Re: PIX-Contivity VPN

From: tveillette (tveillette@myeastern.com)
Date: Wed Feb 19 2003 - 10:04:29 GMT-3

• Next message: Gary Duncanson: "RE: Anyone has any spare 3550 that they don't need"
• Previous message: OhioHondo: "RE: Framerelay /ATM traffic shaping"
• Next in thread: Le Dinh An: "Re: PIX-Contivity VPN"
• Maybe reply: Le Dinh An: "Re: PIX-Contivity VPN"
• Maybe reply: Le Dinh An: "Re: PIX-Contivity VPN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I believe the error relates to isakmp identity, so if you
don't have "isakmp identity address" on the PIX
try it with it, or if it is there then "no isakmp identity address".

-TV

----- Original Message -----
From: "Le Dinh An" <anld@ispco.com.vn>
To: <ccielab@groupstudy.com>
Sent: Wednesday, February 19, 2003 3:21 AM
Subject: OT: PIX-Contivity VPN

> Hi group,
>
> I'm working on a VPN between PIX and Nortel Contivity. Everything seems
> to be fine to me, all the atts are acceptable and isakmp sa is
> authenticated but there is an INVALID_ID_INFO error and the tunnel can
> not be created. I think this is a specific compibility problem between
> PIX and Nortel and I'm sure there's some VPN guru out there will show me
> how to solve this.
>
> Below is the relevant config and debug output.
>
> TIA,
> An.
>
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> crypto map mymap 10 ipsec-isakmp
> crypto map mymap 10 match address 100
> crypto map mymap 10 set peer 10.64.10.16
> crypto map mymap 10 set transform-set myset
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key ******** address 10.64.10.16 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
>
> 00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) MM_KEY_EXCH
> 00:11:12: ISAKMP (0:2): processing ID payload. message ID = 0
> 00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 0
> 00:11:12: ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1
> spi 0, message ID = 0, sa = 820E4A78
> 00:11:12: ISAKMP (0:2): SA has been authenticated with 10.64.10.16
> 00:11:12: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 1747508411
> 00:11:12: ISAKMP (0:2): sending packet to 10.64.10.16 (I) QM_IDLE
> 00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) QM_IDLE
> 00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 384019695
> 00:11:12: ISAKMP (0:2): processing NOTIFY INVALID_ID_INFO protocol 3
> spi 1151687046, message ID = 384019695, sa = 820E4A78
> 00:11:12: ISAKMP (0:2): deleting spi 1151687046 message ID = 1747508411
> 00:11:12: ISAKMP (0:2): deleting node 1747508411 error TRUE reason
> "delete_larval"
> 00:11:12: ISAKMP (0:2): deleting node 384019695 error FALSE reason
> "informational (in) state 1"
>
> --
> Le Dinh An
> Network Consultant
> Phone: 84 913 100 478

• Next message: Gary Duncanson: "RE: Anyone has any spare 3550 that they don't need"
• Previous message: OhioHondo: "RE: Framerelay /ATM traffic shaping"
• Next in thread: Le Dinh An: "Re: PIX-Contivity VPN"
• Maybe reply: Le Dinh An: "Re: PIX-Contivity VPN"
• Maybe reply: Le Dinh An: "Re: PIX-Contivity VPN"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:30 GMT-3