PIX to Contivity

Hi all,

I am trying to establish a VPN between a PIX 506 ( 6.3(4) ) and a Nortel Contivity.

I don't have access to the Contivity.

A "sh isakmp sa" shows that the state of the tunnel doesn't go further than

MM_KEY_EXCH

and a "debug cry isakmp" gives

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 28000
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
next-payload : 8
type : 2
protocol : 17
port : 500
length : 25
ISAKMP (0): Total payload length: 29
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:id3124, dest:x.x.x.x spt:500 dpt:500

and after a few seconds

ISAKMP: error, msg not encrypted

What exactly can I conclude with this message? Does this mean that we don't use the same transform-set? Or something else?

Thanks

2 Replies

Looks like the Preshared key is not matching on both sides.

Regards,

Shijo George.

Thanks for the hint, problem is resolved.

They were effectively not able to exchange the key, but not because they were different.

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

indicates that the PIX was identifying itself using a hostname. I forced the identification using the address and it resolved the problem.

I just added the command

isakmp identity address
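
The diagnosis reached in this thread, as an added example that is not part of the original posts: a small Python triage of "debug crypto isakmp" output that reports the accepted phase 1 attributes, the identity type and the final error, then suggests the two checks the replies raised. The function name triage, the hint wording and the shortened sample capture are assumptions made for this example.

```python
import re

# Constructed sample: a shortened copy of the debug lines quoted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 20 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP: error, msg not encrypted
"""

ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(\S+)")
ID_RE = re.compile(r"using id type (ID_\w+)")
ERR_PREFIX = "ISAKMP: error"


def triage(debug_text):
    """Summarise a 'debug crypto isakmp' capture (hypothetical helper)."""
    r = {"attrs": {}, "accepted": False, "id_type": None,
         "ke_seen": False, "error": None, "hints": []}
    for line in debug_text.splitlines():
        line = line.strip()
        attr = ATTR_RE.match(line)
        ident = ID_RE.search(line)
        if attr:
            r["attrs"][attr.group(1)] = attr.group(2)
        elif "atts are acceptable" in line:
            r["accepted"] = True
        elif ident:
            r["id_type"] = ident.group(1)
        elif "processing KE payload" in line:
            r["ke_seen"] = True
        elif line.startswith(ERR_PREFIX):
            r["error"] = line[len(ERR_PREFIX):].lstrip(", ").strip()
    if not r["accepted"]:
        r["hints"].append("phase 1 proposal not accepted: compare the ISAKMP policies")
    elif r["ke_seen"] and r["error"] == "msg not encrypted":
        # Policy matched and KE/NONCE were processed, so the exchange stopped
        # at the encrypted identity/authentication messages of Main Mode.
        r["hints"].append("verify the pre-shared key on both peers")
        if r["id_type"] == "ID_FQDN":
            r["hints"].append("PIX identifies itself by hostname (ID_FQDN); "
                              "the thread's fix was 'isakmp identity address'")
    return r
```
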
