05-20-2017 08:46 AM - edited 02-21-2020 09:17 PM
Hey all!
I'm trying to set up an IPsec VPN between a Cisco IOS router and an ASAv on GNS3.
I keep getting the error in the debug below when I debug on the Cisco router.
*Mar 1 03:15:12.975: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
I think there are simply no common encryption protocols between the two when it comes to the IPsec part, which is phase 2.
This is the router config.
Outside-R#show running-config | section crypto
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ourset esp-aes
crypto map ourmap 1 ipsec-isakmp
set peer 192.168.2.1
set transform-set ourset
match address 100
crypto map ourmap
Here's the ASA config.
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
I don't see any option to match the esp-aes on both; the ASA only has ESP-AES-128-MD5. And then the router has ah-md5-hmac, while the ASA does not have HMAC.
And finally the debug from the router.
*Mar 1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 QM_IDLE 1349190959 ...
*Mar 1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Mar 1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar 1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 1349190959 QM_IDLE
*Mar 1 03:15:12.959: ISAKMP:(1001): sending packet to 192.168.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 03:15:12.959: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 1 03:15:12.975: ISAKMP (0:1001): received packet from 192.168.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 03:15:12.975: ISAKMP: set new node -619099427 to QM_IDLE
*Mar 1 03:15:12.975: ISAKMP:(1001): processing HASH payload. message ID = -619099427
*Mar 1 03:15:12.975: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -619099427, sa = 66772820
*Mar 1 03:15:12.975: ISAKMP:(1001):deleting node -619099427 error FALSE reason "Informational (in) state 1"
*Mar 1 03:15:12.975: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 03:15:12.975: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Appreciate any pointers to get this working!
05-20-2017 09:22 AM
You should use the following guide as your reference:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html#anc21
On the ASA
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
On the IOS router
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
If you are using relatively newer IOS versions for both, these should be available as options to you.
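To make the cause of the `PROPOSAL_NOT_CHOSEN protocol 3` notify concrete, here is an added example that is not part of the thread or of any Cisco tooling: a small Python model of the IKEv1 Quick Mode comparison. It parses the transform-set and crypto-map lines of the two configs posted above (reproduced as constructed sample strings), builds the ESP proposals each side actually offers, and shows that the router's encryption-only `esp-aes` in tunnel mode can never equal the ASA's `esp-aes esp-md5-hmac` (tunnel) or its `-TRANS` (transport) set, while the answer's `esp-aes esp-sha-hmac` on both sides negotiates. The model deliberately ignores PFS group, lifetimes and proxy-ID (ACL) matching, which are real, separate causes of Phase 2 failure; the regexes and the `audit` warnings are this example's own assumptions about the config syntax, not a Cisco API.

```python
"""Added example: model the IKEv1 Phase 2 (Quick Mode) proposal comparison that
yields NOTIFY PROPOSAL_NOT_CHOSEN (protocol 3 = ESP) when two Cisco peers offer
transform sets that disagree on encryption, integrity or mode. Parses the
transform-set and crypto-map lines of IOS and ASA running-configs."""
import re
from typing import Dict, List, Optional, Tuple

# One proposal = (ESP encryption, ESP integrity, AH integrity, mode).
Proposal = Tuple[Optional[str], Optional[str], Optional[str], str]

# Assumed syntax patterns (IOS and ASA forms of the same two statements).
TS_DEF = re.compile(r"^\s*crypto ipsec (?:ikev1 )?transform-set (\S+) (.+?)\s*$")
TS_USE = re.compile(r"^\s*(?:crypto map \S+ \d+ )?set (?:ikev1 )?transform-set (.+?)\s*$")
WEAK = {"esp-des": "single DES", "esp-3des": "3DES (64-bit block, Sweet32)",
        "esp-md5-hmac": "HMAC-MD5", "ah-md5-hmac": "HMAC-MD5", "esp-null": "null encryption"}


def parse_config(text: str) -> Dict[str, Proposal]:
    """Return {name: proposal} for the transform sets a crypto map actually offers.
    Sets that are defined but not referenced by 'set transform-set' are never
    proposed, so they are dropped; if no crypto map references any set, all
    defined sets are returned."""
    sets: Dict[str, dict] = {}
    offered: List[str] = []
    current: Optional[str] = None
    for line in text.splitlines():
        m = TS_DEF.match(line)
        if m:
            current, rest = m.group(1), m.group(2)
            entry = sets.setdefault(current, {"enc": None, "esp_auth": None, "ah_auth": None, "mode": "tunnel"})
            if rest.startswith("mode "):          # ASA repeats the set name for 'mode transport'
                entry["mode"] = rest.split()[1]
                continue
            # IOS writes 'esp-aes 256'; ASA writes 'esp-aes-256'. Normalise to the ASA form.
            for tok in re.sub(r"esp-aes (\d+)", r"esp-aes-\1", rest).split():
                if tok.startswith("ah-"):
                    entry["ah_auth"] = tok
                elif tok.endswith("-hmac"):
                    entry["esp_auth"] = tok
                else:
                    entry["enc"] = tok
            continue
        if not line.startswith((" ", "\t")):
            current = None                        # left the transform-set block
        stripped = line.strip()
        if current and stripped.startswith("mode "):  # IOS puts 'mode transport' on a sub-line
            sets[current]["mode"] = stripped.split()[1]
            continue
        m = TS_USE.match(line)
        if m:
            offered.extend(m.group(1).split())
    names = offered or list(sets)
    return {n: (sets[n]["enc"], sets[n]["esp_auth"], sets[n]["ah_auth"], sets[n]["mode"])
            for n in names if n in sets}


def negotiate(initiator: Dict[str, Proposal],
              responder: Dict[str, Proposal]) -> Optional[Tuple[str, str, Proposal]]:
    """Quick Mode: the initiator offers every referenced transform set; the
    responder accepts the first one identical to one of its own, otherwise it
    answers with NOTIFY PROPOSAL_NOT_CHOSEN, as the router debug above shows."""
    for i_name, prop in initiator.items():
        for r_name, r_prop in responder.items():
            if prop == r_prop:
                return (i_name, r_name, prop)
    return None


def audit(prop: Proposal) -> List[str]:
    """Flag choices a reviewer would reject even when they do negotiate."""
    enc, esp_auth, ah_auth, _mode = prop
    issues = []
    if esp_auth is None and ah_auth is None:
        issues.append("encryption-only ESP: no integrity protection (RFC 4303 discourages this)")
    for tok in (enc, esp_auth, ah_auth):
        if tok in WEAK:
            issues.append(f"{tok}: {WEAK[tok]}")
    return issues


# Constructed samples: the relevant lines of the two configs posted in the thread.
ROUTER_BEFORE = """\
crypto ipsec transform-set ourset esp-aes
crypto map ourmap 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set ourset
 match address 100
"""
ASA_BEFORE = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
"""
# The accepted answer's fix applied to both sides.
ROUTER_AFTER = """\
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map ourmap 1 ipsec-isakmp
 set transform-set ESP-AES-SHA
"""
ASA_AFTER = """\
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
"""

if __name__ == "__main__":
    for label, r_cfg, a_cfg in (("before", ROUTER_BEFORE, ASA_BEFORE), ("after", ROUTER_AFTER, ASA_AFTER)):
        router, asa = parse_config(r_cfg), parse_config(a_cfg)
        print(f"[{label}] router offers {router}\n[{label}] ASA offers    {asa}")
        result = negotiate(router, asa)
        print(f"[{label}] result: {result or 'NOTIFY PROPOSAL_NOT_CHOSEN (protocol 3)'}")
        for name, prop in {**router, **asa}.items():
            for issue in audit(prop):
                print(f"[{label}] {name}: {issue}")
```

Note that `ESP-AES-128-SHA` is defined on the ASA but not listed in `crypto map outside_map 1 set ikev1 transform-set`, so it is never proposed; pointing the crypto map at a set that matches the router is enough, without deleting the unused ones. The `audit` output also shows why the accepted answer moves to `esp-sha-hmac`: the original router set is encryption-only ESP and the ASA set relies on HMAC-MD5.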
05-20-2017 10:54 PM
Hey thanks for the reply!
The thing is, I can see some options in the ASA CLI, but I don't see them in ASDM.
Here's the full crypto config from the CLI:
ciscoasa# show running-config crypto
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
So do I need to use the no command and remove these options from here, so that they match the router config?
05-23-2017 04:54 AM
Well, I got it to work by removing all the other cipher suites with a no command and just leaving the one I needed.