Velocity Reviews > Newsgroups > Computing > Cisco > Ipsec VPN between Cisco IOS and Zywall

Ipsec VPN between Cisco IOS and Zywall

Tom Pouce
      06-29-2005
I'll try to establish a S2S-VPN between a Cisco IOS and a ZyWall.
While debugging they are negotiating, but then I got a "Main mode failed" error.

Anybody some idea or suggestions ?

tom dot lauwereins add ardatis dot com


Jun 29 11:56:28: ISAKMP (0:0): received packet from x.y.252.33 (N) NEW SA
Jun 29 11:56:28: ISAKMP: local port 500, remote port 500
Jun 29 11:56:28: ISAKMP (0:10): processing SA payload. message ID = 0
Jun 29 11:56:28: ISAKMP (0:10): found peer pre-shared key matching 81.241.252.33
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 10 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP: life type in seconds
Jun 29 11:56:28: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jun 29 11:56:28: ISAKMP (0:10): Encryption algorithm offered does not match policy!
Jun 29 11:56:28: ISAKMP (0:10): atts are not acceptable. Next payload is 0
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 20 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP: life type in seconds
Jun 29 11:56:28: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jun 29 11:56:28: ISAKMP (0:10): Diffie-Hellman group offered does not match policy!
Jun 29 11:56:28: ISAKMP (0:10): atts are not acceptable. Next payload is 0
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 25 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP: life type in seconds
Jun 29 11:56:28: ISAKMP: life duration (VPI) of 0x0 0x0 0x1C 0x20
Jun 29 11:56:28: ISAKMP (0:10): atts are acceptable. Next payload is 0
Jun 29 11:56:29: ISAKMP (0:10): processing vendor id payload
Jun 29 11:56:29: ISAKMP (0:10): processing vendor id payload
Jun 29 11:56:29: ISAKMP (0:10): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Jun 29 11:56:29: ISAKMP (0:10): sending packet to x.y.252.33 (R) MM_SA_SETUP
Jun 29 11:56:31: ISAKMP (0:10): received packet from x.y.252.33 (R) MM_SA_SETUP
Jun 29 11:56:31: ISAKMP (0:10): processing KE payload. message ID = 0
Jun 29 11:56:31: ISAKMP (0:10): processing NONCE payload. message ID = 0
Jun 29 11:56:31: ISAKMP (0:10): found peer pre-shared key matching 81.241.252.33
Jun 29 11:56:31: ISAKMP (0:10): SKEYID state generated
Jun 29 11:56:31: ISAKMP:received payload type 0
Jun 29 11:56:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at x.y.252.33
Jun 29 11:56:31: ISAKMP (0:10): incrementing error counter on sa: reset_retransmission
Jun 29 11:56:32: ISAKMP (0:10): retransmitting phase 1 MM_SA_SETUP...
Jun 29 11:56:32: ISAKMP (0:10): incrementing error counter on sa: retransmit phase 1
Jun 29 11:56:32: ISAKMP (0:10): retransmitting phase 1 MM_SA_SETUP
Jun 29 11:56:32: ISAKMP (0:10): sending packet to x.y.252.33 (R) MM_SA_SETUP
Jun 29 11:56:35: ISAKMP (0:10): received packet from x.y.252.33 (R) MM_SA_SETUP
Jun 29 11:56:35: ISAKMP (0:10): processing KE payload. message ID = 0
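Added example, not code from the post or from Cisco: a small Python parser run over a constructed excerpt of the "debug crypto isakmp" output above, reporting for each policy check what the peer offered and why the policy was rejected, and whether a main mode failure followed.

```python
import re

# Constructed excerpt modelled on the debug output quoted above (lifetime lines dropped).
SAMPLE_DEBUG = """\
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 10 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP (0:10): Encryption algorithm offered does not match policy!
Jun 29 11:56:28: ISAKMP (0:10): atts are not acceptable. Next payload is 0
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 20 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP (0:10): Diffie-Hellman group offered does not match policy!
Jun 29 11:56:28: ISAKMP (0:10): atts are not acceptable. Next payload is 0
Jun 29 11:56:28: ISAKMP (0:10): Checking ISAKMP transform 1 against priority 25 policy
Jun 29 11:56:28: ISAKMP: encryption 3DES-CBC
Jun 29 11:56:28: ISAKMP: hash MD5
Jun 29 11:56:28: ISAKMP: auth pre-share
Jun 29 11:56:28: ISAKMP: default group 2
Jun 29 11:56:28: ISAKMP (0:10): atts are acceptable. Next payload is 0
Jun 29 11:56:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at x.y.252.33
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"ISAKMP: (encryption|hash|auth|default group) (.+)$")
REJECT_RE = re.compile(r"\): (.+?) offered does not match policy!")

def summarize_phase1(debug_text):
    """Return (checks, mode_failed): one dict per 'Checking ... policy' block with the
    offered attributes and the result, plus whether an IKMP_MODE_FAILURE was logged."""
    checks, current, mode_failed = [], None, False
    for line in debug_text.splitlines():
        if "%CRYPTO-6-IKMP_MODE_FAILURE" in line:
            mode_failed = True
        elif m := CHECK_RE.search(line):
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "offered": {}, "result": None}
            checks.append(current)
        elif current is not None and (m := ATTR_RE.search(line)):
            current["offered"][m.group(1)] = m.group(2).strip()
        elif current is not None and (m := REJECT_RE.search(line)):
            current["result"] = "rejected: " + m.group(1)   # e.g. "Encryption algorithm"
        elif current is not None and "atts are acceptable" in line:
            current["result"] = "accepted"
    return checks, mode_failed
```

Applied to the full debug in the post, the checks end with "accepted" for the priority 25 policy and the failure only appears after "SKEYID state generated", which points away from a phase 1 attribute mismatch and towards a later main mode step (a pre-shared key that differs on the two ends is a common cause of that pattern).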
Walter Roberson
      06-29-2005
In article <(E-Mail Removed)>,
Tom Pouce <(E-Mail Removed)> wrote:
:I'll try to establish a S2S-VPN between a Cisco IOS and a ZyWall

:Jun 29 11:56:31: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at x.y.252.33

According to
http://www.cisco.com/en/US/tech/tk58...800949c5.shtml

that message "suggests" that the phase 1 policies do not match between
the two ends.


In my experience, a policy mismatch can happen if the policies are in
a different order between the two machines. Each side chooses the
first policy offered by the other that is acceptable to the local side.
If there are two policies which are acceptable to both, but the order
is different between them, then the two might choose different policies.
--
Look out, there are llamas!
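Added example (not code from the thread, Cisco or ZyXEL): a Python model of the IKEv1 phase 1 selection order visible in the debug, used to show Walter's point that the agreed policy can depend on which side initiates when the two policy lists are mutually acceptable but ordered differently. The router policies and the ZyWall proposal are constructed to mirror the rejections seen above.

```python
def policy(priority, encryption, hash_, auth, group, lifetime):
    return {"priority": priority, "encryption": encryption, "hash": hash_,
            "auth": auth, "group": group, "lifetime": lifetime}

# Constructed router policies: priority 10 rejects on encryption, 20 on DH group,
# 25 accepts 3DES/MD5/pre-share/group 2, the pattern seen in the debug output.
ROUTER_POLICIES = [
    policy(10, "AES-CBC", "SHA", "pre-share", 2, 86400),
    policy(20, "3DES-CBC", "MD5", "pre-share", 5, 86400),
    policy(25, "3DES-CBC", "MD5", "pre-share", 2, 86400),
]
# Constructed ZyWall proposal: group 2 first (lifetime 0x1C20 = 7200 s as in the debug), then group 5.
ZYWALL_PROPOSAL = [
    policy(1, "3DES-CBC", "MD5", "pre-share", 2, 7200),
    policy(2, "3DES-CBC", "MD5", "pre-share", 5, 7200),
]

def matches(offered, local):
    """Acceptable when the four negotiated attributes are identical. Lifetime is not a
    match criterion: Cisco's documented behaviour is to use the shorter of the two."""
    return all(offered[k] == local[k] for k in ("encryption", "hash", "auth", "group"))

def responder_choice(offered_transforms, local_policies):
    """Order seen in the debug above: each offered transform, in the initiator's order,
    is checked against the local policies in priority order; the first hit wins."""
    for index, transform in enumerate(offered_transforms, start=1):
        for local in sorted(local_policies, key=lambda p: p["priority"]):
            if matches(transform, local):
                return {"transform": index, "priority": local["priority"],
                        "group": local["group"],
                        "lifetime": min(transform["lifetime"], local["lifetime"])}
    return None  # nothing in common: IOS logs "atts are not acceptable" for every policy

def outcome_by_initiator(side_a, side_b):
    """What is agreed when A initiates versus when B initiates. With both lists mutually
    acceptable but ordered differently, the two outcomes differ (Walter's point)."""
    return responder_choice(side_a, side_b), responder_choice(side_b, side_a)
```

With these lists the ZyWall initiating ends on the router's priority 25 policy with DH group 2, while the router initiating ends on group 5, so the same pair of peers lands on different phase 1 parameters depending on who brings the tunnel up.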
AM
      06-29-2005
> In my experience, a policy mismatch can happen if the policies are in
> a different order between the two machines. Each side chooses the
> first policy offered by the other that is acceptable to the local side.
> If there are two policies which are acceptable to both, but the order
> is different between them, then the two might choose different policies.


Hi Walter,

could what you said cause one-direction tunnels?
For all the NG users: I'm talking about the thread named "PIX VPNs timeouts" posted on June 21st.

Thanks,

Alex.
Walter Roberson
      06-29-2005
In article <vjzwe.28375$(E-Mail Removed)>, AM <(E-Mail Removed)> wrote:
:> In my experience, a policy mismatch can happen if the policies are in
:> a different order between the two machines.

:could what you told cause one direction tunnels?
:For all of this NG users I'm talking about thread named "PIX VPNs timeouts" posted on June 21st.

Hmmm, I'm not sure, but I don't think so -- I don't think the devices
will attempt to negotiate Phase 2 until they have agreed on Phase 1.

I would tend to suspect the unidirectional tunnel problem you are
encountering is a problem with routing or filtering, but the debugs
and log messages would be needed to get further on that.
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler