08-01-2014 08:44 AM
I cannot find anything wrong in the two configs. When I try to send traffic from the Cisco, this is what shows on the Adtran:
2014.08.01 09:30:57 CRYPTO_IKE.NEGOTIATION 105: Failed to select IPSec proposal
and this is what shows on the Cisco:
Aug 1 11:21:03: ISAKMP:(1018): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
I have lost count of how many times I've checked the settings and erased and put them back in.
Here is Cisco:
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Pyx1s15Aw3s0me! address 205.x.x.x
crypto isakmp keepalive 120 30
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
crypto map VPN 12 ipsec-isakmp
set peer 205.x.x.x
set transform-set AES256_SHA
match address VPN_CareAltVA-ACL
Extended IP access list NAT
120 deny ip any 10.6.0.0 0.0.255.255
130 permit ip 172.20.121.0 0.0.0.255 any
140 permit ip 172.19.121.0 0.0.0.255 any
150 permit ip 172.18.121.0 0.0.0.255 any
Extended IP access list VPN_CareAltVA-ACL
10 permit ip host 172.18.121.19 host 10.6.0.166
20 permit ip 172.18.121.0 0.0.0.255 10.6.0.0 0.0.255.255
interface FastEthernet0/0
ip address 172.18.121.1 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1/0
switchport access vlan 100
!
interface Vlan100
ip address 50.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map VPN
ip route 0.0.0.0 0.0.0.0 50.x.x.x
ip route 10.6.0.0 255.255.0.0 50.x.x.x
ip route 10.6.0.166 255.255.255.255 50.x.x.x
Here is Adtran:
crypto ike policy 105
initiate main
respond anymode
local-id address 205.x.x.x
peer 50.x.x.x
attribute 1
encryption aes-256-cbc
crypto ike remote-id address 50.x.x.x preshared-key Pyx1s15Aw3s0me! ike-policy 105 crypto map VPN 60 no-xauth
crypto ipsec transform-set AES256_SHA esp-aes-256-cbc esp-sha-hmac
mode tunnel
!
crypto map VPN 60 ipsec-ike
match address VPN_GlenBurnie-ACL
set peer 50.x.x.x
set transform-set AES256_SHA
set security-association lifetime seconds 3600
ike-policy 105
interface eth 0/1
ip address 10.6.0.254 255.255.0.0
access-policy Private
no shutdown
!
!
!
!
interface t1 1/1
description Qwest circuit
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
ip address 205.x.x.x 255.255.255.252
access-policy Public
crypto map VPN
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
ip access-list extended VPN_GlenBurnie-ACL
permit ip host 10.6.0.166 host 172.18.121.19
permit ip 10.6.0.0 0.0.255.255 172.18.121.0 0.0.0.255
!
ip policy-class Private
allow list VPN-40-vpn-selectors
allow list VPN-30-vpn-selectors stateless
allow list VPN-20-vpn-selectors stateless
allow list VPN_CRANFORD
nat source list NAT_OUT address 205.x.x.x overload
nat source list web-acl-10 address 10.6.0.254 overload
allow list web-acl-11 policy Private
nat source list web-acl-13 address 10.6.0.254 overload
allow list VPN_ColonialHeights-ACL
allow list VPN_GlenBurnie-ACL
!
ip policy-class Public
allow reverse list VPN-40-vpn-selectors
allow reverse list VPN-30-vpn-selectors stateless
allow reverse list VPN-20-vpn-selectors stateless
allow list ADTRAN
allow list telnet-in
allow reverse list VPN_CRANFORD
allow list web-acl-12
allow reverse list VPN_ColonialHeights-ACL
allow reverse list VPN_GlenBurnie-ACL
08-09-2014 09:52 PM
Hi,
On your IKE policy I do not see any matching policy...
Say your Cisco router has
IKE/ISAKMP policy:
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
Your Adtran has:
encryption aes-256-cbc alone... the rest have been left default... do those all match with the default ones?
Can you modify your crypto ike command like the one below on the Adtran:
crypto ike remote-id address 50.x.x.x preshared-key Pyx1s15Aw3s0me! ike-policy 105 crypto map VPN 60 no-mode-config no-xauth
!
and then under
crypto map VPN 60 ipsec-ike
you have set a security-association lifetime; does that match the Cisco router?
How about the no-NAT rules at both ends?
Regards
Karthik
08-11-2014 09:26 AM
This section from the Adtran is what matches the Cisco's IKE:
crypto ike policy 105
initiate main
respond anymode
local-id address 205.x.x.x
peer 50.x.x.x
attribute 1
encryption aes-256-cbc
What's killing me is that another VPN I added to the Adtran works fine with the exact same settings.
08-11-2014 10:04 AM
Hi,
My question is: where are the below-mentioned parameters added in the Adtran? Do they match the defaults?
authentication pre-share
group 2
lifetime 28800
Regards
Karthik
08-11-2014 11:08 AM
This is from show ike policy:
Crypto IKE Policy 105
Initiate in main mode
Respond to main or aggressive mode
Local ID Address: 205.171.34.34
NAT Traversal V1 Allowed
Peers:
50.245.242.233
Attributes:
1
Encryption: AES-256-CBC
Hash: SHA
Authentication: Pre-share
Group: 2
Lifetime: 28800 seconds
08-11-2014 09:54 PM
Hi,
Hmm, yeah... looks good. How about the other questions in my earlier post?
Regards
Karthik
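The most useful clue in the thread is the protocol number in the Cisco NOTIFY: in the ISAKMP IPsec DOI (RFC 2407) protocol 3 is ESP, so the peer rejected the phase 2 (transform-set) proposal rather than the IKE policy. The Python script below is an added example, not code from either poster; it decodes that number and compares the IKE and transform-set parameters from the two configs quoted above, filling attributes a config omits with assumed defaults (Cisco IOS documented defaults; for the Adtran, the values its show ike policy output reported).

```python
import re
# Constructed inputs: the relevant lines copied from the two configs quoted in this thread.
CISCO_CFG = """crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto ipsec transform-set AES256_SHA esp-aes 256 esp-sha-hmac
"""
ADTRAN_CFG = """crypto ike policy 105
  attribute 1
    encryption aes-256-cbc
crypto ipsec transform-set AES256_SHA esp-aes-256-cbc esp-sha-hmac
  mode tunnel
"""
# Both vendors' spellings of the same algorithm, longest first so substring replacement is safe.
ALIASES = {"esp-aes-256-cbc": "aes256", "esp-aes 256": "aes256", "aes-256-cbc": "aes256",
           "aes 256": "aes256", "esp-sha-hmac": "sha"}
# Assumed fill-ins for attributes a policy omits: Cisco IOS documented defaults; Adtran
# values taken from the 'show ike policy' output above (its config only sets encryption).
DEFAULTS = {"cisco": {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1", "lifetime": "86400"},
            "adtran": {"encr": None, "hash": "sha", "auth": "pre-share", "group": "2", "lifetime": "28800"}}
# Protocol IDs carried in an ISAKMP NOTIFY (RFC 2407 IPsec DOI).
ISAKMP_PROTO = {1: "ISAKMP (phase 1)", 2: "AH (phase 2)", 3: "ESP (phase 2)"}

def norm(text):
    """Rewrite vendor-specific algorithm names into one shared vocabulary."""
    for vendor_name, canonical in ALIASES.items():
        text = text.replace(vendor_name, canonical)
    return text.strip()
def decode_notify(log_line):
    """Map 'PROPOSAL_NOT_CHOSEN protocol N' to the negotiation phase it refers to."""
    m = re.search(r"PROPOSAL_NOT_CHOSEN protocol (\d+)", log_line)
    return ISAKMP_PROTO.get(int(m.group(1)), "unknown") if m else None
def phase1(cfg, vendor):
    """IKE policy attributes, normalised, with omitted ones filled from DEFAULTS."""
    attrs = dict(DEFAULTS[vendor])
    for line in cfg.splitlines():
        parts = line.split(None, 1)
        key = {"encryption": "encr", "authentication": "auth"}.get(parts[0], parts[0]) if parts else None
        if key in attrs and len(parts) == 2:
            attrs[key] = norm(parts[1])
    return attrs
def phase2(cfg):
    """Sorted, normalised algorithm list of the first transform-set in cfg."""
    algs = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg).group(1)
    return sorted(norm(algs).split())
def compare(cisco_cfg=CISCO_CFG, adtran_cfg=ADTRAN_CFG):
    """Report which phase 1 attributes differ and whether the ESP proposals agree."""
    c, a = phase1(cisco_cfg, "cisco"), phase1(adtran_cfg, "adtran")
    return {"phase1_mismatch": {k: (c[k], a[k]) for k in c if c[k] != a[k]},
            "phase2_match": phase2(cisco_cfg) == phase2(adtran_cfg)}
```

For the configs as quoted, both phases come out equal, which is why the quoted policy and transform-set lines alone cannot explain the rejection; the crypto ACL selectors and any PFS setting on each side are the next things to compare.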