 17 13:20:06.563: ISAKMP: attributes in transform:
*Sep 17 13:20:06.563: ISAKMP: authenticator is HMAC-SHA
*Sep 17 13:20:06.563: ISAKMP: encaps is 1 (Tunnel)
*Sep 17 13:20:06.563: ISAKMP: group is 2
*Sep 17 13:20:06.563: ISAKMP: SA life type in seconds
*Sep 17 13:20:06.563: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 17 13:20:06.563: ISAKMP:(1002):atts are acceptable.
*Sep 17 13:20:06.563: ISAKMP:(1002):Checking IPSec proposal 1
*Sep 17 13:20:06.563: ISAKMP: transform 2, ESP_3DES
*Sep 17 13:20:06.563: ISAKMP: attributes in transform:
*Sep 17 13:20:06.563: ISAKMP: authenticator is HMAC-MD5
*Sep 17 13:20:06.563: ISAKMP: encaps is 1 (Tunnel)
*Sep 17 13:20:06.563: ISAKMP: group is 2
*Sep 17 13:20:06.563: ISAKMP: SA life type in seconds
*Sep 17 13:20:06.563: ISAKMP: SA life duration (VPI) of 0x0 0x0 0x70 0x80
*Sep 17 13:20:06.563: ISAKMP:(1002):atts are acceptable.
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local=
local_proxy= 161.162.12.192/255.255.255.192/0/0 (type=4),
remote_proxy= 151.162.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
src addr : 161.162.12.192
dst addr : 151.162.0.0
protocol : 0
src port : 0
dst port : 0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
src addr : 161.162.12.192
dst addr : 151.162.0.0
protocol : 0
src port : 0
dst port : 0
*Sep 17 13:20:06.563: map_db_find_best did not find matching map
*Sep 17 13:20:06.563: IPSEC(ipsec_process_proposal): proxy identities not supported
*Sep 17 13:20:06.563: ISAKMP:(1002): IPSec policy invalidated proposal with error 32
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1,
09-17-2010 09:06 AM
Hey,
Looks like phase1 is coming up just fine. Problem seems to be when the router is trying to match the configured crypto maps:
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
src addr : 161.162.12.192
dst addr : 151.162.0.0
protocol : 0
src port : 0
dst port : 0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
src addr : 161.162.12.192
dst addr : 151.162.0.0
protocol : 0
src port : 0
dst port : 0
*Sep 17 13:20:06.563: map_db_find_best did not find matching map
*Sep 17 13:20:06.563: IPSEC(ipsec_process_proposal): proxy identities not supported
Can you paste the output of "show crypto map" or a "show run | sec crypto" with masked IP addresses as necessary from this router?
Regards,
Prapanch
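An added example (not from any of the posters) of checking the quick-mode proxy identities in the debug against a crypto ACL entry, which is what "proxy identities not supported" is about. It assumes the usual IOS mapping (ACL source = the router's own side = local_proxy, ACL destination = the peer's side = remote_proxy) and treats a proposal as acceptable when each proposed identity falls inside the corresponding side of the entry; the addresses in the poster's ACL and debug were masked differently, so the inputs below are a constructed sample built from both.

```python
import ipaddress
import re

# Constructed sample: the crypto ACL entry as it appears in the poster's
# config, and the proxy identities from the validate_proposal_request lines.
ACE = "access-list 110 permit ip 6.6.6.192 255.255.255.192 8.8.0.0 0.0.255.255"
LOCAL_PROXY = "161.162.12.192/255.255.255.192"   # local_proxy= in the debug
REMOTE_PROXY = "151.162.0.0/255.255.0.0"         # remote_proxy= in the debug

ACE_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<swc>\S+)\s+(?P<dst>\S+)\s+(?P<dwc>\S+)")

def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network.  Returns None when
    the wildcard is not a contiguous run of low-order ones, which is what a
    subnet mask typed where a wildcard belongs (255.255.255.192) looks like."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):                        # set bits are not all low-order
        return None
    prefix = 33 - (wc + 1).bit_length()      # 0.0.0.63 -> /26, 0.0.255.255 -> /16
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def check_proxy_ids(ace, local_proxy, remote_proxy):
    """Explain why the router would, or would not, find a crypto map entry for
    the identities in a peer's quick-mode proposal.  Each proposed identity
    must fall inside the matching side of the ACE.  Empty list == match."""
    m = ACE_RE.match(ace)
    if not m:
        return [f"cannot parse ACE: {ace}"]
    local = ipaddress.ip_network(local_proxy)
    remote = ipaddress.ip_network(remote_proxy)
    findings = []
    for side, proposed, addr, wc in (("source", local, m["src"], m["swc"]),
                                     ("destination", remote, m["dst"], m["dwc"])):
        net = wildcard_to_network(addr, wc)
        if net is None:
            findings.append(f"{side} wildcard {wc} is not contiguous; "
                            "subnet mask used where a wildcard belongs?")
        elif not proposed.subnet_of(net):
            findings.append(f"proposed {side} {proposed} is outside ACE {side} {net}")
    return findings

if __name__ == "__main__":
    for finding in check_proxy_ids(ACE, LOCAL_PROXY, REMOTE_PROXY) or ["match"]:
        print(finding)
```

Running it on the entry as posted reports the 255.255.255.192 wildcard; rewriting the entry with 0.0.0.63 and the networks the debug shows gives an empty list.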
09-16-2010 06:41 PM
Based on this config
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 1800
You are using the Cisco router default hash (md5 I think)? Is it the same in your 2700 sh1t?
Please post the debug crypto isakmp.