https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896193#M458845 <HTML><HEAD></HEAD><BODY><P>It was phase2 problem and after changing the transformset it worked fine </P><P></P><P> </P><P></P><P>Thanks</P></BODY></HTML> Tue, 28 Feb 2012 13:31:08 GMT Haris P 2012-02-28T13:31:08Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896187#M458832 <P>Dears ,</P><P></P><P>I'm just configuring an IPsec siste to site VPN . I have many sites in the same router and all is working except one </P><P></P><P>For all IPSec tunnel my ISAKMP encription , hash are as given in policy 1 . But for this particular site it is as mentioned in policy 2 . </P><P></P><P></P><P>The branch not working is using&nbsp; paremeters used in policy 2 . How can ensure that specific branch is using policy 2 ? The below is the debug for my VPN Tunnel . </P><P></P><P>crypto isakmp policy 1</P><P> encr 3des</P><P> hash md5</P><P> authentication pre-share</P><P> group 2</P><P>!</P><P>crypto isakmp policy 2</P><P> encr aes 512</P><P> authentication pre-share</P><P> group 2</P><P></P><P></P><P>:07:43.101: ISAKMP:(0:11:SW:1):SA has been authenticated with 56.5.4.6</P><P>Feb 25 06:07:43.101: ISAKMP: Trying to insert a peer 152.86.90.129/56.5.4.6</P><P>/500/,&nbsp; and inserted successfully 63CE2DE4.</P><P>Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH</P><P>Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM5&nbsp; New State = IKE_I_MM6</P><P></P><P>Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE</P><P>Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6&nbsp; New State = IKE_I_MM6</P><P></P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6&nbsp; New State = IKE_P1_COMPLETE</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):beginning Quick Mode exchange, M-ID of -1841673445</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Node -1841673445, Input = IKE_MESG_INTERNAL, IKE_INIT_QM</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_QM_READY&nbsp; New State = IKE_QM_I_QM1</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE</P><P>Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE&nbsp; New State = IKE_P1_COMPLETE</P><P></P><P>Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE</P><P>Feb 25 06:07:43.121: ISAKMP: set new node -1459554599 to QM_IDLE</P><P>Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = -1459554599</P><P>Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; spi 0, message ID = -1459554599, sa = 63C68AF8</P><P>Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "Informational (in) state 1"</P><P>Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY</P><P>Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE&nbsp; New State = IKE_P1_COMPLETE</P><P></P><P>Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE</P><P>Feb 25 06:07:43.125: ISAKMP: set new node -235856768 to QM_IDLE</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = 235856768</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing DELETE payload. message ID = -235856768</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):peer does not do paranoid keepalives.</P><P></P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (peer 56.5.4.6)</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "Informational (in) state 1"</P><P>Feb 25 06:07:43.125: ISAKMP: set new node -212410468 to QM_IDLE</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE</P><P>Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):purging node -212410468</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE&nbsp; New State = IKE_DEST_SA</P><P></P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; (peer 56.5.4.6)</P><P>Feb 25 06:07:43.129: ISAKMP: Unlocking IKE struct 0x63CE2DE4 for isadb_mark_sa_deleted(), count 0</P><P>Feb 25 06:07:43.129: ISAKMP: Deleting peer node by peer_reap for 56.5.4.6:63CE2DE4</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1841673445 error FALSE reason "IKE deleted"</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "IKE deleted"</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "IKE deleted"</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH</P><P>Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_DEST_SA&nbsp; New State = IKE_DEST_SA</P><P></P><P>Feb 25 06:08:02.735: ISAKMP:(0:10:SW:1):purging node -39846581</P><P>Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 324814776</P><P>Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 958416367</P> Mon, 11 Mar 2019 22:34:57 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896187#M458832 Haris P 2019-03-11T22:34:57Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896188#M458835 <HTML><HEAD></HEAD><BODY><P>Looks like you got notify message 14 "PROPOSAL_NOT_CHOSEN" during phase 2.&nbsp; Compare your phase 2 attributes with the peer. </P></BODY></HTML> Sat, 25 Feb 2012 16:45:37 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896188#M458835 Patrick0711 2012-02-25T16:45:37Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896189#M458838 <HTML><HEAD></HEAD><BODY><P>Hello Haris,</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif;"><SPAN style="text-decoration: underline;"><STRONG>The branch not working is using&nbsp; paremeters used in policy 2 . How can ensure that specific branch is using policy 2 ? The below is the debug for my VPN Tunnel .</STRONG></SPAN></P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">Each VPN endpoint innitiating the connection will send all of his isakmp's policies until a match happens, so if branch two also has isakmp policie one, that would be a match and they will use that one. as the first match is the one used.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">Regards.</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">Do rate all the helpful posts</P><P></P><P style="background-color: #ffffff; border-collapse: collapse; font-size: 12px; list-style-type: none; font-family: Arial, verdana, sans-serif; min-height: 8pt; height: 8pt;">Julio</P></BODY></HTML> Sun, 26 Feb 2012 18:44:33 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896189#M458838 Julio Carvajal 2012-02-26T18:44:33Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896190#M458839 <HTML><HEAD></HEAD><BODY><P>It's not a phase 1 issue.&nbsp; Notify message 14 "NO_PROPOSAL_CHOSEN" can be used in both phase 1 and phase 2.&nbsp; In this case you can see that phase 1 has completed and the notify message was received during quick mode.&nbsp; I would first check the the phase 2 transform set and then the proxy ID (subnet) info as the INVALID_ID_INFO notify message isn't always used for host/subnet incompaibilities.&nbsp; </P></BODY></HTML> Sun, 26 Feb 2012 23:01:54 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896190#M458839 Patrick0711 2012-02-26T23:01:54Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896191#M458840 <HTML><HEAD></HEAD><BODY><P>Hello Patrick,</P><P></P><P>When did I said it was a phase one issue?????????</P><P></P><P>I just answered one of his questions!!</P></BODY></HTML> Mon, 27 Feb 2012 01:35:40 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896191#M458840 Julio Carvajal 2012-02-27T01:35:40Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896192#M458842 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>Wasn't trying argue with you, just trying to emphasize to the issue is not with phase 1.&nbsp; Your response was correct.</P><P></P><P>-Patrick </P></BODY></HTML> Mon, 27 Feb 2012 03:30:15 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896192#M458842 Patrick0711 2012-02-27T03:30:15Z https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896193#M458845 <HTML><HEAD></HEAD><BODY><P>It was phase2 problem and after changing the transformset it worked fine </P><P></P><P> </P><P></P><P>Thanks</P></BODY></HTML> Tue, 28 Feb 2012 13:31:08 GMT https://community.cisco.com/t5/network-security/ipsec-vpn-issue/m-p/1896193#M458845 Haris P 2012-02-28T13:31:08Z