ASA to IOS: strange error in phase 2

isautospa
Level 1

Hi all,

I am facing a problem trying to establish a tunnel with one of our suppliers.

Their side is terminated on an IOS router of currently unknown type and version (should be 12.2 - 12.4), my side is an ASA 7.2(2); configurations are attached (at least the snippet of the IOS config I was sent).

Apparently Phase 1 completes correctly but P2 fails with "Received non-routine Notify message: No proposal chosen (14)", I also attach debug from ASA with " debug crypto isakmp 129" and "debug crypto ipsec 129".

I double checked transform sets and IKE policies.

BTW I never had to use static NAT AND IPSec as here (I was asked to do so by the other side). I have found a few config examples on that (to solve overlapping networks); I hope it is possible with the ASA o.s. too.

Many thanx in advance...

Ivano

5 Replies

Jon Marshall
Hall of Fame

Hi

In my experience IPSEC phase 2 fails for one of two reasons

1) Incorrect settings, i.e. the encryption algorithms, lifetimes etc.

2) The local and remote subnets as defined in the crypto map access-lists are different.

2) looks okay from the configs.

Could you

1) Get a debug output from the customer on their side, or alternatively get them to initiate the connection and send a debug.

2) Before doing that, could you explicitly set up PFS under phase 2 on both the ASA and the IOS. Each device is using its default setting for PFS and they may be different.

HTH

Jon

Hi Jon,

too bad we are the "customer side", so I have close to no control over the IOS router config.

Anyway I inserted explicit parameters for pfs and requested them to adapt and send back a debug output.

I will post results asap.

Thanks a lot

Ivano

Not an expert but just had similar problem: in your ASA you have:

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

and in IOS you have:

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600

( no encryption and no DH group )

also couldn't work out what this refers to (may be a knowledge gap):

match address ip-isauto

I would have thought this should refer to an access list.

I don't know if any of this will help but hope you find the problem. regards, sean.

Hi Sean and thanks for replying,

parameters that take default values don't show up in "show running-config", so that's why you can't find the DH group and encryption in the IOS ISAKMP policy; anyway they matched.

BTW exactly last Friday 22/06 we found what was blocking P2 to complete.

On the IOS router they have stated:

crypto map MAPNAME local-address Loopback0

which I understand uses the Loopback0 address as the identity in the IPSec SA; too bad that in some other place of the configuration they never showed me they had put:

interface Loopback0
 no ip address

That, without any experience, sounded very strange to me, so I asked them to remove the former statement (crypto map .... local-address) and voilà, IPSec SA ok and VPN traffic flowing, of course using the physical interfaces' IP addresses as IPSec identities.

It remains the question of why other (IOS based) peers were working correctly (and still are!) with that router, totally regardless of the guilty piece of config....

Anyway, thanks to everybody who helped.

Greetings from Italy

Ivano
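As an added example (constructed here, not code from this thread or from Cisco), the following Python lint applies the three checks that came up in the discussion: it fills in the ISAKMP attributes that "show running-config" hides (Sean's comparison and the reply about defaults), reports which phase-1 policies of the two peers can actually agree, checks that the two crypto ACLs mirror each other (Jon's reason 2), and flags a crypto map local-address interface that carries "no ip address" (the root cause found above). The two sample configurations and the IOS 12.x / ASA 7.x default tables are assumptions and must be checked against the versions actually in use; address ranges are documentation prefixes.

```python
"""Constructed lint for an IKEv1 site-to-site pair: hidden ISAKMP defaults,
mirrored crypto ACLs, and a crypto-map local-address with no IP address."""
import ipaddress
import re

# Assumed platform defaults for attributes that 'show running-config' omits
# (classic IOS 12.x and ASA 7.x); verify against the running release.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}
STRICT = ("encryption", "hash", "authentication", "group")  # lifetime is negotiated down instead

# Constructed sample configs (not the thread's attachments); policy 1 on the
# IOS side relies on defaults that only become visible once filled in.
ASA_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
access-list ip-supplier extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
"""
IOS_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp policy 2
 encryption 3des
 hash md5
 authentication pre-share
 group 2
interface Loopback0
 no ip address
ip access-list extended ip-asa
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip 198.51.100.0 0.0.0.255 host 192.0.2.200
crypto map SUPPLIER local-address Loopback0
"""


def parse_isakmp_policies(config, defaults):
    """Map policy number -> attributes, starting each policy from the platform defaults."""
    policies, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(defaults)
            policies[int(m.group(1))] = current
        elif current is not None and line:
            parts = line.split()
            if len(parts) == 2 and parts[0] in current:
                current[parts[0]] = parts[1]
            else:
                current = None  # any other command ends the policy block
    return policies


def compatible_policies(local, remote):
    """(local_id, remote_id, negotiated lifetime) for each pair agreeing on STRICT attributes."""
    out = []
    for lid, lp in sorted(local.items()):
        for rid, rp in sorted(remote.items()):
            if all(lp[k] == rp[k] for k in STRICT):
                out.append((lid, rid, min(int(lp["lifetime"]), int(rp["lifetime"]))))
    return out


def _network(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' (netmask or wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config, name):
    """Set of (src, dst) networks from an ASA 'access-list NAME extended permit ip'
    line or from 'permit ip' entries under an IOS 'ip access-list extended NAME'."""
    pairs, in_block = set(), False
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:3] == ["ip", "access-list", "extended"]:
            in_block = tokens[3] == name
            continue
        if not raw[0].isspace():
            in_block = False
        if tokens[:5] == ["access-list", name, "extended", "permit", "ip"]:
            i = 5
        elif in_block and tokens[:2] == ["permit", "ip"]:
            i = 2
        else:
            continue
        src, i = _network(tokens, i)
        dst, _ = _network(tokens, i)
        pairs.add((src, dst))
    return pairs


def acl_mirror_gaps(local_pairs, remote_pairs):
    """Entries each side still needs for the proxy IDs to mirror: (missing on remote, missing on local)."""
    missing_remote = sorted(f"{d} -> {s}" for s, d in local_pairs if (d, s) not in remote_pairs)
    missing_local = sorted(f"{d} -> {s}" for s, d in remote_pairs if (d, s) not in local_pairs)
    return missing_remote, missing_local


def local_address_without_ip(config):
    """Interfaces named in 'crypto map X local-address IF' whose block carries 'no ip address'."""
    bad = []
    for name in sorted(set(re.findall(r"^crypto map \S+ local-address (\S+)", config, re.M))):
        block = re.search(rf"^interface {re.escape(name)}\s*\n((?:[ \t]+.*\n?)*)", config, re.M | re.I)
        if block and re.search(r"^\s*no ip address\s*$", block.group(1), re.M):
            bad.append(name)
    return bad


if __name__ == "__main__":
    asa, ios = parse_isakmp_policies(ASA_CONFIG, ASA_DEFAULTS), parse_isakmp_policies(IOS_CONFIG, IOS_DEFAULTS)
    print("phase 1 pairs:", compatible_policies(asa, ios))
    print("ACL gaps:", acl_mirror_gaps(parse_crypto_acl(ASA_CONFIG, "ip-supplier"), parse_crypto_acl(IOS_CONFIG, "ip-asa")))
    print("dead local-address:", local_address_without_ip(IOS_CONFIG))
```

With the sample input only ASA policy 30 and IOS policy 2 can agree; IOS policy 1 matches nothing once its hidden "encryption des" and "group 1" are filled in, which is exactly what a side-by-side reading of the running configs would miss. The ACL check reports the extra host entry the IOS side has without a mirror on the ASA, and the local-address check names Loopback0.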

... me again, just wanted to add a little comment.

I wouldn't have been able to solve this if I weren't finally given the debug output of the IOS router where the "local-address" error was clearly pinned.

I then have to say that the debug of the ASA side lacks (or hides) a lot of important information with respect to the IOS platform.

Am I the only one thinking that, or perhaps is that due to my always too limited knowledge?

Thanks again, c u

Ivano
