Contivity 1050 and 221 VPN Setup

Status
Not open for further replies.

hall5942

Vendor
May 7, 2002
377
US
I have a Contivity 1050 at the Main Branch and a 221 at the remote site. I am trying to set up a branch tunnel with no luck. In the logs it shows "Phase 1 IKE SA process done" then shows "!! No proposal chosen". The manual says make sure that you are using the correct IPSec parameters. I have the 221 set up to use ESP-DES SHA1, and that is also checked on the 1050. What am I missing?

Thanks.
 
You need to carefully review the IPSec settings on both sites:

In the 1050 tunnel profile, ensure that ALL encryption types are allowed except AH only.

You also need to verify the Diffie Hellman settings.

It will take some trial and error, but you'll get it.
 
On the 1050, the only place to enable the encryption is under
Profiles --> Branch Office --> then configure under Group/Base.
That is the only place that I see anything.

On the 1050, I set up a group under Base (Base/XYZ company). I have the XYZ company group inherit from the Base group and have everything checked but AH only.
My Diffie-Hellman is set to 56-Bit DES with Group 1 (768-bit prime). I also changed it to all the other settings as well with no luck. However, I don't see a Diffie-Hellman setting on the 221 side.

Thanks for your help on this.
 
Sounds like you are not getting phase 2 up which means the security association is failing. Most common cause is the routing negotiation is disparate between the two. Check available network/routes that each side is advertising.
Branch tunnels fail often for this reason.
 
Is there a place in the 1050 to check the Phase 2 authentication? I changed all of the Phase 2 settings to every combination I can and still no luck.
 
Under Profiles--> Branch Office--> Check to be certain that the 'local' and 'remote' networks being advertised are the same respectively.
On the 221, it will be under VPN, branch office, IP Policy, edit.
There are several things for phase 2... you won't see (1) place for everything... this is just the most common aspect that often is messed up.
 
No. I even set NAT Traversal on to try, but it still does the same thing.
 
On the 221 the software is VE221_2.0.0.0.013 | 12/01/2003

On the 1050 the software is V04_07.021

Is that what you needed?
 
Perfect Forward Secrecy was disabled on the 1050 and enabled on the 221. Thanks for all of your help.
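
The checks this thread worked through, as an added example that is not part of the original posts: a Python comparison of two peers' Phase 2 settings that reports the mismatches behind "No proposal chosen" (ESP transforms, PFS, mirrored local/remote networks). The dictionary field names, subnets and PFS group number are constructed for illustration and are not Contivity configuration keys.

```python
from ipaddress import ip_network

def nets(cidrs):
    """Normalise a list of CIDR strings into a comparable set."""
    return {ip_network(c) for c in cidrs}

def phase2_mismatches(a, b):
    """List the reasons peers a and b cannot agree on a Phase 2 proposal."""
    problems = []
    # At least one ESP cipher/hash pair must be enabled on both sides.
    if not set(a["esp"]) & set(b["esp"]):
        problems.append("no common ESP transform")
    # PFS must be off on both peers, or on with the same DH group.
    if a["pfs_group"] != b["pfs_group"]:
        problems.append(
            f"PFS mismatch: {a['name']}={a['pfs_group']} {b['name']}={b['pfs_group']}")
    # Each side's local networks must equal the other side's remote networks.
    if nets(a["local"]) != nets(b["remote"]):
        problems.append(f"{a['name']} local != {b['name']} remote")
    if nets(a["remote"]) != nets(b["local"]):
        problems.append(f"{a['name']} remote != {b['name']} local")
    return problems

# Constructed sample settings (hypothetical field names, example subnets).
MAIN_1050 = {
    "name": "1050",
    "esp": [("des", "sha1"), ("3des", "sha1"), ("3des", "md5")],
    "pfs_group": None,            # PFS disabled
    "local": ["10.1.0.0/16"],
    "remote": ["10.2.0.0/24"],
}
REMOTE_221 = {
    "name": "221",
    "esp": [("des", "sha1")],
    "pfs_group": 1,               # PFS enabled; group number is assumed
    "local": ["10.2.0.0/24"],
    "remote": ["10.1.0.0/16"],
}

if __name__ == "__main__":
    for reason in phase2_mismatches(MAIN_1050, REMOTE_221):
        print("mismatch:", reason)
```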
 