Phase 2 issue [All IPSec SA proposals found unacceptable!]

 
Hi there,
 
I have issues configuring an L2L IPsec tunnel between my 1921 and ASA.
I have to use aggressive mode as the 1921 does not have any fixed IP.
 
The IKE phase 1 goes well, but then I get the following message:
 
5 Apr 01 2014 11:00:14 713119 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, PHASE 1 COMPLETED
5 Apr 01 2014 11:00:14 713904 Group = CIT-TEST, IP = YYY.YYY.YYY.YYY, All IPSec SA proposals found unacceptable!
 
and the tunnel fails to come up.
 
So I guess this is one concerning the identified networks, so I suspect the transform set of not being right.
 
ASA:
 
### Crypto map ###
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 match address OUTSIDE_cryptomap_65535.130
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 130 set security-association lifetime seconds 86400
 
 
### Traffic identification ###
access-list Outside_cryptomap_65535.130 extended permit ip 10.30.2.0 255.255.255.0 10.30.42.0 255.255.255.0
 
 
And on the 1921:
 
 
crypto keyring LOCAL
  pre-shared-key address XXX.XXX.XXX.XXX key mykey
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp profile ASA-AGGRESSIVE
   keyring LOCAL
   match identity address XXX.XXX.XXX.XXX 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set gsm esp-aes esp-sha256-hmac
 mode tunnel
!
!
!
crypto map gsm2 isakmp-profile ASA-AGGRESSIVE
crypto map gsm2 20 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set gsm
 match address 103
!
 
access-list 103 permit ip 10.30.42.0 0.0.0.255 10.30.2.0 0.0.0.255
 
 
 
I tried different combos on the 1921 but no chance. What am I missing?
Could anyone help with the transform-set command on the 1921? It is slightly different from the one on the ASA.
Can anyone help?
 
Best regards
Marvin Rhoads (Hall of Fame)

You didn't show us the configuration (if any is called) for the ASA's Phase 2 transform-set.

There should be one set up matching your 1921, something like the one in this example:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100678-l2l-asa5505-config.html

Hi Marvin,

 

You pointed it right. I got confused with the ASDM, mixing the transform-set NAME and the parameters:

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

 

The same transform-set on the 1921 is:

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac

The 256 parameter was missing on my 1921.

 

Very silly error, but thank you for pointing this at me :)

 

Best regards

 

Florian, From New Caledonia.
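The root cause in this thread is that the two platforms spell the same ESP proposal differently (ASA: esp-aes-256 esp-sha-hmac; IOS: esp-aes 256 esp-sha-hmac), so a mismatch is easy to miss by eye. As an added example that is not part of the thread, the Python helper below normalises both syntaxes into (cipher, key bits, integrity) and reports which fields differ; the token tables and the default of AES-128 for a bare esp-aes are assumptions beyond the two lines quoted above.

```python
# Added example (not from the thread): normalise ASA and IOS IKEv1 transform-set
# lines to (cipher, key bits, integrity) and compare them, so a Phase 2
# "All IPSec SA proposals found unacceptable!" mismatch is visible before debugging.
import re

# ASA writes the key size into the token ("esp-aes-256"); IOS writes it as a
# separate word ("esp-aes 256"). A bare "esp-aes" is assumed to mean AES-128 on both.
_CIPHERS = {"esp-aes": ("aes", 128), "esp-3des": ("3des", 168),
            "esp-des": ("des", 56), "esp-null": ("null", 0)}
_INTEGRITY = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
              "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512",
              "esp-md5-hmac": "md5"}


def parse_transform_set(line):
    """Return {'name', 'cipher', 'bits', 'integrity'} for an ASA or IOS
    'crypto ipsec [ikev1] transform-set NAME ...' line."""
    tokens = line.split()
    idx = tokens.index("transform-set")
    name, rest = tokens[idx + 1], tokens[idx + 2:]
    result = {"name": name, "cipher": None, "bits": None, "integrity": None}
    i = 0
    while i < len(rest):
        tok = rest[i]
        m = re.fullmatch(r"(esp-aes)-(128|192|256)", tok)          # ASA style
        if m:
            result["cipher"], result["bits"] = "aes", int(m.group(2))
        elif tok in _CIPHERS:
            result["cipher"], result["bits"] = _CIPHERS[tok]
            if tok == "esp-aes" and i + 1 < len(rest) and rest[i + 1].isdigit():
                result["bits"] = int(rest[i + 1])                    # IOS style
                i += 1
        elif tok in _INTEGRITY:
            result["integrity"] = _INTEGRITY[tok]
        else:
            raise ValueError("unknown transform token: %s" % tok)
        i += 1
    return result


def proposals_match(asa_line, ios_line):
    """Compare the two peers' ESP proposals; return (match, mismatched_fields)."""
    a, b = parse_transform_set(asa_line), parse_transform_set(ios_line)
    diffs = [f for f in ("cipher", "bits", "integrity") if a[f] != b[f]]
    return (not diffs, diffs)


if __name__ == "__main__":
    asa = "crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac"
    broken = "crypto ipsec transform-set gsm esp-aes esp-sha256-hmac"    # from the post
    fixed = "crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac"  # the fix
    print(proposals_match(asa, broken))   # (False, ['bits', 'integrity'])
    print(proposals_match(asa, fixed))    # (True, [])
```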
