IPsec cannot establish to Cisco

[rmkroot@SG-GT] /ip> ipsec peer pr
Flags: X - disabled
0 address=202.134.7.6/32:500 auth-method=pre-shared-key secret="xxxxxxxxx" generate-policy=yes exchange-mode=main send-initial-contact=yes
nat-traversal=no proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=1m
dpd-maximum-failures=1
[rmkroot@SG-GT] /ip> ipsec policy pr
Flags: X - disabled, D - dynamic, I - inactive
0 src-address=10.10.12.96/27:any dst-address=192.168.2.3/32:any protocol=all action=encrypt level=unique ipsec-protocols=esp tunnel=yes
sa-src-address=202.134.5.6 sa-dst-address=202.134.7.6 proposal=default priority=0
[rmkroot@SG-GT] /ip> ipsec proposal pr
Flags: X - disabled
0 name="default" auth-algorithms=md5,sha1 enc-algorithms=3des lifetime=30m pfs-group=none



15:48:38 ipsec begin Identity Protection mode.
15:48:38 ipsec ISAKMP-SA established 202.134.5.6[500]- 202.134.7.6[500] spi:17416654cc65ca55:96be00baf5a386e5
15:48:39 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:48:39 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:48:39 ipsec Message: '0 b= @ b= a l H a a '.
15:49:08 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:49:08 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:49:08 ipsec Message: '0 b% D b= a l a a '.
15:49:09 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
15:49:09 ipsec IPsec-SA expired: ESP/Tunnel 202.134.7.6[0]->202.134.5.6[0] spi=89663660(0x55828ac)
15:49:38 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
15:49:38 ipsec IPsec-SA expired: ESP/Tunnel 202.134.7.6[0]->202.134.5.6[0] spi=32828498(0x1f4ec52)
15:49:39 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:49:39 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:49:39 ipsec Message: '0 b= < b= a ll[ a a '.
15:50:09 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
15:50:09 ipsec IPsec-SA expired: ESP/Tunnel 202.134.7.6[0]->202.134.5.6[0] spi=196734536(0xbb9ee48)
15:50:09 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:50:09 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:50:09 ipsec Message: '0 b= b= a l Qa a

What are the suspected problems on the MK side?
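The log above shows phase 1 (ISAKMP-SA) completing and every phase 2 attempt being answered with NO-PROPOSAL-CHOSEN. The following triage script is an added example, not part of the original post or of RouterOS; it parses lines in this log format and reports per peer which phase failed. The function name `triage`, the verdict strings and the rule of attributing a notify to the most recent phase 2 peer are assumptions of this example.

```python
import re
from collections import Counter

# Excerpt of the log lines posted above, embedded so the script runs offline.
SAMPLE_LOG = """\
15:48:38 ipsec begin Identity Protection mode.
15:48:38 ipsec ISAKMP-SA established 202.134.5.6[500]- 202.134.7.6[500] spi:17416654cc65ca55:96be00baf5a386e5
15:48:39 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:48:39 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:49:08 ipsec initiate new phase 2 negotiation: 202.134.5.6[500]<=>202.134.7.6[500]
15:49:08 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
15:49:09 ipsec 202.134.7.6 give up to get IPsec-SA due to time up to wait.
"""

PHASE1_OK = re.compile(r"ISAKMP-SA established \S+\[\d+\]-\s*(\S+)\[\d+\]")
PHASE2_START = re.compile(r"initiate new phase 2 negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]")
NOTIFY = re.compile(r"ipsec fatal (\S+) notify")
GIVE_UP = re.compile(r"ipsec (\S+) give up to get IPsec-SA")


def triage(log_text):
    """Summarise, per remote peer, how far the IKE negotiation got."""
    peers = {}
    last_peer = None  # notify lines carry no address (assumption: latest phase 2 peer)

    def state(peer):
        return peers.setdefault(peer, {"phase1": False, "phase2_attempts": 0,
                                       "notifies": Counter(), "timeouts": 0})

    for line in log_text.splitlines():
        if m := PHASE1_OK.search(line):
            state(m.group(1))["phase1"] = True
        elif m := PHASE2_START.search(line):
            last_peer = m.group(1)
            state(last_peer)["phase2_attempts"] += 1
        elif (m := NOTIFY.search(line)) and last_peer:
            state(last_peer)["notifies"][m.group(1)] += 1
        elif m := GIVE_UP.search(line):
            state(m.group(1))["timeouts"] += 1

    for s in peers.values():
        if not s["phase1"]:
            s["verdict"] = "phase 1 never completed: check peer settings and PSK"
        elif s["notifies"]["NO-PROPOSAL-CHOSEN"]:
            s["verdict"] = ("phase 1 OK, phase 2 proposal rejected: "
                            "compare /ip ipsec proposal with the peer's phase 2 settings")
        else:
            s["verdict"] = "no phase 2 rejection logged"
    return peers


if __name__ == "__main__":
    for peer, s in triage(SAMPLE_LOG).items():
        print(peer, s["phase2_attempts"], dict(s["notifies"]), s["timeouts"], s["verdict"])
```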

I know this topic is old, but I too am getting this attempting to establish to an ASA-5510 with 8.2(5) on it.

When I look at the ipsec box where the SAs are listed, it shows “none” for Auth Algorithm and Encr Algorithm. This tells me that the two sides don’t appear to be negotiating the proposal properly.

I’ve tried different parameters on both the ASA and on the MTK side.

Anyone?

-Rich

Show the config from both sides. I’ve got an IPsec tunnel happily running between RouterOS 5.7 and an ASA 8.4.

I can show the config easily enough from the Cisco.. what command do I use for RouterOS? I pretty much use winbox exclusively for configuration.

-Rich

“/ip ipsec export”, also post the output of “/ip firewall nat export” to make sure NAT exemption is configured right. In addition please post the output of “/ip address print detail” and “/ip route print detail” just because it helps paint a picture of the router.

Also make sure that you’re allowing udp/500 and ipsec-esp or ipsec-ah sourced from the ASA in the firewall filter input chain, or are allowing udp/500 and udp/4500 if you’re using NAT-T. If you’re unsure add the output of “/ip firewall filter export”.

Well… I had removed the configuration from the router not knowing how long it would take to get a response and when I put the configuration back in everything came up. Oddly enough the only thing I changed was the PSK. I had changed it so that I could post the config without having my actual key in it. Maybe one of the sides had an issue with a key with the $ symbol in it? That seems odd that it would since it’s supposed to be secure.

I also have another VPN that is a dynamic VPN from someone else and every time I touch the VPN configuration his tunnel goes down and he has to re-establish from his side. That also seems weird to me - esp if I didn’t flush the SAs.

-Rich