Re: PIX-Contivity VPN

From: Le Dinh An (anld@ispco.com.vn)
Date: Fri Feb 21 2003 - 04:24:10 GMT-3


Hi all,
Please disregard my last message; I entered the wrong key for the remote
peer. I should have my eyes checked! :-)
Still working on it, with no luck though.

Thanks,
An.

Le Dinh An wrote:

> Hi Friends,
>
>Thanks for your reply.
>But ironically, when I tried your suggestions this morning, I got a
>different error! The isakmp sa cannot be authenticated anymore, and I
>receive a request timer fired error message as below. All the router and
>firewall configs are unchanged, and I even erased and reconfigured the PIX,
>but it doesn't help. What could be the problem here?
>
>Again, thanks for your time.
>An.
>
>ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
>ISAKMP:      encryption 3DES-CBC
>ISAKMP:      hash MD5
>ISAKMP:      default group 2
>ISAKMP:      auth pre-share
>ISAKMP:      life type in seconds
>ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
>ISAKMP (0): atts are acceptable. Next payload is 0
>ISAKMP (0): SA is doing pre-shared key authentication using id type
>ID_IPV4_ADDR
>return status is IKMP_NO_ERROR
>crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
>OAK_MM exchange
>ISAKMP (0): processing KE payload. message ID = 0
>
>ISAKMP (0): processing NONCE payload. message ID = 0
>
>ISAKMP (0): ID payload
>        next-payload : 8
>        type         : 1
>        protocol     : 17
>        port         : 500
>        length       : 8
>ISAKMP (0): Total payload length: 12
>return status is IKMP_NO_ERROR
>ISAKMP (0): retransmitting phase 1...
>crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
>IPSEC(key_engine): request timer fired: count = 1,
> ...
>crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
>ISAKMP (0): deleting SA: src 10.64.10.16, dst 10.64.10.15
>ISADB: reaper checking SA 0x812958e0, conn_id = 0  DELETE IT!
>
>VPN Peer: ISAKMP: Peer ip:10.64.10.15 Ref cnt decremented to:0 Total VPN
>Peers:1
>VPN Peer: ISAKMP: Deleted peer: ip:10.64.10.15 Total VPN peers:0
>crypto_isakmp_process_block: src 10.64.10.15, dest 10.64.10.16
>IPSEC(key_engine): request timer fired: count = 2,
>
>tveillette wrote:
>
> I believe the error relates to isakmp identity, so if you
> don't have "isakmp identity address" on the PIX
> try it with it, or if it is there then "no isakmp identity address".
>
> -TV
>
> ----- Original Message -----
> From: "Le Dinh An" <anld@ispco.com.vn>
> To: <ccielab@groupstudy.com>
> Sent: Wednesday, February 19, 2003 3:21 AM
> Subject: OT: PIX-Contivity VPN
>
> Hi group,
>
> I'm working on a VPN between a PIX and a Nortel Contivity. Everything seems
> fine to me, all the atts are acceptable and the isakmp sa is
> authenticated, but there is an INVALID_ID_INFO error and the tunnel cannot
> be created. I think this is a specific compatibility problem between
> PIX and Nortel, and I'm sure there's some VPN guru out there who will show me
> how to solve this.
>
> Below is the relevant config and debug output.
>
> TIA,
> An.
>
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> crypto map mymap 10 ipsec-isakmp
> crypto map mymap 10 match address 100
> crypto map mymap 10 set peer 10.64.10.16
> crypto map mymap 10 set transform-set myset
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key ******** address 10.64.10.16 netmask 255.255.255.255
> isakmp identity address
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
>
> 00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) MM_KEY_EXCH
> 00:11:12: ISAKMP (0:2): processing ID payload. message ID = 0
> 00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 0
> 00:11:12: ISAKMP (0:2): processing NOTIFY INITIAL_CONTACT protocol 1
> spi 0, message ID = 0, sa = 820E4A78
> 00:11:12: ISAKMP (0:2): SA has been authenticated with 10.64.10.16
> 00:11:12: ISAKMP (0:2): beginning Quick Mode exchange, M-ID of 1747508411
> 00:11:12: ISAKMP (0:2): sending packet to 10.64.10.16 (I) QM_IDLE
> 00:11:12: ISAKMP (0:2): received packet from 10.64.10.16 (I) QM_IDLE
> 00:11:12: ISAKMP (0:2): processing HASH payload. message ID = 384019695
> 00:11:12: ISAKMP (0:2): processing NOTIFY INVALID_ID_INFO protocol 3
> spi 1151687046, message ID = 384019695, sa = 820E4A78
> 00:11:12: ISAKMP (0:2): deleting spi 1151687046 message ID = 1747508411
> 00:11:12: ISAKMP (0:2): deleting node 1747508411 error TRUE reason
> "delete_larval"
> 00:11:12: ISAKMP (0:2): deleting node 384019695 error FALSE reason
> "informational (in) state 1"
>
> --
> Le Dinh An
> Network Consultant
> Phone: 84 913 100 478

-- 
Le Dinh An
Network Consultant
Phone: 84 913 100 478


This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:31 GMT-3