Cisco 857 > ZyXEL USG 100 VPN NO_PROPOSAL_CHOSEN etc

jamiereesgml1
Level 1

Hello,

I'm having issues establishing a VPN between a Cisco ISR 857 and a ZyXEL USG 100. I've deleted and re-added the VPN a few times (via SDM and manually via SSH) and ensured the settings are correct on both sides, but still no luck.

It seems to pass ISAKMP phase 1 OK (I get the status QM_IDLE), but phase 2 negotiation seems to point to a mismatch, even though both sides are the same (3DES/DH5/PFS, same key etc.). I get a variety of errors such as NO_PROPOSAL_CHOSEN.

I read that because NAT is running on the router I had to add a deny statement to the ACL used by NAT to stop the remote network's traffic being NATted, but still no luck.

This is my config:

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 SECRETPASSWORD
!
no aaa new-model
clock timezone GMT 1
!
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 8.8.8.8
!
!
!
username admin privilege 15 secret 5 SECRETPASSWORD
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key 12345678 address REMOTEPEER
crypto isakmp keepalive 3600
crypto isakmp nat keepalive 3600
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map GMLVPN 1 ipsec-isakmp
 set peer REMOTEPEER
 set transform-set TS
 set pfs group 5
 match address GML-VPN
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 ip address LOCALWANIPADDRESS 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.12.99 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname USERNAME
 ppp chap password 7 PASSWORD
 crypto map GMLVPN
!
no ip forward-protocol nd
ip route profile
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list OutsideNAT interface Dialer0 overload
ip nat inside source static tcp 192.168.12.8 25 EXTERNALIP 25 extendable
ip nat inside source static tcp 192.168.12.8 80 EXTERNALIP 80 extendable
ip nat inside source static tcp 192.168.12.8 443 EXTERNALIP 443 extendable
ip nat inside source static tcp 192.168.12.8 1723 EXTERNALIP 1723 extendable
ip nat inside source static tcp 192.168.12.8 5666 EXTERNALIP 5666 extendable
ip nat inside source static tcp 192.168.12.8 12489 EXTERNALIP 12489 extendable
!
ip access-list extended GML-VPN
 permit ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip access-list extended OutsideNAT
 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 any
!
logging trap debugging
access-list 5 permit SSHIP
access-list 5 permit SSHIP
access-list 5 permit SSHIP
access-list 5 permit 192.168.12.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 remark Access to SSH
access-list 100 deny   ip 192.168.12.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 5 in
 exec-timeout 5 0
 privilege level 15
 logging synchronous
 login local
 terminal-type monitor
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

And this is the output of the logs:

008243: Oct 22 20:28:57.584 GMT: IPSEC(ipsec_process_proposal): invalid local address LOCALIPADDRESS
008244: Oct 22 20:28:57.584 GMT: ISAKMP:(2011): IPSec policy invalidated proposal with error 8
008245: Oct 22 20:28:57.584 GMT: ISAKMP:(2011): phase 2 SA policy not acceptable! (local LOCALIPADDRESS remote REMOTEPEER)
008246: Oct 22 20:28:57.588 GMT: ISAKMP: set new node -168813266 to QM_IDLE
008247: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2191252528, message ID = -168813266
008248: Oct 22 20:28:57.588 GMT: ISAKMP:(2011): sending packet to REMOTEPEER my_port 500 peer_port 500 (R) QM_IDLE
008249: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Sending an IKE IPv4 Packet.
008250: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):purging node -168813266
008251: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):deleting node 1453459847 error TRUE reason "QM rejected"
008252: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Node 1453459847, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
008253: Oct 22 20:28:57.588 GMT: ISAKMP:(2011):Old State = IKE_QM_READY  New State = IKE_QM_READY
008254: Oct 22 20:29:47.590 GMT: ISAKMP:(2011):purging node 1453459847

The USG at the other end has NO_PROPOSAL_CHOSEN in its logs, but I don't understand why, as both ends are set the same?

Any help appreciated.

Thanks,

Jamie

3 Replies

Michael Muenz
Level 5

You don't have lifetime values for phase 2; also try DH2. It doesn't make sense to use a high-bit DH group with low encryption (3DES).
Also check if both network ACLs match.
Your NAT stuff is fine.


Michael

Thanks for the reply. I tried changing the DH group to 2 and ensured that I had added a lifetime of 3600 seconds in my crypto map (which doesn't seem to appear in my running config for some reason), but without any luck.

I replaced the NAT rule OutsideNAT with a new one, as I realised it had ended up with the permit statement before the deny, but this didn't do anything.

I now have no isakmp sa at all, and this in the log:

010641: Oct 22 21:59:04.283 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010642: Oct 22 21:59:04.283 GMT: %CRYPTO-4-IKMP_NO_SA: IKE message from 84.x.x.x has no SA and is not an initialization offer
010643: Oct 22 21:59:04.799 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010644: Oct 22 21:59:05.807 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010645: Oct 22 21:59:07.983 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA
010646: Oct 22 21:59:11.984 GMT: ISAKMP (0:0): received packet from 84.x.x.x dport 500 sport 500 Global (N) NEW SA

I've changed nothing on the other end apart from phase 2, which is now AES128/DH2, and I've updated this on the Cisco too.

NAT is not compatible with mode tunnel on your transform set. You must use MODE TRANSPORT on your transform set on both sides; this is why you were getting a Proposal Not Chosen initially.
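The comparison a responder makes before it answers NO_PROPOSAL_CHOSEN, as an added teaching model that is not Cisco IOS or ZyXEL code and not from anyone in this thread: it checks the phase 2 attributes the replies argue about (encryption, integrity, PFS group, tunnel/transport mode) and whether the two ACLs are mirror images, using the thread's 3DES/SHA, PFS group 5 and GML-VPN networks. The `Phase2Proposal` fields, `acl_network` and the "shorter lifetime wins" rule are the example's own simplifications of IKEv1 Quick Mode.

```python
"""Teaching model of IKEv1 Quick Mode (phase 2) proposal matching.

Constructed example, not Cisco IOS or ZyXEL code: it mimics the checks a
responder makes before answering NO_PROPOSAL_CHOSEN, using the thread's own
values (3DES/SHA, PFS group 5, GML-VPN 192.168.12.0/24 <-> 192.168.0.0/24).
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


def acl_network(acl_entry: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair ('192.168.12.0 0.0.0.255') into
    an IPv4Network; the ipaddress module accepts the wildcard as a host mask."""
    address, wildcard = acl_entry.split()
    return ipaddress.ip_network(f"{address}/{wildcard}")


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str            # "3des" or "aes128", as in the thread
    integrity: str             # "sha1" for esp-sha-hmac
    pfs_group: Optional[int]   # Diffie-Hellman group for PFS, None = PFS off
    mode: str                  # "tunnel" or "transport"
    lifetime: int              # SA lifetime in seconds
    local: str                 # this side's network, Cisco wildcard notation
    remote: str                # peer's network, Cisco wildcard notation


def phase2_rejections(initiator: Phase2Proposal,
                      responder: Phase2Proposal) -> List[str]:
    """Reasons a responder would reject the proposal ([] = accepted). Lifetime is
    not a rejection: IKEv1 peers settle on the shorter value (Cisco sends a
    RESPONDER-LIFETIME notify), see negotiated_lifetime()."""
    reasons = []
    for attr in ("encryption", "integrity", "pfs_group", "mode"):
        mine, theirs = getattr(initiator, attr), getattr(responder, attr)
        if mine != theirs:
            reasons.append(f"{attr}: initiator {mine} vs responder {theirs}")
    # Traffic selectors must be mirror images: my local is your remote.
    if (acl_network(initiator.local) != acl_network(responder.remote)
            or acl_network(initiator.remote) != acl_network(responder.local)):
        reasons.append("traffic selectors are not mirror images")
    return reasons


def negotiated_lifetime(a: Phase2Proposal, b: Phase2Proposal) -> int:
    """IKEv1 phase 2 SAs end up with the shorter of the two configured lifetimes."""
    return min(a.lifetime, b.lifetime)
```

Feeding in the Cisco side from the config above and a USG side whose networks were entered the wrong way round returns the selector mismatch even though every cipher setting "is the same", which is the symptom the thread describes.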
