IPsec VPN Problems Between Cisco 1711 & Netgear

shamimakhtar (Level 1)

I am trying to set up an IPsec VPN tunnel between a Cisco 1711 and a Netgear FVS318 router/firewall. Phase 1 is establishing but Phase 2 is not. Debug output is provided below.

Netgear Settings:

Encryption: 3DES SHA-1 with Pre-share key, DH Group 2(1024 Bit), SA Lifetime 86400sec

ESP Configuration: 3DES SHA-1

Cisco Configuration:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ciscotest address REMOTE_IP
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer REMOTE_IP
set transform-set vpn
match address 110
reverse-route
!
interface FastEthernet0
crypto map vpn
!
access-list 110 permit ip 10.50.50.0 0.0.0.255 172.16.0.0 0.0.0.255

Cisco Debug:


ISAKMP (0:268435457): received packet from REMOTE_IP dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -425808973 to QM_IDLE
ISAKMP:(0:1:HW:2): processing HASH payload. message ID = -425808973
ISAKMP:(0:1:HW:2): processing SA payload. message ID = -425808973
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0:1:HW:2):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= WAN_IP, remote= REMOTE_IP,
    local_proxy= 10.50.50.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Crypto mapdb : proxy_match
        src addr     : 10.50.50.0
        dst addr     : 172.16.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC(validate_transform_proposal): transform proposal not supported for identity:
    {esp-3des esp-sha-hmac }
ISAKMP:(0:1:HW:2): IPSec policy invalidated proposal
ISAKMP:(0:1:HW:2): phase 2 SA policy not acceptable! (local WAN_IP remote REMOTE_IP)
ISAKMP: set new node -2125033073 to QM_IDLE
ISAKMP:(0:1:HW:2):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2215118544, message ID = -2125033073
ISAKMP:(0:1:HW:2): sending packet to REMOTE_IP my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(0:1:HW:2):purging node -2125033073
ISAKMP:(0:1:HW:2):deleting node -425808973 error TRUE reason "QM rejected"
ISAKMP (0:268435457): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -425808973: state = IKE_QM_READY
ISAKMP:(0:1:HW:2):Node -425808973, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(0:1:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_READY
Sep 16 10:43:44 EST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at REMOTE_IP

ISAKMP:(0:1:HW:2):purging node -425808973

3 Replies

Phase 2 is not matching.

Make sure you use ESP instead of AH.

no crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set vpn esp-3des esp-sha-hmac

Please try again after clearing the SAs.

Federico.

I just took out AH as you mentioned; unfortunately it still does not work.

Are you getting the same mismatch error in phase 2 after the change?

Is the netgear using Perfect Forward Secrecy setting on phase 2?


Federico.
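The two replies above point at the two usual causes of a "phase 2 SA policy not acceptable" failure: the local transform set asking for a protocol bundle (AH+ESP) the peer never offers, and a PFS setting that only one side has. The script below is an added example, not code from this thread or from Cisco: it parses the `crypto ipsec transform-set` line and the crypto map from the posted config, parses the "Checking IPSec proposal" block of the posted `debug crypto isakmp` output, and reports exactly which part of the peer's proposal cannot match. It is run against the original AH+ESP transform set and against the corrected ESP-only one, and (covering the second reply) against a constructed variant of the debug in which the peer also proposes PFS. Assumptions: the keyword table for IOS transform names, that an AH proposal part would be printed as `transform N, AH_SHA` and a PFS request as `group is N` (neither line appears in the post), and that any PFS difference is worth flagging; the `set pfs groupN` crypto-map command is real IOS syntax.

```python
import re

# --- Normalisation tables (constructed for this example) ---------------------
# IOS transform-set keywords -> (protocol, role, algorithm)
IOS_KEYWORDS = {
    "ah-sha-hmac":  ("AH", "auth", "sha"),
    "ah-md5-hmac":  ("AH", "auth", "md5"),
    "esp-3des":     ("ESP", "cipher", "3des"),
    "esp-des":      ("ESP", "cipher", "des"),
    "esp-aes":      ("ESP", "cipher", "aes"),
    "esp-null":     ("ESP", "cipher", "null"),
    "esp-sha-hmac": ("ESP", "auth", "sha"),
    "esp-md5-hmac": ("ESP", "auth", "md5"),
}
# Algorithm names as printed in `debug crypto isakmp` attribute lines
DEBUG_ALG = {"3DES": "3des", "DES": "des", "AES": "aes", "NULL": "null",
             "SHA": "sha", "MD5": "md5", "HMAC-SHA": "sha", "HMAC-MD5": "md5"}

TRANSFORM_RE = re.compile(r"transform \d+, (AH|ESP)_([A-Z0-9]+)")  # AH_ form assumed
AUTH_RE = re.compile(r"authenticator is ([A-Z0-9-]+)")
GROUP_RE = re.compile(r"group is (\d+)")                            # PFS line assumed


def parse_transform_set(line):
    """Parse one 'crypto ipsec transform-set NAME ...' line into
    {protocol: {role: algorithm}}: what the local side requires."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"]:
        raise ValueError("not a transform-set line: %r" % line)
    required = {}
    for tok in tokens[4:]:
        if tok.isdigit():        # key-size suffix such as 'esp-aes 256'; not compared here
            continue
        proto, role, alg = IOS_KEYWORDS[tok]
        required.setdefault(proto, {})[role] = alg
    return required


def parse_proposal(debug_text):
    """Parse a 'Checking IPSec proposal' block into what the peer offered:
    {'protocols': {proto: {role: alg}}, 'pfs_group': int or None}."""
    offered = {"protocols": {}, "pfs_group": None}
    current = None
    for line in debug_text.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            proto, alg = m.group(1), DEBUG_ALG[m.group(2)]
            current = offered["protocols"].setdefault(proto, {})
            current["cipher" if proto == "ESP" else "auth"] = alg
            continue
        if current is None:      # attribute lines only make sense inside a transform
            continue
        m = AUTH_RE.search(line)
        if m:
            current["auth"] = DEBUG_ALG[m.group(1)]
        m = GROUP_RE.search(line)
        if m:
            offered["pfs_group"] = int(m.group(1))   # peer is asking for PFS
    return offered


def local_pfs_group(crypto_map_text):
    """DH group from 'set pfs groupN' in the crypto map, or None if PFS is not set."""
    m = re.search(r"^\s*set pfs group(\d+)\s*$", crypto_map_text, re.M)
    return int(m.group(1)) if m else None


def check_phase2(required, offered, local_pfs=None):
    """Return human-readable mismatches; an empty list means the proposal
    can be accepted against this transform set."""
    problems = []
    # An AH+ESP transform set is a bundle in IKEv1: the peer must offer both parts.
    for proto in sorted(set(required) - set(offered["protocols"])):
        problems.append("transform set requires %s but the peer offered none" % proto)
    for proto in sorted(set(offered["protocols"]) - set(required)):
        problems.append("peer offered %s but the transform set has no %s transform" % (proto, proto))
    for proto, want in required.items():
        got = offered["protocols"].get(proto, {})
        for role, alg in want.items():
            if role in got and got[role] != alg:
                problems.append("%s %s mismatch: local %s, peer %s" % (proto, role, alg, got[role]))
    if local_pfs != offered["pfs_group"]:
        problems.append("PFS mismatch: local set pfs group=%s, peer group=%s"
                        % (local_pfs, offered["pfs_group"]))
    return problems


def diagnose(transform_line, crypto_map_text, debug_text):
    return check_phase2(parse_transform_set(transform_line),
                        parse_proposal(debug_text),
                        local_pfs_group(crypto_map_text))


# --- Inputs constructed from the thread ----------------------------------------
POSTED_TRANSFORM = "crypto ipsec transform-set vpn ah-sha-hmac esp-3des esp-sha-hmac"
FIXED_TRANSFORM = "crypto ipsec transform-set vpn esp-3des esp-sha-hmac"
POSTED_MAP = "crypto map vpn 10 ipsec-isakmp\n set peer REMOTE_IP\n set transform-set vpn\n match address 110\n reverse-route\n"
NETGEAR_PROPOSAL = """\
ISAKMP:(0:1:HW:2):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      encaps is 1 (Tunnel)
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
"""

if __name__ == "__main__":
    for label, tset in (("posted (AH+ESP)", POSTED_TRANSFORM), ("fixed (ESP only)", FIXED_TRANSFORM)):
        print(label, "->", diagnose(tset, POSTED_MAP, NETGEAR_PROPOSAL) or "proposal acceptable")
```

With the posted transform set the only finding is the missing AH part, which is the mismatch the first reply identifies; with the ESP-only set the same Netgear proposal is acceptable. If the Netgear has PFS enabled, the debug would carry a DH group attribute in the proposal, and the script then reports the PFS difference the second reply asks about, which is cleared by adding `set pfs group2` under the crypto map (or turning PFS off on the Netgear).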
