Question : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA
Hi,
We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.
We are getting the errors below. Can someone help us resolve this?
Number: 3232715
Date: 19Aug2010
Time: 16:10:22
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Key Install
Source: core1260a (192.x.x.x)
Destination: Partygaming-Devel (203.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
IKE Initiator Cookie: 1cf3a97ebdae0396
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct: VPN
and
Number: 3245614
Date: 19Aug2010
Time: 16:14:13
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Reject
Source: Partygaming-Devel (203.x.x.x)
Destination: core1260a (192.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
Information: IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason: IKE failure
Subproduct: VPN
ASA Debug Logs
Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24, Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
SENDING PACKET to 194.x.x.x
ISAKMP Header
Initiator COOKIE: 1f e6 54 75 96 de c9 a6
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 360
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 248
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 236
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 6
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 02 58
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 6d 60
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 a8 c0
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 6
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00 | ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c | ....u......(....
00 00 00 00 01 00 00 0e | ........
RECV PACKET from 194.x.x.x
ISAKMP Header
Initiator COOKIE: 1f e6 54 75 96 de c9 a6
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Notification
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 7587D3CF
Length: 40
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 12
DOI: Isakmp
Protocol-ID: PROTO_ISAKMP
Spi Size: 0
Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed
Answer : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA
Based on what you are using (Group 5), my assumption is that the other side is not using Group 5, but possibly Group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated in the beginning of the thread, ensure that both ends (P1 and P2) match.
Billy
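Added example (not part of the original thread and not Cisco or Check Point code): a small Python check that reads the "Payload Transform" blocks of an ASA ISAKMP decode like the one in the question and lists, per offered transform, which Phase 1 attributes differ from a peer's policy. The names `parse_transforms`, `compare` and `PEER` are hypothetical, and the peer policy is an assumption, since the thread does not show the Check Point side's configuration.

```python
# Constructed sample: transforms #2, #3 and #5 from the ASA decode above,
# reduced to the attributes compared here.
SAMPLE = """\
Transform #: 2
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Transform #: 3
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Transform #: 5
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
"""

FIELDS = {"Group Description": "group", "Encryption Algorithm": "enc",
          "Key Length": "keylen", "Hash Algorithm": "hash",
          "Authentication Method": "auth"}

def parse_transforms(decode):
    """Return one dict per 'Transform #' block of an ASA ISAKMP SA decode."""
    out = []
    for line in decode.splitlines():
        key, _, val = (p.strip() for p in line.partition(":"))
        if key == "Transform #":
            out.append({"num": int(val)})
        elif out and key in FIELDS:
            out[-1][FIELDS[key]] = val
    return out

def compare(offered, peer):
    """Map transform number -> attributes that differ from the peer policy."""
    return {t["num"]: [k for k in FIELDS.values() if t.get(k) != peer.get(k)]
            for t in offered}

# Hypothetical peer policy (assumption: the page does not show the other side).
PEER = {"group": "Group 2", "enc": "AES-CBC", "keylen": "256",
        "hash": "SHA1", "auth": "Preshared key"}

if __name__ == "__main__":
    for num, diff in compare(parse_transforms(SAMPLE), PEER).items():
        print(f"transform {num}:", "match" if not diff else f"differs in {diff}")
```

An empty list for any transform means that offer would be acceptable to the assumed peer; when every list is non-empty, no single transform agrees on all attributes and the responder has nothing to choose.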