09-03-2010 10:35 AM
Hello expert
I am trying to establish a site-to-site tunnel between an ASA 5520 firewall and a Cisco 2811 router. The tunnel is not coming up: phase 1 gets completed and phase 2 is facing the problem.
I am getting the following error:
no proposal chosen ( 14) received non routine notify message
On the same firewall, one more tunnel is working fine, and similar is the case for the Cisco 2811 router. We tried all possible combinations for authentication/encryption/group but no success. Finally we have frozen the config of the tunnel on the router to be the same as the other tunnel which is working on the router, and are trying the combinations on the ASA side to make it come up. Can you please help me with the same?
ASA Side Config
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer a.b.c.d
crypto map outside_map 3 set transform-set ESP-DES-SHA ESP-3DES-MD5 ESP-3DES ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d general-attributes
default-group-policy EDGAR_ONLINE
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key ****
!
Router Side Config
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key **** address x.y.z.w no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TransSetSun2 esp-aes esp-md5-hmac
!
!
!
crypto map CustMap redundancy replay-interval inbound 800 outbound 10000
crypto map CustMap 30 ipsec-isakmp
set peer x.y.z.w
set transform-set TransSetSun2
match address protect CUST
!
09-03-2010 10:40 AM
Hi,
On the ASA replace this line:
no crypto map outside_map 3 set transform-set ESP-DES-SHA ESP-3DES-MD5 ESP-3DES ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
With these two:
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto map outside_map 3 set transform-set myset
Try again.
Federico.
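As an added example (not code from the thread, from Federico, or from Cisco), here is a small Python checker that does the phase 2 comparison Federico is doing by eye: it parses the transform-set definitions and the crypto map entry on each side, normalises the ESP algorithm spellings (IOS writes "esp-aes 256", the ASA writes "esp-aes-256"), and reports which (ASA set, router set) pairs would actually agree, whether PFS is configured on one side only, and which offered sets still carry weak algorithms. The two sample configs are constructed for this example; the ASA transform-set bodies are the ASDM default names expanded to their usual algorithms, which is an assumption because the thread shows only the names (ESP-3DES in particular is a guess).

```python
"""Phase-2 (IPsec SA) proposal checker for an ASA <-> IOS crypto map pair."""
import re

# Constructed sample configs. The ASA transform-set bodies are the ASDM default
# names expanded to their usual contents (assumed; the thread shows only names).
ASA_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES esp-3des esp-none
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map outside_map 3 set transform-set ESP-DES-SHA ESP-3DES-MD5 ESP-3DES ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5
"""

# The replacement suggested in the thread: one set that mirrors the router's.
ASA_FIXED_CONFIG = """\
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto map outside_map 3 set transform-set myset
"""

IOS_CONFIG = """\
crypto ipsec transform-set TransSetSun2 esp-aes esp-md5-hmac
!
crypto map CustMap 30 ipsec-isakmp
 set peer x.y.z.w
 set transform-set TransSetSun2
 match address CUST
!
"""

# ESP algorithms a current deployment should not be offering at all.
WEAK_TOKENS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "esp-none"}


def _normalise(alg_text):
    """Comparable algorithm set: fold IOS 'esp-aes 256' into ASA 'esp-aes-256',
    and 'esp-aes-128' into the bare 'esp-aes' both platforms use for AES-128."""
    out = []
    for tok in alg_text.lower().split():
        if tok.isdigit() and out and out[-1].startswith("esp-aes"):
            out[-1] = "esp-aes-" + tok
        else:
            out.append(tok)
    return frozenset("esp-aes" if t == "esp-aes-128" else t for t in out)


def parse_transform_sets(config):
    """Map transform-set name -> normalised algorithm set."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+)\s+(.+)$", line)
        if m:
            sets[m.group(1)] = _normalise(m.group(2))
    return sets


def _apply_setting(entry, tokens):
    if tokens[:2] == ["set", "transform-set"]:
        entry["transform_sets"].extend(tokens[2:])
    elif tokens[:2] == ["set", "pfs"]:
        # A bare 'set pfs' defaults differently per platform (ASA group2, IOS group1).
        entry["pfs"] = tokens[2] if len(tokens) > 2 else "platform-default"


def parse_crypto_map_entry(config, map_name, seq):
    """Collect the 'set ...' lines of one crypto map entry, in either the ASA
    one-line form or the IOS 'ipsec-isakmp' block form with indented lines."""
    entry = {"transform_sets": [], "pfs": None}
    header = re.compile(r"^crypto map %s %s (.+)$" % (re.escape(map_name), seq))
    in_block = False
    for line in config.splitlines():
        m = header.match(line)
        if m:
            rest = m.group(1).split()
            in_block = rest[0] == "ipsec-isakmp"
            if not in_block:
                _apply_setting(entry, rest)
        elif in_block and line.startswith(" "):
            _apply_setting(entry, line.split())
        else:
            in_block = False
    return entry


def check_phase2(asa_cfg, asa_map, asa_seq, ios_cfg, ios_map, ios_seq):
    """Which ASA/IOS set pairs agree, whether PFS is on one side only, and which
    offered ASA sets still carry weak algorithms."""
    asa_sets, ios_sets = parse_transform_sets(asa_cfg), parse_transform_sets(ios_cfg)
    asa = parse_crypto_map_entry(asa_cfg, asa_map, asa_seq)
    ios = parse_crypto_map_entry(ios_cfg, ios_map, ios_seq)
    matches = [(a, i) for a in asa["transform_sets"] for i in ios["transform_sets"]
               if a in asa_sets and i in ios_sets and asa_sets[a] == ios_sets[i]]
    weak = [a for a in asa["transform_sets"] if a in asa_sets and asa_sets[a] & WEAK_TOKENS]
    return {"matches": matches, "pfs_mismatch": asa["pfs"] != ios["pfs"], "weak_offered": weak}
```

Run as `check_phase2(ASA_CONFIG, "outside_map", 3, IOS_CONFIG, "CustMap", 30)`. If the ASDM default expansions hold, the original eleven-entry list already contained a match (ESP-AES-128-MD5 is esp-aes with esp-md5-hmac, the same as TransSetSun2), in which case a "No proposal chosen (14)" notify from an IOS peer in phase 2 commonly points at something a transform set cannot fix: crypto ACLs (proxy identities) that are not mirror images of each other, or PFS set on one side only. The checker also flags that every set on either side still uses MD5, DES or 3DES; matching the peer is what brings the tunnel up, but the longer-term fix is to move both ends to AES with SHA.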
09-03-2010 11:06 AM
Thanks for the quick reply
So you want me to remove the extra transform sets and use only the one which is required.
Will it work now??? (that was the only problem)
Regards
Sameer
09-03-2010 11:18 AM
Well...
Phase 2 should match now. Can you test it?
I see you have spi-recovery and redundancy on the crypto map on the router side (are those for a reason)?
Federico.
09-03-2010 07:47 PM
Hi
Need to take the client online for this testing...
Regarding the router side parameters, we can't change much as it belongs to our client's infrastructure. Corresponding to those parameters, do you suggest we put any extra configuration in the ASA? Please let us know and accordingly we will match it.
09-06-2010 12:06 AM
Hi
The other transform sets belong to the other tunnel.
Anyway, after removing those statements and adding the new statements mentioned by you, phase 1 itself is not coming up...
Anything else you suspect?