10-22-2013 12:40 PM
Hello,
I'm having issues establishing a VPN between a Cisco ISR 857 and a ZyXEL USG 100. I've deleted and re-added the VPN a few times (via SDM and manually via SSH) and ensured the settings are correct on both sides, but still no luck.
It seems to pass ISAKMP phase 1 OK (I get the status of QM_IDLE), but the phase 2 negotiation seems to point to a mismatch, even though both sides are the same (3DES/DH5/PFS, same key, etc.). I get a variety of issues such as NO_PROPOSAL_CHOSEN.
I read that because NAT is running on the router I had to add a deny statement to the ACL used by NAT to stop the remote network's traffic being NATted, but still no luck.
This is my config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 SECRETPASSWORD
!
no aaa new-model
clock timezone GMT 1
!
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 8.8.8.8
!
!
!
username admin privilege 15 secret 5 SECRETPASSWORD
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 5
lifetime 3600
crypto isakmp key 12345678 address REMOTEPEER
crypto isakmp keepalive 3600
crypto isakmp nat keepalive 3600
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map GMLVPN 1 ipsec-isakmp
set peer REMOTEPEER
set transform-set TS
set pfs group 5
match address GML-VPN
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
ip address LOCALWANIPADDRESS 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.12.99 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname USERNAME
ppp chap password 7 PASSWORD
crypto map GMLVPN
!
no ip forward-protocol nd
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OutsideNAT interface Dialer0 overload
ip nat inside source static tcp 192.168.12.8 25 EXTERNALIP 25 extendable
ip nat inside source static tcp 192.168.12.8 80 EXTERNALIP 80 extendable
ip nat inside source static tcp 192.168.12.8 443 EXTERNALIP 443 extendable
ip nat inside source static tcp 192.168.12.8 1723 EXTERNALIP 1723 extendable
ip nat inside source static tcp 192.168.12.8 5666 EXTERNALIP 5666 extendable
ip nat inside source static tcp 192.168.12.8 12489 EXTERNALIP 12489 extendable
!
ip access-list extended GML-VPN
permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended OutsideNAT
deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 any
!
logging trap debugging
access-list 5 permit SSHIP
access-list 5 permit SSHIP
access-list 5 permit SSHIP
access-list 5 permit 192.168.12.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 remark Access to SSH
access-list 100 deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 5 in
exec-timeout 5 0
privilege level 15
logging synchronous
login local
terminal-type monitor
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
And this is the output of the logs:
008243: Oct 22 20:28:57.584 GMT: IPSEC(ipsec_process_proposal): invalid local address LOCALIPADDRESS
008244: Oct 22 20:28:57.584 GMT: ISAKMP:(2011): IPSec policy invalidated proposal with error 8
008245: Oct 22 20:28:57.584 GMT: ISAKMP:(2011): phase 2 SA policy not acceptable! (local LOCALIPADDRESS remote REMOTEPEER)
008246: Oct 22 20:28:57.588 GMT: ISAKMP: set new node -168813266 to QM_IDLE
008247: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2191252528, message ID = -168813266
008248: Oct 22 20:28:57.588 GMT: ISAKMP:(2011): sending packet to REMOTEPEER my_port 500 peer_port 500 (R) QM_IDLE
008249: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Sending an IKE IPv4 Packet.
008250: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):purging node -168813266
008251: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):deleting node 1453459847 error TRUE reason "QM rejected"
008252: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Node 1453459847, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
008253: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Old State = IKE_QM_READY New State = IKE_QM_READY
008254: Oct 22 20:29:47.590 GMT: ISAKMP:(2011):purging node 1453459847
The USG at the other end has NO_PROPOSAL_CHOSEN in its logs, but I don't understand why, as both ends are set to the same?
Any help appreciated.
Thanks,
Jamie
10-22-2013 12:49 PM
You don't have lifetime values for phase 2; also try DH2. It doesn't make sense to use a high-bit DH group with low encryption (3DES).
Also check that both network ACLs match.
Your NAT stuff is fine.
Sent from Cisco Technical Support Android App
10-22-2013 02:14 PM
Thanks for the reply. I tried changing the DH group to 2 and ensured that I had added a lifetime of 3600 seconds in my crypto map (which doesn't seem to appear in my running config for some reason), but without any luck.
I replaced the NAT rule OutsideNAT with a new one, as I realised it ended up with the permit statement before the deny, but this didn't do anything.
I now have no isakmp sa at all, and this in the log:
010641: Oct 22 21:59:04.283 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010642: Oct 22 21:59:04.283 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from 84.x.x.x has no SA and is not an initialization offer
010643: Oct 22 21:59:04.799 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010644: Oct 22 21:59:05.807 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010645: Oct 22 21:59:07.983 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010646: Oct 22 21:59:11.984 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
I've changed nothing on the other end apart from phase 2, which is now AES128/DH2, and I've updated this on the Cisco too.
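A small check for the NAT-exemption ordering Jamie describes above: in the ACL named by `ip nat inside source list`, the deny for the VPN subnets has to come before the overload permit, or the traffic is translated before the crypto map ever sees it. This is an added example, not code from the thread or from Cisco; it assumes the posted config format with plain `permit/deny ip` entries, and the config excerpt inside it is constructed from the post.

```python
import re, ipaddress

# Constructed excerpt modelled on the config posted in this thread (not the full config);
# the NAT ACL is filled in twice below: permit first (the ordering Jamie found) and fixed.
CFG = """\
crypto map GMLVPN 1 ipsec-isakmp
 match address GML-VPN
ip nat inside source list OutsideNAT interface Dialer0 overload
ip access-list extended GML-VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended OutsideNAT
{nat_acl}"""
EXEMPT = " deny ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255\n"
OVERLOAD = " permit ip 192.168.12.0 0.0.0.255 any\n"
BROKEN_CFG = CFG.format(nat_acl=OVERLOAD + EXEMPT)   # permit shadows the deny
FIXED_CFG = CFG.format(nat_acl=EXEMPT + OVERLOAD)    # deny first, as it should be

def parse_addr(tok, i):
    """Parse one ACE address ('any' or 'ADDR WILDCARD') into an IPv4Network."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2   # IOS wildcard = hostmask

def parse_acls(cfg):
    """Return {name: [(action, src_net, dst_net), ...]} for 'ip access-list extended' blocks."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(tok[3], [])
        elif cur is not None and tok and tok[0] in ("permit", "deny"):
            src, i = parse_addr(tok, 2)          # tok[1] is the protocol keyword ('ip')
            dst, _ = parse_addr(tok, i)
            cur.append((tok[0], src, dst))
        elif tok and tok[0] != "remark":
            cur = None                            # any other config line ends the ACL block
    return acls

def check_nat_exemption(cfg):
    """For each crypto-ACL permit, the first overlapping NAT-ACL entry decides: a deny exempts the
    flow; a permit means it is NATted first, never matches the crypto ACL, and phase 2 fails."""
    acls = parse_acls(cfg)
    crypto = acls[re.search(r"^\s*match address (\S+)", cfg, re.M).group(1)]
    nat = acls[re.search(r"^ip nat inside source list (\S+)", cfg, re.M).group(1)]
    findings = []
    for action, src, dst in crypto:
        hit = next(((a, s, d) for a, s, d in nat if src.overlaps(s) and dst.overlaps(d)), None)
        if action == "permit" and hit and hit[0] == "permit":     # no hit = implicit deny = not NATted
            findings.append(f"{src} -> {dst} is NATted by 'permit {hit[1]} {hit[2]}' before any deny")
    return findings
```

Running it on the two constructed configs flags the permit-first ordering and returns nothing for the corrected one.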
10-22-2013 03:41 PM
NAT is not compatible with mode tunnel on your transform set. You must use MODE TRANSPORT on your transform set on both sides, this is why you were getting a Proposal Not Chosen initially.