VPN IPSEC connection between a cisco 17xx and Nortel vpn box

Discussion in 'Cisco' started by Joris Deschacht, Oct 16, 2003.

  1. I've already set up 3 of the same connections, but the fourth just won't
    come up.

    I use a cisco 17xx to connect to the nortel box.

    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key $$$$$ address xxx.xxx.xxx.xxx
    crypto ipsec transform-set TRANSFORM_VPN esp-3des esp-md5-hmac
    !
    crypto map ENCRYPT_DAF 1 ipsec-isakmp
    set peer xxx.xxx.xxx.xxx
    set transform-set TRANSFORM_VPN
    set pfs group1
    match address 191

    Crypto policy on the Nortel VPN Box:
    - Encr : 3des
    - Hash : md5
    - Authentication pre-share

    All I see in the debug is "notify has no hash, rejected", while I am
    sure we both use the same settings!!!

    >sh ver

    Cisco Internetwork Operating System Software
    IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.2(15)T2, RELEASE SOFTWARE (fc2)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 01-May-03 09:47 by nmasa
    Image text-base: 0x80008120, data-base: 0x80FB8EB8

    ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
    uptime is 23 hours, 29 minutes
    System returned to ROM by reload
    System image file is "flash:c1700-k9o3sy7-mz.122-15.T2.bin"

    Please see the debug below.


    23:23:24: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= wan ip, remote= remote peer,
    local_proxy= 172.29.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 195.69.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x48409B11(1212193553), conn_id= 0, keysize= 0, flags= 0x400B
    23:23:24: ISAKMP: received ke message (1/1)
    23:23:24: ISAKMP (0:0): SA request profile is (NULL)
    23:23:24: ISAKMP: local port 500, remote port 500
    23:23:24: ISAKMP: set new node 0 to QM_IDLE
    23:23:24: ISAKMP: insert sa successfully sa = 81C03030
    23:23:24: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
    23:23:24: ISAKMP: Looking for a matching key for remote peer in default : success
    23:23:24: ISAKMP (0:1): found peer pre-shared key matching remote peer
    23:23:24: ISAKMP (0:1): constructed NAT-T vendor-03 ID
    23:23:24: ISAKMP (0:1): constructed NAT-T vendor-02 ID
    23:23:24: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    23:23:24: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

    23:23:24: ISAKMP (0:1): beginning Main Mode exchange
    23:23:24: ISAKMP (0:1): sending packet to remote peer my_port 500 peer_port 500 (I) MM_NO_STATE
    23:23:24: ISAKMP (0:1): received packet from remote peer dport 500 sport 500 Global (I) MM_NO_STATE

    23:23:24: ISAKMP (0:1): Notify has no hash. Rejected.

    23:23:24: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    23:23:24: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_I_MM1
    23:23:54: IPSEC(key_engine): request timer fired: count = 1,
    (identity) local= wan ip, remote= remote peer,
    local_proxy= 171.11.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 195.69.0.0/255.255.0.0/0/0 (type=4)
    23:23:54: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= wan ip, remote= remote peer,
    local_proxy= 171.11.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 195.69.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x22BAADFE(582659582), conn_id= 0, keysize= 0, flags= 0x400B
    23:23:54: ISAKMP: received ke message (1/1)
    23:23:54: ISAKMP: set new node 0 to QM_IDLE
    23:23:54: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it.

    Maybe someone has an idea?

    greetings,

    Joris
     
    Joris Deschacht, Oct 16, 2003
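
One way to test the "same settings" assumption, as an added example that is not part of the original post: fill in the defaults the router applies to attributes the `crypto isakmp policy` block leaves unset, then compare the result with the peer's listed policy. The default values are an assumption (classic IOS 12.x: DES, SHA, RSA signatures, group 1), and `effective_policies` and `mismatches` are hypothetical helper names.

```python
import re

# Assumption: classic IOS (12.x) defaults for attributes a policy leaves unset.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha",
                "authentication": "rsa-sig", "group": "1"}

# Constructed input: the ISAKMP policy lines as posted above.
CISCO_CONFIG = """\
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key $$$$$ address xxx.xxx.xxx.xxx
"""

# Peer's phase 1 policy as listed in the post (no DH group was given).
NORTEL_POLICY = {"encryption": "3des", "hash": "md5",
                 "authentication": "pre-share"}


def effective_policies(config):
    """Return {priority: attributes} with unset attributes filled from defaults."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(IOS_DEFAULTS))
            continue
        words = line.split()
        if current is not None and len(words) == 2 and words[0] in IOS_DEFAULTS:
            current[words[0]] = words[1]
        elif words and words[0] != "!":
            current = None  # any other command leaves policy sub-mode
    return policies


def mismatches(local, peer):
    """List (attribute, local value, peer value) for attributes that differ."""
    return [(k, local[k], v) for k, v in sorted(peer.items()) if local.get(k) != v]


if __name__ == "__main__":
    for prio, attrs in effective_policies(CISCO_CONFIG).items():
        diffs = mismatches(attrs, NORTEL_POLICY)
        print(f"policy {prio}: {attrs}")
        for attr, ours, theirs in diffs or [("none", "-", "-")]:
            print(f"  mismatch {attr}: local={ours} peer={theirs}")
```

On the router itself, `show crypto isakmp policy` prints the effective values, including the defaults.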