pix-nortel contivity ipsec failing

Discussion in 'Cisco' started by Rik Bain, Nov 2, 2003.

  1. Rik Bain

    Rik Bain Guest

    try using "no-xauth no-config-mode" at the end of the ISAKMP key....?
     
    Rik Bain, Nov 2, 2003
    #1

  2. Bill F

    Bill F Guest

    Peer v.v.v.v is a Nortel Contivity.

    Peer g.g.g.g is another PIX for which the tunnel is functioning.
    Several questions:
    1. Why are they attempting to use OAK_MM, which I assume is the Oakley
    key protocol (actually I guess this is part of the IKE stack), and
    2. Why is XAUTH listed as a requested attribute?
    Neither of these is selected on the Contivity as far as I can see from
    a screenshot, anyway.
    3. How do I know which isakmp policy each tunnel is using?
    It's using the correct transform set, but how do I know which isakmp
    policy is being used? Could the isakmp policy have something to do with
    the OAK_MM request?

    *******************************************

    crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): SA has been authenticated

    ISAKMP (0:0): Need XAUTH
    ISAKMP/xauth: request attribute XAUTH_TYPE
    ISAKMP/xauth: request attribute XAUTH_USER_NAME
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    ISAKMP (0:0): initiating peer config to v.v.v.v ID = 708333664
    (0x2a385060)modecfg: sa: 1498e04, new mess id= 2a385060

    return status is IKMP_NO_ERROR
    VPN Peer: ISAKMP: Added new peer: ip:v.v.v.v/500 Total VPN Peers:2
    VPN Peer: ISAKMP: Peer ip:v.v.v.v/500 Ref cnt incremented to:1 Total VPN
    Peers:2
    crypto_isakmp_process_block:src:v.v.v.v, dest:a.a.a.a spt:500 dpt:500

    ********************************************
    # sh crypto isakmp sa
    Total : 2
    Embryonic : 0
    dst src state pending created
    g.g.g.g a.a.a.a QM_IDLE 0 1
    v.v.v.v a.a.a.a OAK_CONF_XAUTH 3 0

    ********************************************

    # sh crypto map
    #first one is a cisco client map entry
    Crypto Map: "mymap" interfaces: { outside }
    client authentication ias
    ..........

    Crypto Map "mymap" 1 ipsec-isakmp
    Peer = g.g.g.g
    access-list 102; 8 elements
    .............

    Current peer: g.g.g.g
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ myset, }

    Crypto Map "mymap" 2 ipsec-isakmp
    Peer = v.v.v.v
    access-list 104; 24 elements
    ........


    Current peer: v.v.v.v
    Security association lifetime: 4608000 kilobytes/28800 seconds
    PFS (Y/N): N
    Transform sets={ valencia, }

    #the tunnel to v.v.v.v is using the correct transform set but how do I
    #know which isakmp policy is being used - could the isakmp policy have
    #something to do with the OAK_MM request?
    **********************************************

    my pix cfg

    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    # below transform is for peer v.v.v.v
    crypto ipsec transform-set valencia esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 1 ipsec-isakmp
    crypto map mymap 1 match address 102
    crypto map mymap 1 set peer g.g.g.g
    crypto map mymap 1 set transform-set myset
    crypto map mymap 2 ipsec-isakmp
    crypto map mymap 2 match address 104
    crypto map mymap 2 set peer v.v.v.v
    crypto map mymap 2 set transform-set valencia
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication ias
    crypto map mymap interface outside
    isakmp enable outside
    isakmp key ******** address g.g.g.g netmask 255.255.255.255
    isakmp key ******** address v.v.v.v netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    # intended for peer v.v.v.v
    isakmp policy 11 authentication pre-share
    isakmp policy 11 encryption 3des
    isakmp policy 11 hash md5
    isakmp policy 11 group 2
    isakmp policy 11 lifetime 900
     
    Bill F, Nov 2, 2003
    #2
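To make the diagnosis in this thread concrete, here is an added Python triage script (not from the thread, not Cisco's tooling) that cross-checks a PIX config against "sh crypto isakmp sa" output: a static crypto-map peer whose SA sits in OAK_CONF_XAUTH while its map has "client authentication" enabled and its "isakmp key" line lacks the no-xauth / no-config-mode options from Rik Bain's reply is reported as a LAN-to-LAN peer being pushed through XAUTH. The sample config and SA table are constructed from the post, trimmed to the relevant lines.

```python
import re

# Constructed sample input, trimmed from the config and "sh crypto isakmp sa"
# output posted in the thread (addresses are the poster's placeholders).
PIX_CONFIG = """\
crypto map mymap 1 set peer g.g.g.g
crypto map mymap 2 set peer v.v.v.v
crypto map mymap client authentication ias
isakmp key ******** address g.g.g.g netmask 255.255.255.255
isakmp key ******** address v.v.v.v netmask 255.255.255.255
"""
ISAKMP_SA = """\
dst src state pending created
g.g.g.g a.a.a.a QM_IDLE 0 1
v.v.v.v a.a.a.a OAK_CONF_XAUTH 3 0
"""

PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)(.*)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+$")
L2L_KEY_OPTIONS = ("no-xauth", "no-config-mode")  # per-peer opt-out of XAUTH/mode-config

def parse_config(cfg):
    """Map static peers to their crypto map, collect key-line options and XAUTH-enabled maps."""
    peers, key_opts, xauth_maps = {}, {}, set()
    for line in (l.strip() for l in cfg.splitlines()):
        if m := PEER_RE.match(line):
            peers[m.group(2)] = m.group(1)
        elif m := KEY_RE.match(line):
            key_opts[m.group(1)] = m.group(2).split()  # netmask and option tokens
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m.group(1))
    return peers, key_opts, xauth_maps

def parse_sa_states(output):
    """Return {dst peer: ISAKMP state} from the tabular 'sh crypto isakmp sa' output."""
    rows = (line.split() for line in output.splitlines()[1:])  # skip header row
    return {f[0]: f[2] for f in rows if len(f) >= 3}

def stuck_lan_to_lan_peers(cfg, sa_output):
    """Return {peer: [missing key options]} for static peers stuck in OAK_CONF_XAUTH."""
    peers, key_opts, xauth_maps = parse_config(cfg)
    states = parse_sa_states(sa_output)
    findings = {}
    for peer, cmap in peers.items():
        missing = [o for o in L2L_KEY_OPTIONS if o not in key_opts.get(peer, [])]
        if cmap in xauth_maps and states.get(peer) == "OAK_CONF_XAUTH" and missing:
            findings[peer] = missing
    return findings
```

Calling stuck_lan_to_lan_peers(PIX_CONFIG, ISAKMP_SA) on the sample reports v.v.v.v with both options missing, while g.g.g.g (QM_IDLE, a working tunnel) is left alone.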
