PIX to Nortel VPN tunnel

Discussion in 'Cisco' started by yellow, Sep 6, 2006.

  1. yellow

    yellow Guest

    Hi,

    Has anyone tried to build a VPN tunnel between a PIX and a Nortel? One of my
    branch offices needs to build a VPN tunnel with a Nortel box. I set the
    following profile:

    isakmp - 3DES/SHA/DH G2/Pre-share key/lifetime 86400
    ipsec - 3DES/SHA/PFS G2/lifetime 3600

    When I type 'sh cry isa sa' on the PIX, I can see the ISAKMP SA
    established, but I am getting the messages below; it looks like the profile
    does not match the Nortel box. Can anyone tell me how to configure the
    tunnel with the Nortel box? Here x.x.x.x is the peer gateway IP and y.y.y.y
    is the branch office address:

    ISADB: reaper checking SA 0x12f645c, conn_id = 0
    crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash MD5
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption 3DES-CBC
    ISAKMP: hash SHA
    ISAKMP: auth pre-share
    ISAKMP: default group 2
    ISAKMP (0): atts are acceptable. Next payload is 0
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): SA is doing pre-shared key authentication using id type
    ID_FQDN
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x

    ISAKMP (0): deleting SA: src x.x.x.x, dst y.y.y.y
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 8
    type : 2
    protocol : 17
    port : 500
    length : 26
    ISAKMP (0): Total payload length: 30
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:2 Total
    VPN Peers:4
    crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
    ISAKMP: error, msg not encrypted
    ISADB: reaper checking SA 0x13a811c, conn_id = 0
    ISADB: reaper checking SA 0x13a9804, conn_id = 0
    ISADB: reaper checking SA 0x13b0af4, conn_id = 0
    ISADB: reaper checking SA 0x12f645c, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt decremented to:1 Total
    VPN Peers:4
    IPSEC(key_engine): got a queue event...
    IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
    IPSEC(key_engine_delete_sas): delete all SAs shared with x.x.x.x

    ISADB: reaper checking SA 0x13a811c, conn_id = 0
    ISADB: reaper checking SA 0x13a9804, conn_id = 0
    ISADB: reaper checking SA 0x13b0af4, conn_id = 0
    ISADB: reaper checking SA 0x13c1a54, conn_id = 0
    crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

    Any thoughts?
    yellow, Sep 6, 2006
    #1

  2. mcaissie

    mcaissie Guest

    "ISAKMP: error, msg not encrypted"

    indicates that both sides cannot exchange the pre-shared key.

    > ISAKMP (0): SA is doing pre-shared key authentication using id type
    > ID_FQDN

    indicates that the PIX is sending its identity using a hostname. Identity
    authentication must be the same on both sides, and I think the default on
    the Contivity is by IP address.

    I would try to add the following command on the PIX

    isakmp identity address


    mcaissie, Sep 6, 2006
    #2
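    A PIX 6.x configuration for the profile yellow described (ISAKMP 3DES/SHA/DH
    group 2/pre-shared key/86400 s; IPsec 3DES/SHA/PFS group 2/3600 s) with
    mcaissie's `isakmp identity address` applied. This is an added example, not
    configuration posted in the thread. The interface name `outside`, the
    access-list and crypto-map names, the 10.1.1.0/24 (branch) and 10.2.2.0/24
    (Nortel side) subnets and the key string are assumptions; x.x.x.x stands for
    the Nortel peer as in the posts. In the posted debug, the peer's transform 2
    (3DES/SHA/pre-share/group 2) already matches policy 10 below, so the PIX-side
    change that addresses the failure is the identity line, not the proposal:

```text
: Phase 1 (ISAKMP). Identify this PIX by its outside IP address, not its
: hostname, so the Nortel can look up the pre-shared key by peer address.
isakmp enable outside
isakmp identity address
: Key string and peer address are assumptions; x.x.x.x is the Nortel gateway.
isakmp key MySharedSecretHere address x.x.x.x netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: Traffic to protect (assumed subnets); PIX ACLs use netmasks, not wildcards.
access-list nortel_vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
: Exempt the tunnel traffic from NAT so the inside addresses are what the
: crypto ACL matches.
nat (inside) 0 access-list nortel_vpn

: Phase 2 (IPsec).
crypto ipsec transform-set nortel_set esp-3des esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address nortel_vpn
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set nortel_set
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map interface outside
: Let IPsec-protected traffic bypass interface access lists.
sysopt connection permit-ipsec
```

    The Nortel end has to be told to identify the PIX by that same outside
    address and to use the same pre-shared key; an identity type or key that
    differs on either side fails in the same way after the proposal has been
    accepted. Verify with `show crypto isakmp sa` and `show crypto ipsec sa`,
    and re-run `debug crypto isakmp` to confirm the "msg not encrypted" line is
    gone. 3DES, SHA-1 and DH group 2 were the interoperability norm in 2006 but
    are weak by current standards; where both ends support it, prefer AES and a
    larger DH group.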

  3. yellow

    yellow Guest

    Thanks for your comment.

    Should the 'lifetime' parameter match exactly on both the PIX and the Nortel
    box? I assume the two firewalls will negotiate and pick the lowest lifetime.

    yellow, Sep 6, 2006
    #3