Helping a partner agency troubleshoot a down VPN between our SRX240 and their Cisco C3850

One of our partner agencies did an IOS upgrade on their Cisco C3850, after which the site-2-site vpn between us won't come back up. From troubleshooting at our end, it looks like a phase 2 issue and most likely some options or defaults have changed on the Cisco 3850. I'm most suspicious of the transform set. On our SRX, the ike sa is up, but the ipsec sa is not.

Our log messages:

Jan 19 10:10:12  CCOM-External kmd[1429]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: WL-VPN Gateway: WL-Gate, Local: 10.37.253.57/500, Remote: 10.37.253.58/500, Local IKE-ID: 10.37.253.57, Remote IKE-ID: 10.37.253.58, VR-ID: 0

Our IPSEC settings:

set security ipsec proposal IPSEC-proposal1 protocol esp
set security ipsec proposal IPSEC-proposal1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-proposal1 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-policy1 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-policy1 proposals IPSEC-proposal1
set security ipsec vpn WL-VPN bind-interface st0.0
set security ipsec vpn WL-VPN ike gateway WL-Gate
set security ipsec vpn WL-VPN ike ipsec-policy IPSEC-policy1
set security ipsec vpn WL-VPN establish-tunnels immediately

And here's what they say their transform set is:

crypto ipsec transform-set County esp-aes 256 esp-sha-hmac
 mode tunnel
I didn't see anything in their configuration about PFS, but not sure if that's relevant. Is there more detailed debugging I can do on my end to help them figure out what's up?

Thanks...
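A "No proposal chosen" failure after IKE phase 1 succeeds is almost always a phase 2 attribute mismatch, and the two vendors spell the same algorithms differently, so comparing them by eye is error-prone. The script below is an added example, not code from the post or from either vendor: it normalises the SRX proposal/policy lines and the Cisco transform set onto one vocabulary and lists every attribute on which they disagree. The SRX lines are the ones quoted above; the Cisco side is a constructed sample that reuses the quoted transform set and adds a hypothetical crypto map (name `OUTSIDE`, sequence 10) with no `set pfs` line, because on IOS perfect forward secrecy is configured in the crypto map rather than in the transform set, so a transform set alone never shows it.

```python
"""Compare SRX phase-2 settings with a Cisco IOS transform set + crypto map.

Added example: the SRX lines are from the post, the Cisco crypto map is constructed.
"""
import re

# From the post (SRX side).
SRX_CONFIG = """\
set security ipsec proposal IPSEC-proposal1 protocol esp
set security ipsec proposal IPSEC-proposal1 authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-proposal1 encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-policy1 perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-policy1 proposals IPSEC-proposal1
"""

# Constructed: the quoted transform set plus a hypothetical crypto map without "set pfs".
CISCO_CONFIG = """\
crypto ipsec transform-set County esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map OUTSIDE 10 ipsec-isakmp
 set transform-set County
"""

# Vendor keywords mapped onto a shared vocabulary.
SRX_ENC = {"aes-128-cbc": "aes-128", "aes-192-cbc": "aes-192",
           "aes-256-cbc": "aes-256", "3des-cbc": "3des", "des-cbc": "des"}
SRX_AUTH = {"hmac-sha1-96": "sha1", "hmac-md5-96": "md5", "hmac-sha-256-128": "sha256"}
CISCO_ENC = {"esp-3des": "3des", "esp-des": "des"}   # esp-aes is handled separately (key size argument)
CISCO_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "esp-sha256-hmac": "sha256"}


def parse_srx(text):
    """Return normalised phase-2 parameters of the SRX ipsec policy in the given set-commands."""
    proposals, policy = {}, {}
    for line in text.splitlines():
        m = re.match(r"set security ipsec proposal (\S+) (\S+) (\S+)", line)
        if m:
            proposals.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
            continue
        m = re.match(r"set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)", line)
        if m:
            policy["pfs"] = m.group(2)
            continue
        m = re.match(r"set security ipsec policy (\S+) proposals (\S+)", line)
        if m:
            policy["proposal"] = m.group(2)
    prop = proposals[policy["proposal"]]
    enc, auth = prop.get("encryption-algorithm"), prop.get("authentication-algorithm")
    return {"protocol": prop.get("protocol"),
            "enc": SRX_ENC.get(enc, enc),
            "auth": SRX_AUTH.get(auth, auth),
            "pfs": policy.get("pfs")}


def parse_cisco(text):
    """Return normalised phase-2 parameters from a transform set and its crypto-map PFS setting."""
    result = {"protocol": None, "enc": None, "auth": None, "pfs": None}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set \S+ (.*)", line)
        if m:
            tokens = m.group(1).split()
            i = 0
            while i < len(tokens):
                tok = tokens[i]
                if tok == "esp-aes":
                    result["protocol"] = "esp"
                    # esp-aes takes an optional key size; IOS uses 128 when it is omitted
                    if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                        result["enc"] = "aes-" + tokens[i + 1]
                        i += 1
                    else:
                        result["enc"] = "aes-128"
                elif tok in CISCO_ENC:
                    result["protocol"] = "esp"
                    result["enc"] = CISCO_ENC[tok]
                elif tok in CISCO_AUTH:
                    result["auth"] = CISCO_AUTH[tok]
                i += 1
            continue
        m = re.match(r"\s*set pfs (\S+)", line)   # PFS lives in the crypto map, not the transform set
        if m:
            result["pfs"] = m.group(1)
    return result


def compare_phase2(srx, cisco):
    """List each attribute the peers disagree on; an empty list means the proposals line up."""
    mismatches = []
    for key in ("protocol", "enc", "auth", "pfs"):
        if srx.get(key) != cisco.get(key):
            mismatches.append(f"{key}: SRX={srx.get(key) or 'none'} Cisco={cisco.get(key) or 'none'}")
    return mismatches


if __name__ == "__main__":
    for item in compare_phase2(parse_srx(SRX_CONFIG), parse_cisco(CISCO_CONFIG)):
        print("MISMATCH", item)
```

Run against the quoted configurations, encryption, integrity and protocol agree and the only reported difference is PFS (`group5` on the SRX, absent on the Cisco side), which is exactly the attribute a transform set cannot show; asking the peer for the full `show crypto map` output, or adding `set pfs` to the sample, makes the comparison come out clean.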
