ASA - IOS Router IPsec VPN NOTIFY PROPOSAL_NOT_CHOSEN

Hey all!

I'm trying to set up an IPsec VPN between a Cisco IOS router and an ASAv in GNS3.

I keep getting the error shown in the debug below when I debug on the Cisco router.

*Mar  1 03:15:12.975: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

I think there's simply no common encryption protocol between the two when it comes to the IPsec part, which is phase 2.

This is the router config.

Outside-R#show running-config | section crypto
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ourset esp-aes
crypto map ourmap 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set ourset
 match address 100
 crypto map ourmap

Here's the ASA config.

crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

I don't see any option to match the esp-aes on both; the ASA only has ESP-AES-128-MD5. And then the router has ah-md5-hmac, while the ASA does not have HMAC.

And finally the debug from the router.

*Mar  1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 QM_IDLE       1349190959 ...
*Mar  1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Mar  1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar  1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 1349190959 QM_IDLE
*Mar  1 03:15:12.959: ISAKMP:(1001): sending packet to 192.168.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar  1 03:15:12.959: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar  1 03:15:12.975: ISAKMP (0:1001): received packet from 192.168.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar  1 03:15:12.975: ISAKMP: set new node -619099427 to QM_IDLE
*Mar  1 03:15:12.975: ISAKMP:(1001): processing HASH payload. message ID = -619099427
*Mar  1 03:15:12.975: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = -619099427, sa = 66772820
*Mar  1 03:15:12.975: ISAKMP:(1001):deleting node -619099427 error FALSE reason "Informational (in) state 1"
*Mar  1 03:15:12.975: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 03:15:12.975: ISAKMP:(1001):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Appreciate any pointers to get this working!

Accepted Solution

Rahul Govindan
VIP Alumni

You should use the following guide as your reference:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html#anc21

On the ASA

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

On the IOS router

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

If you are using relatively newer IOS versions for both, these should be available as options to you.
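As an added illustration (not from the thread or from Cisco's documentation), the following Python model of the IKEv1 Phase 2 proposal comparison parses the transform-set and crypto-map lines from both configs in this thread. It shows why the original pair ends in PROPOSAL_NOT_CHOSEN (the router's `ourset` carries encryption only, while the ASA's referenced sets all require esp-md5-hmac) and why the suggested esp-aes/esp-sha-hmac pair matches; the ASA crypto-map line pointing at the new set is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

Proposal = Tuple[Optional[str], Optional[str], str]  # (encryption, integrity or None, mode)
# IOS: 'crypto ipsec transform-set NAME ...'; ASA inserts 'ikev1' after 'ipsec'.
_TS = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
_CM = re.compile(r"^\s*(?:crypto map \S+ \d+ )?set (?:ikev1 )?transform-set (.+)$")

def parse_transform_sets(config: str) -> Dict[str, Proposal]:
    """Map each transform-set name to its proposal; mode is tunnel unless a 'mode' line says otherwise."""
    sets: Dict[str, Proposal] = {}
    for line in config.splitlines():
        m = _TS.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        encr, integ, mode = sets.get(name, (None, None, "tunnel"))
        if rest[0] == "mode":
            mode = rest[1]
        else:  # e.g. 'esp-aes esp-sha-hmac': the '*-hmac' token is the integrity transform
            encr = next((t for t in rest if not t.endswith("-hmac")), None)
            integ = next((t for t in rest if t.endswith("-hmac")), None)
        sets[name] = (encr, integ, mode)
    return sets

def offered_proposals(config: str) -> List[Proposal]:
    """Only the sets the crypto map references are proposed, in the order listed."""
    sets, names = parse_transform_sets(config), []
    for line in config.splitlines():
        m = _CM.match(line)
        if m:
            names.extend(m.group(1).split())
    return [sets[n] for n in names if n in sets]

def negotiate_phase2(initiator_cfg: str, responder_cfg: str) -> Optional[Proposal]:
    """Responder takes the first offered proposal it also has; None means PROPOSAL_NOT_CHOSEN."""
    accepted = set(offered_proposals(responder_cfg))
    return next((p for p in offered_proposals(initiator_cfg) if p in accepted), None)

# Constructed from the thread's configs (crypto-relevant lines only).
ROUTER_BEFORE = "crypto ipsec transform-set ourset esp-aes\ncrypto map ourmap 1 ipsec-isakmp\n set transform-set ourset\n"
ASA_BEFORE = ("crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac\n"
              "crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac\n"
              "crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport\n"
              "crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS\n")
# After the suggested fix; the ASA crypto-map line referencing the new set is assumed.
ROUTER_AFTER = ROUTER_BEFORE.replace("ourset esp-aes", "ourset esp-aes esp-sha-hmac")
ASA_AFTER = ("crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac\n"
             "crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA\n")
```

`negotiate_phase2(ROUTER_BEFORE, ASA_BEFORE)` returns None in either direction, and `negotiate_phase2(ROUTER_AFTER, ASA_AFTER)` returns the esp-aes/esp-sha-hmac tunnel-mode proposal.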

Hey thanks for the reply!

The thing is I can see some options in the ASA CLI but I don't see them in ASDM.

Here's the full crypto config from the CLI:

ciscoasa# show running-config crypto
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400

So do I need to use the no command and remove these options from here, so that they match the router config?

Well, I got it to work by removing all the other cipher suites with a no command and just left the one I needed.
