12-19-2011 08:55 PM
HI
Kindly help me out. I'm configuring a p2p vpn between a cisco 2801 with IOS 12.3 and a linksys RV042. I'm getting following error on Linksys and Cisco respectively.
[Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet | ||
Dec 19 02:40:42 2011 | VPN Log | Received informational payload, type NO_PROPOSAL_CHOSEN |
dst src state conn-id slot status
x.x.x.x x.x.x.x MM_NO_STATE 0 0 ACTIVE
Below are my config:
Linksys RV042:
Keying Mode: IKE with Preshared Key
Phase1 DH Group: Group2
Phase1 Encryption: 3DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect forward secrecy : enabled
Phase2 DH Group: Group2
Phase2 Encryption: 3DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 28800
Preshared Key: xxxxxx
Cisco 2801:
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxx address xxxxxx
no crypto isakmp ccm
crypto ipsec transform-set STRONGER esp-3des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
set peer xxxxxx
set transform-set STRONGER
set pfs group2
match address 103
interface FastEthernet0/0
ip address 10.0.0.56 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address xxxx xxxx
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
crypto map myvpn
ip nat pool branch xxxxxx xxxxx netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
!
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
snmp-server community public RO
!
route-map nonat permit 10
match ip address 110
Rgards
SAM
09-17-2012 09:00 AM
Bump. Anyone sucessfully get past the "NO_PROPOSAL_CHOSEN" errors?
09-17-2012 02:13 PM
Hi,
It looks like you are using the default hash for the crypto isakmp policy and that your connection is failing on the phase 1 negotiation. The default hash on the crypto isakmp policy is sha. On the 2801 try adding hash md5.
crypto isakmp policy 11
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
Let me know if that helps.
Thank you,
Jason NIckle
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide