Community Member

MS CA VPN PIX (NO_PROPOSAL_CHOSEN)

I'm using a stand-alone MS CA server to issue certificates. I've already installed the SCEP add-on on Windows and there's connectivity between the PIX and the MS CA.

----sh ca cert output---

CA Certificate
Status: Available
Certificate Serial Number: 02c50c2f5832d9964ef6eb5f4ea988d6
Key Usage: Signature
CN = pc-jeff
OU = Company
O = Company
L = SP
ST = SP
C = BR
EA =<16> helpdesk@company.com
Validity Date:
start date: 09:43:12 BRST Nov 4 2003

------------------

I've already enrolled a VPN client with a certificate from this MS CA according to the http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a008009468a.shtml documentation, very usable.

But every time I try to establish a VPN connection between the VPN Client and the PIX (rsa-sig), the IKE negotiation does not work... with a (NOTIFY:NO_PROPOSAL_CHOSEN) message in the VPN Client log viewer.

--------Vpn Configuration---

crypto ipsec transform-set certset esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
vpngroup vpncert address-pool ippool2
vpngroup vpncert idle-time 1800
vpngroup vpncert password ********
ca identity pc-jeff 10.10.10.230:/certsrv/mscep/mscep.dll
ca configure pc-jeff ra 1 5 crloptional

-------------------------------

Obs: with pre-share the VPN works fine.

I'd appreciate anyone who can help me with this problem...

Jefferson

1 ACCEPTED SOLUTION
Community Member

Re: MS CA VPN PIX (NO_PROPOSAL_CHOSEN)

Create a separate policy using Group 2; the software client cannot use Group 1.

i.e.

isakmp identity address

You may need to change this to 'isakmp identity hostname'.

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Try this first; there may also be a problem using 'isakmp identity address' instead of 'isakmp identity hostname'.

I have info on my site about configuring Microsoft SCEP, CA, and Cisco routers that may be of interest to you:

http://www.geocities.com/dgarnett2002/infoarch.html
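The accepted answer's point is a phase-1 matching failure: the PIX only offers DH group 1, the software client only proposes group 2, and the responder answers NO_PROPOSAL_CHOSEN because no local policy lines up with any client proposal. The following Python, added here as an illustration and not taken from the thread or from Cisco, parses PIX-style `isakmp policy` lines (the ones quoted above) and runs a simplified version of that matching rule against a constructed client proposal list. The PIX default values for unset attributes and the exact transforms the client offers are assumptions, labelled in the code.

```python
import re
from collections import defaultdict

# Assumed PIX defaults for attributes an `isakmp policy` line leaves unset
# (treat these values as an assumption for this example).
PIX_POLICY_DEFAULTS = {
    "authentication": "rsa-sig",
    "encryption": "des",
    "hash": "sha",
    "group": "1",
    "lifetime": "86400",
}

POLICY_RE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$"
)

# Phase-1 attributes that must match exactly for a proposal to be accepted.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} from PIX-style `isakmp policy` lines.

    Non-policy lines are ignored, so a whole running-config excerpt can be fed
    in. Attributes a policy does not set receive the assumed defaults.
    """
    found = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            priority, attr, value = m.groups()
            found[int(priority)][attr] = value
    return {p: {**PIX_POLICY_DEFAULTS, **attrs} for p, attrs in sorted(found.items())}


def select_proposal(policies, client_proposals):
    """Simplified responder logic: walk local policies in priority order and
    accept the first client proposal whose auth/enc/hash/group all match.

    Lifetime is deliberately not compared: peers settle on the shorter value
    instead of failing, so it is not what produces NO_PROPOSAL_CHOSEN.
    Returns (priority, proposal), or None for the NO_PROPOSAL_CHOSEN case.
    """
    for priority, policy in policies.items():
        for proposal in client_proposals:
            if all(policy[k] == proposal[k] for k in MATCH_KEYS):
                return priority, proposal
    return None


def explain_mismatch(policies, client_proposals):
    """Troubleshooting aid: for each local policy, list the attributes that
    differ from the closest client proposal (the one with fewest differences)."""
    report = {}
    for priority, policy in policies.items():
        best = min(
            client_proposals,
            key=lambda prop: sum(policy[k] != prop[k] for k in MATCH_KEYS),
        )
        report[priority] = sorted(k for k in MATCH_KEYS if policy[k] != best[k])
    return report


# The poster's original phase-1 policy, as quoted in the thread.
ORIGINAL_CONFIG = """
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""

# The accepted answer's suggestion: keep policy 10 and add a group 2 policy.
FIXED_CONFIG = ORIGINAL_CONFIG + """
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed client proposal set: a software client that, as the accepted
# answer states, only offers DH group 2. The exact transforms are assumed.
CLIENT_PROPOSALS = [
    {"authentication": "rsa-sig", "encryption": "3des", "hash": "sha", "group": "2"},
    {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "2"},
    {"authentication": "rsa-sig", "encryption": "des", "hash": "md5", "group": "2"},
]

if __name__ == "__main__":
    before = parse_isakmp_policies(ORIGINAL_CONFIG)
    print("original:", select_proposal(before, CLIENT_PROPOSALS),
          explain_mismatch(before, CLIENT_PROPOSALS))
    after = parse_isakmp_policies(FIXED_CONFIG)
    print("fixed:", select_proposal(after, CLIENT_PROPOSALS))
```

Run against the original config the matcher returns None and the mismatch report points at `group` alone, which is exactly the accepted answer's diagnosis; with policy 20 added, the client's des/sha/group 2 proposal is accepted at priority 20. The same helper can be pointed at any `show run` excerpt and a proposal list taken from a client debug to narrow a NO_PROPOSAL_CHOSEN down to the single attribute that differs.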

2 REPLIES
Community Member

Re: MS CA VPN PIX (NO_PROPOSAL_CHOSEN)

I've followed the recommendation, but unfortunately the problem persists...

---------------------------

crypto ipsec transform-set certset esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication radiusserver
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpncert address-pool ippool2
vpngroup vpncert idle-time 1800
vpngroup vpncert password ********
ca identity ronie-ca 10.10.10.177:/certsrv/mscep/mscep.dll
ca configure ronie-ca ra 1 20 crloptional

------------------------

As a workaround I've updated the VPN Client to 4.0.2, and in the log window the following error message appears:

... IKE/0xE3000099 Invalid SPI size (PayloadNotify:116)

and I can't establish the VPN tunnel...

Regards,

Jefferson

PS: The website was very usable.
