
tom
New Member

Phase 1 tunnel not completing - strange errors

First, let me say I am VERY new to Cisco firewalls. I am not really very well versed with IPSec tunnels either, so I apologize if I sound like a boob. I sure could use some help here - Cisco TAC has done all they can and my counterpart is far from cooperative.

Now for my issue:

I am configuring an ASA-5515-X to talk with a Juniper firewall (sorry, I do not know the model). I have been through the configuration tons of times and I cannot find an issue. Here is the output from the Juniper setup:

Part I – IKE Phase1

show security ike

proposal ecfo-ike-p1-prop {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
}

policy ecfo-pri-ike-p1-policy {
    mode main;
    proposals ike-phase1-proposal;
    pre-shared-key ascii-text "$9$2.4ZjHkPz39kqPQFnu0"; ## SECRET-DATA
}

gateway ecfo-gw-1 {
    ike-policy new-pri-ike-p1-policy;
    address xx.xx.xx.xx;
    dead-peer-detection;
    no-nat-traversal;
    local-identity inet 10.96.66.252;
    remote-identity inet xx.xx.xx.xx;
    external-interface vlan.436;
    general-ikeid;
    inactive: version v2-only;
}

I swear I have my router set up the same, but I must not. I keep getting "No Proposal Chosen" errors. In looking at the log I get:

Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2

Could someone please tell me what I am doing wrong?

I would be happy to post my configuration - sadly I am not well versed in the CLI nor do I know exactly what you would want.  Here is what I think is relevant:

crypto ikev1 enable outside

crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
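Added example, not from the thread or from either vendor: a small Python check that replays the ASA's IKEv1 phase-1 proposal selection over the policies posted above, so a "Mismatched attribute types" log line can be pinned to one attribute and one policy. The Junos-to-ASA keyword mapping and the order in which attribute classes are compared are assumptions of the example; it shows that proposal ecfo-ike-p1-prop as posted (group2) would match policy 10, while the offer the log says was received (Group 5) matches nothing.

```python
import re
# Constructed subset of the ASA output posted above; the full output parses the same way.
ASA_CONFIG = """
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
# Phase-1 attribute classes compared in IKEv1 proposal selection (RFC 2409), as the ASA log names them.
CLASSES = [("encryption", "Encryption Algorithm"), ("hash", "Hash Algorithm"),
           ("authentication", "Authentication Method"), ("group", "Group Description")]
# Junos keywords for the same attributes, mapped onto the ASA's vocabulary (assumed mapping).
JUNOS_TO_ASA = {"pre-shared-keys": "pre-share", "sha1": "sha", "aes-256-cbc": "aes-256",
                "3des-cbc": "3des", "group2": "2", "group5": "5"}

def parse_asa_policies(text):
    """Return {priority: {attribute: value}} for each 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*crypto ikev1 policy (\d+)\s*$", line)
        attr = re.match(r"\s*(authentication|encryption|hash|group)\s+(\S+)", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return policies

def junos_offer(auth, group, hash_, enc):
    """Express a Junos IKE proposal as the attribute set the ASA receives."""
    return {"authentication": JUNOS_TO_ASA[auth], "group": JUNOS_TO_ASA[group],
            "hash": JUNOS_TO_ASA[hash_], "encryption": JUNOS_TO_ASA[enc]}

def select_policy(policies, offer):
    """Try policies lowest number first (the ASA's order); return (matching priority
    or None, log of the first mismatched class per policy in the ASA's wording)."""
    log = []
    for prio in sorted(policies):
        bad = [(lbl, offer[k], policies[prio].get(k)) for k, lbl in CLASSES
               if offer[k] != policies[prio].get(k)]
        if not bad:
            return prio, log
        log.append(f"policy {prio}: Mismatched attribute types for class {bad[0][0]}: "
                   f"Rcv'd: {bad[0][1]} Cfg'd: {bad[0][2]}")
    return None, log
```

With the values from the post, select_policy(parse_asa_policies(ASA_CONFIG), junos_offer("pre-shared-keys", "group2", "sha1", "aes-256-cbc")) returns policy 10, while the same call with "group5" returns None and logs the Group Description mismatch against policy 10.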

2 REPLIES
Silver

Have you committed on Juniper?

tom
New Member

It turns out it was the Juniper configuration.