resolved



FYI

problem is resolved

"ISAKMP: error, msg not encrypted" indicates that both sides cannot
exchange the pre-shared key.

"> ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_FQDN " indicates that the PIX
is sending its identity using a hostname. Identity authentication must be
the same on both sides. So the
problem was resolved by adding the command

isakmp identity address




"mcaissie" <mcaissie@xxxxxxxxxxxxxxxxxxx> wrote in message
news:HIMKe.174142$9A2.79001@xxxxxxxxxxx
> Hi all,
>
> I am trying to establish a VPN between a PIX 506 ( 6.3(4) ) and a Nortel
> Contivity.
> I don't have access to the Contivity.
>
> A "sh isakmp sa" shows that the state of the tunnel doesn't go
> further than
> MM_KEY_EXCH
>
> and a "debug cry isakmp" gives
>
>
>
> ISAKMP (0): beginning Main Mode exchange
> crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
>
> ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
> ISAKMP: encryption 3DES-CBC
> ISAKMP: hash SHA
> ISAKMP: default group 2
> ISAKMP: auth pre-share
> ISAKMP: life type in seconds
> ISAKMP: life duration (basic) of 28000
> ISAKMP (0): atts are acceptable. Next payload is 0
> ISAKMP (0): SA is doing pre-shared key authentication using id type
> ID_FQDN
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
>
> ISAKMP (0): processing NONCE payload. message ID = 0
>
> ISAKMP (0): ID payload
> next-payload : 8
> type : 2
> protocol : 17
> port : 500
> length : 25
> ISAKMP (0): Total payload length: 29
> return status is IKMP_NO_ERROR
> crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500
>
>
> and after a few seconds
>

>
> What exactly can I conclude from this message? Does this mean that we
> don't use the same
> transform-set? Or something else?
>
> thanks
>
