SA520 Remote VPN Connection Issue

Hello,

I've set up a Remote Access VPN using the SA520 and the attached guide. I've attached screenshots of my SA520 configs. When I connect with the Shrew client, it tells me the tunnel has been established, but I cannot access anything on my 192.168.75.0 subnet (which is the local subnet that the SA520 is connected to). Also, the SA520 shows me that 0 IPSec VPN connections are currently in session, even though the ShrewVPN client says its tunnel is connected. The other thing I see is in the Network tab on the Shrew client: it tells me that the Security Associations have failed (and the counter keeps incrementing, and Established stays at 0).

Any idea how I can proceed to troubleshoot this issue? Thank you very much in advance for any help!

9 REPLIES
SA520 Remote VPN Connection Issue

Here are some logs from the SA520; it looks like it's failing at Phase 2?

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.75.1[0]<=>71.185.53.234[0]

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->0.0.0.0/0 from cltechsolutions.com

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  No policy found, generating the policy : 192.168.1.3/32[0] 192.168.75.0/24[0] proto=any dir=in

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Peer's Proposal:

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=5a04edfd spi_p=00000000 encmode=Tunnel reqid=0:0)

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=3DES encklen=0 authtype=hmac-sha)

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Local Proposal:

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=00000000 spi_p=5a04edfd encmode=Tunnel reqid=4500:4500)

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Phase 2 proposal by 71.185.53.234[0] did not match.

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] ERROR:  No suitable policy found for 71.185.53.234[0]

Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Sending Informational Exchange: notify payload[NO-PROPOSAL-CHOSEN]

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.75.1[0]<=>71.185.53.234[0]

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] INFO:  Using IPsec SA configuration: 192.168.75.0/24<->0.0.0.0/0 from cltechsolutions.com

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] INFO:  No policy found, generating the policy : 192.168.1.3/32[0] 192.168.75.0/24[0] proto=any dir=in

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] INFO:  Adjusting peer's encmode 3(3)->Tunnel(1)

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Peer's Proposal:

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=6f7a70df spi_p=00000000 encmode=Tunnel reqid=0:0)

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=3DES encklen=0 authtype=hmac-sha)

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Local Proposal:

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=00000000 spi_p=6f7a70df encmode=Tunnel reqid=4500:4500)

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Phase 2 proposal by 71.185.53.234[0] did not match.

Tue Sep 17 06:28:00 2013 (GMT +0100): [Cisco] [IKE] ERROR:  No suitable policy found for 71.185.53.234[0]

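A small parser for the Phase 2 proposal lines in the log above, added here as an illustration (it is not Cisco code and not part of the thread): it pairs each "Peer's Proposal" with the matching "Local Proposal" and names the ESP transform attributes that differ, which for this capture is the client's 3DES against the gateway's AES-128 (printed as RIJNDAEL by the SA520). The sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample built from the IKE lines quoted in the post above (one
# phase 2 attempt); the parser below is an added illustration, not a Cisco tool.
SAMPLE_LOG = """\
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] INFO:  Responding to new phase 2 negotiation: 192.168.75.1[0]<=>71.185.53.234[0]
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Peer's Proposal:
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=5a04edfd spi_p=00000000 encmode=Tunnel reqid=0:0)
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=3DES encklen=0 authtype=hmac-sha)
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Local Proposal:
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:   (proto_id=ESP spisize=4 spi=00000000 spi_p=5a04edfd encmode=Tunnel reqid=4500:4500)
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:    (trns_id=RIJNDAEL encklen=128 authtype=hmac-sha)
Tue Sep 17 06:27:59 2013 (GMT +0100): [Cisco] [IKE] WARNING:  Phase 2 proposal by 71.185.53.234[0] did not match.
"""

# ESP transform line as printed by the SA520; RIJNDAEL is the log's name for AES.
TRANSFORM = re.compile(r"\(trns_id=(?P<enc>\S+) encklen=(?P<klen>\d+) authtype=(?P<auth>\S+)\)")
ENC_NAMES = {"RIJNDAEL": "AES"}

def parse_phase2_proposals(log_text):
    """Return one {'peer': ..., 'local': ...} dict per phase 2 negotiation in the log."""
    attempts, current, side = [], None, None
    for line in log_text.splitlines():
        if "Responding to new phase 2 negotiation" in line:
            current = {"peer": None, "local": None}   # a new attempt starts here
            attempts.append(current)
        elif "Peer's Proposal" in line:
            side = "peer"                             # following transform lines are the client's
        elif "Local Proposal" in line:
            side = "local"                            # following transform lines are the gateway's
        elif current is not None and side is not None:
            m = TRANSFORM.search(line)
            if m:
                current[side] = {"enc": m["enc"], "keylen": int(m["klen"]), "auth": m["auth"]}
    return attempts

def diagnose(attempt):
    """List the ESP transform attributes on which client and gateway disagree."""
    peer, local = attempt["peer"], attempt["local"]
    if peer is None or local is None:
        return ["incomplete proposal pair in log"]    # truncated capture: nothing to compare
    diffs = []
    for field in ("enc", "keylen", "auth"):
        if peer[field] != local[field]:
            p, g = (ENC_NAMES.get(str(v), v) for v in (peer[field], local[field]))
            diffs.append(f"{field}: client offers {p}, gateway expects {g}")
    return diffs
```

Running `diagnose` over each entry of `parse_phase2_proposals(SAMPLE_LOG)` reports the cipher and key-length mismatch that the post's log shows; an empty list would mean the proposals agree and the problem lies elsewhere.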
Hi cltech2012,

My name is Mehdi from Cisco Technical Support. Following your configuration on the SA500, I made screenshots from ShrewVPN of how it should be, because I don't know exactly what you have as configuration on ShrewVPN.

One thing I cannot be sure of from your configuration, because it is not clear from the screenshot :)

Local FQDN : joesillo.com

Remote FQDN : cltechsolutions.com

If I'm correct, please follow these steps on ShrewVPN:

Please change the hostname or IP address on the first screenshot to the public IP of the SA500,

and the last screenshot with your private local network on the SA500 (I believe this is the issue). Anyway,

please try this and let me know.

Please rate the post or mark it as answered to help other Cisco customers.

 

Best Regards

Mehdi

Thank you for your answer,

And how do I set up the SA 520 like that?

 

BR

 

Hi Tech1819,

If you look at the screenshot on the first post of cltech2012, just follow his configuration, and of course you can change the local FQDN and remote FQDN with another domain name.

I will post later or tomorrow the configuration from the SA500 regarding this particular ShrewVPN configuration.

Please rate the post or mark it as answered to help other Cisco customers.

 

Regards

Mehdi

Hi, 

The Remote and Local FQDN need to be changed on ShrewVPN (screenshots 5 and 6).

On screenshot 5 the Local FQDN is remote.com, and on screenshot 6 the Remote FQDN should be local.com.

Please rate the post or mark it as answered to help other Cisco customers.

 

 

Regards

Mehdi

Hi Medi,

I got it. The only difference with my configuration is the encryption mode: I did it with 3DES instead of AES. Which is better?

Hi Tech1819,

AES is more secure; that's why I'm always giving examples with AES encryption...

Regards

Mehdi 

Hello,

I have the same issue. Could you do anything?

 

BR

Hi Tech1819,

My name is Mehdi from Cisco Technical Support.

I responded to cltech2012; please also follow the steps and let me know.

 

Regards,

Mehdi
