Velocity Reviews

Cisco forum thread: PIX to Nortel VPN tunnel (http://www.velocityreviews.com/forums/t368939-pix-to-nortel-vpn-tunnel.html)

yellow 09-06-2006 02:54 PM

PIX to Nortel VPN tunnel
 
Hi,

Has anyone tried to build a VPN tunnel between a PIX and a Nortel? One of my
branch offices needs to build a VPN tunnel with a Nortel box. I set the
following profile:

isakmp - 3DES/SHA/DH G2/Pre-share key/lifetime 86400
ipsec - 3DES/SHA/PFS G2/lifetime 3600

When I type 'sh cry isa sa' on the PIX, I can see the ISAKMP SA
established, but I get the messages below; it looks like the profile does not
match the Nortel box. Can anyone tell me how to configure the tunnel
with the Nortel box? x.x.x.x is the peer gateway IP and y.y.y.y is the branch
office address:

ISADB: reaper checking SA 0x12f645c, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x

ISAKMP (0): deleting SA: src x.x.x.x, dst y.y.y.y
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 26
ISAKMP (0): Total payload length: 30
return status is IKMP_NO_ERROR
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:2 Total VPN Peers:4
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP: error, msg not encrypted
ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x12f645c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:1 Total VPN Peers:4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x

ISADB: reaper checking SA 0x13a811c, conn_id = 0
ISADB: reaper checking SA 0x13a9804, conn_id = 0
ISADB: reaper checking SA 0x13b0af4, conn_id = 0
ISADB: reaper checking SA 0x13c1a54, conn_id = 0
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

Any thoughts ?


mcaissie 09-06-2006 03:45 PM

Re: PIX to Nortel VPN tunnel
 
"ISAKMP: error, msg not encrypted"

indicates that both sides cannot exchange the pre-shared key.

> ISAKMP (0): SA is doing pre-shared key authentication using id type
> ID_FQDN

indicates that the PIX is sending its identity using a hostname. Identity
authentication must be the same on both sides, and I think the default on the
Contivity is by IP address.

I would try to add the following command on the PIX

isakmp identity address


"yellow" <fogqb@hotmail.com> wrote in message
news:1157554467.410398.58050@h48g2000cwc.googlegroups.com...


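The debug output in the original post, read the way this reply reads it, as an added example (my own code, not from either poster): one Python pass over PIX `debug crypto isakmp` lines that records which peer transform matched the PIX policy, the identity type the PIX used, and whether a cleartext message arrived after the SA was already authenticated. SAMPLE_LOG is a constructed condensation of the lines yellow posted. The reading it applies, that "SA has been authenticated" means the PIX verified the peer's HASH_I with its own copy of the pre-shared key, and that the cleartext message which followed is the peer's error notify after rejecting the PIX's ID_FQDN identity, is the example's own interpretation of the log, consistent with the `isakmp identity address` suggestion above; the note on RESPONDER_LIFETIME follows RFC 2407 section 4.6.3.1.

```python
# Added example, not part of the thread: walk Cisco PIX `debug crypto isakmp`
# output for one IKEv1 main-mode negotiation and report where it broke.
# SAMPLE_LOG is a constructed condensation of the lines in the original post.
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth pre-share
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP: error, msg not encrypted
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority \d+ policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|hash|auth|default group) (.+)$")
ID_TYPE_RE = re.compile(r"using id type (\S+)")


@dataclass
class Transform:
    index: int
    attrs: dict = field(default_factory=dict)  # encryption / hash / auth / default group
    accepted: bool = False


@dataclass
class Phase1Report:
    transforms: list = field(default_factory=list)
    id_type: str | None = None
    initial_contact: bool = False
    authenticated: bool = False
    responder_lifetime: bool = False
    cleartext_after_auth: bool = False  # "msg not encrypted" seen once phase 1 had authenticated

    @property
    def accepted_transform(self) -> Transform | None:
        return next((t for t in self.transforms if t.accepted), None)


def parse_pix_isakmp(log: str) -> Phase1Report:
    """One pass over the debug lines, keeping only the main-mode state that matters."""
    r, cur = Phase1Report(), None
    for raw in log.splitlines():
        line = raw.strip()
        if m := TRANSFORM_RE.search(line):
            cur = Transform(int(m.group(1)))  # a new peer proposal is being checked
            r.transforms.append(cur)
        elif (m := ATTR_RE.match(line)) and cur is not None:
            cur.attrs[m.group(1)] = m.group(2)
        elif "atts are acceptable" in line and cur is not None:
            cur.accepted = True
            cur = None
        elif "atts are not acceptable" in line:
            cur = None
        elif m := ID_TYPE_RE.search(line):
            r.id_type = m.group(1)
        elif "INITIAL_CONTACT" in line:
            r.initial_contact = True
        elif "SA has been authenticated" in line:
            r.authenticated = True
        elif "RESPONDER_LIFETIME" in line:
            r.responder_lifetime = True
        elif "msg not encrypted" in line:
            r.cleartext_after_auth = r.authenticated  # only telling once the peer was verified
    return r


def diagnose(r: Phase1Report) -> list[tuple[str, str]]:
    """(code, explanation) findings in negotiation order."""
    acc = r.accepted_transform
    if acc is None:
        out = [("P1_POLICY_MISMATCH", f"none of the peer's {len(r.transforms)} transforms matched an isakmp policy")]
    else:
        a = acc.attrs
        out = [("P1_POLICY_OK", f"transform {acc.index}: {a.get('encryption')}/{a.get('hash')}/{a.get('auth')}/group {a.get('default group')}")]
    if r.initial_contact:
        out.append(("INITIAL_CONTACT", "peer restarted; the PIX flushing its old SAs with that peer is expected, not an error"))
    if r.responder_lifetime:
        out.append(("LIFETIME_NOTIFY", "PIX as responder announced the ISAKMP lifetime it will use (RFC 2407 4.6.3.1); lifetimes need not match, the shorter one wins"))
    if r.cleartext_after_auth:
        out.append(("PEER_REJECTED_AFTER_AUTH", "PIX verified the peer's HASH_I, so the PSK worked inbound; the cleartext message after MM6 is typically the peer's error notify for the PIX's ID or its own key lookup"))
        if r.id_type == "ID_FQDN":
            out.append(("ID_TYPE_FQDN", "PIX identified itself by hostname; a peer keyed by IP address will not match it: set 'isakmp identity address'"))
    return out
```

Run `diagnose(parse_pix_isakmp(SAMPLE_LOG))` and the findings come out in the order the exchange happened, so the first one that is not informational is the point to fix; on the posted log that is the ID_FQDN identity, not the phase 1 policy, which matched on the peer's second transform.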


yellow 09-06-2006 04:01 PM

Re: PIX to Nortel VPN tunnel
 
Thanks for your comment.

Should the 'lifetime' parameter match exactly on both the PIX and the Nortel box? I
assume the two firewalls will negotiate and pick the lowest lifetime.

mcaissie wrote:

> "ISAKMP: error, msg not encrypted"
>
> indicates that both sides cannot exchange the pre-shared key.
>
> > ISAKMP (0): SA is doing pre-shared key authentication using id type
> > ID_FQDN
>
> indicates that the PIX is sending its identity using a hostname. Identity
> authentication must be the same on both sides, and I think the default on the
> Contivity is by IP address.
>
> I would try to add the following command on the PIX
>
> isakmp identity address



