pix - contivity ipsec negotiation failing.

Bill F
11-02-2003
peer v.v.v.v is a Nortel Contivity.
peer g.g.g.g is another PIX for which the tunnel is functioning.
Several questions:
1. Why are they attempting to use OAK_MM, which I assume is the Oakley
key protocol, and,
2. Why is XAUTH listed as a requested attribute?
Neither of these is selected on the Contivity as far as I can see from
a screenshot, anyway.
3. How do I know which isakmp policy each tunnel is using?
It's using the correct transform set, but how do I know which isakmp
policy is being used - could the isakmp policy have something to do with
the OAK_MM request?

*******************************************

crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated

ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 63.86.117.11. ID = 708333664
(0x2a385060)modecfg: sa: 1498e04, new mess id= 2a385060

return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:63.86.117.11/500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:v.v.v.v/500 Ref cnt incremented to:1 Total VPN
Peers:2
crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500

********************************************
# sh crypto isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
g.g.g.g 198.68.215.2 QM_IDLE 0 1
v.v.v.v 198.68.215.2 OAK_CONF_XAUTH 3 0

********************************************

# sh crypto map
#first one is a cisco client map entry
Crypto Map: "mymap" interfaces: { outside }
client authentication ias
..........

Crypto Map "mymap" 1 ipsec-isakmp
Peer = g.g.g.g
access-list 102; 8 elements
.............

Current peer: g.g.g.g
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ myset, }

Crypto Map "mymap" 2 ipsec-isakmp
Peer = v.v.v.v
access-list 104; 24 elements
........


Current peer: v.v.v.v
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ valencia, }

# the tunnel to v.v.v.v is using the correct transform set but how do I
# know which isakmp policy is being used - could the isakmp policy have
# something to do with the OAK_MM request?
**********************************************

my pix cfg

crypto ipsec transform-set myset esp-3des esp-sha-hmac
# below transform is for peer v.v.v.v
crypto ipsec transform-set valencia esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 1 set transform-set myset
crypto map mymap 2 ipsec-isakmp
crypto map mymap 2 match address 104
crypto map mymap 2 set peer v.v.v.v
crypto map mymap 2 set transform-set valencia
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication ias
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
# intended for peer v.v.v.
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash md5
isakmp policy 11 group 2
isakmp policy 11 lifetime 900

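Added example (editor's, not the poster's or Cisco's code): a small Python analyzer that reads the three artefacts quoted above (`sh crypto isakmp sa`, the isakmp debug, and the crypto-map / isakmp-key lines of the config) and explains per peer why a Phase 1 SA is not completing. Two facts it relies on: in PIX debug output `OAK_MM` is the state name for the IKE Phase 1 main-mode exchange, not a separate protocol; and on PIX 6.x `crypto map <name> client authentication <aaa-server>` applies XAUTH to every peer under that map, so a static site-to-site peer is challenged for `XAUTH_USER_NAME` / `XAUTH_USER_PASSWORD` unless its `isakmp key ... address ...` line carries the `no-xauth` (and usually `no-config-mode`) keywords. The sample inputs are constructed from the post's excerpts and keep its placeholder addresses; the `no-xauth` variant exercised in the check is an assumed remediation, not something the post shows.

```python
import re

# Constructed sample modelled on the post's "sh crypto isakmp sa" output
# (dotted-letter addresses are the poster's placeholders).
ISAKMP_SA_OUTPUT = """\
Total : 2
Embryonic : 0
dst src state pending created
g.g.g.g 198.68.215.2 QM_IDLE 0 1
v.v.v.v 198.68.215.2 OAK_CONF_XAUTH 3 0
"""

# Constructed excerpt of the isakmp debug for the failing peer.
DEBUG_OUTPUT = """\
crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
"""

# Constructed slice of the PIX config: only the lines that decide whether
# XAUTH is applied to a static peer.  Keys are masked as in the post.
PIX_CONFIG = """\
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 2 set peer v.v.v.v
crypto map mymap client authentication ias
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
"""

PEER_RE = re.compile(r"crypto_isakmp_process_block:src:(\S+),")
XAUTH_ATTR_RE = re.compile(r"ISAKMP/xauth: request attribute (\S+)")


def parse_isakmp_sa(text):
    """dst column -> {src, state, pending, created}.  The dst column is the
    remote peer when the PIX initiated, as in the post's output."""
    sas, in_table = {}, False
    for line in text.splitlines():
        f = line.split()
        if f[:3] == ["dst", "src", "state"]:
            in_table = True
        elif in_table and len(f) == 5:
            sas[f[0]] = {"src": f[1], "state": f[2],
                         "pending": int(f[3]), "created": int(f[4])}
    return sas


def parse_debug(text):
    """Remote peer -> {main_mode, xauth_attrs} from isakmp debug lines."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            cur = m.group(1)
            peers.setdefault(cur, {"main_mode": False, "xauth_attrs": []})
        elif cur is not None and line.startswith("OAK_MM"):
            peers[cur]["main_mode"] = True   # phase-1 main mode, not a protocol
        elif cur is not None and (m := XAUTH_ATTR_RE.search(line)):
            peers[cur]["xauth_attrs"].append(m.group(1))
    return peers


def parse_config(text):
    """Return (static_peers {peer: map}, maps with client authentication,
    peers whose isakmp key carries the PIX 6.x no-xauth keyword)."""
    static, xauth_maps, exempt = {}, set(), set()
    for line in text.splitlines():
        f = line.split()
        if f[:2] == ["crypto", "map"] and f[4:6] == ["set", "peer"]:
            static[f[6]] = f[2]
        elif f[:2] == ["crypto", "map"] and f[3:5] == ["client", "authentication"]:
            xauth_maps.add(f[2])
        elif f[:2] == ["isakmp", "key"] and "address" in f and "no-xauth" in f:
            exempt.add(f[f.index("address") + 1])
    return static, xauth_maps, exempt


def diagnose(sa_text, debug_text, config_text):
    """Per peer: 'established', 'stuck-in-xauth: ...', or 'incomplete: <state>'."""
    sas, debug = parse_isakmp_sa(sa_text), parse_debug(debug_text)
    static, xauth_maps, exempt = parse_config(config_text)
    verdicts = {}
    for peer, sa in sas.items():
        if sa["state"] == "QM_IDLE" and sa["created"] > 0:
            verdicts[peer] = "established"
        elif sa["state"] == "OAK_CONF_XAUTH":
            attrs = ", ".join(debug.get(peer, {}).get("xauth_attrs", [])) or "none seen"
            if static.get(peer) in xauth_maps and peer not in exempt:
                verdicts[peer] = ("stuck-in-xauth: map %s applies client authentication "
                                  "and the key for %s lacks no-xauth; requested %s"
                                  % (static[peer], peer, attrs))
            else:
                verdicts[peer] = "stuck-in-xauth: cause not visible in config; requested " + attrs
        else:
            verdicts[peer] = "incomplete: " + sa["state"]
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(ISAKMP_SA_OUTPUT, DEBUG_OUTPUT, PIX_CONFIG).items():
        print(peer, "->", verdict)
```

Run against the constructed inputs, g.g.g.g reports `established` (QM_IDLE with one SA created) and v.v.v.v reports `stuck-in-xauth`, naming the map that applies client authentication and the three XAUTH attributes the PIX asked for. Note that `pending 3 / created 0` for a peer that has already passed "SA has been authenticated" is the pattern to look for: Phase 1 proposal matching succeeded, so the isakmp policy is not the blocker; the SA is parked waiting for an XAUTH reply the far-end gateway will never send.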