0 votes
2,271 views 13 comments
by anonymous

Hi everyone,

Help me with this issue.

I'm trying to configure a DMVPN spoke on my RUT955. I've already set all parameters, but in my logs I get an IPsec error:

Thu Nov 21 09:43:54 2019 syslog: 05[NET] sending packet: from[500] to IP Public[500] (212 bytes)

Thu Nov 21 09:43:55 2019 syslog: 08[NET] received packet: from IP Public [500] to[500] (52 bytes)

Thu Nov 21 09:43:55 2019 syslog: 08[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]

Thu Nov 21 09:43:55 2019 syslog: 08[IKE] received NO_PROPOSAL_CHOSEN error notify

I hope somebody can help me.


Go to the IPsec configuration page and make sure that you've added secrets (they are below the IPsec configurations), and check the selectors (secrets and selectors can also be added on the DMVPN configuration page). Also make sure that all of the proposal algorithms match the other side; check the Phase 1 and Phase 2 tabs.

Also, you might be using IKEv2 instead of IKEv1 on the other side, whereas RUT uses IKEv1 by default.

FYI: when you are pasting to public forums, please obfuscate the public IP addresses.
by anonymous

First of all thank you for your answer, I appreciate it.

In my IPsec configuration I already have the secrets set. But what I am not very clear about is the Secrets ID Selector: how can I set it on my Cisco hub, or better, which one should I choose?

I have got past that error; now I'm getting this one:

10[IKE] sending keep alive to HUB IP PÚBLIC [4500]

13[IKE] sending keep alive to HUB IP PÚBLIC [4500]

06[IKE] sending keep alive to HUB IP PÚBLIC [4500]

Sometimes I get the information that the tunnel has been established, but I'm still receiving 06[IKE] sending keep alive to HUB IP PÚBLIC [4500]

I don't know why.

by anonymous

And I set my IKE version to V1 because when I set V2 I get this error:

06[CFG] received stroke: initiate 'teste_dmvpn'

06[IKE] unable to resolve %any, initiate aborted

06[MGR] tried to checkin and delete nonexisting IKE_SA

I've struggled to find anything useful about this issue, but so far nothing.

1 Answer

0 votes
Secret selectors are used to assign a secret to a tunnel by the specified selector. You can always use %any (if you leave it empty, it will use %any anyway), or assign specific IP addresses or FQDNs to select the secret according to IPsec tunnel attributes like local ID, remote ID and remote IP address. So in your case it would be best to use the public HUB IP address in the spokes as selectors and %any in the HUB.

The keep alives are enabled by default, to check that the link between the two points is not broken; it's not an error, just a feature.
by anonymous
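An added example, not part of the original thread: a small Python triage script that labels the log messages discussed above with the meaning given in the replies and masks public IPv4 addresses before the log is posted. The sample lines are constructed (documentation addresses), and the function names and the list of internal ranges are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the charon log format quoted in the thread;
# 203.0.113.9 is a documentation address, not a real host.
SAMPLE_LOG = """\
Thu Nov 21 09:43:54 2019 syslog: 05[NET] sending packet: from 10.0.0.2[500] to 203.0.113.9[500] (212 bytes)
Thu Nov 21 09:43:55 2019 syslog: 08[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Thu Nov 21 09:43:55 2019 syslog: 08[IKE] received NO_PROPOSAL_CHOSEN error notify
Thu Nov 21 09:50:01 2019 syslog: 10[IKE] sending keep alive to 203.0.113.9[4500]
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumption: addresses in these ranges are internal and safe to leave visible.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Meaning of each message as explained in the replies of this thread.
FINDINGS = [
    (re.compile(r"NO_PROPOSAL_CHOSEN|N\(NO_PROP\)"), "ERROR",
     "peer rejected the proposal: compare Phase 1/Phase 2 algorithms and IKE version"),
    (re.compile(r"sending keep alive"), "INFO",
     "keep alive, enabled by default; not an error"),
]

def redact(line):
    """Replace every IPv4 address outside the internal ranges with a placeholder."""
    def sub(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)  # not a valid address, leave untouched
        return match.group(0) if any(addr in n for n in INTERNAL) else "<PUBLIC_IP>"
    return IPV4.sub(sub, line)

def triage(log_text):
    """Return (severity, note, redacted_line) for each recognised log line."""
    results = []
    for line in log_text.splitlines():
        for pattern, severity, note in FINDINGS:
            if pattern.search(line):
                results.append((severity, note, redact(line)))
                break
    return results

if __name__ == "__main__":
    for severity, note, line in triage(SAMPLE_LOG):
        print(f"{severity}: {note}\n    {line}")
```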
Thank you, Mr. anonymous.

So why am I getting sending keep alive, and why can't I ping the internal IP of my tunnel? Am I doing something wrong?

Can you help me with this issue?

Can you ping GRE tunnel end points from both sides?
by anonymous
No, I can't.

But in the NHRP table on my Cisco hub, I can see the public IP of my spoke, but the status is IDLE, and I don't know why either.
Maybe you have other spokes connected to the HUB, just to compare whether you are missing something in the configuration? Also, maybe you are using Cisco authentication on NHRP? RUT9 is not capable of using NHRP authentication at this moment.
by anonymous
Yes, I have another spoke (just one) connected to the hub. No, I'm not using NHRP authentication.

I really don't understand, but I feel that I'm getting closer, because now, after some modifications, I can see the tunnel up and active, but I cannot ping.
by anonymous
Can I share my scenario with you? Just to give you more detail of what exactly is going on.
by anonymous
Could you send a troubleshoot of the RUT and a snippet of the Cisco hub configuration to me via private message?
by anonymous

Mr. anonymous, what do you think?

by anonymous
Sorry, I didn't notice that I was logged out of my account; I was the anonymous :)
by anonymous
Let me share my scenario with you:

In the RUT955 I have a SIM card without a public IP (because it's a NAT) and this SIM card is my WAN interface.