Question : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Hi
We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.

We are getting the error below. Can someone help us resolve this?


Number:                         3232715
Date:                              19Aug2010
Time:                              16:10:22
Product:                         VPN-1 Power/UTM
VPN Feature:                  IKE
Interface:                        daemon
Origin:                            core1260a
Type:                              Log
Action:                            Key Install
Source:                          core1260a (192.x.x.x)
Destination:                   Partygaming-Devel (203.x.x.x)
Encryption Scheme:      IKE
VPN Peer Gateway:       Partner-Devel (203.x.x.x)
IKE Initiator Cookie:       1cf3a97ebdae0396
Information:                   IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct:                   VPN



and

Number:                         3245614
Date:                              19Aug2010
Time:                              16:14:13
Product:                         VPN-1 Power/UTM
VPN Feature:                  IKE
Interface:                        daemon
Origin:                            core1260a
Type:                              Log
Action:                            Reject
Source:                          Partygaming-Devel (203.x.x.x)
Destination:                   core1260a (192.x.x.x)
Encryption Scheme:      IKE
VPN Peer Gateway:       Partner-Devel (203.x.x.x)
Information:                   IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason:              IKE failure
Subproduct:                   VPN


ASA Debug Logs

Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x  local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24,  Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360

SENDING PACKET to 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 360
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 248
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 236
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 6
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 02 58
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 6d 60
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 a8 c0
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 5
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 6
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00


IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00    |  ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c    |  ....u......(....
00 00 00 00 01 00 00 0e                            |  ........

 RECV PACKET from 194.x.x.x
ISAKMP Header
  Initiator COOKIE: 1f e6 54 75 96 de c9 a6
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Notification
  Version: 1.0
  Exchange Type: Informational
  Flags: (none)
  MessageID: 7587D3CF
  Length: 40
  Payload Notification
    Next Payload: None
    Reserved: 00
    Payload Length: 12
    DOI: Isakmp
    Protocol-ID: PROTO_ISAKMP
    Spi Size: 0
    Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed

Answer : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA

Based on what you are using (Group 5), my assumption is that the other side is not using Group 5, but possibly Group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated in the beginning of the thread, ensure that both ends (P1 and P2) match.

Billy
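
The check the answer asks for, as an added example that is not part of the original thread: it parses three of the transforms from the ASA decode in the question and reports, per transform, which attributes differ from a peer policy. `PEER_POLICY` is hypothetical (the Check Point side's settings are not shown on the page), and `parse_offer` and `compare` are names chosen for this example.

```python
# Three of the six transforms from the ASA decode above, trimmed to the
# attributes compared here (text copied from the question's debug output).
ASA_OFFER = """\
Transform #: 2
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Transform #: 3
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Transform #: 5
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
"""

FIELDS = ("Group Description", "Encryption Algorithm", "Key Length",
          "Hash Algorithm", "Authentication Method")

def parse_offer(text):
    """Return {transform number: {attribute: value}} from ASA decode text."""
    offer, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Transform #":
            current = offer.setdefault(int(value), {})
        elif current is not None and key in FIELDS:
            current[key] = value
    return offer

def compare(offer, peer):
    """Per transform, list the attributes that differ from the peer policy."""
    return {num: sorted(f for f in FIELDS if attrs.get(f) != peer.get(f))
            for num, attrs in offer.items()}

# Hypothetical peer policy (assumption: the real peer settings are not on the page).
PEER_POLICY = {"Group Description": "Group 2", "Encryption Algorithm": "AES-CBC",
               "Key Length": "256", "Hash Algorithm": "SHA1",
               "Authentication Method": "Preshared key"}

if __name__ == "__main__":
    for num, diffs in compare(parse_offer(ASA_OFFER), PEER_POLICY).items():
        print(f"transform {num}:", "MATCH" if not diffs else f"differs in {diffs}")
```

With this assumed policy, transform 5 differs only in its DH group, which is the situation the "No matching dh groups" log line describes; an empty list for any transform means that proposal would be acceptable to the peer.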