01-12-2011 09:12 AM
Hello,
I was testing a particular configuration with dynamic maps for SOHO routers and it worked well... see this post for the conf: https://supportforums.cisco.com/message/3265755
For a few days I have been trying to port this configuration to a production appliance (ASA5510 - v8.22) and it's not working.
The only difference is that the ASA5510 is already configured to allow access to users with the VPN client.
The Zyxel router is logging this (read it from the bottom up):
Send<:[HASH][DEL]>
Recv<:[HASH][NOTFY:NO_PROP_CHOSEN]>
Send<:[HASH][SA][NONCE][ID][ID]>
Start Phase 2: Quick Mode
Phase 1 IKE SA process done
The show isa sa on the ASA is showing this:
IKE Peer: ***.***.***.***
Type : L2L Role : responder
Rekey : no State : AM_WAIT_MSG3
And this is a piece of the conf:
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set dynset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map2 10 set transform-set trmset1
crypto dynamic-map map2 10 set security-association lifetime seconds 28800
crypto dynamic-map map2 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 2 match address ST_3710
crypto dynamic-map DN3710 2 set transform-set dynset
crypto map yyymap 10 ipsec-isakmp dynamic map2
crypto map yyymap 11 ipsec-isakmp dynamic DN3710
crypto map yyymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
I can't figure out where the problem is. Any ideas will be appreciated!
Thanks in advance for any help.
Regards,
Luca
01-14-2011 01:48 AM
The Zyxel only accepts simple AES, not 192 and not 256. Anyway, I changed the transform set from 3DES/MD5 to AES/SHA and added an appropriate policy, but the error messages are always the same.
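An added example, not code from the thread or from Cisco: a small parser for the ASA crypto excerpt posted above that walks the crypto map in ascending sequence number and reports, for each dynamic-map entry, whether any of its transform sets is one the peer would propose. Only the peer's Phase 2 acceptance is modelled (the Zyxel log shows NO_PROP_CHOSEN arriving in Quick Mode, after Phase 1 completed). The peer's proposal set is an assumption taken from the follow-up post (plain AES, i.e. `esp-aes`, with SHA), and the `catch_all` flag marks entries with no `match address`, which accept any proxy identities. Run against the config as posted it shows no entry offering AES-128/SHA; with trmset1 changed to `esp-aes` the first entry becomes acceptable.

```python
"""Added example, not from the thread: parse an ASA-style crypto config
excerpt and report which dynamic-map entries carry a transform set the
peer could accept, walking the crypto map in sequence order."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Proposal = Tuple[str, str]  # (ESP encryption transform, ESP authentication transform)


@dataclass
class DynEntry:
    dyn_map: str
    seq: int
    transform_sets: List[str] = field(default_factory=list)
    match_acl: Optional[str] = None  # None: no 'match address', so any proxy IDs match


def parse_crypto_config(text: str):
    """Return (transform_sets, crypto_map_refs, dyn_entries).

    Only two-transform sets (encryption + auth) are parsed, which is what the
    posted config uses; other lines are ignored."""
    transform_sets: Dict[str, Proposal] = {}
    map_refs: List[Tuple[str, int, str]] = []
    dyn_entries: Dict[Tuple[str, int], DynEntry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)
        if m:
            transform_sets[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) (.+)$", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entry = dyn_entries.setdefault(key, DynEntry(*key))
            words = m.group(3).split()
            if words[:2] == ["set", "transform-set"]:
                entry.transform_sets.extend(words[2:])
            elif words[:2] == ["match", "address"]:
                entry.match_acl = words[2]
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", line)
        if m:
            map_refs.append((m.group(1), int(m.group(2)), m.group(3)))
    return transform_sets, map_refs, dyn_entries


def check_proposals(text: str, peer_proposals: Set[Proposal]) -> List[dict]:
    """One report row per dynamic-map entry, in crypto map then dynamic-map
    sequence order; 'acceptable' is True when the entry offers a transform
    set that is also in the peer's proposal set."""
    tsets, refs, dyn = parse_crypto_config(text)
    report = []
    for map_name, map_seq, dyn_name in sorted(refs, key=lambda r: (r[0], r[1])):
        entries = sorted((e for (n, _), e in dyn.items() if n == dyn_name),
                         key=lambda e: e.seq)
        for e in entries:
            offered = {tsets[n] for n in e.transform_sets if n in tsets}
            report.append({
                "entry": f"{map_name} {map_seq} -> dynamic {dyn_name} {e.seq}",
                "catch_all": e.match_acl is None,
                "offered": offered,
                "acceptable": bool(offered & peer_proposals),
            })
    return report


# The relevant lines from the config posted in the thread.
THREAD_CONFIG = """
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set dynset esp-3des esp-md5-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto dynamic-map map2 10 set security-association lifetime seconds 28800
crypto dynamic-map DN3710 2 match address ST_3710
crypto dynamic-map DN3710 2 set transform-set dynset
crypto map yyymap 10 ipsec-isakmp dynamic map2
crypto map yyymap 11 ipsec-isakmp dynamic DN3710
"""

# Assumption (from the follow-up post, not verified against the Zyxel):
# the peer proposes only AES-128 with SHA-1 for ESP.
PEER_PROPOSALS: Set[Proposal] = {("esp-aes", "esp-sha-hmac")}


def main():
    variants = [("as posted", THREAD_CONFIG),
                ("trmset1 changed to esp-aes", THREAD_CONFIG.replace("esp-aes-256", "esp-aes"))]
    for label, cfg in variants:
        print(f"== {label}")
        for r in check_proposals(cfg, PEER_PROPOSALS):
            flag = "OK" if r["acceptable"] else "NO"
            tag = " (catch-all: no match address)" if r["catch_all"] else ""
            print(f"{flag} {r['entry']} offers {sorted(r['offered'])}{tag}")


if __name__ == "__main__":
    main()
```

Because the first entry (map2 10) has no match address, it is the catch-all that a peer with arbitrary proxy IDs lands on, so its transform sets are the ones that matter most for a SOHO router proposing a single algorithm pair.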
01-14-2011 05:30 AM
You can post your current config of both sides with the errors on both sides as well.
Federico.
01-15-2011 12:58 AM
Hi Federico,
I should read posts better. You were right, indeed it is not a phase 1 problem.
Regards.
Alain.