IPSec VPN Issue

Dears,

I'm just configuring an IPsec site-to-site VPN. I have many sites in the same router and all are working except one.

For all IPsec tunnels my ISAKMP encryption and hash are as given in policy 1. But for this particular site they are as mentioned in policy 2.

The branch not working is using the parameters used in policy 2. How can I ensure that specific branch is using policy 2? Below is the debug for my VPN tunnel.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 512
 authentication pre-share
 group 2

:07:43.101: ISAKMP:(0:11:SW:1):SA has been authenticated with 56.5.4.6

Feb 25 06:07:43.101: ISAKMP: Trying to insert a peer 152.86.90.129/56.5.4.6/500/,  and inserted successfully 63CE2DE4.

Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):beginning Quick Mode exchange, M-ID of -1841673445

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Node -1841673445, Input = IKE_MESG_INTERNAL, IKE_INIT_QM

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE

Feb 25 06:07:43.121: ISAKMP: set new node -1459554599 to QM_IDLE

Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = -1459554599

Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 0, message ID = -1459554599, sa = 63C68AF8

Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "Informational (in) state 1"

Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE

Feb 25 06:07:43.125: ISAKMP: set new node -235856768 to QM_IDLE

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = 235856768

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing DELETE payload. message ID = -235856768

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):peer does not do paranoid keepalives.

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 56.5.4.6)

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "Informational (in) state 1"

Feb 25 06:07:43.125: ISAKMP: set new node -212410468 to QM_IDLE

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE

Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):purging node -212410468

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 56.5.4.6)

Feb 25 06:07:43.129: ISAKMP: Unlocking IKE struct 0x63CE2DE4 for isadb_mark_sa_deleted(), count 0

Feb 25 06:07:43.129: ISAKMP: Deleting peer node by peer_reap for 56.5.4.6:63CE2DE4

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1841673445 error FALSE reason "IKE deleted"

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "IKE deleted"

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "IKE deleted"

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Feb 25 06:08:02.735: ISAKMP:(0:10:SW:1):purging node -39846581

Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 324814776

Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 958416367

6 REPLIES

IPSec VPN Issue

Looks like you got notify message 14 "PROPOSAL_NOT_CHOSEN" during phase 2.  Compare your phase 2 attributes with the peer.

IPSec VPN Issue

Hello Haris,

The branch not working is using the parameters used in policy 2. How can I ensure that specific branch is using policy 2? Below is the debug for my VPN tunnel.

Each VPN endpoint initiating the connection will send all of its ISAKMP policies until a match happens, so if branch two also has ISAKMP policy one, that would be a match and they will use that one, as the first match is the one used.

Regards.

Do rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

IPSec VPN Issue

It's not a phase 1 issue. Notify message 14 "NO_PROPOSAL_CHOSEN" can be used in both phase 1 and phase 2. In this case you can see that phase 1 has completed and the notify message was received during quick mode. I would first check the phase 2 transform set and then the proxy ID (subnet) info, as the INVALID_ID_INFO notify message isn't always used for host/subnet incompatibilities.
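
The reading of the debug described in this reply, as an added example that is not part of the original thread: a NOTIFY is attributed to phase 2 only if the same SA has already reached IKE_P1_COMPLETE. The helper name `classify_notifies` and the advice strings are assumptions; the sample lines are excerpted from the debug output in the original post.

```python
import re

# Lines excerpted from the debug output in the original post.
SAMPLE = """\
Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):beginning Quick Mode exchange, M-ID of -1841673445
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing DELETE payload. message ID = -235856768
"""

# IPsec DOI protocol IDs (RFC 2407) carried in the NOTIFY payload.
PROTOCOLS = {"1": "ISAKMP", "2": "AH", "3": "ESP"}

STATE = re.compile(r"ISAKMP:\((?P<sa>[^)]+)\):\s*Old State = \S+\s+New State = (?P<new>\S+)")
NOTIFY = re.compile(r"ISAKMP:\((?P<sa>[^)]+)\):\s*processing NOTIFY (?P<type>\S+) protocol (?P<proto>\d+)")

# Where to look first, following the replies in the thread.
ADVICE = {
    1: "compare the ISAKMP policy (encryption, hash, DH group) with the peer",
    2: "compare the transform set, then the proxy IDs, with the peer",
}

def classify_notifies(log_text):
    """Tag each NOTIFY with the IKE phase it arrived in (hypothetical helper)."""
    p1_done = set()  # SAs whose state machine has reached IKE_P1_COMPLETE
    findings = []
    for line in log_text.splitlines():
        state = STATE.search(line)
        if state:
            if state["new"] == "IKE_P1_COMPLETE":
                p1_done.add(state["sa"])
            elif state["new"] == "IKE_DEST_SA":
                p1_done.discard(state["sa"])  # SA torn down, forget it
            continue
        notify = NOTIFY.search(line)
        if notify:
            phase = 2 if notify["sa"] in p1_done else 1
            findings.append({
                "sa": notify["sa"],
                "notify": notify["type"],
                "protocol": PROTOCOLS.get(notify["proto"], notify["proto"]),
                "phase": phase,
                "advice": ADVICE[phase],
            })
    return findings

if __name__ == "__main__":
    for finding in classify_notifies(SAMPLE):
        print(finding)
```
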

IPSec VPN Issue

Hello Patrick,

When did I say it was a phase one issue?????????

I just answered one of his questions!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: IPSec VPN Issue

It was a phase 2 problem, and after changing the transform set it worked fine.

Thanks


IPSec VPN Issue

Hi Julio,

Wasn't trying to argue with you, just trying to emphasize that the issue is not with phase 1. Your response was correct.

-Patrick
