IPsec VPN Problems Between Cisco 1711 & Netgear

I am trying to set up an IPsec VPN tunnel between a Cisco 1711 and a Netgear FVS318 router/firewall. Phase 1 is establishing but Phase 2 is not. Debug output is provided below.

Netgear Settings:

Encryption: 3DES SHA-1 with Pre-share key, DH Group 2(1024 Bit), SA Lifetime 86400sec

ESP Configuration: 3DES SHA-1

Cisco Configuration:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ciscotest address REMOTE_IP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer REMOTE_IP
set transform-set vpn
match address 110
reverse-route
!
interface FastEthernet0
crypto map vpn
!
access-list 110 permit ip 10.50.50.0 0.0.0.255 172.16.0.0 0.0.0.255

Cisco Debug:


ISAKMP (0:268435457): received packet from REMOTE_IP dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -425808973 to QM_IDLE
ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -425808973
ISAKMP:(0:1:HW:2): processing SA payload. message ID = -425808973
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= WAN_IP, remote= REMOTE_IP,
    local_proxy= 10.50.50.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Crypto mapdb : proxy_match
        src addr     : 10.50.50.0
        dst addr     : 172.16.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
ISAKMP: set new node -2125033073 to QM_IDLE
ISAKMP:(0:1:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215118544, message ID = -2125033073
ISAKMP:(0:1:HW:2): sending packet to REMOTE_IP my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(0:1:HW:2):purging node -2125033073
ISAKMP:(0:1:HW:2):deleting node -425808973 error TRUE reason "QM rejected"
ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -425808973: state = IKE_QM_READY
ISAKMP:(0:1:HW:2):Node -425808973, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_READY
Sep 16 10:43:44 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at REMOTE_IP

ISAKMP:(0:1:HW:2):purging node -425808973

3 REPLIES

Re: IPsec VPN Problems Between Cisco 1711 & Netgear

Phase 2 is not matching.

Make sure you use ESP instead of AH.

no crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

Please try again after clearing the SAs.

Federico.
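As an added example (not part of this thread, and not Cisco's or Netgear's own code), a small Python checker that reads the transform-set statement from the configuration above together with the peer proposal from the debug output, decodes the VPI lifetime bytes, and reports the AH-versus-ESP mismatch this reply points to. The sample lines are taken from the post's own debug output; the line formats the regexes expect are an assumption based on that output only.

```python
import re

# Constructed sample input, copied from the configuration and debug output in the post above.
LOCAL_TRANSFORM_SET = "crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac"
LOCAL_LIFETIME = "crypto ipsec security-association lifetime seconds 86400"
DEBUG_LINES = [
    "ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80",
    "    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),",
    "IPSEC(validate_transform_proposal): transform proposal not supported for identity:",
    "    {esp-3des esp-sha-hmac }",
]

def parse_transform_set(line):
    """Return (name, set of transforms) from an IOS 'crypto ipsec transform-set' statement."""
    m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line.strip())
    if not m:
        raise ValueError("not a transform-set statement: " + line)
    return m.group(1), set(m.group(2).split())

def parse_peer_proposal(lines):
    """Pull the peer's offered transforms, SA lifetime and the IOS verdict out of debug lines."""
    peer = {"transforms": set(), "lifetime": None, "rejected": False}
    for ln in lines:
        m = re.search(r"transform=\s*(.+?)\s+\(\w+\)", ln)
        if m:
            peer["transforms"] = set(m.group(1).split())
        m = re.search(r"SA life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", ln)
        if m:
            # IOS prints the variable-length lifetime as one hex byte per token (big-endian).
            raw = bytes(int(tok, 16) for tok in m.group(1).split())
            peer["lifetime"] = int.from_bytes(raw, "big")
        if "transform proposal not supported" in ln:
            peer["rejected"] = True
    return peer

def diagnose(transform_set_line, lifetime_line, debug_lines):
    """Explain why the local transform set and the peer's phase 2 proposal do not match."""
    name, local = parse_transform_set(transform_set_line)
    peer = parse_peer_proposal(debug_lines)
    findings = []
    local_ah = {t for t in local if t.startswith("ah-")}
    if local_ah and not any(t.startswith("ah-") for t in peer["transforms"]):
        findings.append(f"transform-set {name} requires AH {sorted(local_ah)}; peer offered ESP only")
    if local - local_ah != peer["transforms"]:
        findings.append(f"ESP transforms differ: local {sorted(local - local_ah)} vs peer {sorted(peer['transforms'])}")
    local_life = int(re.search(r"seconds (\d+)", lifetime_line).group(1))
    if peer["lifetime"] is not None and peer["lifetime"] != local_life:
        findings.append(f"SA lifetime differs: local {local_life}s vs peer {peer['lifetime']}s")
    return findings
```

Running `diagnose()` on the thread's data yields a single finding about AH, and the same call with the corrected ESP-only transform set yields none, so the lifetime (0x15180 = 86400 s) and the ESP transforms are not the problem.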

Re: IPsec VPN Problems Between Cisco 1711 & Netgear

I just took out AH as you mentioned; unfortunately it still does not work.

Re: IPsec VPN Problems Between Cisco 1711 & Netgear

Are you getting the same mismatch error in phase 2 after the change?

Is the Netgear using the Perfect Forward Secrecy setting on phase 2?


Federico.