02-24-2012 11:07 PM - edited 03-11-2019 03:34 PM
Dears,
I'm just configuring an IPsec site to site VPN. I have many sites on the same router and all are working except one.
For all IPsec tunnels my ISAKMP encryption and hash are as given in policy 1. But for this particular site they are as mentioned in policy 2.
The branch not working is using the parameters given in policy 2. How can I ensure that this specific branch is using policy 2? Below is the debug for my VPN tunnel.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 512
authentication pre-share
group 2
:07:43.101: ISAKMP:(0:11:SW:1):SA has been authenticated with 56.5.4.6
Feb 25 06:07:43.101: ISAKMP: Trying to insert a peer 152.86.90.129/56.5.4.6
/500/, and inserted successfully 63CE2DE4.
Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM5 New State = IKE_I_MM6
Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6 New State = IKE_I_MM6
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):beginning Quick Mode exchange, M-ID of -1841673445
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Node -1841673445, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE
Feb 25 06:07:43.121: ISAKMP: set new node -1459554599 to QM_IDLE
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = -1459554599
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -1459554599, sa = 63C68AF8
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "Informational (in) state 1"
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Feb 25 06:07:43.121: ISAKMP (0:134217739): received packet from 56.5.4.6 dport 500 sport 500 Global (I) QM_IDLE
Feb 25 06:07:43.125: ISAKMP: set new node -235856768 to QM_IDLE
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing HASH payload. message ID = 235856768
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): processing DELETE payload. message ID = -235856768
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):peer does not do paranoid keepalives.
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 56.5.4.6)
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "Informational (in) state 1"
Feb 25 06:07:43.125: ISAKMP: set new node -212410468 to QM_IDLE
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1): sending packet to 56.5.4.6 my_port 500 peer_port 500 (I) QM_IDLE
Feb 25 06:07:43.125: ISAKMP:(0:11:SW:1):purging node -212410468
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting SA reason "No reason" state (I) QM_IDLE (peer 56.5.4.6)
Feb 25 06:07:43.129: ISAKMP: Unlocking IKE struct 0x63CE2DE4 for isadb_mark_sa_deleted(), count 0
Feb 25 06:07:43.129: ISAKMP: Deleting peer node by peer_reap for 56.5.4.6:63CE2DE4
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1841673445 error FALSE reason "IKE deleted"
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -1459554599 error FALSE reason "IKE deleted"
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):deleting node -235856768 error FALSE reason "IKE deleted"
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Feb 25 06:08:02.735: ISAKMP:(0:10:SW:1):purging node -39846581
Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 324814776
Feb 25 06:08:02.739: ISAKMP:(0:10:SW:1):purging node 958416367
02-25-2012 08:45 AM
Looks like you got notify message 14 "PROPOSAL_NOT_CHOSEN" during phase 2. Compare your phase 2 attributes with the peer.
02-26-2012 10:44 AM
Hello Haris,
The branch not working is using the parameters given in policy 2. How can I ensure that this specific branch is using policy 2? Below is the debug for my VPN tunnel.
Each VPN endpoint initiating the connection will send all of its ISAKMP policies until a match happens, so if branch two also has ISAKMP policy one, that would be a match and they will use that one, as the first match is the one used.
Regards.
Do rate all the helpful posts
Julio
02-26-2012 03:01 PM
It's not a phase 1 issue. Notify message 14 "NO_PROPOSAL_CHOSEN" can be used in both phase 1 and phase 2. In this case you can see that phase 1 has completed and the notify message was received during quick mode. I would first check the phase 2 transform set and then the proxy ID (subnet) info, as the INVALID_ID_INFO notify message isn't always used for host/subnet incompatibilities.
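Added here as a worked example, not code from the thread or from Cisco: a small Python classifier that walks `debug crypto isakmp` output in order and decides whether a proposal rejection arrived before or after phase 1 completed, using the state transitions and NOTIFY payloads shown in the debug above. The first sample is copied from this thread's debug excerpt; the second (rejection during main mode) is constructed for contrast. The protocol number in the NOTIFY line is the ISAKMP DOI protocol ID (1 = ISAKMP, 2 = AH, 3 = ESP), so "protocol 3" already points at an IPsec proposal.

```python
import re

# Patterns matching the line shapes seen in Cisco IOS "debug crypto isakmp" output.
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")

# ISAKMP DOI protocol IDs carried in a NOTIFY payload.
PROTO_NAMES = {1: "ISAKMP", 2: "AH", 3: "ESP"}
PROPOSAL_REJECTS = {"PROPOSAL_NOT_CHOSEN", "NO_PROPOSAL_CHOSEN"}

def diagnose_isakmp(lines):
    """Return (phase1_complete, notifies, verdict); each notify is (name, protocol, phase)."""
    phase1_complete = False
    notifies = []
    for line in lines:
        m = STATE_RE.search(line)
        if m:
            if m.group(2) == "IKE_P1_COMPLETE":
                phase1_complete = True
            continue
        m = NOTIFY_RE.search(line)
        if m:
            proto = PROTO_NAMES.get(int(m.group(2)), m.group(2))
            # A NOTIFY seen after IKE_P1_COMPLETE belongs to quick mode (phase 2).
            phase = "phase2" if phase1_complete else "phase1"
            notifies.append((m.group(1), proto, phase))
    if any(n[0] in PROPOSAL_REJECTS and n[2] == "phase2" for n in notifies):
        verdict = "phase2 mismatch: compare IPsec transform set and proxy IDs (crypto ACL)"
    elif any(n[0] in PROPOSAL_REJECTS for n in notifies):
        verdict = "phase1 mismatch: compare ISAKMP policy (encr/hash/auth/group)"
    elif phase1_complete:
        verdict = "phase1 ok, no proposal rejection seen"
    else:
        verdict = "phase1 never completed"
    return phase1_complete, notifies, verdict

# Lines copied from the debug excerpt posted in this thread.
THREAD_DEBUG = [
    "Feb 25 06:07:43.105: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE",
    "Feb 25 06:07:43.121: ISAKMP:(0:11:SW:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3",
    "Feb 25 06:07:43.129: ISAKMP:(0:11:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA",
]

# Constructed contrast case (not from the thread): rejection before phase 1 completed.
PHASE1_FAIL = [
    "Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1):Old State = IKE_I_MM1 New State = IKE_I_MM2",
    "Feb 25 06:07:43.101: ISAKMP:(0:11:SW:1): processing NOTIFY NO_PROPOSAL_CHOSEN protocol 1",
]
```

Feed it the full debug capture (one line per list element) to get the verdict for the thread's case, which lands on the phase 2 branch exactly as the reply above concludes.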
02-26-2012 05:35 PM
Hello Patrick,
When did I say it was a phase one issue?????????
I just answered one of his questions!!
02-28-2012 05:31 AM
It was a phase 2 problem, and after changing the transform set it worked fine.
Thanks
02-26-2012 07:30 PM
Hi Julio,
Wasn't trying to argue with you, just trying to emphasize that the issue is not with phase 1. Your response was correct.
-Patrick