pix-nortel contivity ipsec failing

Discussion in 'Cisco' started by Rik Bain, Nov 2, 2003.

  1. Rik Bain

    Rik Bain Guest

    Try using "no-xauth no-config-mode" at the end of the ISAKMP key...?


    On Mon, 03 Nov 2003 03:37:21 +0600, Bill F wrote:

    > peer v.v.v.v is a nortel contivity.
    >
    > peer g.g.g.g is another pix for which the tunnel is functioning
    > several questions
    > 1. why are they attempting to use OAK_MM, which I assume is the Oakley
    > key protocol, and, (actually I guess this is part of the IKE stack)
    > 2. why is XAUTH listed as a requested attribute?
    > Neither of these are selected on the contivity as far as I can see from
    > a screenshot, anyway.
    > 3. how do I know which isakmp policy each tunnel is using?
    > It's using the correct transform set but how do I know which isakmp
    > policy is being used - could the isakmp policy have something to do with
    > the OAK_MM request?
    >
    > *******************************************
    >
    > crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
    > OAK_MM exchange
    > ISAKMP (0): processing ID payload. message ID = 0
    > ISAKMP (0): processing HASH payload. message ID = 0
    > ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    > spi 0, message ID = 0
    > ISAKMP (0): processing notify INITIAL_CONTACT
    > ISAKMP (0): SA has been authenticated
    >
    > ISAKMP (0:0): Need XAUTH
    > ISAKMP/xauth: request attribute XAUTH_TYPE
    > ISAKMP/xauth: request attribute XAUTH_USER_NAME
    > ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    > ISAKMP (0:0): initiating peer config to v.v.v.v ID = 708333664
    > (0x2a385060)modecfg: sa: 1498e04, new mess id= 2a385060
    >
    > return status is IKMP_NO_ERROR
    > VPN Peer: ISAKMP: Added new peer: ip:v.v.v.v/500 Total VPN Peers:2
    > VPN Peer: ISAKMP: Peer ip:v.v.v.v/500 Ref cnt incremented to:1 Total VPN
    > Peers:2
    > crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
    >
    > ********************************************
    > # sh crypto isakmp sa
    > Total : 2
    > Embryonic : 0
    > dst src state pending created
    > g.g.g.g a.a.a.a QM_IDLE 0 1
    > v.v.v.v a.a.a.a OAK_CONF_XAUTH 3 0
    >
    > ********************************************
    >
    > # sh crypto map
    > #first one is a cisco client map entry
    > Crypto Map: "mymap" interfaces: { outside }
    > client authentication ias
    > .........
    >
    > Crypto Map "mymap" 1 ipsec-isakmp
    > Peer = g.g.g.g
    > access-list 102; 8 elements
    > ............
    >
    > Current peer: g.g.g.g
    > Security association lifetime: 4608000 kilobytes/28800 seconds
    > PFS (Y/N): N
    > Transform sets={ myset, }
    >
    > Crypto Map "mymap" 2 ipsec-isakmp
    > Peer = v.v.v.v
    > access-list 104; 24 elements
    > .......
    >
    >
    > Current peer: v.v.v.v
    > Security association lifetime: 4608000 kilobytes/28800 seconds
    > PFS (Y/N): N
    > Transform sets={ valencia, }
    >
    > #the tunnel to v.v.v.v is using the correct transform set but how do I
    > know which isakmp #policy is being used - could the isakmp policy have
    > something to do #with the OAK_MM request?
    > **********************************************
    >
    > my pix cfg
    >
    > crypto ipsec transform-set myset esp-3des esp-sha-hmac
    > # below transform is for peer v.v.v.v
    > crypto ipsec transform-set valencia esp-3des esp-md5-hmac
    > crypto dynamic-map dynmap 10 set transform-set myset
    > crypto map mymap 1 ipsec-isakmp
    > crypto map mymap 1 match address 102
    > crypto map mymap 1 set peer g.g.g.g
    > crypto map mymap 1 set transform-set myset
    > crypto map mymap 2 ipsec-isakmp
    > crypto map mymap 2 match address 104
    > crypto map mymap 2 set peer v.v.v.v
    > crypto map mymap 2 set transform-set valencia
    > crypto map mymap 10 ipsec-isakmp dynamic dynmap
    > crypto map mymap client authentication ias
    > crypto map mymap interface outside
    > isakmp enable outside
    > isakmp key ******** address g.g.g.g netmask 255.255.255.255
    > isakmp key ******** address v.v.v.v netmask 255.255.255.255
    > isakmp identity address
    > isakmp policy 10 authentication pre-share
    > isakmp policy 10 encryption 3des
    > isakmp policy 10 hash sha
    > isakmp policy 10 group 2
    > isakmp policy 10 lifetime 86400
    > # intended for peer v.v.v.v
    > isakmp policy 11 authentication pre-share
    > isakmp policy 11 encryption 3des
    > isakmp policy 11 hash md5
    > isakmp policy 11 group 2
    > isakmp policy 11 lifetime 900
     
    Rik Bain, Nov 2, 2003
    #1

  2. Bill F

    Bill F Guest

    peer v.v.v.v is a nortel contivity.

    peer g.g.g.g is another pix for which the tunnel is functioning
    several questions
    1. why are they attempting to use OAK_MM, which I assume is the Oakley
    key protocol, and, (actually I guess this is part of the IKE stack)
    2. why is XAUTH listed as a requested attribute?
    Neither of these are selected on the contivity as far as I can see from
    a screenshot, anyway.
    3. how do I know which isakmp policy each tunnel is using?
    It's using the correct transform set but how do I know which isakmp
    policy is being used - could the isakmp policy have something to do with
    the OAK_MM request?

    *******************************************

    crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): SA has been authenticated

    ISAKMP (0:0): Need XAUTH
    ISAKMP/xauth: request attribute XAUTH_TYPE
    ISAKMP/xauth: request attribute XAUTH_USER_NAME
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    ISAKMP (0:0): initiating peer config to v.v.v.v ID = 708333664
    (0x2a385060)modecfg: sa: 1498e04, new mess id= 2a385060

    return status is IKMP_NO_ERROR
    VPN Peer: ISAKMP: Added new peer: ip:v.v.v.v/500 Total VPN Peers:2
    VPN Peer: ISAKMP: Peer ip:v.v.v.v/500 Ref cnt incremented to:1 Total VPN
    Peers:2
    crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500

    ********************************************
    # sh crypto isakmp sa
    Total : 2
    Embryonic : 0
    dst src state pending created
    g.g.g.g a.a.a.a QM_IDLE 0 1
    v.v.v.v a.a.a.a OAK_CONF_XAUTH 3 0

    ********************************************

    # sh crypto map
    #first one is a cisco client map entry
    Crypto Map: "mymap" interfaces: { outside }
    client authentication ias
    ..........

    Crypto Map "mymap" 1 ipsec-isakmp
    Peer = g.g.g.g
    access-list 102; 8 elements
    .............

    Current peer: g.g.g.g
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ myset, }

    Crypto Map "mymap" 2 ipsec-isakmp
    Peer = v.v.v.v
    access-list 104; 24 elements
    ........


    Current peer: v.v.v.v
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ valencia, }

    #the tunnel to v.v.v.v is using the correct transform set but how do I
    know which isakmp #policy is being used - could the isakmp policy have
    something to do #with the OAK_MM request?
    **********************************************

    my pix cfg

    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    # below transform is for peer v.v.v.v
    crypto ipsec transform-set valencia esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 1 ipsec-isakmp
    crypto map mymap 1 match address 102
    crypto map mymap 1 set peer g.g.g.g
    crypto map mymap 1 set transform-set myset
    crypto map mymap 2 ipsec-isakmp
    crypto map mymap 2 match address 104
    crypto map mymap 2 set peer v.v.v.v
    crypto map mymap 2 set transform-set valencia
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication ias
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address g.g.g.g netmask 255.255.255.255
    isakmp key ******** address v.v.v.v netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    # intended for peer v.v.v.v
    isakmp policy 11 authentication pre-share
    isakmp policy 11 encryption 3des
    isakmp policy 11 hash md5
    isakmp policy 11 group 2
    isakmp policy 11 lifetime 900
     
    Bill F, Nov 2, 2003
    #2
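The exemption Rik suggests is a per-peer flag on the PIX 6.x pre-shared key entry. The posted configuration attaches "client authentication ias" to the whole crypto map "mymap", so every peer that terminates on that map, not only the VPN clients hitting the dynamic entry, is asked for XAUTH credentials once main mode completes; that is why the Contivity SA reaches "SA has been authenticated" (phase 1 policy negotiation already succeeded at that point) and then sits in OAK_CONF_XAUTH with requests pending. The script below is an added example, not code from either post: it scans the posted configuration (embedded here as constructed input, with the key string still masked), reports every static crypto-map peer whose "isakmp key" line lacks "no-xauth" and "no-config-mode", and emits the corrected line. Assumptions: the regular expressions cover only the exact PIX 6.x command forms that appear in the thread, and the working peer g.g.g.g is reported alongside v.v.v.v, because the two keywords are the documented way to exempt any LAN-to-LAN peer from XAUTH and IKE mode config regardless of how the far end happens to react.

```python
"""Flag PIX 6.x LAN-to-LAN IKE peers that will be pushed through XAUTH.

Added example for this thread, not code from either post.  It relies on
the documented PIX 6.x form
    isakmp key <key> address <peer> [netmask <mask>] [no-xauth] [no-config-mode]
and on the fact that 'crypto map <name> client authentication <server>'
applies XAUTH to every peer terminating on that map unless the peer's
key entry carries no-xauth (and no-config-mode for IKE mode config).
"""
import re
from dataclasses import dataclass

# Constructed input: the configuration posted in the thread, key string masked.
POSTED_CONFIG = """\
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set valencia esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 1 set transform-set myset
crypto map mymap 2 ipsec-isakmp
crypto map mymap 2 match address 104
crypto map mymap 2 set peer v.v.v.v
crypto map mymap 2 set transform-set valencia
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication ias
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
isakmp identity address
"""

# Only the command forms seen in the thread are recognised (assumption).
MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MAP_XAUTH = re.compile(r"^crypto map (\S+) client authentication \S+$")
ISAKMP_KEY = re.compile(
    r"^isakmp key (\S+) address (\S+)(?: netmask (\S+))?((?: no-xauth| no-config-mode)*)$"
)


@dataclass
class Finding:
    peer: str
    crypto_map: str
    original: str   # the isakmp key line as configured
    corrected: str  # the same line with both exemption keywords appended


def find_xauth_exposed_peers(config: str) -> list[Finding]:
    """Return static peers on an XAUTH-enabled map whose key entry lacks the exemptions."""
    xauth_maps: set[str] = set()
    static_peers: dict[str, str] = {}       # peer address -> crypto map name
    key_lines: dict[str, tuple] = {}        # peer address -> (line, key, mask, flags)
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_XAUTH.match(line):
            xauth_maps.add(m.group(1))
        elif m := MAP_PEER.match(line):
            static_peers[m.group(3)] = m.group(1)
        elif m := ISAKMP_KEY.match(line):
            key, peer, mask, flags = m.groups()
            key_lines[peer] = (line, key, mask, flags.split())

    findings: list[Finding] = []
    for peer, cmap in static_peers.items():
        if cmap not in xauth_maps or peer not in key_lines:
            continue  # no XAUTH on this map, or no address-keyed entry for the peer
        line, key, mask, flags = key_lines[peer]
        if "no-xauth" in flags and "no-config-mode" in flags:
            continue  # already exempted
        corrected = f"isakmp key {key} address {peer}"
        if mask:
            corrected += f" netmask {mask}"
        corrected += " no-xauth no-config-mode"
        findings.append(Finding(peer, cmap, line, corrected))
    return findings


def apply_fixes(config: str) -> str:
    """Rewrite the offending isakmp key lines; every other line is left untouched."""
    fixed = config
    for f in find_xauth_exposed_peers(config):
        fixed = fixed.replace(f.original, f.corrected)
    return fixed


if __name__ == "__main__":
    for f in find_xauth_exposed_peers(POSTED_CONFIG):
        print(f"peer {f.peer} on crypto map {f.crypto_map} will be asked for XAUTH:")
        print(f"  - {f.original}")
        print(f"  + {f.corrected}")
```

Run against the posted configuration it prints a corrected "isakmp key" line for both static peers; re-running it on the output of apply_fixes() reports nothing. On the question of which isakmp policy was matched: "show crypto isakmp sa" does not display it on PIX 6.x, but the same "debug crypto isakmp" output, earlier in the exchange than the lines quoted in the thread, reports the comparison of the peer's proposal against each local policy by priority number ("Checking ISAKMP transform ... against priority N policy" followed by "atts are acceptable" on the one that matched).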
