Cisco Support Community
Community Member

HELP cisco 1941 site to site vpn can't connect

I am trying to connect 2 locations with a vpn tunnel. Cisco 1941 and Nortel 2700. I can't get them to connect. On the Nortel the connection fails with the error <no proposal chosen>. The 2700 is at the main location and the 1941 is at the remote location. I want the Cisco to be the initiator and nailed up. Here is a copy of my config.

license udi pid CISCO1941/K9 sn FTX1435808A
!
!
username admin privilege 15 secret 5 $1$57OK$Rpl8X77/lH4nl49WgU4fe.
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 1800
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 5
crypto isakmp key testrules address 1.2.3.4
!
!
crypto ipsec transform-set testset esp-aes esp-sha-hmac
!
crypto map aptmap 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set testset
match address 110
!
!
!
!
!
interface GigabitEthernet0/0
description GE 0/0
ip address 2.2.2.2 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map unitedmap
!
!
interface GigabitEthernet0/1
ip address 3.3.3.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool local 6.6.6.192 6.6.6.254 prefix-length 26
ip nat inside source route-map coke pool local
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 3.0.0.0 255.255.255.0 3.3.3.1
!
access-list 1 permit 3.0.0.0 0.255.255.255
access-list 110 permit ip 6.6.6.192 255.255.255.192 8.8.0.0 0.0.255.255
!
!
!
!
route-map local permit 10
match ip address 1
match interface GigabitEthernet0/0
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Thanks for any help with this.

5 REPLIES
Cisco Employee

Re: HELP cisco 1941 site to site vpn can't connect

The crypto map that has been created is named "aptmap", however, the crypto map assigned to the outside interface (g0/0) is "unitedmap".

Please also run debug on the 1941 router to see where it's failing, and if you can also share the corresponding Nortel configuration to see if it matches, that would be great.

Debug on 1941 to run:

debug cry isa

debug cry ipsec

Re: HELP cisco 1941 site to site vpn can't connect

halijenn is right. Verify the name of the crypto map as well.

Community Member

Re: HELP cisco 1941 site to site vpn can't connect

Thanks, I've corrected the crypto map and here is the debug of ipsec and isa.

*Sep 17 13:19:59.187: ISAKMP (0): received packet from dport 500 sport 500 Global (N) NEW SA
*Sep 17 13:19:59.187: ISAKMP: Created a peer struct for , peer port 500
*Sep 17 13:19:59.187: ISAKMP: New peer created peer = 0x311C5E60 peer_handle = 0x80000003
*Sep 17 13:19:59.187: ISAKMP: Locking peer struct 0x311C5E60, refcount 1 for crypto_isakmp_process_block
*Sep 17 13:19:59.187: ISAKMP: local port 500, remote port 500
*Sep 17 13:19:59.187: ISAKMP:(0):insert sa successfully sa = 26D047BC
*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Sep 17 13:19:59.187: ISAKMP:(0): processing SA payload. message ID = 0
*Sep 17 13:19:59.187: ISAKMP:(0):found peer pre-shared key matching
*Sep 17 13:19:59.187: ISAKMP:(0): local preshared key found
*Sep 17 13:19:59.187: ISAKMP : Scanning profiles for xauth ...
*Sep 17 13:19:59.187: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Sep 17 13:19:59.187: ISAKMP:      encryption 3DES-CBC
*Sep 17 13:19:59.187: ISAKMP:      hash SHA
*Sep 17 13:19:59.187: ISAKMP:      auth pre-share
*Sep 17 13:19:59.187: ISAKMP:      default group 2
*Sep 17 13:19:59.187: ISAKMP:(0):Lifetime type not found in proposal. Using configured lifetime instead.
*Sep 17 13:19:59.187: ISAKMP:(0):atts are acceptable. Next payload is 3
*Sep 17 13:19:59.187: ISAKMP:(0):Acceptable atts:actual life: 0
*Sep 17 13:19:59.187: ISAKMP:(0):Acceptable atts:life: 1800
*Sep 17 13:19:59.187: ISAKMP:(0):Returning Actual lifetime: 1800
*Sep 17 13:19:59.187: ISAKMP:(0)::Started lifetime timer: 1800.

*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Sep 17 13:19:59.187: ISAKMP:(0): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
*Sep 17 13:19:59.187: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.187: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.187: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Sep 17 13:19:59.331: ISAKMP (0): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
*Sep 17 13:19:59.331: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.331: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Sep 17 13:19:59.331: ISAKMP:(0): processing KE payload. message ID = 0
*Sep 17 13:19:59.359: ISAKMP:(0): processing NONCE payload. message ID = 0
*Sep 17 13:19:59.359: ISAKMP:(0):found peer pre-shared key matching
*Sep 17 13:19:59.359: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.359: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Sep 17 13:19:59.359: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 17 13:19:59.359: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.359: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.359: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Sep 17 13:19:59.443: ISAKMP (1002): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Sep 17 13:19:59.443: ISAKMP:(1002): processing ID payload. message ID = 0
*Sep 17 13:19:59.443: ISAKMP (1002): ID payload
    next-payload : 8
    type         : 1
    address      :
    protocol     : 0
    port         : 0
    length       : 12
*Sep 17 13:19:59.443: ISAKMP:(0):: peer matches *none* of the profiles
*Sep 17 13:19:59.443: ISAKMP:(1002): processing HASH payload. message ID = 0
*Sep 17 13:19:59.443: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
    spi 0, message ID = 0, sa = 26D047BC
*Sep 17 13:19:59.443: ISAKMP:(1002):SA authentication status:
    authenticated
*Sep 17 13:19:59.443: ISAKMP:(1002):SA has been authenticated with
*Sep 17 13:19:59.443: ISAKMP:(1002):SA authentication status:
    authenticated
*Sep 17 13:19:59.443: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local remote remote port 500
*Sep 17 13:19:59.443: ISAKMP: Trying to insert a peer //500/,  and inserted successfully 311C5E60.
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Sep 17 13:19:59.443: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Sep 17 13:19:59.443: ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Sep 17 13:19:59.443: ISAKMP (1002): ID payload
    next-payload : 8
    type         : 1
    address      :
    protocol     : 17
    port         : 500
    length       : 12
*Sep 17 13:19:59.443: ISAKMP:(1002):Total payload length: 12
*Sep 17 13:19:59.443: ISAKMP:(1002): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Sep 17 13:19:59.443: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Sep 17 13:19:59.443: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Sep 17 13:19:59.443: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Sep 17 13:20:06.563: ISAKMP (1002): received packet from dport 500 sport 500 Global (R) QM_IDLE     
*Sep 17 13:20:06.563: ISAKMP: set new node 988593670 to QM_IDLE     
*Sep 17 13:20:06.563: ISAKMP:(1002): processing HASH payload. message ID = 988593670
*Sep 17 13:20:06.563: ISAKMP:(1002): processing SA payload. message ID = 988593670
*Sep 17 13:20:06.563: ISAKMP:(1002):Checking IPSec proposal 1
*Sep 17 13:20:06.563: ISAKMP: transform 1, ESP_3DES
*Sep 17 13:20:06.563: ISAKMP:   attributes in transform:
*Sep 17 13:20:06.563: ISAKMP:      authenticator is HMAC-SHA
*Sep 17 13:20:06.563: ISAKMP:      encaps is 1 (Tunnel)
*Sep 17 13:20:06.563: ISAKMP:      group is 2
*Sep 17 13:20:06.563: ISAKMP:      SA life type in seconds
*Sep 17 13:20:06.563: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x70 0x80
*Sep 17 13:20:06.563: ISAKMP:(1002):atts are acceptable.
*Sep 17 13:20:06.563: ISAKMP:(1002):Checking IPSec proposal 1
*Sep 17 13:20:06.563: ISAKMP: transform 2, ESP_3DES
*Sep 17 13:20:06.563: ISAKMP:   attributes in transform:
*Sep 17 13:20:06.563: ISAKMP:      authenticator is HMAC-MD5
*Sep 17 13:20:06.563: ISAKMP:      encaps is 1 (Tunnel)
*Sep 17 13:20:06.563: ISAKMP:      group is 2
*Sep 17 13:20:06.563: ISAKMP:      SA life type in seconds
*Sep 17 13:20:06.563: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x70 0x80
*Sep 17 13:20:06.563: ISAKMP:(1002):atts are acceptable.
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= , remote= ,
    local_proxy= 161.162.12.192/255.255.255.192/0/0 (type=4),
    remote_proxy= 151.162.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
    src addr     : 161.162.12.192
    dst addr     : 151.162.0.0
    protocol     : 0
    src port     : 0
    dst port     : 0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
    src addr     : 161.162.12.192
    dst addr     : 151.162.0.0
    protocol     : 0
    src port     : 0
    dst port     : 0
*Sep 17 13:20:06.563: map_db_find_best did not find matching map
*Sep 17 13:20:06.563: IPSEC(ipsec_process_proposal): proxy identities not supported
*Sep 17 13:20:06.563: ISAKMP:(1002): IPSec policy invalidated proposal with error 32
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1
*Sep 17 13:20:06.563: IPSEC(validate_proposal_request): proposal part #1,

Cisco Employee

Re: HELP cisco 1941 site to site vpn can't connect

Hey,

Looks like phase1 is coming up just fine. Problem seems to be when the router is trying to match the configured crypto maps:

*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
    src addr     : 161.162.12.192
    dst addr     : 151.162.0.0
    protocol     : 0
    src port     : 0
    dst port     : 0
*Sep 17 13:20:06.563: Crypto mapdb : proxy_match
    src addr     : 161.162.12.192
    dst addr     : 151.162.0.0
    protocol     : 0
    src port     : 0
    dst port     : 0
*Sep 17 13:20:06.563: map_db_find_best did not find matching map
*Sep 17 13:20:06.563: IPSEC(ipsec_process_proposal): proxy identities not supported

Can you paste the output of "show crypto map" or a "show run | sec crypto" with masked IP addresses as necessary from this router?

Regards,

Prapanch
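As an added illustration (not code from the thread, from Cisco, or from the poster), a small Python checker that applies the two checks the replies above describe to an IOS config excerpt and a `debug crypto ipsec` excerpt: whether the crypto map bound under an interface is one that is actually defined, and whether the peer's proposed proxy identities equal an entry of the crypto ACL (local_proxy against the ACL source, remote_proxy against the ACL destination, since the peer's ACL must be the mirror image). It also flags a wildcard that is not the inverse of a contiguous subnet mask, which is what a subnet mask typed in the wildcard position looks like. The config and debug lines are constructed with the sanitised addresses used in the post.

```python
import ipaddress
import re

# Constructed IOS excerpt in the shape of the poster's config (sanitised addresses, not a live site).
CONFIG = """\
crypto map aptmap 1 ipsec-isakmp
 set peer 1.2.3.4
 match address 110
interface GigabitEthernet0/0
 crypto map unitedmap
access-list 110 permit ip 6.6.6.192 0.0.0.63 8.8.0.0 0.0.255.255
"""

# Constructed excerpt of 'debug crypto ipsec' for an inbound quick-mode proposal from the peer.
DEBUG = """\
    local_proxy= 6.6.6.192/255.255.255.192/0/0 (type=4),
    remote_proxy= 8.8.0.0/255.255.0.0/0/0 (type=4),
"""

def unapplied_crypto_maps(config):
    """Map names bound under an interface that no 'crypto map NAME SEQ ...' entry defines."""
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", config, re.M))
    applied = set(re.findall(r"^ +crypto map (\S+)", config, re.M))
    return sorted(applied - defined)
def contiguous_wildcard(wildcard):
    """True if the IOS wildcard inverts a contiguous netmask: 0.0.0.63 yes, 255.255.255.192 no."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return mask == 0 or (mask | (mask - 1)) == 0xFFFFFFFF
def wildcard_to_network(addr, wildcard):
    """Network a 'permit ip ADDR WILDCARD ...' clause selects; rejects a subnet mask typed as wildcard."""
    if not contiguous_wildcard(wildcard):
        raise ValueError(f"{wildcard} is not a usable wildcard (subnet mask instead of wildcard?)")
    prefix = bin(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
def crypto_acl_entries(config, acl_id):
    """(source, destination) networks of each 'permit ip' line in the numbered crypto ACL."""
    pat = rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in re.findall(pat, config, re.M)]
def proposed_proxies(debug):
    """(local, remote) proxy identities the peer proposed, as logged by validate_proposal_request."""
    g = re.search(r"local_proxy= ([\d.]+)/([\d.]+)/.*?remote_proxy= ([\d.]+)/([\d.]+)/", debug, re.S).groups()
    return tuple(ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in zip(g[::2], g[1::2]))
def proxy_mismatch(config, acl_id, debug):
    """None when an ACL entry equals the proposal (ACL source = local_proxy, destination = remote_proxy)."""
    proposal, entries = proposed_proxies(debug), crypto_acl_entries(config, acl_id)
    return None if proposal in entries else f"peer proposed {proposal[0]} -> {proposal[1]}; ACL {acl_id} permits {entries}"
```

Running the checker on the constructed excerpt reports `unitedmap` as bound but undefined and no proxy mismatch; a changed mask on either proxy produces the same kind of disagreement the `proxy identities not supported` debug line records.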

Re: HELP cisco 1941 site to site vpn can't connect

Based on this config

crypto isakmp policy 1
encr aes
authentication pre-share
group 5
lifetime 1800

You are using the cisco router default hash (md5 I think)? Is it the same in your 2700 sh1t?

Please post the debug crypto isakmp.
