ASA IPSec IKEv1

When creating an ASA IPsec VPN, there will be times when Phase 2 does not match between the peers. When the VPN is initiated from the ASA and debugs are enabled, you will see that the ASA receives a No Proposal Chosen message. There are two specific types of these messages that the ASA will see: No proposal chosen (14) and Invalid ID info (18). The numbers 14 and 18 indicate which portion of Phase 2 is mismatched.

IPSec Phase 2

Phase 2 consists of Encryption, Hash, Perfect Forward Secrecy (PFS), Lifetime and Encryption Domain. The numbers 14 and 18 in the non-routine Notify response correlate to these settings.

Invalid ID info (18)

Invalid ID info (18) is the easiest to identify. This message states that the Encryption Domains do not match on both sides of the VPN. If the ASA has received this message, all other Phase 2 settings are valid; only the access-list for the VPN needs to be updated on either the ASA or the Remote Peer.

Error Example:
Oct 05 23:18:54 [IKEv1]Group = 1.2.3.4, IP = 1.2.3.4, Received non-routine Notify message: Invalid ID info (18)

No Proposal Chosen (14)

No Proposal Chosen (14) is a little tougher to troubleshoot, because it does not identify which piece of the Phase 2 configuration is mismatched. 14 represents the Encryption, Hash, PFS and Lifetime. Usually this issue is not related to lifetime, as this will auto-negotiate to the lowest value between the ASA and the Remote peer. There are times when the Remote peer may not negotiate the lifetime, which will present this message, but this is rare.

This leaves Encryption, Hash and PFS. PFS tends to be the most common culprit for Phase 2 issues. Some other VPN vendors have PFS on by default, so the Remote side may believe that PFS is disabled because they did not configure it. The easiest way to troubleshoot error 14 is to enable PFS as group2. This is the usual default PFS setting for other VPN endpoints and is the default PFS used by the ASA when enabled.

If the issue persists after testing PFS, then it is best to reach out to the other side and compare the settings for Encryption, Hash, PFS and Lifetime to make sure everything matches.

When changing these settings, watch carefully for whether the message changes from No proposal chosen (14) to Invalid ID info (18). That would mean that Encryption, Hash, PFS and Lifetime are now correct. Message 18 is only presented if the tunnel has made it past message 14.

Error Example:
Oct 05 23:10:43 [IKEv1]Group = 1.2.3.4, IP = 1.2.3.4, Received non-routine Notify message: No proposal chosen (14)

IPSec Phase 2 Configuration Table

Invalid ID info (18)
access-list 200 permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 <-Encryption Domain
crypto map VPNMAP 200 match address 200 <-Encryption Domain

No Proposal Chosen (14)
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac <-Encryption and Hash
crypto map VPNMAP 200 set peer 1.2.3.4
crypto map VPNMAP 200 set pfs group2 <-PFS
crypto map VPNMAP 200 set ikev1 transform-set ESP-AES-SHA <-Encryption and Hash
crypto map VPNMAP 200 set security-association lifetime seconds 3600 <-Lifetime
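
An added example, not from the original article: a small Python triage script that reads ASA debug lines in the format of the two error examples above, maps each Notify code to the configuration lines in the table, and flags a peer whose message has moved from 14 to 18. The sample log lines, the second peer address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Notify code -> Phase 2 configuration to compare with the remote peer,
# following the article's table.
NOTIFY_HINTS = {
    14: "Encryption/Hash (transform-set), PFS (set pfs), Lifetime",
    18: "Encryption Domain (access-list, crypto map match address)",
}

NOTIFY_RE = re.compile(
    r"\[IKEv1\]\s*Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+), "
    r"Received non-routine Notify message: (?P<text>.+?) \((?P<code>\d+)\)"
)

def parse_notifies(lines):
    """Return (peer_ip, code, text) for every non-routine Notify line."""
    events = []
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            events.append((m["ip"].strip(), int(m["code"]), m["text"]))
    return events

def diagnose(lines):
    """Per peer: latest Notify code, what to check, and whether 14 became 18."""
    history = {}
    for ip, code, _ in parse_notifies(lines):
        history.setdefault(ip, []).append(code)
    report = {}
    for ip, codes in history.items():
        last = codes[-1]
        report[ip] = {
            "last_code": last,
            "check": NOTIFY_HINTS.get(last, "code not covered by the article"),
            # 18 after an earlier 14: Encryption, Hash, PFS and Lifetime now match.
            "proposal_now_ok": last == 18 and 14 in codes[:-1],
        }
    return report

# Constructed sample input in the format of the article's error examples.
SAMPLE = [
    "Oct 05 23:10:43 [IKEv1]Group = 1.2.3.4, IP = 1.2.3.4, Received non-routine Notify message: No proposal chosen (14)",
    "Oct 05 23:12:01 [IKEv1]Group = 192.0.2.10, IP = 192.0.2.10, Received non-routine Notify message: No proposal chosen (14)",
    "Oct 05 23:18:54 [IKEv1]Group = 1.2.3.4, IP = 1.2.3.4, Received non-routine Notify message: Invalid ID info (18)",
]

if __name__ == "__main__":
    for peer, result in diagnose(SAMPLE).items():
        print(peer, result)
```

For peer 1.2.3.4 the report points at the access-list, since its last message is 18 and an earlier 14 shows the proposal settings were already corrected.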

 

To learn more about configuring IPsec VPNs, please see my Basic Site to Site VPN article or my Route Based VPN article. If you wish to see more on troubleshooting VPNs, please check out my Troubleshooting article as well. If you would like to see any new articles or if you have any questions, feel free to contact me.

 


