BrotherJones
Technical User
The client asked me to set up a site-to-site tunnel between 3 sites (Sites A, B and C):
Site A has a Cisco ASA 5510
Site B has a Cisco ASA 5505
Site C has a Juniper Netscreen 50
I was responsible for Sites A and B, and another consultant took care of the Netscreen. The L2L tunnel between my 5510 and 5505 came up immediately, but the tunnels from my sites to the Netscreen 50 fail.
From Site A (testing tunnels to Sites B and C):
- show crypto isakmp sa - issued this command from the 5510
It shows L2L tunnels established to Sites B and C.
- show crypto ipsec sa - issued from the 5510
It shows the IPsec tunnel up with Site B but not C.
In my syslog it shows a tunnel trying to be established with Site C, but I see an error that states "Received non-routine Notify message: No proposal chosen (14)".
My assumption is that IKE phase 1 completed but IKE phase 2 failed because of a security association mismatch, which I believe means that the security devices aren't configured with the same transform set (esp 3des sha).
Does this sound right to you?
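As an added example (not code from the original post or from either vendor), the following Python script encodes the reasoning in the post as a check a practitioner can run: it classifies the IKEv1 notify in the syslog line (type 14 is NO_PROPOSAL_CHOSEN), parses the ASA transform set and the Netscreen phase 2 proposal into a comparable form, and reports whether the two sides share any phase 2 proposal. The syslog lines and peer address are constructed, and the Netscreen parser assumes ScreenOS-style predefined proposal names such as `nopfs-esp-3des-sha` or `g2-esp-3des-sha`; the Netscreen proposal used as the mismatching example is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# IKEv1 notify type 14 is NO-PROPOSAL-CHOSEN (ISAKMP, RFC 2408).
IKEV1_NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN"}

# Matches the notify text quoted in the post, e.g. "... No proposal chosen (14)".
NOTIFY_RE = re.compile(
    r"Received non-routine Notify message: (?P<text>.+?) \((?P<code>\d+)\)"
)

# Constructed syslog excerpt (TEST-NET peer address); not a real capture.
SAMPLE_LOG = [
    "Group = 203.0.113.5, IP = 203.0.113.5, "
    "Received non-routine Notify message: No proposal chosen (14)",
    "Group = 203.0.113.5, IP = 203.0.113.5, IKE SA MM:1a2b3c4d terminating",
]


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str            # normalised: "3des", "aes128", "aes256", "des"
    integrity: str             # normalised: "sha", "md5"
    pfs_group: Optional[int]   # DH group used for PFS, None = no PFS


def parse_asa_transform_set(transforms: str,
                            pfs_group: Optional[int] = None) -> Phase2Proposal:
    """Parse an ASA transform-set body such as 'esp-3des esp-sha-hmac'.
    On the ASA, PFS is configured on the crypto map rather than in the
    transform set, so it is passed in separately."""
    enc = integ = None
    for tok in transforms.lower().split():
        if tok.startswith("esp-"):
            tok = tok[4:]
        if tok.endswith("-hmac"):
            integ = tok[:-len("-hmac")]
        else:
            enc = tok.replace("-", "")       # "aes-256" -> "aes256"
    if enc is None or integ is None:
        raise ValueError(f"cannot parse transform set: {transforms!r}")
    return Phase2Proposal(enc, integ, pfs_group)


# Assumed ScreenOS predefined proposal naming: <nopfs|gN>-esp-<enc>-<auth>.
NS_RE = re.compile(r"^(?P<pfs>nopfs|g\d+)-esp-(?P<enc>[a-z0-9]+)-(?P<auth>sha|md5)$")


def parse_netscreen_proposal(name: str) -> Phase2Proposal:
    """Parse a ScreenOS-style phase 2 proposal name such as 'g2-esp-3des-sha'."""
    m = NS_RE.match(name.lower())
    if not m:
        raise ValueError(f"cannot parse Netscreen proposal: {name!r}")
    pfs = None if m.group("pfs") == "nopfs" else int(m.group("pfs")[1:])
    return Phase2Proposal(m.group("enc"), m.group("auth"), pfs)


def matching_proposals(local: List[Phase2Proposal],
                       peer: List[Phase2Proposal]) -> List[Phase2Proposal]:
    """Phase 2 proposals both sides offer; an empty list means the responder
    will answer NO_PROPOSAL_CHOSEN even though phase 1 succeeded."""
    common = set(local) & set(peer)
    return sorted(common, key=lambda p: (p.encryption, p.integrity, p.pfs_group or 0))


def classify_notify(line: str) -> Optional[str]:
    """Return the IKEv1 notify name carried by a syslog line, or None."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return IKEV1_NOTIFY_NAMES.get(code, f"NOTIFY_{code}")


def diagnose(isakmp_sa_up: bool, ipsec_sa_up: bool, log_lines: List[str]) -> str:
    """Combine 'show crypto isakmp sa', 'show crypto ipsec sa' and the syslog
    into the same conclusion the post draws."""
    notifies = [n for n in map(classify_notify, log_lines) if n]
    if not isakmp_sa_up:
        return "phase1-failed"
    if ipsec_sa_up:
        return "tunnel-up"
    if "NO_PROPOSAL_CHOSEN" in notifies:
        return "phase2-proposal-mismatch"
    return "undetermined"


if __name__ == "__main__":
    asa = parse_asa_transform_set("esp-3des esp-sha-hmac")       # from the post
    netscreen = parse_netscreen_proposal("g2-esp-3des-md5")      # hypothetical peer side
    print("verdict:", diagnose(True, False, SAMPLE_LOG))
    print("common proposals:", matching_proposals([asa], [netscreen]))
```

With the ASA offering esp-3des esp-sha-hmac without PFS and the peer (hypothetically) configured for 3DES/MD5 with PFS group 2, the intersection is empty, which is exactly the condition that produces "No proposal chosen" after a successful phase 1; changing the peer to `nopfs-esp-3des-sha` makes the sets intersect.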