10-06-2010 04:09 AM
Hi,
This is pulling my hair out! Must be overlooking something very simple!
Simple lab setup with 3 routers. VPN setup between R1 & R3 with static routing. R2 connects R1 & R3. All interfaces are reachable, including loopbacks. I am trying to encrypt traffic between loopback on R1 (69.69.69.69) to loopback on R3 (192.168.100.223).
With no Crypto Map applied to the outgoing interfaces on R1 and R3, a ping (sourced from the local loopback) between the loopbacks is successful. As soon as I add the Crypto Map the same ping fails and I get the following debug messages.
When the ping is initiated via the outgoing interface, it is successful!
*Oct 6 11:44:26.121: ISAKMP: set new node 0 to QM_IDLE
*Oct 6 11:44:26.125: SA has outstanding requests (local 103.13.216.8 port 500, remote 103.13.215.236 port 500)
*Oct 6 11:44:26.129: ISAKMP:(1002): sitting IDLE. Starting QM immediately (QM_IDLE )
*Oct 6 11:44:26.133: ISAKMP:(1002):beginning Quick Mode exchange, M-ID of -1381344893
*Oct 6 11:44:26.137: ISAKMP:(1002):QM Initiator gets spi
*Oct 6 11:44:26.145: ISAKMP:(1002): sending packet to 172.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Oct 6 11:44:26.145: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Oct 6 11:44:26.149: ISAKMP:(1002):Node -1381344893, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 6 11:44:26.153: ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Oct 6 11:44:26.301: ISAKMP (0:1002): received packet from 172.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Oct 6 11:44:26.305: ISAKMP: set new node -1825528760 to QM_IDLE
*Oct 6 11:44:26.313: ISAKMP:(1002): processing HASH payload. message ID = -1825528760
*Oct 6 11:44:26.317: ISAKMP:(1002): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 2376679447, message ID = -1825528760, sa = 670DD6A4
*Oct 6 11:44:26.317: ISAKMP:(1002): deleting spi 2376679447 message ID = -1381344893
*Oct 6 11:44:26.321: ISAKMP:(1002):deleting node -1381344893 error TRUE reason "Delete Larval"
*Oct 6 11:44:26.325: ISAKMP:(1002):deleting node -1825528760 error FALSE reason "Informational (in) state 1"
*Oct 6 11:44:26.329: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 6 11:44:26.329: ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
R1
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key cisco address 172.1.1.1
!
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map CRYPTO 1 ipsec-isakmp
description IPSec Peer to R3
set peer 172.1.1.1
set transform-set TEST
match address ACL1
!
interface GigabitEthernet1/0
ip address 192.250.156.6 255.255.255.0
no ip route-cache cef
no ip route-cache
negotiation auto
crypto map CRYPTO
!
ip access-list extended ACL1
permit ip host 69.69.69.69 host 192.168.100.223
!
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.1.1.1 192.250.156.6 QM_IDLE 1002 0 ACTIVE
R3
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp key cisco address 192.250.156.6
!
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
description Primary IPSec Peer to R1
set peer 192.250.156.6
set transform-set TEST
match address ACL1
!
interface GigabitEthernet1/0
ip address 172.1.1.1 255.255.255.0
no ip route-cache cef
no ip route-cache
negotiation auto
crypto map CRYPTO
!
ip access-list extended ACL1
permit ip host 192.168.100.223 host 69.69.69.69
!
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
172.1.1.1 192.250.156.6 QM_IDLE 1002 0 ACTIVE
Any help appreciated,
Thanks.
06-10-2014 03:16 AM
Hi Paul,
"processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3" indicates the remote VPN peer rejected the phase 2 proposal.
The configuration snippet you have shared here seems fine. ISAKMP and IPsec debugs (debug crypto isakmp and debug crypto ipsec) from the remote VPN peer will be helpful in troubleshooting further.
Following is a useful doc on VPN troubleshooting:
IPsec Troubleshooting: Understanding and Using debug Commands
Cheers,
Rudresh V
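Before collecting debugs from the responder, it is worth checking mechanically that the two peers' phase 2 parameters line up, since PROPOSAL_NOT_CHOSEN in Quick Mode comes from exactly that: the responder has no crypto map entry whose transform set and crypto ACL match the initiator's proposal. The script below is an added example, not code from the original thread or from Cisco. It parses only the commands that matter for Quick Mode (transform sets, crypto map entries, the crypto map bound under an interface, and extended crypto ACLs) from two IOS config excerpts, then reports dangling names, differing transform sets, and ACEs that are not mirror images of the peer's. The two configs embedded in it are constructed copies of the R1 and R3 snippets posted above, with the indentation flattened the way the forum shows it; run on them it reports that R3's interface binds a crypto map named CRYPTO while the only map defined on R3 is TEST, so no cross-peer comparison is even possible until that is resolved.

```python
"""Phase-2 (Quick Mode) consistency check between two Cisco IOS crypto-map peers.

Added example, not from the original thread. Only the commands relevant to
Quick Mode are parsed: transform sets, crypto map entries, 'crypto map'
under an interface, and extended crypto ACLs (host / any / wildcard forms).
R1_CONFIG and R3_CONFIG are constructed copies of the snippets in the thread.
"""
from dataclasses import dataclass, field

R1_CONFIG = """
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map CRYPTO 1 ipsec-isakmp
description IPSec Peer to R3
set peer 172.1.1.1
set transform-set TEST
match address ACL1
!
interface GigabitEthernet1/0
ip address 192.250.156.6 255.255.255.0
crypto map CRYPTO
!
ip access-list extended ACL1
permit ip host 69.69.69.69 host 192.168.100.223
!
"""

R3_CONFIG = """
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
crypto map TEST 1 ipsec-isakmp
description Primary IPSec Peer to R1
set peer 192.250.156.6
set transform-set TEST
match address ACL1
!
interface GigabitEthernet1/0
ip address 172.1.1.1 255.255.255.0
crypto map CRYPTO
!
ip access-list extended ACL1
permit ip host 192.168.100.223 host 69.69.69.69
!
"""


@dataclass
class PeerConfig:
    transform_sets: dict = field(default_factory=dict)  # name -> tuple(algorithms)
    crypto_maps: dict = field(default_factory=dict)     # name -> {'peer','transform','acl'}
    acls: dict = field(default_factory=dict)            # name -> [(proto, src, dst), ...]
    applied: dict = field(default_factory=dict)         # interface -> crypto map name


def _addr(tok, i):
    """Canonicalise one ACE address spec ('host A', 'any', 'A WILDCARD') to (addr, wildcard)."""
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), 2
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), 1
    return (tok[i], tok[i + 1]), 2


def parse_ios(config):
    """Extract the Quick-Mode-relevant pieces of one IOS config; '!' or a blank line ends a block."""
    pc, block = PeerConfig(), None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            block = None
            continue
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            pc.transform_sets[tok[3]] = tuple(tok[4:])
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            block = ("map", tok[2])                      # crypto map entry definition
            pc.crypto_maps.setdefault(tok[2], {})
        elif tok[0] == "interface":
            block = ("intf", tok[1])
        elif tok[:3] == ["ip", "access-list", "extended"]:
            block = ("acl", tok[3])
            pc.acls.setdefault(tok[3], [])
        elif block and block[0] == "map" and tok[0] in ("set", "match"):
            key = {"peer": "peer", "transform-set": "transform", "address": "acl"}.get(tok[1])
            if key:
                pc.crypto_maps[block[1]][key] = tok[2]
        elif block and block[0] == "intf" and tok[:2] == ["crypto", "map"]:
            pc.applied[block[1]] = tok[2]                # crypto map bound to the interface
        elif block and block[0] == "acl" and tok[0] == "permit":
            src, n = _addr(tok, 2)
            dst, _ = _addr(tok, 2 + n)
            pc.acls[block[1]].append((tok[1], src, dst))
    return pc


def _active(pc, name, problems):
    """Resolve the crypto map entry actually bound to an interface; record dangling references."""
    entry = None
    for intf, mapname in pc.applied.items():
        if mapname not in pc.crypto_maps:
            problems.append(f"{name}: interface {intf} applies crypto map {mapname!r}, which is not defined")
        else:
            entry = pc.crypto_maps[mapname]
    for mapname in pc.crypto_maps:
        if mapname not in pc.applied.values():
            problems.append(f"{name}: crypto map {mapname!r} is defined but applied to no interface")
    if entry is None:
        return None
    algs = pc.transform_sets.get(entry.get("transform"))
    aces = pc.acls.get(entry.get("acl"))
    if algs is None:
        problems.append(f"{name}: crypto map references undefined transform-set {entry.get('transform')!r}")
    if aces is None:
        problems.append(f"{name}: crypto map references undefined ACL {entry.get('acl')!r}")
    return (algs, aces) if algs is not None and aces is not None else None


def check_phase2(a, b, a_name="R1", b_name="R3"):
    """Return a list of findings; an empty list means the peers' Quick Mode parameters line up."""
    problems = []
    ra, rb = _active(a, a_name, problems), _active(b, b_name, problems)
    if ra and rb:
        if ra[0] != rb[0]:
            problems.append(f"transform sets differ: {a_name} {ra[0]} vs {b_name} {rb[0]}")
        mirror = {(p, d, s) for (p, s, d) in rb[1]}      # peer's ACEs with src/dst swapped
        for ace in ra[1]:
            if ace not in mirror:
                problems.append(f"{a_name} ACE {ace} has no mirror image in {b_name}'s crypto ACL")
    return problems


if __name__ == "__main__":
    for finding in check_phase2(parse_ios(R1_CONFIG), parse_ios(R3_CONFIG)):
        print(finding)
```

The mirror test is deliberately strict: a crypto ACL that is a subset of the peer's (or uses a different mask) is also reported, which on IOS shows up as the same PROPOSAL_NOT_CHOSEN notify, so do not loosen it. The parser assumes the block-terminating `!` lines survive in the pasted config; if they are stripped, add them back before running it.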