All proposals found unacceptable with ESP-AES-128-SHA on ASA 8.3

I want to configure a L2L VPN using X.509 certificates between an ASA 5505 8.3(1) and an OpenBSD 4.9 peer. The ASA has a static IP; the OpenBSD peer has a dynamic public IP and is NATed.

I have configured the tunnel successfully using PSK aggressive mode, but as OpenBSD seems to have a problem with NAT-T detection using aggressive mode, I have to use main mode. As I cannot use main mode using dynamic IPs with PSK (as far as I know), I want to use X.509 certificates. I have simply changed the "pre-shared-key" ipsec-attribute of the tunnel-group to the "trust-point" and added a certificate map and a tunnel-group-mapping. Since then I get the following error message:

Nov 27 16:50:13 [IKEv1]: Group = brno, IP =, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection

Nov 27 16:50:13 [IKEv1]: Group = brno, IP =, All IPSec SA proposals found unacceptable!

I have not changed any IPSec nor ISAKMP proposals since the tunnel worked with PSK. I have changed the dynamic map to a static crypto map, but this did not resolve the problem.

I have configured my ASA to accept "ESP-AES-128-SHA" (among others) and this is the proposal my OpenBSD sends and the ASA receives (according to debug isakmp 254), but the ASA reports that it cannot accept the proposal. I have also tried to use other combinations like 3DES-MD5.

Here is the configuration of my ASA:

tunnel-group brno type ipsec-l2l
tunnel-group brno general-attributes
 default-group-policy IPSec_Site-to-Site
tunnel-group brno ipsec-attributes
 trust-point vienna.private.lan
crypto map outside_map 2 match address vpn_brno
crypto map outside_map 2 set peer
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
tunnel-group-map enable rules
tunnel-group-map brno 10 brno
crypto ca certificate map brno 10
 subject-name attr cn eq brno.private.lan
crypto isakmp enable outside
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400

And here is the configuration of my OpenBSD peer:

ike esp from to peer \
        main auth hmac-sha enc aes group modp1024 \
        quick auth hmac-sha enc aes group none \
        srcid brno.private.lan dstid vienna.private.lan

With this configuration both gateways support at least the proposal "ESP-AES-128-SHA" in both phases. But the ASA does not accept the proposal from the OpenBSD peer (see debug messages above). The group selection is being done correctly (as can be seen in the debug messages).

I cannot imagine any misconfiguration, but I also have no more ideas on how to resolve this problem.
