Re: PIX-Contivity VPN

From: Le Dinh An (anld@ispco.com.vn)
Date: Fri Feb 21 2003 - 01:22:51 GMT-3


Hi Friends,

Thanks for your reply.
But ironically, when I tried your suggestions this morning, I got a
different error! The ISAKMP SA cannot be authenticated anymore, and I
receive a "request timer fired" error message as below. None of the router
and firewall configs were changed, and I even erased and reconfigured the
PIX; it doesn't help. What could be the problem here?

Again, thanks for your time.
An.

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
IPSEC(key_engine): request timer fired: count = 1,
...
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
ISAKMP (0): deleting SA: src 10.64.10.16, dst 10.64.10.15
ISADB: reaper checking SA 0x812958e0, conn_id = 0  DELETE IT!

VPN Peer: ISAKMP: Peer ip:10.64.10.15 Ref cnt decremented to:0 Total VPN
Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:10.64.10.15 Total VPN peers:0
crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
IPSEC(key_engine): request timer fired: count = 2,

tveillette wrote:

  I believe the error relates to isakmp identity, so if you
  don't have "isakmp identity address" on the PIX
  try it with it, or if it is there then "no isakmp identity address".
  
  -TV
  
  ----- Original Message -----
  From: "Le Dinh An" <anld@ispco.com.vn>
  To: <ccielab@groupstudy.com>
  Sent: Wednesday, February 19, 2003 3:21 AM
  Subject: OT: PIX-Contivity VPN

    Hi group,
    
    I'm working on a VPN between PIX and Nortel Contivity. Everything seems
    to be fine to me, all the atts are acceptable and the isakmp sa is
    authenticated, but there is an INVALID_ID_INFO error and the tunnel
    cannot be created. I think this is a specific compatibility problem between
    PIX and Nortel, and I'm sure there's some VPN guru out there who will show me
    how to solve this.
    
    Below is the relevant config and debug output.
    
    TIA,
    An.
    
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 100
    crypto map mymap 10 set peer 10.64.10.16
    crypto map mymap 10 set transform-set myset
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address 10.64.10.16 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    
    00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) MM_KEY_EXCH
    00:11:12: ISAKMP (0:2): processing ID payload. message ID = 0
    00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 0
    00:11:12: ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1
            spi 0, message ID = 0, sa = 820E4A78
    00:11:12: ISAKMP (0:2): SA has been authenticated with 10.64.10.16
    00:11:12: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 1747508411
    00:11:12: ISAKMP (0:2): sending packet to 10.64.10.16 (I) QM_IDLE
    00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) QM_IDLE
    00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 384019695
    00:11:12: ISAKMP (0:2): processing NOTIFY INVALID_ID_INFO protocol 3
            spi 1151687046, message ID = 384019695, sa = 820E4A78
    00:11:12: ISAKMP (0:2): deleting spi 1151687046 message ID = 1747508411
    00:11:12: ISAKMP (0:2): deleting node 1747508411 error TRUE reason
    "delete_larval"
    00:11:12: ISAKMP (0:2): deleting node 384019695 error FALSE reason
    "informational (in) state 1"
    
    --
    Le Dinh An
    Network Consultant
    Phone: 84 913 100 478

-- 
Le Dinh An
Network Consultant
Phone: 84 913 100 478
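The two debug excerpts in this thread fail at different points: the original post gets through main mode and is rejected in quick mode with INVALID_ID_INFO (the peer did not accept the proxy identities), while the follow-up never completes main mode and keeps firing the request timer. The script below is an added triage helper, not code from the thread or from Cisco; it walks "debug crypto isakmp" output, records the furthest IKEv1 milestone reached and the first failure signature, and prints a hint. The milestone and failure strings are taken from the debug lines quoted above; the hints are general IKEv1 troubleshooting guidance, and the two sample captures are constructed from lines in this thread.

```python
import re

# Milestones of an IKEv1 negotiation, in order, as they appear in PIX/IOS
# "debug crypto isakmp" output (strings taken from the thread's excerpts).
MILESTONES = [
    ("atts are acceptable",           "phase1: proposal accepted"),
    ("SA has been authenticated",     "phase1: authenticated"),
    ("beginning Quick Mode exchange", "phase2: quick mode started"),
]

# Failure signatures and the general IKEv1 hint each one suggests.
FAILURES = [
    (re.compile(r"NOTIFY INVALID_ID_INFO protocol \d+"),
     "peer rejected the IPsec proxy identities: compare the crypto map's "
     "match-address ACL with the networks configured on the peer"),
    (re.compile(r"retransmitting phase 1|request timer fired: count = \d+"),
     "no usable reply during main mode: check reachability on UDP/500, the "
     "pre-shared key for this peer and the isakmp identity type on both ends"),
]

def triage(debug_text):
    """Return the furthest stage reached, the first failure seen and a hint."""
    stage, failure, hint, retransmits, reached = "phase1: not started", None, None, 0, 0
    for line in debug_text.splitlines():
        for idx, (marker, label) in enumerate(MILESTONES, start=1):
            if marker in line and idx > reached:      # only ever move forward
                reached, stage = idx, label
        for pattern, advice in FAILURES:
            m = pattern.search(line)
            if m is None:
                continue
            if "retransmitting" in line or "request timer fired" in line:
                retransmits += 1                      # count main-mode retries
            if failure is None:                       # keep the first failure only
                failure, hint = m.group(0), advice
    return {"stage": stage, "failure": failure, "hint": hint, "retransmits": retransmits}

# Constructed samples built from the debug lines quoted in this thread.
PHASE2_SAMPLE = """ISAKMP (0:2): SA has been authenticated with 10.64.10.16
ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 1747508411
ISAKMP (0:2): processing NOTIFY INVALID_ID_INFO protocol 3
ISAKMP (0:2): deleting node 1747508411 error TRUE reason "delete_larval"
"""
PHASE1_SAMPLE = """ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): retransmitting phase 1...
IPSEC(key_engine): request timer fired: count = 1,
IPSEC(key_engine): request timer fired: count = 2,
ISAKMP (0): deleting SA: src 10.64.10.16, dst 10.64.10.15
"""

if __name__ == "__main__":
    for name, sample in (("original post", PHASE2_SAMPLE), ("follow-up", PHASE1_SAMPLE)):
        print(name, triage(sample))
```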


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:31 GMT-3