1 Reply Latest reply on Jan 15, 2016 3:04 AM by lnurmi

    Failing IPsec SA negotiation because IKE SA getting deleted

    gopalpathak

      Hello Guys,

       

      I need help with this issue; let me know if anything else is required.

       

      Scenario:

      Central Hub Gateway: Has a public IP on the outside interface

      Satellite Gateway: Port 0 (Outside) has a static private-range (10.8.9.0/24) IP address on the interface

                                            (But the interface has full internet access for communication, as we are accessing the internet from another company's LAN, extending a cable from the switch)

                                  Port 4 (LAN) also has a private-range (10.0.0.0/8) IP address

      Status: Firewall came up and is showing green in SMC

      Policy: VPN policy has been pushed at both ends

      Issue: VPN is not getting established and is showing the logs below

      My analysis: I have checked and verified that the RSA certificate is correct and valid at both ends

                          VPN

      Note: We have other site VPNs which are working without any issue

       

      Logs:

      ================================================================================ =========================================================

      Last IKE packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(HTTP_CERT_LOOKUP_SUPPORTED), CERTREQ, Vid
      IKEv2 SA error: No proposal chosen
      IKEv2 SA initiator failed, Local 10.8.9.51 (ipv4), Local auth method: RSA signature, Remote auth method: Reserved
      IPsec SA local proposal: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, No ESN; ),
      IPsec SA initiator error: No proposal chosen
      Failing IPsec SA negotiation because IKE SA is being deleted
      Waiting for IKE SA negotiation to finish, marking IKE SA invalid
      IKE SA deleted
      Starting IKEv2 initiator negotiation
      IKEv2 SA proposal SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA256-128, HMAC-SHA384-192, HMAC-SHA512-256, HMAC-SHA256 PRF, HMAC-SHA384 PRF, HMAC-SHA512 PRF, 1536 bit MODP; )
      Last IKE packet: HDR, SA, KE, Nonce, N(NAT_DETECTION_SOURCE_IP), N(NAT_DETECTION_DESTINATION_IP), N(HTTP_CERT_LOOKUP_SUPPORTED), CERTREQ, Vid
      IKEv2 SA error: No proposal chosen
      IKEv2 SA initiator failed, Local 10.8.9.51 (ipv4), Local auth method: RSA signature, Remote auth method: Reserved
      IPsec SA local proposal: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 256, HMAC-SHA1-96, No ESN; ),
      IPsec SA initiator error: No proposal chosen
      Failing IPsec SA negotiation because IKE SA is being deleted
      Waiting for IKE SA negotiation to finish, marking IKE SA invalid
      IKE SA deleted

      ================================================================================ =============================================================