Hello Tobias,

Thank you for the details. I've already tested with

    esp=aes256-sha1!
    esp=aes128-sha1!
    esp=3des-md5!

No luck. Requested logs and configs from the ASA using:

    debug crypto ikev1 127
    debug crypto ipsec 127
    show crypto ipsec sa

Thank you,
Andrii Petrenko
[email protected]

> On Mar 20, 2018, at 12:45 AM, Tobias Brunner <[email protected]> wrote:
>
> Hi Andrii,
>
> ike-scan won't help you here as it only reports on Phase 1 (IKE SA), but
> your problem is during Phase 2 (Quick Mode, IPsec SA).
>
>> Remote side is not supporting pfs.
>>
>> IKE Phase One Parameters:
>> Encryption Algorithm: AES 256
>> Hash Algorithm: SHA
>> Authentication Method: Pre-shared key
>> Key Exchange: Diffie Hellman Group 5
>> IKE SA Lifetime: 86400 (Cisco default)
>>
>> IKE Phase Two Parameters (IPSEC):
>> Authentication: ESP with SHA-HMAC
>> Encryption Algorithm: ESP-AES 256
>> SA Establishment: ipsec-isakmp (IKE negotiated)
>> IPSEC Mode Tunnel (Cisco default)
>> IPSEC SA Lifetime (time) 3600 seconds
>> IPSEC SA Lifetime (volume) 4608000 kilobytes
>> PFS (Perfect Forward Secrecy) No
>>
>> Optional encryption if requirements differ from above:
>> esp-3des esp-md5-hmac
>> esp-aes 256 esp-sha-hmac
>> esp-aes 128 esp-sha-hmac
>>
>> This information I have from remote side.
>
> Looks like esp=aes256-sha1! should be correct then. You could also try
> esp=aes128-sha1! or esp=3des-md5! (not recommended though). And if this
> doesn't work, ask the remote admins for the correct settings (they
> should see in the log why the proposal was rejected).
>
>> Is it possible to see what the remote side offers?
>
> No (unless you do what ike-scan does i.e. try a number of possible
> combinations).
>
> Regards,
> Tobias
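For reference, the Cisco-side parameters quoted in the thread map onto a strongSwan ipsec.conf connection as follows. This is an added illustration, not configuration posted by either participant; the connection name, addresses, subnets and the PSK identity are placeholders.

```ini
# Added example (not from the thread): strongSwan ipsec.conf conn matching
# the remote ASA parameters quoted above. Addresses/subnets are placeholders.
conn asa-peer
    keyexchange=ikev1              # IKEv1 main mode + quick mode
    authby=secret                  # pre-shared key (set in ipsec.secrets)
    left=%defaultroute             # PLACEHOLDER: local endpoint
    leftsubnet=10.1.0.0/24         # PLACEHOLDER: local protected network
    right=203.0.113.1              # PLACEHOLDER: ASA public address
    rightsubnet=10.2.0.0/24        # PLACEHOLDER: remote protected network
    # Phase 1: AES-256, SHA-1, DH group 5 (modp1536); "!" = offer only this
    ike=aes256-sha1-modp1536!
    ikelifetime=86400s             # IKE SA lifetime, Cisco default
    # Phase 2: ESP AES-256 with HMAC-SHA-1. No DH group listed => no PFS,
    # which matches "PFS No" on the remote side.
    esp=aes256-sha1!
    lifetime=3600s                 # IPsec SA lifetime (time)
    lifebytes=4718592000           # IPsec SA lifetime (volume): 4608000 KB
    type=tunnel                    # tunnel mode (default)
    auto=start
```

Two details worth checking if the proposal is still rejected: a DH group in esp= (for example esp=aes256-sha1-modp1536!) would request PFS, which the ASA side says it does not support, so keep it out; and the trailing ! means strongSwan offers exactly this one transform, so the remote admins' debug output (the ASA debug commands listed in the message) will show precisely which attribute they refused rather than a long list of alternatives.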
