ROS to Cisco ASA IPSEC problem.

Using RB750 ROS4.9 I cannot initiate an IPSEC tunnel to the Cisco. The Cisco can initiate the tunnel to the RB750 successfully.
How do I get this to work? Below is the log from the RB750 and the IPSEC configuration.

17:09:24 ipsec initiate new phase 1 negotiation: 65.10.10.10[500]<=>216.40.40.40[500]
17:09:24 ipsec begin Identity Protection mode.
17:09:24 ipsec received broken Microsoft ID: FRAGMENTATION
17:09:24 ipsec received Vendor ID: CISCO-UNITY
17:09:24 ipsec received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
17:09:25 ipsec received Vendor ID: DPD
17:09:25 ipsec ISAKMP-SA established 65.10.10.10[500]-216.40.40.40[500] spi:22a9d57be19cffec:454175ce55c5d921
17:09:25 ipsec initiate new phase 2 negotiation: 65.10.10.10[500]<=>216.40.40.40[500]
17:09:25 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
17:09:25 ipsec Message: 'Mi '.
17:09:25 ipsec ISAKMP-SA expired 65.10.10.10[500]-216.40.40.40[500] spi:22a9d57be19cffec:454175ce55c5d921
17:09:55 ipsec 216.40.40.40 give up to get IPsec-SA due to time up to wait.
17:09:55 ipsec IPsec-SA expired: ESP/Tunnel 216.40.40.40[0]->65.10.10.10[0] spi=248785156(0xed42904)


/ip ipsec proposal
set default auth-algorithms=md5 comment="" disabled=no enc-algorithms=3des lifetime=8h name=default pfs-group=modp1024

/ip ipsec peer
add address=216.40.40.40/32:500 auth-method=pre-shared-key comment="" dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=md5 lifebytes=0 lifetime=1d nat-traversal=no proposal-check=obey secret=12345 send-initial-contact=yes

/ip ipsec policy
add action=encrypt comment="" disabled=no dst-address=128.1.0.54/32:any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=216.40.40.40 sa-src-address=65.10.10.10 src-address=192.168.10.3/32:any tunnel=yes

/ip firewall nat
add action=accept chain=srcnat comment="" disabled=no dst-address=128.1.0.54 src-address=192.168.10.3
add action=accept chain=srcnat comment="" disabled=no dst-address=192.168.10.3 src-address=128.1.0.54

17:09:25 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.

What does the crypto map on the ASA look like?

I used their Cisco crypto map as a reference to set up the MikroTik. Everything looks identical.

Is it possible to post it here anyway? I often overlook tiny typos that my colleagues then spot for me.

I’d also try debugging this on the Cisco side. ‘debug crypto ipsec’ should give you some insight on why the ASA doesn’t choose a proposal.

techmonkey1,

Did you figure out the problem? I have exactly the same problem, only I don’t have access to the Cisco, and the guy managing the Cisco won’t give me access and is not PIX proficient either. It worked earlier today, but somewhere along the line he changed something and doesn’t know it. It’s taken me a week to get these guys this far and it’s getting painfully frustrating…

I have the same issue with the same logs. But, in my case, the Cisco side requires that the tunnel be from an internal address such as 10.254.x.x. By their security policy, they cannot change this. After I successfully complete phase 1, on phase two I get a rejection of the tunnel. Now I have no idea how I can make the IPsec tunnel with an internal address. Maybe anyone can give me advice?

Here is part of the Cisco log:

13699 09/18/2010 14:39:52.260 SEV=4 IKE/119 RPT=27864 89.28.xx.xx Group [89.28.xx.xx] PHASE 1 COMPLETED

13700 09/18/2010 14:39:52.260 SEV=4 AUTH/22 RPT=37332 89.28.xx.xx User [89.28.xx.xx] Group [89.28.xx.xx] connected, Session Type: IPSec/LAN-to-LAN

13702 09/18/2010 14:39:52.530 SEV=5 IKE/25 RPT=44764 89.28.xx.xx Group [89.28.xx.xx] Received remote Proxy Host data in ID Payload:
Address 89.28.67.69, Protocol 0, Port 0

13705 09/18/2010 14:39:52.530 SEV=5 IKE/24 RPT=13283 89.28.xx.xx Group [89.28.xx.xx] Received local Proxy Host data in ID Payload:
Address 62.13.170.66, Protocol 0, Port 0

13708 09/18/2010 14:39:52.530 SEV=4 IKE/61 RPT=8733 89.28.xx.xx Group [89.28.xx.xx] Tunnel rejected: Policy not found for Src:89.28.67.69, Dst: 62.13.xx.xx!

13710 09/18/2010 14:39:52.530 SEV=4 IKEDBG/97 RPT=25717 89.28.xx.xx Group [89.28.xx.xx] QM FSM error (P2 struct &0x5ffa6a4, mess id 0x9b0ef58b)!
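The two logs in this thread show the same failure from both ends: racoon on the RB750 gets phase 1 up and then NO-PROPOSAL-CHOSEN at the start of phase 2, while the Cisco reports the proxy identities it received in the quick mode ID payload and then "Policy not found". That pairing means the traffic selectors (the RouterOS policy src-address/dst-address) do not match an entry in the Cisco crypto ACL, not a cipher problem. The script below is an added example, not code from the thread or from MikroTik or Cisco: it walks a racoon log to classify where the negotiation stopped, pulls the proxy IDs out of a Cisco log, and compares them against an assumed crypto ACL. The log text is constructed from the lines posted above, and the ACL entry (with 10.254.1.5 as the internal address the Cisco side insists on) is a placeholder for the real configuration.

```python
"""Correlate RouterOS (racoon) and Cisco IKE logs to pinpoint a phase 2 traffic-selector mismatch.

Added example, not code from the thread. The log samples are constructed,
modelled on the lines posted above; the Cisco crypto ACL is an assumption
standing in for the real configuration on the Cisco side.
"""
import ipaddress
import re

# Constructed racoon log, modelled on the RB750 output posted in the thread.
RACOON_LOG = """\
17:09:24 ipsec initiate new phase 1 negotiation: 65.10.10.10[500]<=>216.40.40.40[500]
17:09:25 ipsec ISAKMP-SA established 65.10.10.10[500]-216.40.40.40[500] spi:22a9d57be19cffec:454175ce55c5d921
17:09:25 ipsec initiate new phase 2 negotiation: 65.10.10.10[500]<=>216.40.40.40[500]
17:09:25 ipsec fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
"""

# Constructed Cisco log, modelled on the concentrator output posted in the thread.
CISCO_LOG = """\
13699 09/18/2010 14:39:52.260 SEV=4 IKE/119 RPT=27864 89.28.xx.xx Group [89.28.xx.xx] PHASE 1 COMPLETED
13702 09/18/2010 14:39:52.530 SEV=5 IKE/25 RPT=44764 89.28.xx.xx Group [89.28.xx.xx] Received remote Proxy Host data in ID Payload:
Address 89.28.67.69, Protocol 0, Port 0
13705 09/18/2010 14:39:52.530 SEV=5 IKE/24 RPT=13283 89.28.xx.xx Group [89.28.xx.xx] Received local Proxy Host data in ID Payload:
Address 62.13.170.66, Protocol 0, Port 0
13708 09/18/2010 14:39:52.530 SEV=4 IKE/61 RPT=8733 89.28.xx.xx Group [89.28.xx.xx] Tunnel rejected: Policy not found for Src:89.28.67.69, Dst: 62.13.170.66!
"""

# Assumed crypto ACL on the Cisco, written from the Cisco's point of view as
# (local network it protects, remote network it expects the peer to present).
# The post says the Cisco insists on a 10.254.x.x source; 10.254.1.5 is a placeholder.
CISCO_ACL = [("62.13.170.66/32", "10.254.1.5/32")]

PROXY_RE = re.compile(
    r"Received (remote|local) Proxy (?:Host|Subnet) data in ID Payload:\s*"
    r"Address (\d+(?:\.\d+){3})(?:, Mask (\d+(?:\.\d+){3}))?, Protocol (\d+), Port (\d+)"
)
REJECT_RE = re.compile(r"Tunnel rejected: Policy not found for Src:\s*([\d.]+), Dst:\s*([\d.]+)")


def racoon_failure_stage(log: str) -> str:
    """Classify where racoon's negotiation stopped by walking the log in order.

    Returns 'phase1-rejected', 'phase2-rejected', 'ok', or the last stage reached.
    """
    stage = "phase1"
    for line in log.splitlines():
        if "ISAKMP-SA established" in line:
            stage = "phase1-ok"
        elif "initiate new phase 2 negotiation" in line:
            stage = "phase2"
        elif "NO-PROPOSAL-CHOSEN" in line:
            return "phase2-rejected" if stage == "phase2" else "phase1-rejected"
        elif "IPsec-SA established" in line:
            return "ok"
    return stage


def cisco_proxy_ids(log: str) -> dict:
    """Extract the proxy identities (traffic selectors) the Cisco saw in the quick mode ID payloads.

    Host identities become a /32; Subnet identities carry their own mask.
    """
    ids = {}
    for side, addr, mask, proto, port in PROXY_RE.findall(log):
        net = ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
        ids[side] = {"net": net, "proto": int(proto), "port": int(port)}
    ids["rejected"] = REJECT_RE.search(log) is not None
    return ids


def match_acl(ids: dict, acl: list):
    """Return the (local, remote) ACL entry equal to the offered proxy IDs, else None.

    An exact match is required, mirroring the 'Policy not found' check in the log.
    """
    for local_str, remote_str in acl:
        local_net = ipaddress.ip_network(local_str)
        remote_net = ipaddress.ip_network(remote_str)
        if ids["local"]["net"] == local_net and ids["remote"]["net"] == remote_net:
            return (local_str, remote_str)
    return None


def diagnose(racoon_log: str, cisco_log: str, acl: list) -> str:
    """Combine both sides' logs into a one-line diagnosis naming the selectors to fix."""
    stage = racoon_failure_stage(racoon_log)
    if stage != "phase2-rejected":
        return f"negotiation stopped at {stage}; check the IKE (phase 1) parameters first"
    ids = cisco_proxy_ids(cisco_log)
    if "remote" not in ids or "local" not in ids:
        return "phase 2 rejected but no proxy IDs found in the Cisco log"
    if match_acl(ids, acl):
        return "proxy IDs match the ACL; compare the ESP transform set (proposal) instead"
    local_str, remote_str = acl[0]
    return (
        f"proxy ID mismatch: peer offered src={ids['remote']['net']} dst={ids['local']['net']}, "
        f"Cisco ACL expects src={remote_str} dst={local_str}; "
        f"set the RouterOS policy to src-address={remote_str} dst-address={local_str} "
        f"and src-nat LAN traffic to {remote_str.split('/')[0]} before it reaches the policy"
    )


if __name__ == "__main__":
    print(diagnose(RACOON_LOG, CISCO_LOG, CISCO_ACL))
```

Run it against your own logs by swapping the two constants: on RouterOS the racoon lines come from `/log print` with ipsec logging enabled, and the Cisco side is whatever the admin can paste from `debug crypto ipsec` or the concentrator event log. The exact-match rule in `match_acl` is deliberately strict; if the diagnosis says the IDs match but phase 2 still fails, the remaining suspects are the ESP algorithms, PFS group and lifetime in the proposal.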

My problem solved.

I made a VLAN on the internal interface with the needed address. I introduced it in the IPsec policy as the source address. After this, I made src-nat rules to send traffic to the needed LAN through the created VLAN. And everything works fine.

Try this