Question : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA
Hi,
We are trying to establish a VPN tunnel between a Cisco ASA 5520 and a Nokia IP1260 - HA.
We are getting the errors below. Can someone help us resolve this?
Number: 3232715
Date: 19Aug2010
Time: 16:10:22
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Key Install
Source: core1260a (192.x.x.x)
Destination: Partygaming-Devel (203.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
IKE Initiator Cookie: 1cf3a97ebdae0396
Information: IKE: Main Mode Sent Notification to Peer: no proposal chosen
Subproduct: VPN
and
Number: 3245614
Date: 19Aug2010
Time: 16:14:13
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: core1260a
Type: Log
Action: Reject
Source: Partygaming-Devel (203.x.x.x)
Destination: core1260a (192.x.x.x)
Encryption Scheme: IKE
VPN Peer Gateway: Partner-Devel (203.x.x.x)
Information: IKE: Main Mode No matching dh groups between myself and the peer
Reject Reason: IKE failure
Subproduct: VPN
ASA Debug Logs
Aug 19 20:05:34 [IKEv1]: IP = 194.x.x.x, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE MM Initiator FSM error history (struct &0xd46cae00) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, IKE SA MM:71f9cd10 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Aug 19 20:05:39 [IKEv1 DEBUG]: IP = 194.x.x.x, sending delete/delete with reason message
Aug 19 20:05:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 194.x.x.x local Proxy Address 10.195.250.0, remote Proxy Address 192.168.49.24, Crypto map (outside_map)
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing ISAKMP SA payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 02 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver 03 payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing NAT-Traversal VID ver RFC payload
Aug 19 20:05:40 [IKEv1 DEBUG]: IP = 194.x.x.x, constructing Fragmentation VID + extended capabilities payload
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 360
SENDING PACKET to 194.x.x.x
ISAKMP Header
Initiator COOKIE: 1f e6 54 75 96 de c9 a6
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 360
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 248
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 236
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 6
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 02 58
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 6d 60
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 a8 c0
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: AES-CBC
Key Length: 128
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 40
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 6
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
IKE Recv RAW packet dump
1f e6 54 75 96 de c9 a6 00 00 00 00 00 00 00 00 | ..Tu............
0b 10 05 00 75 87 d3 cf 00 00 00 28 00 00 00 0c | ....u......(....
00 00 00 00 01 00 00 0e | ........
RECV PACKET from 194.x.x.x
ISAKMP Header
Initiator COOKIE: 1f e6 54 75 96 de c9 a6
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Notification
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 7587D3CF
Length: 40
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 12
DOI: Isakmp
Protocol-ID: PROTO_ISAKMP
Spi Size: 0
Notify Type: NO_PROPOSAL_CHOSEN
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, IKE_DECODE RECEIVED Message (msgid=7587d3cf) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Aug 19 20:05:40 [IKEv1]: IP = 194.x.x.x, Information Exchange processing failed
Answer : VPN tunnel between Cisco ASA 5520 and Nokia IP1260 - HA
Based on what you are using (Group 5), my assumption is that the other side is not using Group 5, but possibly Group 2. Try changing your side to Group 2 and see if the tunnel comes up, but as I stated in the beginning of the thread, ensure that both ends (p1 and p2) match.
Billy
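An added example, not part of the original thread: a small parser for the "Payload Transform" blocks in the ASA debug output, checking each offered transform against a peer's Phase 1 policy. An IKEv1 responder has to accept one transform as a whole, so an offer that lists the peer's DH group in one transform and its cipher in another still ends in NO_PROPOSAL_CHOSEN. The two peer policies are hypothetical (the thread never shows the Check Point side's settings), and the sample input is constructed from transforms #5 and #6 above.

```python
# Constructed sample: transforms #5 and #6 from the ASA debug output above,
# trimmed to the attributes an IKEv1 Phase 1 responder compares.
SAMPLE_DEBUG = """\
Payload Transform
Transform #: 5
Group Description: Group 5
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Duration (Hex): 00 01 51 80
Payload Transform
Transform #: 6
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Duration (Hex): 00 01 51 80
"""

FIELDS = {"Transform #": "num", "Group Description": "group",
          "Encryption Algorithm": "enc", "Key Length": "keylen",
          "Hash Algorithm": "hash", "Authentication Method": "auth",
          "Life Duration (Hex)": "life"}

def parse_transforms(text):
    """Return one dict per 'Payload Transform' block in ASA IKEv1 debug output."""
    out = []
    for block in text.split("Payload Transform")[1:]:
        t = {}
        for line in block.splitlines():
            key, sep, val = line.strip().partition(":")
            if sep and key.strip() in FIELDS:
                t[FIELDS[key.strip()]] = val.strip()
        t["num"] = int(t["num"])
        t["life"] = int(t["life"].replace(" ", ""), 16)  # lifetime in seconds
        out.append(t)
    return out

def matching(transforms, peer):
    """Numbers of the transforms whose group, cipher, key length, hash and auth all equal the peer's."""
    keys = ("group", "enc", "keylen", "hash", "auth")
    return [t["num"] for t in transforms if all(t.get(k) == peer.get(k) for k in keys)]

# Hypothetical peer policies (assumptions, not taken from the thread).
PEER_A = {"group": "Group 2", "enc": "3DES-CBC", "hash": "SHA1", "auth": "Preshared key"}
PEER_B = {"group": "Group 2", "enc": "AES-CBC", "keylen": "256", "hash": "SHA1", "auth": "Preshared key"}

if __name__ == "__main__":
    offered = parse_transforms(SAMPLE_DEBUG)
    for name, peer in (("A", PEER_A), ("B", PEER_B)):
        print(name, matching(offered, peer) or "NO_PROPOSAL_CHOSEN")
```

Lifetime is parsed but left out of the comparison, since how a lifetime mismatch is handled differs between implementations.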